diff --git a/include/RequestManagerAllocate.h b/include/RequestManagerAllocate.h
index 8b3497b418..faceccd4db 100644
--- a/include/RequestManagerAllocate.h
+++ b/include/RequestManagerAllocate.h
@@ -205,6 +205,10 @@ public:
 void request_execute(xmlrpc_c::paramList const& _paramList, RequestAttributes& att);
+
+ bool allocate_authorization(Template * obj_template,
+ RequestAttributes& att,
+ PoolObjectAuth * cluster_perms);
 };
 /* ------------------------------------------------------------------------- */
diff --git a/src/image/Image.cc b/src/image/Image.cc
index dfa867ee24..e05c4b8ffd 100644
--- a/src/image/Image.cc
+++ b/src/image/Image.cc
@@ -95,25 +95,10 @@ int Image::insert(SqlDB *db, string& error_str)
 string persistent_attr;
 string dev_prefix;
 string source_attr;
- string aname;
 string saved_id;
 ostringstream oss;
- // ------------------------------------------------------------------------
- // Check template for restricted attributes
- // ------------------------------------------------------------------------
-
- if ( uid != 0 && gid != GroupPool::ONEADMIN_ID )
- {
- ImageTemplate *img_template = static_cast(obj_template);
-
- if (img_template->check(aname))
- {
- goto error_restricted;
- }
- }
-
 // ---------------------------------------------------------------------
 // Check default image attributes
 // ---------------------------------------------------------------------
@@ -242,11 +227,6 @@ error_path_and_source:
 error_str = "Template malformed, PATH and SOURCE are mutually exclusive.";
 goto error_common;
-error_restricted:
- oss << "Template includes a restricted attribute " << aname << ".";
- error_str = oss.str();
- goto error_common;
-
 error_common:
 NebulaLog::log("IMG", Log::ERROR, error_str);
 return -1;
diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc
index 5342d9efd8..e5c70bda4a 100644
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
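Review bot: The new `allocate_authorization` declaration has no comment, and nothing in the header tells a reader that it replaces the base-class hook rather than adding a second entry point; the .cc implementation chains to `RequestManagerAllocate::allocate_authorization`, which suggests the base declaration is virtual, but that declaration is outside this hunk. Document the contract on the declaration: `/** Rejects templates that carry restricted attributes when the requester is not oneadmin, then delegates to RequestManagerAllocate::allocate_authorization. */`. If this code base marks overriding declarations with `virtual` (no `override` is visible here), add it for consistency with the other overrides.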
@@ -76,9 +76,28 @@ bool VirtualMachineAllocate::allocate_authorization(
 AuthRequest ar(att.uid, att.gid);
 string t64;
+ string aname;
 VirtualMachineTemplate * ttmpl = static_cast(tmpl);
+ // Check template for restricted attributes
+
+ if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
+ {
+ if (ttmpl->check(aname))
+ {
+ ostringstream oss;
+
+ oss << "VM Template includes a restricted attribute " << aname;
+
+ failure_response(AUTHORIZATION,
+ authorization_error(oss.str(), att),
+ att);
+
+ return false;
+ }
+ }
+
 ar.add_create_auth(auth_object, tmpl->to_xml(t64));
 VirtualMachine::set_auth_request(att.uid, ar, ttmpl);
@@ -98,6 +117,39 @@ bool VirtualMachineAllocate::allocate_authorization(
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
+bool ImageAllocate::allocate_authorization(
+ Template * tmpl,
+ RequestAttributes& att,
+ PoolObjectAuth * cluster_perms)
+{
+ string aname;
+
+ ImageTemplate * itmpl = static_cast(tmpl);
+
+ // Check template for restricted attributes
+
+ if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
+ {
+ if (itmpl->check(aname))
+ {
+ ostringstream oss;
+
+ oss << "Template includes a restricted attribute " << aname;
+
+ failure_response(AUTHORIZATION,
+ authorization_error(oss.str(), att),
+ att);
+
+ return false;
+ }
+ }
+
+ return RequestManagerAllocate::allocate_authorization(tmpl, att, cluster_perms);
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params, RequestAttributes& att)
 {
diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc
index a62aa2f56d..d354d5a037 100644
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
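Review bot: Moving the restricted-attribute check out of `VirtualMachine::insert` (VirtualMachine.cc hunk) and `Image::insert` (both Image.cc hunks) into this RPC-level override means the model objects no longer enforce it themselves, so enforcement now depends on every creation path going through `allocate_authorization`; if any other request or internal path (a clone, an import, a future RPC) reaches the pool's allocate with a user-controlled template, it accepts restricted attributes silently unless it repeats this block. That is a legitimate design, but it should be stated where the old check lived, e.g. a comment on `VirtualMachine::insert` and `Image::insert`: `// Restricted attributes are enforced by the allocate_authorization hook of the request layer, not here; new creation paths must call it.` The check also runs before `ar.add_create_auth`, so the AUTHORIZATION failure reaches a caller whose ACL rights have not yet been evaluated, which is fine as the attribute name is the caller's own input. allocate_authorization starts before and ends after this hunk.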
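Review bot: The body of the new `ImageAllocate::allocate_authorization` is a copy of the block added to `VirtualMachineAllocate::allocate_authorization` above and of the one added to `VMTemplateInstantiate::request_execute` in RequestManagerVMTemplate.cc, differing only in the message prefix and the cast; three copies of an authorization decision tend to drift apart. A small helper on the common request base class that already provides `failure_response` and `authorization_error` (constructed name below) keeps the check and the error reporting in one place, with the object-specific prefix as an extra parameter if the two messages must stay distinct. Unrelated to that, the new function has no header comment; `// Image templates are checked for restricted attributes before the generic cluster/ACL authorization runs.` would do. The function is complete within the hunk.
```cpp
// Constructed helper: declare it once on the common request base class that
// already provides failure_response()/authorization_error().
void restricted_attribute_failure(const string& aname, RequestAttributes& att)
{
    ostringstream oss;

    oss << "Template includes a restricted attribute " << aname;

    failure_response(AUTHORIZATION, authorization_error(oss.str(), att), att);
}

// … unchanged: ImageAllocate::allocate_authorization signature and itmpl cast …
    if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID && itmpl->check(aname) )
    {
        restricted_attribute_failure(aname, att);
        return false;
    }

    return RequestManagerAllocate::allocate_authorization(tmpl, att, cluster_perms);
```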
@@ -39,6 +39,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
 VMTemplate * rtmpl;
 string error_str;
+ string aname;
 rtmpl = tpool->get(id,true);
@@ -57,6 +58,26 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
 rtmpl->unlock();
+ // Check template for restricted attributes, but only if the Template owner
+ // is not oneadmin
+
+ if ( perms.uid != 0 && perms.gid != GroupPool::ONEADMIN_ID )
+ {
+ if (tmpl->check(aname))
+ {
+ ostringstream oss;
+
+ oss << "VM Template includes a restricted attribute " << aname;
+
+ failure_response(AUTHORIZATION,
+ authorization_error(oss.str(), att),
+ att);
+
+ delete tmpl;
+ return;
+ }
+ }
+
 tmpl->erase("NAME");
 tmpl->set(new SingleAttribute("NAME",name));
diff --git a/src/vm/VirtualMachine.cc b/src/vm/VirtualMachine.cc
index 38fd4100f0..f11f91ac70 100644
--- a/src/vm/VirtualMachine.cc
+++ b/src/vm/VirtualMachine.cc
@@ -198,26 +198,9 @@ int VirtualMachine::insert(SqlDB * db, string& error_str)
 int rc;
 string name;
- SingleAttribute * attr;
- string aname;
- string value;
-
- ostringstream oss;
-
- // ------------------------------------------------------------------------
- // Check template for restricted attributes
- // ------------------------------------------------------------------------
-
- if ( uid != 0 && gid != GroupPool::ONEADMIN_ID )
- {
- VirtualMachineTemplate *vt =
- static_cast(obj_template);
-
- if (vt->check(aname))
- {
- goto error_restricted;
- }
- }
+ SingleAttribute * attr;
+ string value;
+ ostringstream oss;
 // ------------------------------------------------------------------------
 // Set a name if the VM has not got one and VM_ID
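Review bot: The owner test in the second hunk reads `perms.uid`/`perms.gid` (the stored template's owner) while the two new `allocate_authorization` overrides read `att.uid`/`att.gid` (the requester), and the comment states the rule but not the reason; presumably a oneadmin-owned template is trusted to carry restricted attributes on purpose so that regular users can instantiate it, which is a deliberate loosening compared with the removed `VirtualMachine::insert` check that keyed off the VM owner. Spell that out so the asymmetry is not "fixed" later: `// Enforced against the template owner, not the caller: a oneadmin-owned template may legitimately carry restricted attributes for regular users, while a user-owned one is never trusted, whoever instantiates it.` The check inspects `tmpl` as copied from the stored VMTemplate; if caller-supplied attributes are ever merged into it further down this function, the check must move after that merge. request_execute starts before and ends after this hunk.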
@@ -327,11 +310,6 @@ error_leases_rollback:
 release_network_leases();
 goto error_common;
-error_restricted:
- oss << "VM Template includes a restricted attribute " << aname << ".";
- error_str = oss.str();
- goto error_common;
-
 error_name_length:
 oss << "NAME is too long; max length is 128 chars.";
 error_str = oss.str();