F #4845: Get permissions for vm operations from configuration in

RequestManager

include/Nebula.h

@@ -457,6 +457,15 @@ public:
         return get_conf_attribute("AUTH_MAD_CONF", driver, attribute, value);
     };
 
+    /**
+     *  Return the Authorization operation for a VM action
+     *
+     */
+    AuthRequest::Operation get_vm_auth_op(History::VMAction action)
+    {
+        return nebula_configuration->get_vm_auth_op(action);
+    }
+
     /**
      *  Gets an XML document with all of the configuration attributes
      *    @return the XML

include/NebulaTemplate.h

@@ -19,6 +19,7 @@
 
 #include "Template.h"
 #include "ActionSet.h"
+#include "AuthRequest.h"
 #include "History.h"
 
 #include <map>
@@ -88,6 +89,12 @@ public:
      */
     virtual int load_configuration();
 
+    /**
+     *  @param  action
+     *  @return authorization operation configured for the given VM action
+     */
+    AuthRequest::Operation get_vm_auth_op(History::VMAction action);
+
 private:
     /**
      *  Name for the configuration file, oned.conf

include/RequestManagerVirtualMachine.h

@@ -38,7 +38,7 @@ protected:
         pool        = nd.get_vmpool();
 
         auth_object = PoolObjectSQL::VM;
-        auth_op = AuthRequest::MANAGE;
+        auth_op     = AuthRequest::MANAGE;
     };
 
     ~RequestManagerVirtualMachine(){};
@@ -135,7 +135,7 @@ public:
                                      "Deploys a virtual machine",
                                      "A:siibi")
     {
-         auth_op = AuthRequest::ADMIN;
+        auth_op = Nebula::instance().get_vm_auth_op(History::DEPLOY_ACTION);
     };
 
     ~VirtualMachineDeploy(){};
@@ -153,9 +153,8 @@ public:
     VirtualMachineMigrate():
         RequestManagerVirtualMachine("VirtualMachineMigrate",
                                      "Migrates a virtual machine",
-                                     "A:siibbi")
-    {
-         auth_op = AuthRequest::ADMIN;
+                                     "A:siibbi"){
+        auth_op = Nebula::instance().get_vm_auth_op(History::MIGRATE_ACTION);
     };
 
     ~VirtualMachineMigrate(){};
@@ -173,7 +172,9 @@ public:
     VirtualMachineDiskSaveas():
         RequestManagerVirtualMachine("VirtualMachineDiskSaveas",
                            "Save a disk from virtual machine as a new image",
-                           "A:siissi"){};
+                           "A:siissi"){
+        auth_op= Nebula::instance().get_vm_auth_op(History::DISK_SAVEAS_ACTION);
+    };
 
     ~VirtualMachineDiskSaveas(){};
 
@@ -191,8 +192,7 @@ public:
     VirtualMachineMonitoring():
         RequestManagerVirtualMachine("VirtualMachineMonitoring",
                 "Returns the virtual machine monitoring records",
-                "A:si")
-    {
+                "A:si"){
         auth_op = AuthRequest::USE;
     };
 
@@ -211,7 +211,9 @@ public:
     VirtualMachineAttach():
         RequestManagerVirtualMachine("VirtualMachineAttach",
                            "Attaches a new disk to the virtual machine",
-                           "A:sis"){};
+                           "A:sis"){
+        auth_op= Nebula::instance().get_vm_auth_op(History::DISK_ATTACH_ACTION);
+    };
 
     ~VirtualMachineAttach(){};
 
@@ -228,7 +230,10 @@ public:
     VirtualMachineDetach():
         RequestManagerVirtualMachine("VirtualMachineDetach",
                            "Detaches a disk from a virtual machine",
-                           "A:sii"){};
+                           "A:sii"){
+        //Attach & detach are set to the same auth op in OpenNebulaTemplate
+        auth_op= Nebula::instance().get_vm_auth_op(History::DISK_DETACH_ACTION);
+    };
 
     ~VirtualMachineDetach(){};
 
@@ -245,7 +250,9 @@ public:
     VirtualMachineAttachNic():
         RequestManagerVirtualMachine("VirtualMachineAttachNic",
                            "Attaches a new NIC to the virtual machine",
-                           "A:sis"){};
+                           "A:sis"){
+        auth_op = Nebula::instance().get_vm_auth_op(History::NIC_ATTACH_ACTION);
+    };
 
     ~VirtualMachineAttachNic(){};
 
@@ -274,7 +281,10 @@ public:
     VirtualMachineDetachNic():
         RequestManagerVirtualMachine("VirtualMachineDetachNic",
                            "Detaches a NIC from a virtual machine",
-                           "A:sii"){};
+                           "A:sii"){
+        //Attach & detach are set to the same auth op in OpenNebulaTemplate
+        auth_op = Nebula::instance().get_vm_auth_op(History::NIC_DETACH_ACTION);
+    };
 
     ~VirtualMachineDetachNic(){};
 
@@ -300,7 +310,10 @@ public:
     VirtualMachineResize():
         RequestManagerVirtualMachine("VirtualMachineResize",
                            "Changes the capacity of the virtual machine",
-                           "A:sisb"){};
+                           "A:sisb"){
+        auth_op = Nebula::instance().get_vm_auth_op(History::RESIZE_ACTION);
+    };
+
     ~VirtualMachineResize(){};
 
     void request_execute(xmlrpc_c::paramList const& _paramList,
@@ -316,7 +329,12 @@ public:
     VirtualMachineSnapshotCreate():
         RequestManagerVirtualMachine("VirtualMachineSnapshotCreate",
                            "Creates a new virtual machine snapshot",
-                           "A:sis"){};
+                           "A:sis"){
+        Nebula& nd = Nebula::instance();
+
+        //All VM snapshot operations are set to the same auth value
+        auth_op    = nd.get_vm_auth_op(History::SNAPSHOT_CREATE_ACTION);
+    };
 
     ~VirtualMachineSnapshotCreate(){};
 
@@ -333,7 +351,12 @@ public:
     VirtualMachineSnapshotRevert():
         RequestManagerVirtualMachine("VirtualMachineSnapshotRevert",
                            "Reverts a virtual machine to a snapshot",
-                           "A:sii"){};
+                           "A:sii"){
+        Nebula& nd = Nebula::instance();
+
+        //All VM snapshot operations are set to the same auth value
+        auth_op    = nd.get_vm_auth_op(History::SNAPSHOT_REVERT_ACTION);
+    };
 
     ~VirtualMachineSnapshotRevert(){};
 
@@ -350,7 +373,12 @@ public:
     VirtualMachineSnapshotDelete():
         RequestManagerVirtualMachine("VirtualMachineSnapshotDelete",
                            "Deletes a virtual machine snapshot",
-                           "A:sii"){};
+                           "A:sii"){
+        Nebula& nd = Nebula::instance();
+
+        //All VM snapshot operations are set to the same auth value
+        auth_op    = nd.get_vm_auth_op(History::SNAPSHOT_DELETE_ACTION);
+    };
 
     ~VirtualMachineSnapshotDelete(){};
 
@@ -367,11 +395,7 @@ public:
     VirtualMachineRecover():
         RequestManagerVirtualMachine("VirtualMachineRecover",
                                      "Recovers a virtual machine",
-                                     "A:sii")
-    {
-         auth_op = AuthRequest::ADMIN;
-    };
-
+                                     "A:sii"){};
     ~VirtualMachineRecover(){};
 
     void request_execute(xmlrpc_c::paramList const& _paramList,
@@ -387,11 +411,12 @@ public:
 
     VirtualMachinePoolCalculateShowback():
         RequestManagerVirtualMachine("VirtualMachinePoolCalculateShowback",
-                                     "Processes all the history records, and stores the monthly cost for each VM",
-                                     "A:sii")
+            "Processes all the history records, and stores the monthly cost"
+            " for each VM", "A:sii")
     {
         Nebula& nd  = Nebula::instance();
         pool        = nd.get_vmpool();
+
         auth_object = PoolObjectSQL::VM;
     };
 
@@ -415,6 +440,9 @@ public:
                            "A:siis"){
         Nebula& nd  = Nebula::instance();
         ipool       = nd.get_ipool();
+
+        //All VM disk snapshot operations are set to the same auth value
+        auth_op = nd.get_vm_auth_op(History::DISK_SNAPSHOT_CREATE_ACTION);
     };
 
     ~VirtualMachineDiskSnapshotCreate(){};
@@ -435,7 +463,12 @@ public:
     VirtualMachineDiskSnapshotRevert():
         RequestManagerVirtualMachine("VirtualMachineDiskSnapshotRevert",
                            "Reverts disk state to a snapshot",
-                           "A:siii"){};
+                           "A:siii"){
+        Nebula& nd = Nebula::instance();
+
+        //All VM disk snapshot operations are set to the same auth value
+        auth_op = nd.get_vm_auth_op(History::DISK_SNAPSHOT_REVERT_ACTION);
+    };
 
     ~VirtualMachineDiskSnapshotRevert(){};
 
@@ -455,6 +488,9 @@ public:
                            "A:siii"){
         Nebula& nd  = Nebula::instance();
         ipool       = nd.get_ipool();
+
+        //All VM disk snapshot operations are set to the same auth value
+        auth_op = nd.get_vm_auth_op(History::DISK_SNAPSHOT_DELETE_ACTION);
     };
 
     ~VirtualMachineDiskSnapshotDelete(){};
@@ -475,7 +511,9 @@ public:
     VirtualMachineUpdateConf():
         RequestManagerVirtualMachine("VirtualMachineUpdateConf",
                            "Updates several configuration attributes of a VM",
-                           "A:sis"){};
+                           "A:sis"){
+        auth_op = Nebula::instance().get_vm_auth_op(History::UPDATECONF_ACTION);
+    };
 
     ~VirtualMachineUpdateConf(){};
 
@@ -493,8 +531,10 @@ public:
         RequestManagerVirtualMachine("VirtualMachineDiskResize",
                            "Resizes a disk from a virtual machine",
                            "A:siis"){
-        Nebula& nd  = Nebula::instance();
-        ipool       = nd.get_ipool();
+        Nebula& nd = Nebula::instance();
+        ipool      = nd.get_ipool();
+
+        auth_op = nd.get_vm_auth_op(History::DISK_RESIZE_ACTION);
     };
 
     ~VirtualMachineDiskResize(){};

src/nebula/NebulaTemplate.cc

@@ -791,4 +791,26 @@ error_op:
     return -1;
 }
 
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
 
+AuthRequest::Operation OpenNebulaTemplate::get_vm_auth_op(History::VMAction ac)
+{
+    if ( vm_admin_actions.is_set(ac) )
+    {
+        return AuthRequest::ADMIN;
+    }
+    else if ( vm_manage_actions.is_set(ac) )
+    {
+        return AuthRequest::MANAGE;
+    }
+    else if ( vm_use_actions.is_set(ac) )
+    {
+        return AuthRequest::USE;
+    }
+    else
+    {
+        return AuthRequest::MANAGE;
+    }
+
+}

src/rm/RequestManagerVirtualMachine.cc

@@ -489,7 +489,7 @@ void VirtualMachineAction::request_execute(xmlrpc_c::paramList const& paramList,
     ostringstream oss;
     string error;
 
-    AuthRequest::Operation op = auth_op;
+    AuthRequest::Operation op;
     History::VMAction action;
 
     VirtualMachine * vm;
@@ -506,10 +506,7 @@ void VirtualMachineAction::request_execute(xmlrpc_c::paramList const& paramList,
 
     History::action_from_str(action_st, action);
 
-    if (action == History::RESCHED_ACTION || action == History::UNRESCHED_ACTION)
-    {
-        op = AuthRequest::ADMIN;
-    }
+    op = nd.get_vm_auth_op(action);
 
     if ( vm_authorization(id, 0, 0, att, 0, 0, 0, op) == false )
     {
@@ -2436,9 +2433,34 @@ void VirtualMachineRecover::request_execute(
     int    rc;
     string error;
 
-    DispatchManager * dm = Nebula::instance().get_dm();
+    Nebula& nd           = Nebula::instance();
+    DispatchManager * dm = nd.get_dm();
 
-    if ( vm_authorization(id, 0, 0, att, 0, 0, 0, auth_op) == false )
+    AuthRequest::Operation aop;
+
+    switch (op)
+    {
+        case 0: //recover-failure
+        case 1: //recover-success
+            aop = nd.get_vm_auth_op(History::RECOVER_ACTION);
+            break;
+
+        case 2: //retry
+            aop = nd.get_vm_auth_op(History::RETRY_ACTION);
+            break;
+
+        case 3: //delete
+        case 4: //delete-recreate set same as delete in OpenNebulaTemplate
+            aop = nd.get_vm_auth_op(History::DELETE_ACTION);
+            break;
+
+        default:
+            att.resp_msg = "Wrong recovery operation code";
+            failure_response(ACTION, att);
+            return;
+    }
+
+    if ( vm_authorization(id, 0, 0, att, 0, 0, 0, aop) == false )
     {
         return;
     }
@@ -2473,16 +2495,8 @@ void VirtualMachineRecover::request_execute(
         case 4: //delete-recreate
             rc = dm->delete_recreate(vm, error);
             break;
-
-        default:
-            att.resp_msg = "Wrong recovery operation code";
-            failure_response(ACTION, att);
-
-            vm->unlock();
-            return;
     }
 
-
     if ( rc == 0 )
     {
         success_response(id, att);