diff --git a/include/RequestManagerAllocate.h b/include/RequestManagerAllocate.h index 5dd342c0af..67f8c84115 100644 --- a/include/RequestManagerAllocate.h +++ b/include/RequestManagerAllocate.h @@ -251,6 +251,10 @@ public: int& id, string& error_str, RequestAttributes& att); + + bool allocate_authorization(Template * obj_template, + RequestAttributes& att, + PoolObjectAuth * cluster_perms); }; /* ------------------------------------------------------------------------- */ diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc index dbd5960c41..6e6fd3af84 100644 --- a/src/rm/RequestManagerAllocate.cc +++ b/src/rm/RequestManagerAllocate.cc @@ -525,6 +525,42 @@ int TemplateAllocate::pool_allocate( /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ +bool TemplateAllocate::allocate_authorization( + Template * tmpl, + RequestAttributes& att, + PoolObjectAuth * cluster_perms) +{ + if ( att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID ) + { + return true; + } + + AuthRequest ar(att.uid, att.group_ids); + string t64; + string aname; + + VirtualMachineTemplate * ttmpl = static_cast(tmpl); + + // ------------ Check template for restricted attributes ------------------- + if (ttmpl->check(aname)) + { + ostringstream oss; + + oss << "VM Template includes a restricted attribute " << aname; + + failure_response(AUTHORIZATION, + authorization_error(oss.str(), att), + att); + + return false; + } + + return true; +} + +/* -------------------------------------------------------------------------- */ +/* -------------------------------------------------------------------------- */ + int HostAllocate::pool_allocate( xmlrpc_c::paramList const& paramList, Template * tmpl, diff --git a/src/rm/RequestManagerUpdateTemplate.cc b/src/rm/RequestManagerUpdateTemplate.cc index a4a6a0f67d..7e6c4eb9aa 100644 
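Review bot: The new `allocate_authorization` declaration has no comment and names its first parameter `obj_template`, while the definition in RequestManagerAllocate.cc calls it `tmpl`. Use one name in both places and add a short comment above the declaration, for example `// Rejects templates with restricted attributes unless the requester is oneadmin or in the oneadmin group; sends the failure response and returns false on rejection.` The comment should also say that `cluster_perms` is not consulted, since the visible definition never reads it.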
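Review bot: The restricted-attribute check in `TemplateAllocate::allocate_authorization` is keyed on the requesting user (`att.uid` / `att.gid`) at allocation time, whereas the check this commit removes from `VMTemplateInstantiate::request_execute` was keyed on the template owner (`perms.uid` / `perms.gid`) at instantiate time. Templates that already exist, or whose contents or ownership change after allocation, are therefore no longer re-validated when instantiated. The only change to RequestManagerUpdateTemplate.cc visible here is whitespace, so unless the update path enforces `check(aname)` elsewhere, a restricted attribute could be added after this gate. I would keep the instantiate-time check as defence in depth, or confirm that every path that writes a VM template runs the same check. Separately, `AuthRequest ar(att.uid, att.group_ids);`, `string t64;` and the `cluster_perms` parameter are never used in this body and can be dropped, and the `static_cast` downcast of `tmpl` is unchecked.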
--- a/src/rm/RequestManagerUpdateTemplate.cc +++ b/src/rm/RequestManagerUpdateTemplate.cc @@ -95,8 +95,8 @@ void RequestManagerUpdateTemplate::request_execute( object = pool->get(oid,true); - if ( object == 0 ) - { + if ( object == 0 ) + { failure_response(NO_EXISTS, get_error(object_name(auth_object),oid), att); diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc index 5d3e20573b..dcd354992b 100644 --- a/src/rm/RequestManagerVMTemplate.cc +++ b/src/rm/RequestManagerVMTemplate.cc @@ -79,24 +79,6 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList rtmpl->unlock(); - // Check template for restricted attributes, only if owner is not oneadmin - if (perms.uid!=UserPool::ONEADMIN_ID && perms.gid!=GroupPool::ONEADMIN_ID) - { - if (tmpl->check(aname)) - { - ostringstream oss; - - oss << "VM Template includes a restricted attribute " << aname; - - failure_response(AUTHORIZATION, - authorization_error(oss.str(), att), - att); - - delete tmpl; - return; - } - } - // Parse & merge user attributes (check if the request user is not oneadmin) if (!str_uattrs.empty()) {