
feature #1565: Check resource types for CLUSTER based ACLs

This commit is contained in:
Ruben S. Montero 2013-01-22 20:57:42 +01:00
parent 60e2753548
commit 382f1f722b
4 changed files with 47 additions and 20 deletions


@ -36,7 +36,7 @@ public:
// ------------------------------------------------------------------------
static const long long INDIVIDUAL_ID;
static const long long GROUP_ID;
static const long long ALL_ID;
@ -52,9 +52,9 @@ public:
/**
* Main ACL rule constructor
*/
AclRule(int _oid,
long long _user,
long long _resource,
AclRule(int _oid,
long long _user,
long long _resource,
long long _rights):
oid(_oid), user(_user), resource(_resource), rights(_rights)
{
@ -66,8 +66,8 @@ public:
*/
void set(int _oid,
long long _user,
long long _resource,
long long _user,
long long _resource,
long long _rights)
{
oid = _oid;
@ -191,8 +191,8 @@ private:
int oid;
/**
* 64 bit integer holding a user compound:
*
* 64 bit integer holding a user compound:
*
* 32 bits 32 bits
* +-----------------------+-----------------------+
* | Type (user,group,all) | user/group ID |
@ -202,7 +202,7 @@ private:
/**
* 64 bit integer holding a resource compound
*
*
* 32 bits 32 bits
* +-----------------------+-----------------------+
* | Type (VM, Host...) | resource ID |
@ -243,6 +243,11 @@ private:
static const int num_auth_operations;
static const AuthRequest::Operation auth_operations[];
/**
* Objects that cannot be used with the CLUSTER(%) selector
*/
static const long long INVALID_CLUSTER_OBJECTS;
};
#endif /*ACL_RULE_H*/
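Review bot: The comment on INVALID_CLUSTER_OBJECTS in the last hunk does not say what the value is or where it is applied, which a reader of the header needs because the definition lives in AclRule.cc. I would expand it to `/** Bitmask of PoolObjectSQL object-type bits that must not be combined with the CLUSTER(%) selector; compared in malformed() against the type field of the resource compound */`. Saying explicitly that it is a deny-list also records the maintenance obligation: any object type added to PoolObjectSQL later must be added here as well, or `%` silently becomes valid for it.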


@ -36,7 +36,7 @@ using namespace std;
/* -------------------------------------------------------------------------- */
/**
* The Virtual Network class. It represents a Virtual Network at manages its
* The Virtual Network class. It represents a Virtual Network at manages its
* leases. One lease is formed by one IP and one MAC address.
* MAC address are derived from IP addresses.
*/
@ -70,7 +70,7 @@ public:
/**
* Adds Leases to the virtual network (Only implemented for FIXED networks)
* @param leases template in the form LEASES = [IP=XX, MAC=XX].
* MAC is optional. The template can only contain one LEASE
* MAC is optional. The template can only contain one LEASE
* definition.
* @param error_msg If the action fails, this message contains the reason.
* @return 0 on success
@ -78,7 +78,7 @@ public:
int add_leases(VirtualNetworkTemplate * leases, string& error_msg);
/**
* Removes Leases from the virtual network; if they are not used.(Only
* Removes Leases from the virtual network; if they are not used.(Only
* implemented for FIXED networks)
* @param leases template in the form LEASES = [IP=XX].
* The template can only contain one LEASE definition.
@ -146,7 +146,7 @@ public:
};
/**
* Check if a VM is the owner of the ip
* Check if a VM is the owner of the ip
* @param ip of the lease to be checked
* @param vid the ID of the VM
* @return true if the ip was already assigned
@ -216,7 +216,7 @@ private:
* Name of the physical device the bridge should be attached to
*/
string phydev;
/**
* VLAN ID of the NIC
*/
@ -326,8 +326,8 @@ private:
* Reads the Virtual Network (identified with its OID) from the database.
* @param db pointer to the db
* @param name of the network
* @param uid of the owner
*
* @param uid of the owner
*
* @return 0 on success
*/
int select(SqlDB * db, const string& name, int uid);


@ -17,7 +17,7 @@
#include "AclRule.h"
#include "AuthRequest.h"
#include "PoolObjectSQL.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -50,6 +50,11 @@ const AuthRequest::Operation AclRule::auth_operations[] = {
AuthRequest::CREATE
};
const long long AclRule::INVALID_CLUSTER_OBJECTS =
PoolObjectSQL::VM | PoolObjectSQL::IMAGE | PoolObjectSQL::USER |
PoolObjectSQL::TEMPLATE | PoolObjectSQL::GROUP | PoolObjectSQL::ACL |
PoolObjectSQL::CLUSTER | PoolObjectSQL::DOCUMENT;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -57,6 +62,7 @@ bool AclRule::malformed(string& error_str) const
{
ostringstream oss;
bool error = false;
long long resource_type;
// Check user
@ -139,6 +145,22 @@ bool AclRule::malformed(string& error_str) const
<< "and ALL (*) bits are exclusive";
}
resource_type = resource_code() & 0xFFFFFFF000000000LL;
if ((resource & CLUSTER_ID) && (resource_type & INVALID_CLUSTER_OBJECTS))
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] CLUSTER(%) selector can be applied only to "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::DATASTORE) << ", "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::HOST) << " and "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::NET) << " types";
}
if ( (resource & 0xF00000000LL) == 0 )
{
if ( error )
@ -290,7 +312,7 @@ void AclRule::build_str()
{
oss << "??";
}
oss << " ";
prefix = false;
@ -348,7 +370,7 @@ int AclRule::from_xml(xmlNodePtr node)
break;
}
xmlNodePtr elem = acl->children;
xmlNodePtr elem = acl->children;
if ( elem->type != XML_TEXT_NODE )
{


@ -22,7 +22,7 @@ module OpenNebula
# USER -> #<num>
# @<num>
# ALL
# RESOURCE -> + separated list and "/{#,@}<num>|ALL"
# RESOURCE -> + separated list and "/{#,@,%}<num>|ALL"
# VM,
# HOST
# NET