
F #4775: Consolidate authorization requests for User creates. User

groups are always managed as a set
This commit is contained in:
Ruben S. Montero 2016-09-29 12:22:07 +02:00
parent e2b04e886f
commit 2dc9ddea40
4 changed files with 136 additions and 96 deletions


@ -53,9 +53,9 @@ protected:
virtual void request_execute(xmlrpc_c::paramList const& _paramList,
RequestAttributes& att);
virtual bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
virtual bool allocate_authorization(xmlrpc_c::paramList const& _paramList,
Template *obj_template, RequestAttributes& att,
PoolObjectAuth *cluster_perms);
/* -------------------------------------------------------------------- */
@ -150,9 +150,9 @@ public:
int& id,
RequestAttributes& att);
bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
Template *obj_template, RequestAttributes& att,
PoolObjectAuth *cluster_perms);
};
/* ------------------------------------------------------------------------- */
@ -258,9 +258,9 @@ public:
int& id,
RequestAttributes& att);
bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
Template *obj_template, RequestAttributes& att,
PoolObjectAuth *cluster_perms);
};
/* ------------------------------------------------------------------------- */
@ -331,6 +331,10 @@ public:
Template * tmpl,
int& id,
RequestAttributes& att);
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
Template *obj_template, RequestAttributes& att,
PoolObjectAuth *cluster_perms);
private:
GroupPool * gpool;
};
@ -600,9 +604,9 @@ public:
int& id,
RequestAttributes& att);
bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
Template *obj_template, RequestAttributes& att,
PoolObjectAuth *cluster_perms);
};
/* ------------------------------------------------------------------------- */
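Review bot: The three-argument `allocate_authorization(Template *, RequestAttributes&, PoolObjectAuth *)` declarations are replaced by the paramList overload in every class shown here, but none of the new declarations carries `override`, so any subclass outside these four files that still defines the old signature would silently stop being dispatched to and fall back to the base implementation — for an authorization hook that means the subclass's extra checks are skipped without a compile error. Worth confirming with a search for the old signature across the tree; if the build allows C++11, adding `override` to the new declarations (e.g. `bool allocate_authorization(xmlrpc_c::paramList const& paramList, Template *obj_template, RequestAttributes& att, PoolObjectAuth *cluster_perms) override;`) would make the compiler catch any future drift of this kind. Minor: the base declaration names the first parameter `_paramList` while the overrides use `paramList`.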


@ -55,10 +55,11 @@ public:
int allocate (
int * oid,
const string& uname,
int gid,
const string& password,
const string& auth,
bool enabled,
const vector<int>& gids,
const set<int>& gids,
string& error_str);
/**
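Review bot: The new `int gid` parameter inserted between `uname` and `password` is not documented in the hunk; the Doxygen block for `allocate` sits above the hunk and is not visible here, but it should now state the contract between the two group arguments, e.g. `@param gid primary group of the new user, expected to be one of the ids in gids` and `@param gids complete set of groups (primary and secondary) the user is added to`. The `set<int>` change removes the old positional meaning of the first element, so the primary-group relationship now lives only in `gid` and deserves to be spelled out for callers.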


@ -25,6 +25,7 @@
/* -------------------------------------------------------------------------- */
bool RequestManagerAllocate::allocate_authorization(
xmlrpc_c::paramList const& paramList,
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
@ -65,6 +66,7 @@ bool RequestManagerAllocate::allocate_authorization(
/* -------------------------------------------------------------------------- */
bool VirtualMachineAllocate::allocate_authorization(
xmlrpc_c::paramList const& paramList,
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
@ -171,7 +173,7 @@ void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
cluster_perms.oid = ClusterPool::NONE_CLUSTER_ID;
}
if ( allocate_authorization(tmpl, att, &cluster_perms) == false )
if ( allocate_authorization(params, tmpl, att, &cluster_perms) == false )
{
delete tmpl;
return;
@ -612,6 +614,7 @@ Request::ErrorCode TemplateAllocate::pool_allocate(
/* -------------------------------------------------------------------------- */
bool TemplateAllocate::allocate_authorization(
xmlrpc_c::paramList const& paramList,
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
@ -670,6 +673,73 @@ Request::ErrorCode HostAllocate::pool_allocate(
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool UserAllocate::allocate_authorization(
xmlrpc_c::paramList const& paramList,
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
vector<xmlrpc_c::value> param_arr;
vector<xmlrpc_c::value>::const_iterator it;
if ( paramList.size() > 4 )
{
param_arr = xmlrpc_c::value_array(
paramList.getArray(4)).vectorValueValue();
}
AuthRequest ar(att.uid, att.group_ids);
ar.add_create_auth(att.uid, att.gid, auth_object, "");
for (it = param_arr.begin(); it != param_arr.end(); it++)
{
int tmp_gid = xmlrpc_c::value_int(*it);
Group* group = gpool->get(tmp_gid, true);
if (group == 0)
{
att.resp_id = tmp_gid;
att.resp_obj = PoolObjectSQL::GROUP;
failure_response(NO_EXISTS, att);
return false;
}
// Users can be created in request group if USE CREATE is granted for it
// Other groups needs MANAGE permission.
if (att.gid != tmp_gid)
{
PoolObjectAuth perms;
group->get_permissions(perms);
ar.add_auth(AuthRequest::MANAGE, perms); // MANAGE GROUP
}
group->unlock();
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return false;
}
return true;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
Request::ErrorCode UserAllocate::pool_allocate(
xmlrpc_c::paramList const& paramList,
Template * tmpl,
@ -680,51 +750,29 @@ Request::ErrorCode UserAllocate::pool_allocate(
string passwd = xmlrpc_c::value_string(paramList.getString(2));
string driver = xmlrpc_c::value_string(paramList.getString(3));
vector<int> gids;
set<int> gids;
int gid = -1;
vector<xmlrpc_c::value> param_arr;
vector<xmlrpc_c::value>::const_iterator it;
if ( paramList.size() > 4 )
{
param_arr = xmlrpc_c::value_array(paramList.getArray(4)).vectorValueValue();
param_arr = xmlrpc_c::value_array(
paramList.getArray(4)).vectorValueValue();
}
AuthRequest ar(att.uid, att.group_ids);
for (it = param_arr.begin(); it != param_arr.end(); it++)
{
int gid = xmlrpc_c::value_int(*it);
gids.push_back(gid);
int tmp_gid = xmlrpc_c::value_int(*it);
PoolObjectAuth perms;
Group* group = gpool->get(gid, true);
gids.insert(tmp_gid);
if (group == 0)
if ( gid == -1 ) //First gid is the primary group
{
att.resp_id = gid;
att.resp_obj = PoolObjectSQL::GROUP;
return NO_EXISTS;
}
// For compatibility with previous versions, a group admin can create
// a new user in his group only with the USE CREATE permission.
if (att.gid != gid)
{
group->get_permissions(perms);
ar.add_auth(AuthRequest::MANAGE, perms); // MANAGE GROUP
}
group->unlock();
}
if ( att.uid != UserPool::ONEADMIN_ID )
{
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
return Request::AUTHORIZATION;
gid = tmp_gid;
}
}
@ -732,11 +780,13 @@ Request::ErrorCode UserAllocate::pool_allocate(
{
if ( att.gid == GroupPool::ONEADMIN_ID )
{
gids.push_back(GroupPool::USERS_ID);
gid = GroupPool::USERS_ID;
gids.insert(GroupPool::USERS_ID);
}
else
{
gids.push_back(att.gid);
gid = att.gid;
gids.insert(att.gid);
}
}
@ -745,8 +795,8 @@ Request::ErrorCode UserAllocate::pool_allocate(
driver = UserPool::CORE_AUTH;
}
int rc = static_cast<UserPool *>(pool)->allocate(&id,uname,passwd,
driver,true,gids,att.resp_msg);
int rc = static_cast<UserPool *>(pool)->allocate(&id, uname, gid, passwd,
driver, true, gids, att.resp_msg);
if (rc < 0)
{
@ -986,6 +1036,7 @@ Request::ErrorCode VirtualRouterAllocate::pool_allocate(
/* -------------------------------------------------------------------------- */
bool VirtualRouterAllocate::allocate_authorization(
xmlrpc_c::paramList const& paramList,
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
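Review bot: In the new UserAllocate::allocate_authorization the oneadmin exemption is written as `if ( att.uid == 0 )`, whereas the check it replaces in pool_allocate used `UserPool::ONEADMIN_ID`; using the named constant keeps the privilege bypass greppable and consistent with the rest of the file, i.e. `if ( att.uid == UserPool::ONEADMIN_ID )`. The group array is also decoded twice from `paramList.getArray(4)`, once here to collect the MANAGE checks and again in pool_allocate to build `gids`, so the set that is authorized and the set that is allocated come from two independent parses of the same parameter; a small private helper returning the parsed group ids, used by both, would keep them from diverging if either side is edited later. The comment at the MANAGE branch reads `Other groups needs MANAGE permission.` and should be `Other groups need MANAGE permission.`.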


@ -63,11 +63,11 @@ UserPool::UserPool(SqlDB * db,
int i;
ostringstream oss;
string one_token;
string one_name;
string one_pass;
string random;
vector<int> gids;
string one_token;
string one_name;
string one_pass;
string random;
set<int> gids;
string filenames[5];
string error_str;
@ -154,10 +154,11 @@ UserPool::UserPool(SqlDB * db,
ofile.close();
}
gids.push_back(GroupPool::ONEADMIN_ID);
gids.insert(GroupPool::ONEADMIN_ID);
allocate(&one_uid,
one_name,
GroupPool::ONEADMIN_ID,
one_pass,
UserPool::CORE_AUTH,
true,
@ -171,6 +172,7 @@ UserPool::UserPool(SqlDB * db,
allocate(&server_uid,
SERVER_NAME,
GroupPool::ONEADMIN_ID,
one_util::sha1_digest(random),
"server_cipher",
true,
@ -224,24 +226,23 @@ error_common:
/* -------------------------------------------------------------------------- */
int UserPool::allocate (
int * oid,
const string& uname,
const string& password,
const string& auth,
bool enabled,
const vector<int>& gids,
int * oid,
const string& uname,
int gid,
const string& password,
const string& auth,
bool enabled,
const set<int>& gids,
string& error_str)
{
Nebula& nd = Nebula::instance();
User * user;
GroupPool * gpool = nd.get_gpool();
Group * group;
string auth_driver = auth;
string upass = password;
int gid;
string gname;
ostringstream oss;
@ -290,24 +291,18 @@ int UserPool::allocate (
goto error_no_groups;
}
gid = gids[0];
gname = gpool->get_name(gid);
group = gpool->get(gid, true);
if( group == 0 )
if(gname.empty())
{
goto error_group;
goto error_no_groups;
}
gname = group->get_name();
group->unlock();
// Build a new User object
user = new User(-1, gid, uname, gname, upass, auth_driver, enabled);
// Add the primary and secondary groups to the collection
for(vector<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
for(set<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
{
user->add_group(*it);
}
@ -324,9 +319,9 @@ int UserPool::allocate (
}
// Add the user to the main and secondary groups
for(vector<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
for(set<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
{
group = gpool->get(*it, true);
Group * group = gpool->get(*it, true);
if( group == 0 ) //Secondary group no longer exists
{
@ -355,7 +350,7 @@ error_duplicated:
goto error_common;
error_no_groups:
oss << "The array of groups needs to have at least one Group ID.";
oss << "The array of groups needs to have at least a valid Group ID.";
goto error_common;
error_group:
@ -372,9 +367,9 @@ error_group:
// Remove from all the groups, just in case the user id was added to a any
// of them before a non-existing group was found
for(vector<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
for(set<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
{
group = gpool->get(*it, true);
Group * group = gpool->get(*it, true);
if( group == 0 ) //Secondary group no longer exists
{
@ -956,19 +951,17 @@ bool UserPool::authenticate_external(const string& username,
string tmp_str;
string default_auth;
Nebula& nd = Nebula::instance();
Nebula& nd = Nebula::instance();
AuthManager * authm = nd.get_authm();
GroupPool * gpool = nd.get_gpool();
Group* group;
int gid = -1;
int rc;
int gid = -1;
int rc;
set<int>::iterator it;
set<int> empty_set;
vector<int> v_group_ids;
AuthRequest ar(-1,empty_set);
if (authm == 0)
@ -1015,31 +1008,22 @@ bool UserPool::authenticate_external(const string& username,
else
{
group_id = gid;
gname = gpool->get_name(group_id);
group = gpool->get(group_id, true);
if( group == 0 )
if(gname.empty())
{
error_str = "Primary Group no longer exist";
goto auth_failure_user;
}
gname = group->get_name();
group->unlock();
}
// Copy set into vector, copying the group_id first to make sure it is
// the main group
v_group_ids.push_back(group_id);
copy(group_ids.begin(), group_ids.end(), back_inserter(v_group_ids));
allocate(&user_id,
mad_name,
group_id,
mad_pass,
driver_name,
true,
v_group_ids,
group_ids,
error_str);
if ( user_id == -1 )
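Review bot: In authenticate_external the call now passes `group_ids` straight through, where the removed code first pushed `group_id` and then appended the set (its comment says this was done to make sure group_id is the main group); if the set coming from the driver is not guaranteed to contain `group_id`, the user is created with `group_id` as primary group but is never added to that group's membership, because UserPool::allocate only walks `gids` in its "Add the user to the main and secondary groups" loop (the loop header is visible in the earlier hunk, its body is not). Either `group_ids.insert(group_id);` right before `allocate(&user_id,` — if `group_ids` is a mutable local here — or, better, having UserPool::allocate insert `gid` into its own working copy of the set would restore the invariant for every caller at once. authenticate_external starts outside this hunk, so whether `group_ids` already includes `gid` cannot be confirmed from the page.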