
feature #687: Added an ACL Manager to the Scheduler. The ACL is base class for the new one

This commit is contained in:
Ruben S. Montero 2011-07-05 16:32:18 +02:00
parent d850f6924d
commit 37f0700a96
9 changed files with 243 additions and 48 deletions


@ -32,7 +32,12 @@ class AclManager : public Callbackable
public:
AclManager(SqlDB * _db);
~AclManager();
AclManager():db(0),lastOID(0)
{
pthread_mutex_init(&mutex, 0);
};
virtual ~AclManager();
/**
* Loads the ACL rule set from the DB
@ -40,15 +45,6 @@ public:
*/
int start();
/**
* Loads the ACL rule set from its XML representation
* as obtained by a dump call
*
* @param xml_str string with the XML document for the ACL
* @return 0 on success.
*/
int start_xml(const string& xml_str);
/* ---------------------------------------------------------------------- */
/* Rule management */
/* ---------------------------------------------------------------------- */
@ -84,10 +80,10 @@ public:
* -2 if the rule is malformed,
* -3 if the DB insert failed
*/
int add_rule(long long user,
long long resource,
long long rights,
string& error_str);
virtual int add_rule(long long user,
long long resource,
long long rights,
string& error_str);
/**
* Deletes a rule from the ACL rule set
*
@ -95,7 +91,7 @@ public:
* @param error_str Returns the error reason, if any
* @return 0 on success
*/
int del_rule(int oid, string& error_str);
virtual int del_rule(int oid, string& error_str);
/* ---------------------------------------------------------------------- */
/* DB management */
@ -116,9 +112,9 @@ public:
* @param oss The output stream to dump the rule set contents
* @return 0 on success
*/
int dump(ostringstream& oss);
virtual int dump(ostringstream& oss);
private:
protected:
// ----------------------------------------
// ACL rules management
@ -135,6 +131,8 @@ private:
*/
map<int, AclRule *> acl_rules_oids;
private:
/**
* Gets all rules that apply to the user_req and, if any of them grants
* permission, returns true.
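Review bot: The new default constructor `AclManager():db(0),lastOID(0)` leaves `db` null while the DB-backed members it inherits (`start`, `add_rule`, `del_rule`, `dump`, all documented here as touching the DB) stay public and virtual, so a subclass that forgets to override one of them would presumably run a DB operation against a null pointer. The header states no such contract; a comment on the constructor would, e.g. `// DB-less constructor for subclasses that replace the SqlDB operations (the scheduler's AclXML): db stays null, so every inherited DB-backed method must be overridden.` The stray `;` after the constructor's closing `}` is an empty declaration and can be dropped. Whether `~AclManager()` itself dereferences `db` is not visible in this hunk.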


@ -131,6 +131,20 @@ public:
return resource & 0xFFFFFFFF00000000LL;
};
// ------------------------------------------------------------------------
// Functions needed by the Scheduler ACL engine
// ------------------------------------------------------------------------
long long get_user() const
{
return user;
}
long long get_oid() const
{
return oid;
}
private:
// NONE_ID can never be used in a rule. It is useful to create masks that
// will never match any existing rule
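Review bot: `long long get_oid() const` returns a wider type than the rest of the code uses for a rule id: `del_rule(int oid, ...)` and `map<int, AclRule *> acl_rules_oids` in `AclManager.h` both treat it as `int`, and `AclXML::load_rules` inserts `make_pair(rule->get_oid(), rule)` into that `int`-keyed map, which silently narrows. If the `oid` member is an `int` (not visible here), declare the accessor as `int get_oid() const` so the key types agree; if it really is `long long`, the map key and `del_rule` parameter are the ones to revisit. The `get_user()` accessor matches the `long long` user type used by `add_rule` and is fine.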


@ -71,34 +71,6 @@ int AclManager::start()
return select();
}
/* -------------------------------------------------------------------------- */
int AclManager::start_xml(const string& xml_str)
{
ObjectXML acl_xml(xml_str);
vector<xmlNodePtr> rules;
vector<xmlNodePtr>::iterator it;
acl_xml.get_nodes("/ACL_POOL/ACL",rules);
for (it = rules.begin(); it != rules.end() ; it++)
{
AclRule * rule = new AclRule(0,0,0,0);
int rc = rule->from_xml(*it);
if ( rc == 0 )
{
acl_rules.insert( make_pair(rule->user, rule) );
acl_rules_oids.insert( make_pair(rule->oid, rule) );
}
}
acl_xml.free_nodes(rules);
return 0;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */


@ -0,0 +1,83 @@
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
#ifndef ACL_XML_H_
#define ACL_XML_H_
#include "AclManager.h"
#include "Client.h"
using namespace std;
/**
* This class manages the ACL rules and the authorization engine
*/
class AclXML : public AclManager
{
public:
AclXML(Client * _client):AclManager(), client(_client){};
virtual ~AclXML(){};
/**
* Loads the ACL rule set from the DB
* @return 0 on success.
*/
int set_up();
private:
/* ---------------------------------------------------------------------- */
/* Re-implement DB public functions not used in scheduler */
/* ---------------------------------------------------------------------- */
int start()
{
return -1;
}
int add_rule(long long user,
long long resource,
long long rights,
string& error_str)
{
return -1;
};
int del_rule(int oid, string& error_str)
{
return -1;
};
int dump(ostringstream& oss)
{
return -1;
};
Client * client;
/**
* Loads the ACL rule set from its XML representation:
* as obtained by a dump call
*
* @param xml_str string with the XML document for the ACL
* @return 0 on success.
*/
int load_rules(const string& xml_str);
void flush_rules();
};
#endif /*ACL_XML_H*/
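Review bot: `AclXML(Client * _client)` is a single-argument constructor that is not `explicit`, and the pointer it stores is not owned by this class (the Scheduler creates `client` and deletes it itself, after `acls`); both facts belong in the header, e.g. `explicit AclXML(Client * _client):AclManager(), client(_client){};` and `Client * client; // not owned: created and deleted by the Scheduler`. The four stubs (`start`, `add_rule`, `del_rule`, `dump`) override public virtuals of `AclManager` but are declared without `virtual` and inside `private:`, which hides the intent; writing `virtual` on them and one comment such as `// DB operations are not available in the scheduler: always fail` makes the deliberate `-1` obvious, and `add_rule`/`del_rule` could also set `error_str` since the base documents it as the error reason. `virtual ~AclXML(){}` does not call `flush_rules()`, so the `AclRule` objects that `load_rules` allocates with `new` are released only if `~AclManager()` does it, which this commit does not show; confirm that exactly one of the two destructors frees them. The closing guard comment `/*ACL_XML_H*/` does not match the macro `ACL_XML_H_`.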


@ -23,6 +23,7 @@
#include "VirtualMachinePoolXML.h"
#include "SchedulerPolicy.h"
#include "ActionManager.h"
#include "AclXML.h"
using namespace std;
@ -50,6 +51,7 @@ protected:
hpool(0),
vmpool(0),
upool(0),
acls(0),
timer(_timer),
url(_url),
machines_limit(_machines_limit),
@ -78,6 +80,11 @@ protected:
delete upool;
}
if ( acls != 0)
{
delete acls;
}
if ( client != 0)
{
delete client;
@ -91,6 +98,7 @@ protected:
HostPoolXML * hpool;
VirtualMachinePoolXML * vmpool;
UserPoolXML * upool;
AclXML * acls;
// ---------------------------------------------------------------
// Scheduler Policies
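Review bot: The destructor deletes `acls` before `client`, and that order matters because `AclXML` keeps the `Client *` it is constructed with without owning it (see the new `AclXML.h`); a comment on the new block would keep a later edit from reordering the deletes: `// acls borrows client: delete it before client`. The enclosing destructor starts before the hunk. The `acls(0)` initializer in the constructor hunk is placed after `upool(0)`, matching the member declaration order shown in the last hunk, which is what the compiler expects.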


@ -0,0 +1,114 @@
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
#include "AclXML.h"
#include "ObjectXML.h"
#include <vector>
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
int AclXML::set_up()
{
xmlrpc_c::value result;
try
{
client->call(client->get_endpoint(), // serverUrl
"one.acl.info", // methodName
"s", // arguments format
&result, // resultP
client->get_oneauth().c_str());// argument
vector<xmlrpc_c::value> values =
xmlrpc_c::value_array(result).vectorValueValue();
bool success = xmlrpc_c::value_boolean(values[0]);
string message = xmlrpc_c::value_string(values[1]);
if( !success )
{
ostringstream oss;
oss << "ONE returned error while retrieving the acls:" << endl;
oss << message;
NebulaLog::log("ACL", Log::ERROR, oss);
return -1;
}
flush_rules();
load_rules(message);
return 0;
}
catch (exception const& e)
{
ostringstream oss;
oss << "Exception raised: " << e.what();
NebulaLog::log("ACL", Log::ERROR, oss);
return -1;
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
int AclXML::load_rules(const string& xml_str)
{
ObjectXML acl_xml(xml_str);
vector<xmlNodePtr> rules;
vector<xmlNodePtr>::iterator it;
acl_xml.get_nodes("/ACL_POOL/ACL",rules);
for (it = rules.begin(); it != rules.end() ; it++)
{
AclRule * rule = new AclRule(0,0,0,0);
int rc = rule->from_xml(*it);
if ( rc == 0 )
{
acl_rules.insert( make_pair(rule->get_user(), rule) );
acl_rules_oids.insert( make_pair(rule->get_oid(), rule) );
}
}
acl_xml.free_nodes(rules);
return 0;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AclXML::flush_rules()
{
multimap<long long, AclRule *>::iterator it;
for ( it = acl_rules.begin(); it != acl_rules.end(); it++ )
{
delete it->second;
}
acl_rules.clear();
acl_rules_oids.clear();
}
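Review bot: In `load_rules`, the `AclRule` allocated with `new AclRule(0,0,0,0)` is leaked when `rule->from_xml(*it)` returns non-zero, since only the `rc == 0` branch keeps a pointer to it; add `else { delete rule; }` after the insert block. A rule that fails to parse is also dropped silently, so a `NebulaLog::log("ACL", Log::WARNING, ...)` in that branch would make a malformed rule visible in the scheduler log instead of just absent from the rule set. In `set_up`, `values[0]` and `values[1]` are read without checking `values.size()`; a response with fewer elements is an out-of-bounds `vector` access, which is undefined behaviour rather than an exception the surrounding `catch` could intercept, so guard it with `if ( values.size() < 2 ) { NebulaLog::log("ACL", Log::ERROR, "Malformed one.acl.info response"); return -1; }` before the reads. `set_up` also discards the return value of `load_rules`, which currently always returns 0; either check it or document that it cannot fail.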


@ -21,6 +21,7 @@ Import('sched_env')
lib_name='scheduler_pool'
source_files=[
'AclXML.cc',
'UserPoolXML.cc',
'UserXML.cc',
'HostPoolXML.cc',


@ -32,6 +32,7 @@ sched_env.Prepend(LIBS=[
'scheduler_pool',
'nebula_log',
'scheduler_client',
'nebula_acl',
'nebula_xml',
'nebula_common',
'crypto',


@ -122,6 +122,7 @@ void Scheduler::start()
hpool = new HostPoolXML(client);
vmpool = new VirtualMachinePoolXML(client, machines_limit);
upool = new UserPoolXML(client);
acls = new AclXML(client);
// -----------------------------------------------------------
// Load scheduler policies
@ -244,9 +245,12 @@ int Scheduler::set_up_pools()
//Cleans the cache and get the ACLs
//--------------------------------------------------------------------------
//TODO
// 1.- one.acl.list
// 2.- from_xml
rc = acls->set_up();
if ( rc != 0 )
{
return rc;
}
//--------------------------------------------------------------------------
//Get the matching hosts for each VM
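Review bot: The `//TODO` block listing `one.acl.list` and `from_xml` sits directly above `rc = acls->set_up();`, which now does exactly that; the rendering does not show which side those comment lines are on, but if they survive on the new side they are stale and should be removed. A one-line comment on the new check would record the intent the caller relies on: `// abort the pool refresh if the ACL set could not be retrieved`. `set_up_pools` continues outside the hunk, so what the caller does with the non-zero `rc` is not visible here; the first hunk's `acls = new AclXML(client);` pairs with the delete added in `Scheduler.h` and needs nothing further.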