feature #1565: Check resource types for CLUSTER based ACLs
This commit is contained in:
parent
60e2753548
commit
382f1f722b
@ -36,7 +36,7 @@ public:
|
||||
|
||||
// ------------------------------------------------------------------------
|
||||
static const long long INDIVIDUAL_ID;
|
||||
|
||||
|
||||
static const long long GROUP_ID;
|
||||
|
||||
static const long long ALL_ID;
|
||||
@ -52,9 +52,9 @@ public:
|
||||
/**
|
||||
* Main ACL rule constructor
|
||||
*/
|
||||
AclRule(int _oid,
|
||||
long long _user,
|
||||
long long _resource,
|
||||
AclRule(int _oid,
|
||||
long long _user,
|
||||
long long _resource,
|
||||
long long _rights):
|
||||
oid(_oid), user(_user), resource(_resource), rights(_rights)
|
||||
{
|
||||
@ -66,8 +66,8 @@ public:
|
||||
*/
|
||||
|
||||
void set(int _oid,
|
||||
long long _user,
|
||||
long long _resource,
|
||||
long long _user,
|
||||
long long _resource,
|
||||
long long _rights)
|
||||
{
|
||||
oid = _oid;
|
||||
@ -191,8 +191,8 @@ private:
|
||||
int oid;
|
||||
|
||||
/**
|
||||
* 64 bit integer holding a user compound:
|
||||
*
|
||||
* 64 bit integer holding a user compound:
|
||||
*
|
||||
* 32 bits 32 bits
|
||||
* +-----------------------+-----------------------+
|
||||
* | Type (user,group,all) | user/group ID |
|
||||
@ -202,7 +202,7 @@ private:
|
||||
|
||||
/**
|
||||
* 64 bit integer holding a resource compound
|
||||
*
|
||||
*
|
||||
* 32 bits 32 bits
|
||||
* +-----------------------+-----------------------+
|
||||
* | Type (VM, Host...) | resource ID |
|
||||
@ -243,6 +243,11 @@ private:
|
||||
static const int num_auth_operations;
|
||||
|
||||
static const AuthRequest::Operation auth_operations[];
|
||||
|
||||
/**
|
||||
* Objects that cannot be used with the CLUSTER(%) selector
|
||||
*/
|
||||
static const long long INVALID_CLUSTER_OBJECTS;
|
||||
};
|
||||
|
||||
#endif /*ACL_RULE_H*/
|
||||
|
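Review bot: The comment on the new `INVALID_CLUSTER_OBJECTS` member says which selector it concerns but not what the value is or how it is consumed; a reader of the header cannot tell that it is a bit-or of PoolObjectSQL object-type bits, nor that it is a deny-list. I would extend it to `Bit-or of PoolObjectSQL type bits that malformed() rejects when combined with the CLUSTER(%) selector; any type not set here is accepted with it` so that the fail-open default is visible where the constant is declared. The other hunks in this file appear to be whitespace-only.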
@ -36,7 +36,7 @@ using namespace std;
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
/**
|
||||
* The Virtual Network class. It represents a Virtual Network at manages its
|
||||
* The Virtual Network class. It represents a Virtual Network at manages its
|
||||
* leases. One lease is formed by one IP and one MAC address.
|
||||
* MAC address are derived from IP addresses.
|
||||
*/
|
||||
@ -70,7 +70,7 @@ public:
|
||||
/**
|
||||
* Adds Leases to the virtual network (Only implemented for FIXED networks)
|
||||
* @param leases template in the form LEASES = [IP=XX, MAC=XX].
|
||||
* MAC is optional. The template can only contain one LEASE
|
||||
* MAC is optional. The template can only contain one LEASE
|
||||
* definition.
|
||||
* @param error_msg If the action fails, this message contains the reason.
|
||||
* @return 0 on success
|
||||
@ -78,7 +78,7 @@ public:
|
||||
int add_leases(VirtualNetworkTemplate * leases, string& error_msg);
|
||||
|
||||
/**
|
||||
* Removes Leases from the virtual network; if they are not used.(Only
|
||||
* Removes Leases from the virtual network; if they are not used.(Only
|
||||
* implemented for FIXED networks)
|
||||
* @param leases template in the form LEASES = [IP=XX].
|
||||
* The template can only contain one LEASE definition.
|
||||
@ -146,7 +146,7 @@ public:
|
||||
};
|
||||
|
||||
/**
|
||||
* Check if a VM is the owner of the ip
|
||||
* Check if a VM is the owner of the ip
|
||||
* @param ip of the lease to be checked
|
||||
* @param vid the ID of the VM
|
||||
* @return true if the ip was already assigned
|
||||
@ -216,7 +216,7 @@ private:
|
||||
* Name of the physical device the bridge should be attached to
|
||||
*/
|
||||
string phydev;
|
||||
|
||||
|
||||
/**
|
||||
* VLAN ID of the NIC
|
||||
*/
|
||||
@ -326,8 +326,8 @@ private:
|
||||
* Reads the Virtual Network (identified with its OID) from the database.
|
||||
* @param db pointer to the db
|
||||
* @param name of the network
|
||||
* @param uid of the owner
|
||||
*
|
||||
* @param uid of the owner
|
||||
*
|
||||
* @return 0 on success
|
||||
*/
|
||||
int select(SqlDB * db, const string& name, int uid);
|
||||
|
@ -17,7 +17,7 @@
|
||||
#include "AclRule.h"
|
||||
#include "AuthRequest.h"
|
||||
#include "PoolObjectSQL.h"
|
||||
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
@ -50,6 +50,11 @@ const AuthRequest::Operation AclRule::auth_operations[] = {
|
||||
AuthRequest::CREATE
|
||||
};
|
||||
|
||||
const long long AclRule::INVALID_CLUSTER_OBJECTS =
|
||||
PoolObjectSQL::VM | PoolObjectSQL::IMAGE | PoolObjectSQL::USER |
|
||||
PoolObjectSQL::TEMPLATE | PoolObjectSQL::GROUP | PoolObjectSQL::ACL |
|
||||
PoolObjectSQL::CLUSTER | PoolObjectSQL::DOCUMENT;
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
@ -57,6 +62,7 @@ bool AclRule::malformed(string& error_str) const
|
||||
{
|
||||
ostringstream oss;
|
||||
bool error = false;
|
||||
long long resource_type;
|
||||
|
||||
// Check user
|
||||
|
||||
@ -139,6 +145,22 @@ bool AclRule::malformed(string& error_str) const
|
||||
<< "and ALL (*) bits are exclusive";
|
||||
}
|
||||
|
||||
resource_type = resource_code() & 0xFFFFFFF000000000LL;
|
||||
|
||||
if ((resource & CLUSTER_ID) && (resource_type & INVALID_CLUSTER_OBJECTS))
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[resource] CLUSTER(%) selector can be applied only to "
|
||||
<< PoolObjectSQL::type_to_str(PoolObjectSQL::DATASTORE) << ", "
|
||||
<< PoolObjectSQL::type_to_str(PoolObjectSQL::HOST) << " and "
|
||||
<< PoolObjectSQL::type_to_str(PoolObjectSQL::NET) << " types";
|
||||
}
|
||||
|
||||
if ( (resource & 0xF00000000LL) == 0 )
|
||||
{
|
||||
if ( error )
|
||||
@ -290,7 +312,7 @@ void AclRule::build_str()
|
||||
{
|
||||
oss << "??";
|
||||
}
|
||||
|
||||
|
||||
oss << " ";
|
||||
|
||||
prefix = false;
|
||||
@ -348,7 +370,7 @@ int AclRule::from_xml(xmlNodePtr node)
|
||||
break;
|
||||
}
|
||||
|
||||
xmlNodePtr elem = acl->children;
|
||||
xmlNodePtr elem = acl->children;
|
||||
|
||||
if ( elem->type != XML_TEXT_NODE )
|
||||
{
|
||||
|
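Review bot: The check at `if ((resource & CLUSTER_ID) && (resource_type & INVALID_CLUSTER_OBJECTS))` is a deny-list, so any PoolObjectSQL type not enumerated in INVALID_CLUSTER_OBJECTS (including one added later) is accepted with the `%` selector, while the error message right below it names exactly three permitted types. An allow-list fails closed and keeps the rule and the message in one place: `static const long long VALID_CLUSTER_OBJECTS = PoolObjectSQL::DATASTORE | PoolObjectSQL::HOST | PoolObjectSQL::NET;` with `if ((resource & CLUSTER_ID) && (resource_type & ~VALID_CLUSTER_OBJECTS))`. Separately, `resource_type` is declared uninitialized at the top of malformed() and assigned only at this check; `const long long resource_type = resource_code() & 0xFFFFFFF000000000LL;` at first use keeps the mask next to its only consumer. The mask itself is a magic number: it keeps bits 36 and up, apparently the object-type field above the four selector bits that `(resource & 0xF00000000LL) == 0` tests afterwards, and deserves a named constant or a one-line comment saying so. malformed() begins and ends outside the visible hunks.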
@ -22,7 +22,7 @@ module OpenNebula
|
||||
# USER -> #<num>
|
||||
# @<num>
|
||||
# ALL
|
||||
# RESOURCE -> + separated list and "/{#,@}<num>|ALL"
|
||||
# RESOURCE -> + separated list and "/{#,@,%}<num>|ALL"
|
||||
# VM,
|
||||
# HOST
|
||||
# NET
|
||||
|
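Review bot: The help comment now lists `%` as a resource selector but gives no hint that the server accepts it only for DATASTORE, HOST and NET, which is the check this commit adds to AclRule::malformed(); a trailing remark such as `# (% only valid for DATASTORE, HOST and NET)` would spare CLI users a round trip to the error message. The enclosing comment block continues outside the hunk.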