F #4775: Consolidate authorization requests for User creates. User
groups are always managed as a set
This commit is contained in:
parent
e2b04e886f
commit
2dc9ddea40
@ -53,9 +53,9 @@ protected:
|
||||
virtual void request_execute(xmlrpc_c::paramList const& _paramList,
|
||||
RequestAttributes& att);
|
||||
|
||||
virtual bool allocate_authorization(Template * obj_template,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms);
|
||||
virtual bool allocate_authorization(xmlrpc_c::paramList const& _paramList,
|
||||
Template *obj_template, RequestAttributes& att,
|
||||
PoolObjectAuth *cluster_perms);
|
||||
|
||||
/* -------------------------------------------------------------------- */
|
||||
|
||||
@ -150,9 +150,9 @@ public:
|
||||
int& id,
|
||||
RequestAttributes& att);
|
||||
|
||||
bool allocate_authorization(Template * obj_template,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms);
|
||||
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
|
||||
Template *obj_template, RequestAttributes& att,
|
||||
PoolObjectAuth *cluster_perms);
|
||||
};
|
||||
|
||||
/* ------------------------------------------------------------------------- */
|
||||
@ -258,9 +258,9 @@ public:
|
||||
int& id,
|
||||
RequestAttributes& att);
|
||||
|
||||
bool allocate_authorization(Template * obj_template,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms);
|
||||
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
|
||||
Template *obj_template, RequestAttributes& att,
|
||||
PoolObjectAuth *cluster_perms);
|
||||
};
|
||||
|
||||
/* ------------------------------------------------------------------------- */
|
||||
@ -331,6 +331,10 @@ public:
|
||||
Template * tmpl,
|
||||
int& id,
|
||||
RequestAttributes& att);
|
||||
|
||||
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
|
||||
Template *obj_template, RequestAttributes& att,
|
||||
PoolObjectAuth *cluster_perms);
|
||||
private:
|
||||
GroupPool * gpool;
|
||||
};
|
||||
@ -600,9 +604,9 @@ public:
|
||||
int& id,
|
||||
RequestAttributes& att);
|
||||
|
||||
bool allocate_authorization(Template * obj_template,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms);
|
||||
bool allocate_authorization(xmlrpc_c::paramList const& paramList,
|
||||
Template *obj_template, RequestAttributes& att,
|
||||
PoolObjectAuth *cluster_perms);
|
||||
};
|
||||
|
||||
/* ------------------------------------------------------------------------- */
|
||||
|
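Review bot: The new virtual overload `allocate_authorization(xmlrpc_c::paramList const&, Template*, RequestAttributes&, PoolObjectAuth*)` on the base class has no comment saying how it relates to the existing three-argument overload, and the .cc hunks show request_execute now calls the four-argument form, so a reader has to guess which one a subclass must override. I would add a Doxygen block above it stating that this overload receives the raw RPC parameters so subclasses can authorize arguments beyond the template (UserAllocate uses the group array), that it is the one invoked from request_execute, and — if that is what the base implementation does, which is not visible here — that the default forwards to the three-argument overload. A point of style: UserAllocate declares only the four-argument overload, which hides the base's three-argument one inside that class; either `using RequestManagerAllocate::allocate_authorization;` or a comment noting the hiding is intentional would prevent surprise for the next subclass author. The same documentation gap applies to the repeated declarations in the other classes in this header.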
@ -55,10 +55,11 @@ public:
|
||||
int allocate (
|
||||
int * oid,
|
||||
const string& uname,
|
||||
int gid,
|
||||
const string& password,
|
||||
const string& auth,
|
||||
bool enabled,
|
||||
const vector<int>& gids,
|
||||
const set<int>& gids,
|
||||
string& error_str);
|
||||
|
||||
/**
|
||||
|
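Review bot: The signature gains `int gid` and switches `gids` from `vector<int>` to `set<int>`, but the Doxygen block that documents allocate() sits above the hunk and cannot be seen here; it needs a `@param gid` entry and an updated description of `gids`, since a set has no first element and the old "first id is the primary group" convention no longer holds. I would state explicitly whether `gids` is expected to contain `gid` (the .cc callers visible in this commit insert it themselves) so future callers do not rely on allocate() adding it. The declaration's enclosing class continues outside the hunk.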
@ -25,6 +25,7 @@
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool RequestManagerAllocate::allocate_authorization(
|
||||
xmlrpc_c::paramList const& paramList,
|
||||
Template * tmpl,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
@ -65,6 +66,7 @@ bool RequestManagerAllocate::allocate_authorization(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool VirtualMachineAllocate::allocate_authorization(
|
||||
xmlrpc_c::paramList const& paramList,
|
||||
Template * tmpl,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
@ -171,7 +173,7 @@ void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
|
||||
cluster_perms.oid = ClusterPool::NONE_CLUSTER_ID;
|
||||
}
|
||||
|
||||
if ( allocate_authorization(tmpl, att, &cluster_perms) == false )
|
||||
if ( allocate_authorization(params, tmpl, att, &cluster_perms) == false )
|
||||
{
|
||||
delete tmpl;
|
||||
return;
|
||||
@ -612,6 +614,7 @@ Request::ErrorCode TemplateAllocate::pool_allocate(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool TemplateAllocate::allocate_authorization(
|
||||
xmlrpc_c::paramList const& paramList,
|
||||
Template * tmpl,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
@ -670,6 +673,73 @@ Request::ErrorCode HostAllocate::pool_allocate(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool UserAllocate::allocate_authorization(
|
||||
xmlrpc_c::paramList const& paramList,
|
||||
Template * tmpl,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
vector<xmlrpc_c::value> param_arr;
|
||||
vector<xmlrpc_c::value>::const_iterator it;
|
||||
|
||||
if ( paramList.size() > 4 )
|
||||
{
|
||||
param_arr = xmlrpc_c::value_array(
|
||||
paramList.getArray(4)).vectorValueValue();
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, auth_object, "");
|
||||
|
||||
for (it = param_arr.begin(); it != param_arr.end(); it++)
|
||||
{
|
||||
int tmp_gid = xmlrpc_c::value_int(*it);
|
||||
|
||||
Group* group = gpool->get(tmp_gid, true);
|
||||
|
||||
if (group == 0)
|
||||
{
|
||||
att.resp_id = tmp_gid;
|
||||
att.resp_obj = PoolObjectSQL::GROUP;
|
||||
|
||||
failure_response(NO_EXISTS, att);
|
||||
return false;
|
||||
}
|
||||
|
||||
// Users can be created in request group if USE CREATE is granted for it
|
||||
// Other groups needs MANAGE permission.
|
||||
if (att.gid != tmp_gid)
|
||||
{
|
||||
PoolObjectAuth perms;
|
||||
|
||||
group->get_permissions(perms);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, perms); // MANAGE GROUP
|
||||
}
|
||||
|
||||
group->unlock();
|
||||
}
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
Request::ErrorCode UserAllocate::pool_allocate(
|
||||
xmlrpc_c::paramList const& paramList,
|
||||
Template * tmpl,
|
||||
@ -680,51 +750,29 @@ Request::ErrorCode UserAllocate::pool_allocate(
|
||||
string passwd = xmlrpc_c::value_string(paramList.getString(2));
|
||||
string driver = xmlrpc_c::value_string(paramList.getString(3));
|
||||
|
||||
vector<int> gids;
|
||||
set<int> gids;
|
||||
int gid = -1;
|
||||
|
||||
vector<xmlrpc_c::value> param_arr;
|
||||
vector<xmlrpc_c::value>::const_iterator it;
|
||||
|
||||
if ( paramList.size() > 4 )
|
||||
{
|
||||
param_arr = xmlrpc_c::value_array(paramList.getArray(4)).vectorValueValue();
|
||||
param_arr = xmlrpc_c::value_array(
|
||||
paramList.getArray(4)).vectorValueValue();
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
for (it = param_arr.begin(); it != param_arr.end(); it++)
|
||||
{
|
||||
int gid = xmlrpc_c::value_int(*it);
|
||||
gids.push_back(gid);
|
||||
int tmp_gid = xmlrpc_c::value_int(*it);
|
||||
|
||||
PoolObjectAuth perms;
|
||||
Group* group = gpool->get(gid, true);
|
||||
gids.insert(tmp_gid);
|
||||
|
||||
if (group == 0)
|
||||
if ( gid == -1 ) //First gid is the primary group
|
||||
{
|
||||
att.resp_id = gid;
|
||||
att.resp_obj = PoolObjectSQL::GROUP;
|
||||
return NO_EXISTS;
|
||||
}
|
||||
|
||||
// For compatibility with previous versions, a group admin can create
|
||||
// a new user in his group only with the USE CREATE permission.
|
||||
if (att.gid != gid)
|
||||
{
|
||||
group->get_permissions(perms);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, perms); // MANAGE GROUP
|
||||
}
|
||||
|
||||
group->unlock();
|
||||
}
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID )
|
||||
{
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
return Request::AUTHORIZATION;
|
||||
gid = tmp_gid;
|
||||
}
|
||||
}
|
||||
|
||||
@ -732,11 +780,13 @@ Request::ErrorCode UserAllocate::pool_allocate(
|
||||
{
|
||||
if ( att.gid == GroupPool::ONEADMIN_ID )
|
||||
{
|
||||
gids.push_back(GroupPool::USERS_ID);
|
||||
gid = GroupPool::USERS_ID;
|
||||
gids.insert(GroupPool::USERS_ID);
|
||||
}
|
||||
else
|
||||
{
|
||||
gids.push_back(att.gid);
|
||||
gid = att.gid;
|
||||
gids.insert(att.gid);
|
||||
}
|
||||
}
|
||||
|
||||
@ -745,8 +795,8 @@ Request::ErrorCode UserAllocate::pool_allocate(
|
||||
driver = UserPool::CORE_AUTH;
|
||||
}
|
||||
|
||||
int rc = static_cast<UserPool *>(pool)->allocate(&id,uname,passwd,
|
||||
driver,true,gids,att.resp_msg);
|
||||
int rc = static_cast<UserPool *>(pool)->allocate(&id, uname, gid, passwd,
|
||||
driver, true, gids, att.resp_msg);
|
||||
|
||||
if (rc < 0)
|
||||
{
|
||||
@ -986,6 +1036,7 @@ Request::ErrorCode VirtualRouterAllocate::pool_allocate(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool VirtualRouterAllocate::allocate_authorization(
|
||||
xmlrpc_c::paramList const& paramList,
|
||||
Template * tmpl,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
|
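Review bot: The optional group array is decoded from `paramList.getArray(4)` twice per request — once in the new UserAllocate::allocate_authorization (the `paramList.size() > 4` block and the `xmlrpc_c::value_int(*it)` loop) and again in UserAllocate::pool_allocate with the same code — so a single static helper that yields the ids once would keep the authorization and allocation views of the request identical. `xmlrpc_c::value_int` throws when an element is not an integer, so a malformed array presumably surfaces as an exception rather than a failure_response unless the dispatcher catches it (not visible here); the helper is the natural place for that check. The `att.uid == 0` early return also skips the per-group existence check that used to run for everyone, so for oneadmin a missing group is now reported by UserPool::allocate instead of NO_EXISTS with `att.resp_id` set — fine if intended, but worth a one-line comment at the return. pool_allocate continues outside the hunk.
```cpp
/* Decodes the optional array of group ids (RPC parameter 4) into gids.
 * Shared by allocate_authorization() and pool_allocate() so both see the
 * same list. Element conversion throws on a non-integer value. */
static void get_group_ids(xmlrpc_c::paramList const& paramList,
        vector<int>& gids)
{
    gids.clear();

    if ( paramList.size() <= 4 )
    {
        return;
    }

    vector<xmlrpc_c::value> param_arr = xmlrpc_c::value_array(
            paramList.getArray(4)).vectorValueValue();

    vector<xmlrpc_c::value>::const_iterator it;

    for (it = param_arr.begin(); it != param_arr.end(); ++it)
    {
        int tmp_gid = xmlrpc_c::value_int(*it);

        gids.push_back(tmp_gid);
    }
}

bool UserAllocate::allocate_authorization(
        xmlrpc_c::paramList const& paramList,
        Template * tmpl,
        RequestAttributes& att,
        PoolObjectAuth * cluster_perms)
{
    // … unchanged: oneadmin early return …

    vector<int> req_gids;

    get_group_ids(paramList, req_gids);

    AuthRequest ar(att.uid, att.group_ids);

    ar.add_create_auth(att.uid, att.gid, auth_object, "");

    for (vector<int>::const_iterator it = req_gids.begin();
            it != req_gids.end(); ++it)
    {
        int tmp_gid = *it;

        // … unchanged: group lookup, NO_EXISTS response, MANAGE check, unlock …
    }

    // … unchanged: UserPool::authorize and return …
```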
@ -63,11 +63,11 @@ UserPool::UserPool(SqlDB * db,
|
||||
int i;
|
||||
|
||||
ostringstream oss;
|
||||
string one_token;
|
||||
string one_name;
|
||||
string one_pass;
|
||||
string random;
|
||||
vector<int> gids;
|
||||
string one_token;
|
||||
string one_name;
|
||||
string one_pass;
|
||||
string random;
|
||||
set<int> gids;
|
||||
|
||||
string filenames[5];
|
||||
string error_str;
|
||||
@ -154,10 +154,11 @@ UserPool::UserPool(SqlDB * db,
|
||||
ofile.close();
|
||||
}
|
||||
|
||||
gids.push_back(GroupPool::ONEADMIN_ID);
|
||||
gids.insert(GroupPool::ONEADMIN_ID);
|
||||
|
||||
allocate(&one_uid,
|
||||
one_name,
|
||||
GroupPool::ONEADMIN_ID,
|
||||
one_pass,
|
||||
UserPool::CORE_AUTH,
|
||||
true,
|
||||
@ -171,6 +172,7 @@ UserPool::UserPool(SqlDB * db,
|
||||
|
||||
allocate(&server_uid,
|
||||
SERVER_NAME,
|
||||
GroupPool::ONEADMIN_ID,
|
||||
one_util::sha1_digest(random),
|
||||
"server_cipher",
|
||||
true,
|
||||
@ -224,24 +226,23 @@ error_common:
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
int UserPool::allocate (
|
||||
int * oid,
|
||||
const string& uname,
|
||||
const string& password,
|
||||
const string& auth,
|
||||
bool enabled,
|
||||
const vector<int>& gids,
|
||||
int * oid,
|
||||
const string& uname,
|
||||
int gid,
|
||||
const string& password,
|
||||
const string& auth,
|
||||
bool enabled,
|
||||
const set<int>& gids,
|
||||
string& error_str)
|
||||
{
|
||||
Nebula& nd = Nebula::instance();
|
||||
|
||||
User * user;
|
||||
GroupPool * gpool = nd.get_gpool();
|
||||
Group * group;
|
||||
|
||||
string auth_driver = auth;
|
||||
string upass = password;
|
||||
|
||||
int gid;
|
||||
string gname;
|
||||
|
||||
ostringstream oss;
|
||||
@ -290,24 +291,18 @@ int UserPool::allocate (
|
||||
goto error_no_groups;
|
||||
}
|
||||
|
||||
gid = gids[0];
|
||||
gname = gpool->get_name(gid);
|
||||
|
||||
group = gpool->get(gid, true);
|
||||
|
||||
if( group == 0 )
|
||||
if(gname.empty())
|
||||
{
|
||||
goto error_group;
|
||||
goto error_no_groups;
|
||||
}
|
||||
|
||||
gname = group->get_name();
|
||||
|
||||
group->unlock();
|
||||
|
||||
// Build a new User object
|
||||
user = new User(-1, gid, uname, gname, upass, auth_driver, enabled);
|
||||
|
||||
// Add the primary and secondary groups to the collection
|
||||
for(vector<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
|
||||
for(set<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
|
||||
{
|
||||
user->add_group(*it);
|
||||
}
|
||||
@ -324,9 +319,9 @@ int UserPool::allocate (
|
||||
}
|
||||
|
||||
// Add the user to the main and secondary groups
|
||||
for(vector<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
|
||||
for(set<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
|
||||
{
|
||||
group = gpool->get(*it, true);
|
||||
Group * group = gpool->get(*it, true);
|
||||
|
||||
if( group == 0 ) //Secondary group no longer exists
|
||||
{
|
||||
@ -355,7 +350,7 @@ error_duplicated:
|
||||
goto error_common;
|
||||
|
||||
error_no_groups:
|
||||
oss << "The array of groups needs to have at least one Group ID.";
|
||||
oss << "The array of groups needs to have at least a valid Group ID.";
|
||||
goto error_common;
|
||||
|
||||
error_group:
|
||||
@ -372,9 +367,9 @@ error_group:
|
||||
|
||||
// Remove from all the groups, just in case the user id was added to a any
|
||||
// of them before a non-existing group was found
|
||||
for(vector<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
|
||||
for(set<int>::const_iterator it = gids.begin(); it != gids.end(); it++)
|
||||
{
|
||||
group = gpool->get(*it, true);
|
||||
Group * group = gpool->get(*it, true);
|
||||
|
||||
if( group == 0 ) //Secondary group no longer exists
|
||||
{
|
||||
@ -956,19 +951,17 @@ bool UserPool::authenticate_external(const string& username,
|
||||
string tmp_str;
|
||||
string default_auth;
|
||||
|
||||
Nebula& nd = Nebula::instance();
|
||||
Nebula& nd = Nebula::instance();
|
||||
|
||||
AuthManager * authm = nd.get_authm();
|
||||
GroupPool * gpool = nd.get_gpool();
|
||||
Group* group;
|
||||
|
||||
int gid = -1;
|
||||
int rc;
|
||||
int gid = -1;
|
||||
int rc;
|
||||
|
||||
set<int>::iterator it;
|
||||
set<int> empty_set;
|
||||
|
||||
vector<int> v_group_ids;
|
||||
|
||||
AuthRequest ar(-1,empty_set);
|
||||
|
||||
if (authm == 0)
|
||||
@ -1015,31 +1008,22 @@ bool UserPool::authenticate_external(const string& username,
|
||||
else
|
||||
{
|
||||
group_id = gid;
|
||||
gname = gpool->get_name(group_id);
|
||||
|
||||
group = gpool->get(group_id, true);
|
||||
|
||||
if( group == 0 )
|
||||
if(gname.empty())
|
||||
{
|
||||
error_str = "Primary Group no longer exist";
|
||||
goto auth_failure_user;
|
||||
}
|
||||
|
||||
gname = group->get_name();
|
||||
|
||||
group->unlock();
|
||||
}
|
||||
|
||||
// Copy set into vector, copying the group_id first to make sure it is
|
||||
// the main group
|
||||
v_group_ids.push_back(group_id);
|
||||
copy(group_ids.begin(), group_ids.end(), back_inserter(v_group_ids));
|
||||
|
||||
allocate(&user_id,
|
||||
mad_name,
|
||||
group_id,
|
||||
mad_pass,
|
||||
driver_name,
|
||||
true,
|
||||
v_group_ids,
|
||||
group_ids,
|
||||
error_str);
|
||||
|
||||
if ( user_id == -1 )
|
||||
|
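Review bot: In authenticate_external the old code prepended `group_id` to the vector before copying `group_ids` into it, whereas the new call passes `group_id` and `group_ids` separately; if the driver-reported primary id is not a member of `group_ids` (decided above the hunk, so I cannot tell), UserPool::allocate's "Add the primary and secondary groups" loop iterates only `gids`, and the user would be created with `gid` as primary group but never added to it. A defensive check in UserPool::allocate right after the `gname.empty()` test would make the contract explicit, e.g. `if ( gids.find(gid) == gids.end() ) { goto error_no_groups; }`; the visible callers (pool_allocate and the UserPool constructor) already insert `gid` into the set, so they are unaffected. Both allocate() and authenticate_external() also now treat an empty name from `gpool->get_name()` as "group does not exist" (the `gname.empty()` tests), which relies on get_name returning an empty string for unknown ids — presumably true, but a short comment at the first such test would save the next reader a lookup. Both functions continue outside their hunks.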