
Feature #4215: Implement auth & quotas for all VR actions

Carlos Martín 2016-02-01 17:07:04 +01:00
parent da39b2f424
commit 68a0184ed2
13 changed files with 166 additions and 36 deletions


@ -49,7 +49,7 @@ public:
* @param error string
* @return true if the operation can be performed
*/
virtual bool check(Template* tmpl, Quotas& default_quotas, string& error) = 0;
//virtual bool check(Template* tmpl, Quotas& default_quotas, string& error) = 0;
/**
* Check if a resource update in usage counters will exceed the
@ -69,7 +69,7 @@ public:
* Decrement usage counters when deallocating image
* @param tmpl template for the resource
*/
virtual void del(Template* tmpl) = 0;
//virtual void del(Template* tmpl) = 0;
/**
* Returns the name that identifies the quota in a template
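Review bot: The two pure virtuals `check` and `del` are commented out rather than removed, which leaves dead code in the base interface. If the base class no longer mandates them because the QuotaNetwork overloads in this commit now take an object type, delete the two commented lines and, if a shared contract is still intended, say so on the class with a comment like `// Subclasses provide their own check()/del() overloads; the argument lists differ per quota type`. A commented-out virtual tends to be read later as an override that was meant to come back.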


@ -18,6 +18,7 @@
#define QUOTA_NETWORK_H_
#include "Quota.h"
#include "PoolObjectSQL.h"
/**
* DataStore Quotas, defined as:
@ -47,18 +48,21 @@ public:
/**
* Check if the resource allocation will exceed the quota limits. If not
* the usage counters are updated
* @param otype object type, VM or VRouter
* @param tmpl template for the resource
* @param default_quotas Quotas that contain the default limits
* @param error string
* @return true if the operation can be performed
*/
bool check(Template* tmpl, Quotas& default_quotas, string& error);
bool check(PoolObjectSQL::ObjectType otype, Template* tmpl,
Quotas& default_quotas, string& error);
/**
* Decrement usage counters when deallocating image
* @param otype object type, VM or VRouter
* @param tmpl template for the resource
*/
void del(Template* tmpl);
void del(PoolObjectSQL::ObjectType otype, Template* tmpl);
protected:


@ -35,7 +35,8 @@ public:
VM, /**< Checks VM usage (MEMORY, CPU and VMS) */
NETWORK, /**< Checks Network usage (leases) */
IMAGE, /**< Checks Image usage (RVMs using it) */
VIRTUALMACHINE /**< Checks all VM associated resources VM, NETWORK, IMAGE */
VIRTUALMACHINE, /**< Checks all VM associated resources VM, NETWORK, IMAGE */
VIRTUALROUTER /**< Checks the Virtual Router NETWORK usage (leases) */
};
/**
@ -69,17 +70,6 @@ public:
return datastore_quota.get_quota(id, va);
}
/**
* Delete VM related usage (network, image and compute) from quota counters.
* @param tmpl template for the image, with usage
*/
void vm_del(Template * tmpl)
{
network_quota.del(tmpl);
vm_quota.del(tmpl);
image_quota.del(tmpl);
}
/**
* Gets a VM quota identified by its ID.
*


@ -601,6 +601,10 @@ public:
Template * tmpl,
int& id,
RequestAttributes& att);
bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
};
/* -------------------------------------------------------------------------- */
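Review bot: The new `allocate_authorization` declaration carries no doc comment, unlike the other declarations this commit adds in headers such as VirtualRouter.h. Add a Doxygen block above it along the lines of `/** Authorizes the creation of a Virtual Router (rights on its networks) and checks the VIRTUALROUTER quota. @return true if the request may proceed */`. If it is meant to override a base-class virtual, marking it as such in the declaration would make that explicit.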


@ -125,7 +125,11 @@ public:
* @param nic the nic to be authorized
* @param ar the AuthRequest
*/
void authorize_nic(VectorAttribute * nic, int uid, AuthRequest * ar);
void authorize_nic(
PoolObjectSQL::ObjectType ot,
VectorAttribute * nic,
int uid,
AuthRequest * ar);
/**
* Bootstraps the database table(s) associated to the VirtualNetwork pool
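Review bot: The Doxygen block above `authorize_nic` still documents only `nic` and `ar`, so the new `ot` parameter is undocumented even though it decides which right is requested. Add `* @param ot type of the object the NIC belongs to (VM or VROUTER); selects the right requested on the network` — the implementation in this commit requests USE for VM and MANAGE otherwise. Stating that here makes it less likely a future caller passes VM by habit and gets the weaker check.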


@ -21,6 +21,7 @@
#include "Template.h"
#include "ObjectCollection.h"
#include "VirtualMachineTemplate.h"
#include "AuthRequest.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -94,6 +95,21 @@ public:
*/
int detach_nic(int nic_id);
// ------------------------------------------------------------------------
// Authorization related functions
// ------------------------------------------------------------------------
/**
* Sets an authorization request for a Virtual Router template based on
* the networks used
* @param uid for template owner
* @param ar the AuthRequest object
* @param tmpl the virtual router template
*/
static void set_auth_request(int uid,
AuthRequest& ar,
Template *tmpl);
private:
// -------------------------------------------------------------------------
// Friends


@ -754,3 +754,43 @@ int VirtualRouterAllocate::pool_allocate(
return vrpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask,
tmpl, &id, att.resp_msg);
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool VirtualRouterAllocate::allocate_authorization(
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
// ------------------ Authorize create operation ------------------------
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl->to_xml(tmpl_str));
VirtualRouter::set_auth_request(att.uid, ar, tmpl);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return false;
}
// -------------------------- Check Quotas ----------------------------
if (quota_authorization(tmpl, Quotas::VIRTUALROUTER, att, att.resp_msg) == false)
{
return AUTHORIZATION;
}
return true;
}
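Review bot: The quota failure branch returns `AUTHORIZATION` from a function declared `bool`, so unless that enumerator happens to be zero the caller sees `true` after the quota check has already failed, and a user could create virtual routers past their network quota. The line should be `return false;`, matching the authorization failure branch a few lines above. It is also worth confirming that `quota_authorization` emits the failure response itself on this path, since this function returns without calling `failure_response`; that helper is not in this hunk.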


@ -199,7 +199,7 @@ void VirtualRouterAttachNic::request_execute(
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
VirtualMachine::set_auth_request(att.uid, ar, &tmpl); // USE VNET
VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
if (UserPool::authorize(ar) == -1)
{
@ -211,7 +211,7 @@ void VirtualRouterAttachNic::request_execute(
RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att);
if ( quota_authorization(&tmpl, Quotas::NETWORK, att_quota) == false )
if ( quota_authorization(&tmpl, Quotas::VIRTUALROUTER, att_quota) == false )
{
return;
}
@ -223,7 +223,7 @@ void VirtualRouterAttachNic::request_execute(
if (vr == 0)
{
quota_rollback(&tmpl, Quotas::NETWORK, att_quota);
quota_rollback(&tmpl, Quotas::VIRTUALROUTER, att_quota);
att.resp_id = vrid;
failure_response(NO_EXISTS, att);
@ -240,7 +240,7 @@ void VirtualRouterAttachNic::request_execute(
if (nic == 0)
{
quota_rollback(&tmpl, Quotas::NETWORK, att_quota);
quota_rollback(&tmpl, Quotas::VIRTUALROUTER, att_quota);
failure_response(ACTION, att);
return;
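Review bot: The trailing comment `// USE VNET` on the new `VirtualRouter::set_auth_request` call is now misleading, because for a virtual router the `authorize_nic` change in this commit adds a MANAGE request on the network rather than USE. Change it to `// MANAGE VNET` so the comment describes what is actually checked. The enclosing `request_execute` begins before this hunk and continues after it.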


@ -27,13 +27,15 @@ const int QuotaNetwork::NUM_NET_METRICS = 1;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
bool QuotaNetwork::check(PoolObjectSQL::ObjectType otype, Template * tmpl,
Quotas& default_quotas, string& error)
{
vector<Attribute*> nics;
VectorAttribute * nic;
string net_id;
int num;
bool uses_lease;
map<string, float> net_request;
@ -52,7 +54,14 @@ bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
net_id = nic->vector_value("NETWORK_ID");
if ( !net_id.empty() )
uses_lease = true;
if ( otype == PoolObjectSQL::VROUTER )
{
nic->vector_value("FLOATING_IP", uses_lease);
}
if ( !net_id.empty() && uses_lease )
{
if ( !check_quota(net_id, net_request, default_quotas, error) )
{
@ -67,7 +76,7 @@ bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void QuotaNetwork::del(Template * tmpl)
void QuotaNetwork::del(PoolObjectSQL::ObjectType otype, Template * tmpl)
{
vector<Attribute*> nics;
@ -75,6 +84,7 @@ void QuotaNetwork::del(Template * tmpl)
string net_id;
int num;
bool uses_lease;
map<string, float> net_request;
@ -93,7 +103,17 @@ void QuotaNetwork::del(Template * tmpl)
net_id = nic->vector_value("NETWORK_ID");
del_quota(net_id, net_request);
uses_lease = true;
if ( otype == PoolObjectSQL::VROUTER )
{
nic->vector_value("FLOATING_IP", uses_lease);
}
if (uses_lease)
{
del_quota(net_id, net_request);
}
}
}
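Review bot: Whether a virtual-router NIC without a FLOATING_IP attribute consumes a lease depends on what `vector_value("FLOATING_IP", uses_lease)` does to `uses_lease` when the key is absent, which this hunk does not show; `uses_lease` is pre-set to true in both `check` and `del`, so if the helper leaves the out-parameter untouched on a miss every VR NIC is counted. Making the intent explicit removes the dependence on that contract: if only floating IPs are meant to count, add `uses_lease = false;` inside the VROUTER branch before the lookup, in both functions, with a comment saying so. Whatever rule is chosen, `check` and `del` must apply the same one or the lease counter drifts across attach/detach and drop.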


@ -150,7 +150,7 @@ void Quotas::quota_del(QuotaType type, Template *tmpl)
break;
case NETWORK:
network_quota.del(tmpl);
network_quota.del(PoolObjectSQL::VM, tmpl);
break;
case IMAGE:
@ -162,10 +162,14 @@ void Quotas::quota_del(QuotaType type, Template *tmpl)
break;
case VIRTUALMACHINE:
network_quota.del(tmpl);
network_quota.del(PoolObjectSQL::VM, tmpl);
vm_quota.del(tmpl);
image_quota.del(tmpl);
break;
case VIRTUALROUTER:
network_quota.del(PoolObjectSQL::VROUTER, tmpl);
break;
}
}
@ -183,7 +187,7 @@ bool Quotas::quota_check(QuotaType type,
return datastore_quota.check(tmpl, default_quotas, error_str);
case NETWORK:
return network_quota.check(tmpl, default_quotas, error_str);
return network_quota.check(PoolObjectSQL::VM, tmpl, default_quotas, error_str);
case IMAGE:
return image_quota.check(tmpl, default_quotas, error_str);
@ -192,25 +196,30 @@ bool Quotas::quota_check(QuotaType type,
return vm_quota.check(tmpl, default_quotas, error_str);
case VIRTUALMACHINE:
if ( network_quota.check(tmpl, default_quotas, error_str) == false )
if ( network_quota.check(PoolObjectSQL::VM,
tmpl, default_quotas, error_str) == false )
{
return false;
}
if ( vm_quota.check(tmpl, default_quotas, error_str) == false )
{
network_quota.del(tmpl);
network_quota.del(PoolObjectSQL::VM, tmpl);
return false;
}
if ( image_quota.check(tmpl, default_quotas, error_str) == false )
{
network_quota.del(tmpl);
network_quota.del(PoolObjectSQL::VM, tmpl);
vm_quota.del(tmpl);
return false;
}
return true;
case VIRTUALROUTER:
return network_quota.check(PoolObjectSQL::VROUTER,
tmpl, default_quotas, error_str);
}
return false;
@ -231,6 +240,7 @@ bool Quotas::quota_update(QuotaType type,
case NETWORK:
case IMAGE:
case VIRTUALMACHINE:
case VIRTUALROUTER:
error_str = "Cannot update quota. Not implemented";
return false;


@ -3991,7 +3991,7 @@ void VirtualMachine::set_auth_request(int uid,
continue;
}
vnpool->authorize_nic(vector,uid,&ar);
vnpool->authorize_nic(PoolObjectSQL::VM, vector, uid, &ar);
get_security_groups(vector, sgroups);


@ -301,9 +301,11 @@ int VirtualNetworkPool::nic_attribute(
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
int uid,
AuthRequest * ar)
void VirtualNetworkPool::authorize_nic(
PoolObjectSQL::ObjectType ot,
VectorAttribute * nic,
int uid,
AuthRequest * ar)
{
string network;
VirtualNetwork * vnet = 0;
@ -337,5 +339,12 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
vnet->unlock();
ar->add_auth(AuthRequest::USE, perm);
if (ot == PoolObjectSQL::VM)
{
ar->add_auth(AuthRequest::USE, perm);
}
else // (ot == PoolObjectSQL::VROUTER)
{
ar->add_auth(AuthRequest::MANAGE, perm);
}
}
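Review bot: The `else` branch of the new type switch in `authorize_nic` requests MANAGE for every object type other than VM, while its comment claims it is the VROUTER case; that is fail-closed, but the policy it encodes is undocumented. Add a comment above the branch such as `// A virtual router attaching to a network needs MANAGE on it, a VM only USE; any other type is held to the stricter right`, presumably because a router acts on the network rather than merely consuming a lease — worth confirming with the authors. If only VM and VROUTER are expected, testing `ot == PoolObjectSQL::VROUTER` explicitly and rejecting anything else would make a future mis-typed caller visible instead of silently stricter. The part of the function that fills `perm` from the locked vnet lies before this hunk.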


@ -129,6 +129,8 @@ int VirtualRouter::drop(SqlDB * db)
release_network_leases();
shutdown_vms();
Quotas::quota_del(Quotas::VIRTUALROUTER, uid, gid, obj_template);
}
return rc;
@ -610,6 +612,8 @@ VectorAttribute * VirtualRouter::attach_nic(
int VirtualRouter::detach_nic(int nic_id)
{
Template tmpl;
VectorAttribute * nic = get_nic(nic_id);
if (nic == 0)
@ -619,6 +623,13 @@ int VirtualRouter::detach_nic(int nic_id)
obj_template->remove(nic);
release_network_leases(nic);
// Update quotas
tmpl.set(nic);
Quotas::quota_del(Quotas::VIRTUALROUTER, uid, gid, &tmpl);
return 0;
}
@ -646,3 +657,25 @@ VectorAttribute* VirtualRouter::get_nic(int nic_id) const
return 0;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void VirtualRouter::set_auth_request(int uid,
AuthRequest& ar,
Template *tmpl)
{
vector<VectorAttribute* > nics;
vector<VectorAttribute* >::const_iterator nics_it;
Nebula& nd = Nebula::instance();
VirtualNetworkPool * vnpool = nd.get_vnpool();
tmpl->get("NIC", nics);
for (nics_it = nics.begin(); nics_it != nics.end(); nics_it++)
{
vnpool->authorize_nic(PoolObjectSQL::VROUTER, *nics_it, uid, &ar);
}
}
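Review bot: In `detach_nic` the NIC is removed from `obj_template` and then handed to a local `Template` via `tmpl.set(nic)`, which presumably transfers ownership so the attribute is freed when `tmpl` goes out of scope; that is not obvious from the three lines and deserves a comment such as `// tmpl takes ownership of nic and frees it at the end of this function`. If `Template::set` does not take ownership, the NIC leaks here, so the comment should be checked against Template before it is written. The `drop` hunk calls `quota_del` with the whole `obj_template`, which with the new VROUTER rule only releases leases that `check` counted, so it stays consistent as long as `QuotaNetwork::check` and `del` apply the same FLOATING_IP test.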