Bug #4094: Check DS permissions for scheduler authorization

src/scheduler/include/DatastoreXML.h

@@ -19,6 +19,7 @@
 #define DATASTORE_XML_H_
 
 #include "ObjectXML.h"
+#include "PoolObjectAuth.h"
 
 using namespace std;
 
@@ -92,12 +93,33 @@ public:
         return monitored;
     };
 
+    /**
+     *  Fills a auth class to perform an authZ/authN request based on the object
+     *  attributes
+     *    @param auths to be filled
+     */
+    void get_permissions(PoolObjectAuth& auth);
 
 private:
 
     int oid;
     int cluster_id;
 
+    int uid;
+    int gid;
+
+    int owner_u;
+    int owner_m;
+    int owner_a;
+
+    int group_u;
+    int group_m;
+    int group_a;
+
+    int other_u;
+    int other_m;
+    int other_a;
+
     long long free_mb; /**< Free disk for VMs (in MB). */
 
     bool monitored;

src/scheduler/src/pool/DatastoreXML.cc

@@ -37,6 +37,22 @@ void DatastoreXML::init_attributes()
 {
     xpath(oid,        "/DATASTORE/ID",          -1);
     xpath(cluster_id, "/DATASTORE/CLUSTER_ID",  -1);
+
+    xpath(uid,      "/DATASTORE/UID",  -1);
+    xpath(gid,      "/DATASTORE/GID",  -1);
+
+    xpath(owner_u, "/DATASTORE/PERMISSIONS/OWNER_U", 0);
+    xpath(owner_m, "/DATASTORE/PERMISSIONS/OWNER_M", 0);
+    xpath(owner_a, "/DATASTORE/PERMISSIONS/OWNER_A", 0);
+
+    xpath(group_u, "/DATASTORE/PERMISSIONS/GROUP_U", 0);
+    xpath(group_m, "/DATASTORE/PERMISSIONS/GROUP_M", 0);
+    xpath(group_a, "/DATASTORE/PERMISSIONS/GROUP_A", 0);
+
+    xpath(other_u, "/DATASTORE/PERMISSIONS/OTHER_U", 0);
+    xpath(other_m, "/DATASTORE/PERMISSIONS/OTHER_M", 0);
+    xpath(other_a, "/DATASTORE/PERMISSIONS/OTHER_A", 0);
+
     xpath(free_mb,    "/DATASTORE/FREE_MB",     0);
 
     long long total_mb, used_mb, limit_mb;
@@ -101,3 +117,25 @@ bool DatastoreXML::test_capacity(long long vm_disk_mb, string & error) const
 
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
+
+void DatastoreXML::get_permissions(PoolObjectAuth& auth)
+{
+    auth.obj_type = PoolObjectSQL::DATASTORE;
+
+    auth.oid = oid;
+    auth.uid = uid;
+    auth.gid = gid;
+    auth.cid = cluster_id;
+
+    auth.owner_u = owner_u;
+    auth.owner_m = owner_m;
+    auth.owner_a = owner_a;
+
+    auth.group_u = group_u;
+    auth.group_m = group_m;
+    auth.group_a = group_a;
+
+    auth.other_u = other_u;
+    auth.other_m = other_m;
+    auth.other_a = other_a;
+}

src/scheduler/src/sched/Scheduler.cc

@@ -635,9 +635,7 @@ static bool match_system_ds(AclXML * acls, VirtualMachineXML* vm, long long vdis
     {
         PoolObjectAuth dsperms;
 
-        dsperms.oid      = ds->get_oid();
-        dsperms.cid      = ds->get_cid();
-        dsperms.obj_type = PoolObjectSQL::DATASTORE;
+        ds->get_permissions(dsperms);
 
         // Only include the VM group ID