From 58cc44b955f97c57116a88106bbff33cf9a66e3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Mart=C3=ADn?=
Date: Fri, 6 Mar 2015 17:35:10 +0100
Subject: [PATCH 1/2] Bug #3659: Restricted VM attr apply to the VM Template also

---
 include/RequestManagerAllocate.h   |  4 +++
 src/rm/RequestManagerAllocate.cc   | 40 ++++++++++++++++++++++++++++++
 src/rm/RequestManagerVMTemplate.cc | 18 --------------
 3 files changed, 44 insertions(+), 18 deletions(-)

diff --git a/include/RequestManagerAllocate.h b/include/RequestManagerAllocate.h
index 5dd342c0af..67f8c84115 100644
--- a/include/RequestManagerAllocate.h
+++ b/include/RequestManagerAllocate.h
@@ -251,6 +251,10 @@ public:
                       int&                        id,
                       string&                     error_str,
                       RequestAttributes&          att);
+
+    bool allocate_authorization(Template * obj_template,
+                                RequestAttributes& att,
+                                PoolObjectAuth * cluster_perms);
 };
 
 /* ------------------------------------------------------------------------- */
diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc
index dbd5960c41..4830f8f2e3 100644
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
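Review bot: The added `allocate_authorization` declaration in `TemplateAllocate` has no `virtual` keyword and no comment, so nothing in the header says whether it replaces a base-class authorization hook or is an unrelated new member; the enclosing class begins outside the hunk and the base declaration is not visible here. If it is meant as an override, a parameter mismatch with the base would silently leave the base implementation in force and the new restricted-attribute check would never run, so the intent is worth making explicit: `virtual bool allocate_authorization(Template * obj_template,` (with `override` if the build is C++11) plus a one-line comment such as `// Rejects VM templates that use restricted attributes unless the requester is oneadmin or in the oneadmin group`.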
@@ -525,6 +525,46 @@ int TemplateAllocate::pool_allocate(
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
+bool TemplateAllocate::allocate_authorization(
+        Template *          tmpl,
+        RequestAttributes&  att,
+        PoolObjectAuth *    cluster_perms)
+{
+    if ( att.uid == UserPool::ONEADMIN_ID )
+    {
+        return true;
+    }
+
+    AuthRequest ar(att.uid, att.group_ids);
+    string      t64;
+    string      aname;
+
+    VirtualMachineTemplate * ttmpl = static_cast(tmpl);
+
+    // ------------ Check template for restricted attributes -------------------
+
+    if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
+    {
+        if (ttmpl->check(aname))
+        {
+            ostringstream oss;
+
+            oss << "VM Template includes a restricted attribute " << aname;
+
+            failure_response(AUTHORIZATION,
+                    authorization_error(oss.str(), att),
+                    att);
+
+            return false;
+        }
+    }
+
+    return true;
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 int HostAllocate::pool_allocate(
         xmlrpc_c::paramList const&  paramList,
         Template *                  tmpl,
diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc
index 5d3e20573b..dcd354992b 100644
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
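Review bot: `TemplateAllocate::allocate_authorization` returns `true` for every non-admin request whose template carries no restricted attribute and never authorizes the create operation itself: `AuthRequest ar(att.uid, att.group_ids)` and `string t64` are declared and then unused, and `cluster_perms` is ignored. If the base-class method this one replaces (presumably `RequestManagerAllocate::allocate_authorization`, not shown in the diff) performs the ACL create check, this override removes that check for ordinary users of the template-allocate call, which would be an authorization regression rather than the tightening the commit intends; please confirm against the base implementation. The smallest fix is to fall through to the base after the restricted-attribute check, e.g. replace the final `return true;` with `return RequestManagerAllocate::allocate_authorization(tmpl, att, cluster_perms);`, or to issue the create authorization on `ar` explicitly and drop `t64` if nothing needs it. Separately, since the same check is deleted from `VMTemplateInstantiate::request_execute` later in this patch, templates that entered the pool through other paths (template update, templates created before this change) are no longer re-checked at instantiate time, so the update path should be confirmed to enforce restricted attributes as well.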
@@ -79,24 +79,6 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
 
     rtmpl->unlock();
 
-    // Check template for restricted attributes, only if owner is not oneadmin
-    if (perms.uid!=UserPool::ONEADMIN_ID && perms.gid!=GroupPool::ONEADMIN_ID)
-    {
-        if (tmpl->check(aname))
-        {
-            ostringstream oss;
-
-            oss << "VM Template includes a restricted attribute " << aname;
-
-            failure_response(AUTHORIZATION,
-                    authorization_error(oss.str(), att),
-                    att);
-
-            delete tmpl;
-            return;
-        }
-    }
-
     // Parse & merge user attributes (check if the request user is not oneadmin)
     if (!str_uattrs.empty())
     {

From 0cdb1bba32c174a395da2aad047698590633cf3c Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Sun, 8 Mar 2015 21:36:20 +0100
Subject: [PATCH 2/2] bug #3659: Advance GROUP_ADMIN comparison

---
 src/rm/RequestManagerAllocate.cc       | 20 ++++++++------------
 src/rm/RequestManagerUpdateTemplate.cc |  4 ++--
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc
index 4830f8f2e3..6e6fd3af84 100644
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
@@ -530,7 +530,7 @@ bool TemplateAllocate::allocate_authorization(
         RequestAttributes&  att,
         PoolObjectAuth *    cluster_perms)
 {
-    if ( att.uid == UserPool::ONEADMIN_ID )
+    if ( att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID )
     {
         return true;
     }
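Review bot: The widened early return in `allocate_authorization` now exempts every member of the oneadmin group, not only the oneadmin user, from the restricted-attribute check that follows, and nothing in the hunk records that this is the intended policy rather than a shortcut. A one-line comment on the condition would keep the next reader from "fixing" it: `// oneadmin and members of the oneadmin group may use restricted attributes`. Because this `return true` also skips everything below it, any authorization step added to this method later will not apply to these users either; if that is intended, the same comment should say so.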
@@ -542,21 +542,17 @@ bool TemplateAllocate::allocate_authorization(
     VirtualMachineTemplate * ttmpl = static_cast(tmpl);
 
     // ------------ Check template for restricted attributes -------------------
-
-    if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
+    if (ttmpl->check(aname))
     {
-        if (ttmpl->check(aname))
-        {
-            ostringstream oss;
+        ostringstream oss;
 
-            oss << "VM Template includes a restricted attribute " << aname;
+        oss << "VM Template includes a restricted attribute " << aname;
 
-            failure_response(AUTHORIZATION,
-                    authorization_error(oss.str(), att),
-                    att);
+        failure_response(AUTHORIZATION,
+                authorization_error(oss.str(), att),
+                att);
 
-            return false;
-        }
+        return false;
     }
 
     return true;
diff --git a/src/rm/RequestManagerUpdateTemplate.cc b/src/rm/RequestManagerUpdateTemplate.cc
index a4a6a0f67d..7e6c4eb9aa 100644
--- a/src/rm/RequestManagerUpdateTemplate.cc
+++ b/src/rm/RequestManagerUpdateTemplate.cc
@@ -95,8 +95,8 @@ void RequestManagerUpdateTemplate::request_execute(
     object = pool->get(oid,true);
 
-    if ( object == 0 )
-    {
+    if ( object == 0 )
+    {
         failure_response(NO_EXISTS,
                 get_error(object_name(auth_object),oid),
                 att);
 
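Review bot: After this restructure the restricted-attribute check reads cleanly, but `ar` and `t64`, declared a few lines above the hunk (outside it), are still never used and `cluster_perms` is still ignored, which suggests the create-authorization step that would consume them is missing rather than that they are leftovers; either use them for that step or delete them so that an unused-variable warning does not keep masking a real omission. The `static_cast` of `tmpl` to `VirtualMachineTemplate *` on the first line of the hunk (its template argument appears to have been dropped in this rendering) is an unchecked downcast, so a precondition comment such as `// precondition: tmpl is the VirtualMachineTemplate parsed for this request` would document why it is safe — please confirm that is the only call path.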