diff --git a/include/AclManager.h b/include/AclManager.h
index 1f23596671..e4bb79de36 100644
--- a/include/AclManager.h
+++ b/include/AclManager.h
@@ -32,7 +32,12 @@ class AclManager : public Callbackable
 public:
 AclManager(SqlDB * _db);
 
- ~AclManager();
+ AclManager():db(0),lastOID(0)
+ {
+ pthread_mutex_init(&mutex, 0);
+ };
+
+ virtual ~AclManager();
 
 /**
 * Loads the ACL rule set from the DB
@@ -40,15 +45,6 @@ public:
 */
 int start();
 
- /**
- * Loads the ACL rule set from its XML representation
- * as obtained by a dump call
- *
- * @param xml_str string with the XML document for the ACL
- * @return 0 on success.
- */
- int start_xml(const string& xml_str);
-
 /* ---------------------------------------------------------------------- */
 /* Rule management */
 /* ---------------------------------------------------------------------- */
@@ -84,10 +80,10 @@ public:
 * -2 if the rule is malformed,
 * -3 if the DB insert failed
 */
- int add_rule(long long user,
- long long resource,
- long long rights,
- string& error_str);
+ virtual int add_rule(long long user,
+ long long resource,
+ long long rights,
+ string& error_str);
 /**
 * Deletes a rule from the ACL rule set
 *
@@ -95,7 +91,7 @@ public:
 * @param error_str Returns the error reason, if any
 * @return 0 on success
 */
- int del_rule(int oid, string& error_str);
+ virtual int del_rule(int oid, string& error_str);
 
 /* ---------------------------------------------------------------------- */
 /* DB management */
@@ -116,9 +112,9 @@ public:
 * @param oss The output stream to dump the rule set contents
 * @return 0 on success
 */
- int dump(ostringstream& oss);
+ virtual int dump(ostringstream& oss);
 
-private:
+protected:
 
 // ----------------------------------------
 // ACL rules management
@@ -135,6 +131,8 @@ private:
 */
 map acl_rules_oids;
 
+private:
+
 /**
 * Gets all rules that apply to the user_req and, if any of them grants
 * permission, returns true.
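Review bot: The new default constructor leaves `db` null, yet `start()` in the next hunk stays non-virtual (`int start();`), so a call to `start()` through an `AclManager*` that actually points at the scheduler's `AclXML` runs the base DB path (`return select();` in src/acl/AclManager.cc) against a null `db`; the private `AclXML::start()` stub in src/scheduler/include/AclXML.h hides rather than overrides it. Declaring it `virtual int start();` like `add_rule`, `del_rule` and `dump` closes that gap. The return value of `pthread_mutex_init` is also discarded, and the `};` after the in-class constructor body carries a stray semicolon. The class declaration begins outside the hunk.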
diff --git a/include/AclRule.h b/include/AclRule.h
index 73f40b4cce..4047ff57ee 100644
--- a/include/AclRule.h
+++ b/include/AclRule.h
@@ -131,6 +131,20 @@ public:
 return resource & 0xFFFFFFFF00000000LL;
 };
 
+ // ------------------------------------------------------------------------
+ // Functions needed by the Scheduler ACL engine
+ // ------------------------------------------------------------------------
+
+ long long get_user() const
+ {
+ return user;
+ }
+
+ long long get_oid() const
+ {
+ return oid;
+ }
+
 private:
 // NONE_ID can never be used in a rule. It is useful to create masks that
 // will never match any existing rule
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index 5d401e3015..4aececeff9 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -71,34 +71,6 @@ int AclManager::start()
 return select();
 }
 
-/* -------------------------------------------------------------------------- */
-
-int AclManager::start_xml(const string& xml_str)
-{
- ObjectXML acl_xml(xml_str);
-
- vector rules;
- vector::iterator it;
-
- acl_xml.get_nodes("/ACL_POOL/ACL",rules);
-
- for (it = rules.begin(); it != rules.end() ; it++)
- {
- AclRule * rule = new AclRule(0,0,0,0);
- int rc = rule->from_xml(*it);
-
- if ( rc == 0 )
- {
- acl_rules.insert( make_pair(rule->user, rule) );
- acl_rules_oids.insert( make_pair(rule->oid, rule) );
- }
- }
-
- acl_xml.free_nodes(rules);
-
- return 0;
-}
-
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
diff --git a/src/scheduler/include/AclXML.h b/src/scheduler/include/AclXML.h
new file mode 100644
index 0000000000..d3aecd593c
--- /dev/null
+++ b/src/scheduler/include/AclXML.h
@@ -0,0 +1,83 @@
+/* -------------------------------------------------------------------------- */
+/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
+/* not use this file except in compliance with the License. You may obtain */
+/* a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
+/* See the License for the specific language governing permissions and */
+/* limitations under the License. */
+/* -------------------------------------------------------------------------- */
+
+#ifndef ACL_XML_H_
+#define ACL_XML_H_
+
+#include "AclManager.h"
+#include "Client.h"
+
+using namespace std;
+
+/**
+ * This class manages the ACL rules and the authorization engine
+ */
+class AclXML : public AclManager
+{
+public:
+ AclXML(Client * _client):AclManager(), client(_client){};
+
+ virtual ~AclXML(){};
+
+ /**
+ * Loads the ACL rule set from the DB
+ * @return 0 on success.
+ */
+ int set_up();
+
+private:
+ /* ---------------------------------------------------------------------- */
+ /* Re-implement DB public functions not used in scheduler */
+ /* ---------------------------------------------------------------------- */
+ int start()
+ {
+ return -1;
+ }
+
+ int add_rule(long long user,
+ long long resource,
+ long long rights,
+ string& error_str)
+ {
+ return -1;
+ };
+
+ int del_rule(int oid, string& error_str)
+ {
+ return -1;
+ };
+
+ int dump(ostringstream& oss)
+ {
+ return -1;
+ };
+
+ Client * client;
+
+ /**
+ * Loads the ACL rule set from its XML representation:
+ * as obtained by a dump call
+ *
+ * @param xml_str string with the XML document for the ACL
+ * @return 0 on success.
+ */
+ int load_rules(const string& xml_str);
+
+ void flush_rules();
+};
+
+#endif /*ACL_XML_H*/
+
diff --git a/src/scheduler/include/Scheduler.h b/src/scheduler/include/Scheduler.h
index 5fd1ae6365..93e2ff7345 100644
--- a/src/scheduler/include/Scheduler.h
+++ b/src/scheduler/include/Scheduler.h
@@ -23,6 +23,7 @@
 #include "VirtualMachinePoolXML.h"
 #include "SchedulerPolicy.h"
 #include "ActionManager.h"
+#include "AclXML.h"
 
 using namespace std;
 
@@ -50,6 +51,7 @@ protected:
 hpool(0),
 vmpool(0),
 upool(0),
+ acls(0),
 timer(_timer),
 url(_url),
 machines_limit(_machines_limit),
@@ -78,6 +80,11 @@ protected:
 delete upool;
 }
 
+ if ( acls != 0)
+ {
+ delete acls;
+ }
+
 if ( client != 0)
 {
 delete client;
@@ -91,6 +98,7 @@ protected:
 HostPoolXML * hpool;
 VirtualMachinePoolXML * vmpool;
 UserPoolXML * upool;
+ AclXML * acls;
 
 // ---------------------------------------------------------------
 // Scheduler Policies
diff --git a/src/scheduler/src/pool/AclXML.cc b/src/scheduler/src/pool/AclXML.cc
new file mode 100644
index 0000000000..d9ed6b4954
--- /dev/null
+++ b/src/scheduler/src/pool/AclXML.cc
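Review bot: The Doxygen block above `int set_up();` says it loads the rule set from the DB, but the scheduler has no DB — `AclXML::set_up` in src/scheduler/src/pool/AclXML.cc fetches the rules with the `one.acl.info` XML-RPC call; suggest `* Loads the ACL rule set from the ONE core (one.acl.info XML-RPC call)` and `* @return 0 on success, -1 if the call failed or raised (the error is logged)`. `virtual ~AclXML(){}` does not call `flush_rules()`, so the `AclRule` objects that `load_rules` allocates are freed at shutdown only if `~AclManager()` (outside this diff) deletes the entries of `acl_rules`; if it does not, the destructor should call `flush_rules()`. The `-1` stubs being `private` does not stop calls through an `AclManager*` — only the base's `virtual` declarations do that, and `start()` is not declared virtual in include/AclManager.h, so `AclXML::start()` hides it instead of overriding it.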
@@ -0,0 +1,114 @@
+/* -------------------------------------------------------------------------- */
+/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
+/* not use this file except in compliance with the License. You may obtain */
+/* a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
+/* See the License for the specific language governing permissions and */
+/* limitations under the License. */
+/* -------------------------------------------------------------------------- */
+
+#include "AclXML.h"
+#include "ObjectXML.h"
+#include 
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+int AclXML::set_up()
+{
+ xmlrpc_c::value result;
+
+ try
+ {
+ client->call(client->get_endpoint(), // serverUrl
+ "one.acl.info", // methodName
+ "s", // arguments format
+ &result, // resultP
+ client->get_oneauth().c_str());// argument
+
+ vector values =
+ xmlrpc_c::value_array(result).vectorValueValue();
+
+ bool success = xmlrpc_c::value_boolean(values[0]);
+ string message = xmlrpc_c::value_string(values[1]);
+
+ if( !success )
+ {
+ ostringstream oss;
+
+ oss << "ONE returned error while retrieving the acls:" << endl;
+ oss << message;
+
+ NebulaLog::log("ACL", Log::ERROR, oss);
+ return -1;
+ }
+
+ flush_rules();
+
+ load_rules(message);
+
+ return 0;
+ }
+ catch (exception const& e)
+ {
+ ostringstream oss;
+ oss << "Exception raised: " << e.what();
+
+ NebulaLog::log("ACL", Log::ERROR, oss);
+
+ return -1;
+ }
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+int AclXML::load_rules(const string& xml_str)
+{
+ ObjectXML acl_xml(xml_str);
+
+ vector rules;
+ vector::iterator it;
+
+ acl_xml.get_nodes("/ACL_POOL/ACL",rules);
+
+ for (it = rules.begin(); it != rules.end() ; it++)
+ {
+ AclRule * rule = new AclRule(0,0,0,0);
+ int rc = rule->from_xml(*it);
+
+ if ( rc == 0 )
+ {
+ acl_rules.insert( make_pair(rule->get_user(), rule) );
+ acl_rules_oids.insert( make_pair(rule->get_oid(), rule) );
+ }
+ }
+
+ acl_xml.free_nodes(rules);
+
+ return 0;
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+void AclXML::flush_rules()
+{
+ multimap::iterator it;
+
+ for ( it = acl_rules.begin(); it != acl_rules.end(); it++ )
+ {
+ delete it->second;
+ }
+
+ acl_rules.clear();
+ acl_rules_oids.clear();
+}
+
diff --git a/src/scheduler/src/pool/SConstruct b/src/scheduler/src/pool/SConstruct
index 0eb31942d5..428b17b01b 100644
--- a/src/scheduler/src/pool/SConstruct
+++ b/src/scheduler/src/pool/SConstruct
@@ -21,6 +21,7 @@ Import('sched_env')
 lib_name='scheduler_pool'
 
 source_files=[
+ 'AclXML.cc',
 'UserPoolXML.cc',
 'UserXML.cc',
 'HostPoolXML.cc',
diff --git a/src/scheduler/src/sched/SConstruct b/src/scheduler/src/sched/SConstruct
index 41cb064c98..e66ebfacf2 100644
--- a/src/scheduler/src/sched/SConstruct
+++ b/src/scheduler/src/sched/SConstruct
@@ -32,6 +32,7 @@ sched_env.Prepend(LIBS=[
 'scheduler_pool',
 'nebula_log',
 'scheduler_client',
+ 'nebula_acl',
 'nebula_xml',
 'nebula_common',
 'crypto',
diff --git a/src/scheduler/src/sched/Scheduler.cc b/src/scheduler/src/sched/Scheduler.cc
index 0ea7eae18f..b3e141fe44 100644
--- a/src/scheduler/src/sched/Scheduler.cc
+++ b/src/scheduler/src/sched/Scheduler.cc
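Review bot: In `load_rules`, the object created with `new AclRule(0,0,0,0)` is only stored in the maps when `from_xml` returns 0, so every `<ACL>` element that fails to parse leaks its `AclRule`; add `else { delete rule; }` after the `if ( rc == 0 )` block. In `set_up`, `values[0]` and `values[1]` are read without checking `values.size()`, and `vector::operator[]` is unchecked, so a reply with fewer than two elements is undefined behaviour rather than an exception the `catch` below would see; put `if ( values.size() < 2 ) { return -1; }` (logging as in the `!success` branch) before the two casts. `flush_rules` and `load_rules` also rewrite `acl_rules`/`acl_rules_oids` without locking the `mutex` that the new `AclManager()` constructor initialises; if the base class's rule lookup reads those maps under that mutex from another thread, a reload races with it — confirm against the scheduler's threading model before relying on it.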
@@ -122,6 +122,7 @@ void Scheduler::start()
 hpool = new HostPoolXML(client);
 vmpool = new VirtualMachinePoolXML(client, machines_limit);
 upool = new UserPoolXML(client);
+ acls = new AclXML(client);
 
 // -----------------------------------------------------------
 // Load scheduler policies
@@ -244,9 +245,12 @@ int Scheduler::set_up_pools()
 //Cleans the cache and get the ACLs
 //--------------------------------------------------------------------------
 
- //TODO
- // 1.- one.acl.list
- // 2.- from_xml
+ rc = acls->set_up();
+
+ if ( rc != 0 )
+ {
+ return rc;
+ }
 
 //--------------------------------------------------------------------------
 //Get the matching hosts for each VM