mirror of
https://github.com/OpenNebula/one.git
synced 2024-12-22 13:33:52 +03:00
Feature #4215: Implement auth & quotas for all VR actions
This commit is contained in:
parent
da39b2f424
commit
68a0184ed2
@ -49,7 +49,7 @@ public:
|
||||
* @param error string
|
||||
* @return true if the operation can be performed
|
||||
*/
|
||||
virtual bool check(Template* tmpl, Quotas& default_quotas, string& error) = 0;
|
||||
//virtual bool check(Template* tmpl, Quotas& default_quotas, string& error) = 0;
|
||||
|
||||
/**
|
||||
* Check if a resource update in usage counters will exceed the
|
||||
@ -69,7 +69,7 @@ public:
|
||||
* Decrement usage counters when deallocating image
|
||||
* @param tmpl template for the resource
|
||||
*/
|
||||
virtual void del(Template* tmpl) = 0;
|
||||
//virtual void del(Template* tmpl) = 0;
|
||||
|
||||
/**
|
||||
* Returns the name that identifies the quota in a template
|
||||
|
@ -18,6 +18,7 @@
|
||||
#define QUOTA_NETWORK_H_
|
||||
|
||||
#include "Quota.h"
|
||||
#include "PoolObjectSQL.h"
|
||||
|
||||
/**
|
||||
* DataStore Quotas, defined as:
|
||||
@ -47,18 +48,21 @@ public:
|
||||
/**
|
||||
* Check if the resource allocation will exceed the quota limits. If not
|
||||
* the usage counters are updated
|
||||
* @param otype object type, VM or VRouter
|
||||
* @param tmpl template for the resource
|
||||
* @param default_quotas Quotas that contain the default limits
|
||||
* @param error string
|
||||
* @return true if the operation can be performed
|
||||
*/
|
||||
bool check(Template* tmpl, Quotas& default_quotas, string& error);
|
||||
bool check(PoolObjectSQL::ObjectType otype, Template* tmpl,
|
||||
Quotas& default_quotas, string& error);
|
||||
|
||||
/**
|
||||
* Decrement usage counters when deallocating image
|
||||
* @param otype object type, VM or VRouter
|
||||
* @param tmpl template for the resource
|
||||
*/
|
||||
void del(Template* tmpl);
|
||||
void del(PoolObjectSQL::ObjectType otype, Template* tmpl);
|
||||
|
||||
protected:
|
||||
|
||||
|
@ -35,7 +35,8 @@ public:
|
||||
VM, /**< Checks VM usage (MEMORY, CPU and VMS) */
|
||||
NETWORK, /**< Checks Network usage (leases) */
|
||||
IMAGE, /**< Checks Image usage (RVMs using it) */
|
||||
VIRTUALMACHINE /**< Checks all VM associated resources VM, NETWORK, IMAGE */
|
||||
VIRTUALMACHINE, /**< Checks all VM associated resources VM, NETWORK, IMAGE */
|
||||
VIRTUALROUTER /**< Checks the Virtual Router NETWORK usage (leases) */
|
||||
};
|
||||
|
||||
/**
|
||||
@ -69,17 +70,6 @@ public:
|
||||
return datastore_quota.get_quota(id, va);
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete VM related usage (network, image and compute) from quota counters.
|
||||
* @param tmpl template for the image, with usage
|
||||
*/
|
||||
void vm_del(Template * tmpl)
|
||||
{
|
||||
network_quota.del(tmpl);
|
||||
vm_quota.del(tmpl);
|
||||
image_quota.del(tmpl);
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a VM quota identified by its ID.
|
||||
*
|
||||
|
@ -601,6 +601,10 @@ public:
|
||||
Template * tmpl,
|
||||
int& id,
|
||||
RequestAttributes& att);
|
||||
|
||||
bool allocate_authorization(Template * obj_template,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms);
|
||||
};
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
@ -125,7 +125,11 @@ public:
|
||||
* @param nic the nic to be authorized
|
||||
* @param ar the AuthRequest
|
||||
*/
|
||||
void authorize_nic(VectorAttribute * nic, int uid, AuthRequest * ar);
|
||||
void authorize_nic(
|
||||
PoolObjectSQL::ObjectType ot,
|
||||
VectorAttribute * nic,
|
||||
int uid,
|
||||
AuthRequest * ar);
|
||||
|
||||
/**
|
||||
* Bootstraps the database table(s) associated to the VirtualNetwork pool
|
||||
|
@ -21,6 +21,7 @@
|
||||
#include "Template.h"
|
||||
#include "ObjectCollection.h"
|
||||
#include "VirtualMachineTemplate.h"
|
||||
#include "AuthRequest.h"
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
@ -94,6 +95,21 @@ public:
|
||||
*/
|
||||
int detach_nic(int nic_id);
|
||||
|
||||
// ------------------------------------------------------------------------
|
||||
// Authorization related functions
|
||||
// ------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
* Sets an authorization request for a Virtual Router template based on
|
||||
* the networks used
|
||||
* @param uid for template owner
|
||||
* @param ar the AuthRequest object
|
||||
* @param tmpl the virtual router template
|
||||
*/
|
||||
static void set_auth_request(int uid,
|
||||
AuthRequest& ar,
|
||||
Template *tmpl);
|
||||
|
||||
private:
|
||||
// -------------------------------------------------------------------------
|
||||
// Friends
|
||||
|
@ -754,3 +754,43 @@ int VirtualRouterAllocate::pool_allocate(
|
||||
return vrpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask,
|
||||
tmpl, &id, att.resp_msg);
|
||||
}
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool VirtualRouterAllocate::allocate_authorization(
|
||||
Template * tmpl,
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
|
||||
// ------------------ Authorize create operation ------------------------
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl->to_xml(tmpl_str));
|
||||
|
||||
VirtualRouter::set_auth_request(att.uid, ar, tmpl);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// -------------------------- Check Quotas ----------------------------
|
||||
|
||||
if (quota_authorization(tmpl, Quotas::VIRTUALROUTER, att, att.resp_msg) == false)
|
||||
{
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
@ -199,7 +199,7 @@ void VirtualRouterAttachNic::request_execute(
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
VirtualMachine::set_auth_request(att.uid, ar, &tmpl); // USE VNET
|
||||
VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
@ -211,7 +211,7 @@ void VirtualRouterAttachNic::request_execute(
|
||||
|
||||
RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att);
|
||||
|
||||
if ( quota_authorization(&tmpl, Quotas::NETWORK, att_quota) == false )
|
||||
if ( quota_authorization(&tmpl, Quotas::VIRTUALROUTER, att_quota) == false )
|
||||
{
|
||||
return;
|
||||
}
|
||||
@ -223,7 +223,7 @@ void VirtualRouterAttachNic::request_execute(
|
||||
|
||||
if (vr == 0)
|
||||
{
|
||||
quota_rollback(&tmpl, Quotas::NETWORK, att_quota);
|
||||
quota_rollback(&tmpl, Quotas::VIRTUALROUTER, att_quota);
|
||||
|
||||
att.resp_id = vrid;
|
||||
failure_response(NO_EXISTS, att);
|
||||
@ -240,7 +240,7 @@ void VirtualRouterAttachNic::request_execute(
|
||||
|
||||
if (nic == 0)
|
||||
{
|
||||
quota_rollback(&tmpl, Quotas::NETWORK, att_quota);
|
||||
quota_rollback(&tmpl, Quotas::VIRTUALROUTER, att_quota);
|
||||
|
||||
failure_response(ACTION, att);
|
||||
return;
|
||||
|
@ -27,13 +27,15 @@ const int QuotaNetwork::NUM_NET_METRICS = 1;
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
|
||||
bool QuotaNetwork::check(PoolObjectSQL::ObjectType otype, Template * tmpl,
|
||||
Quotas& default_quotas, string& error)
|
||||
{
|
||||
vector<Attribute*> nics;
|
||||
VectorAttribute * nic;
|
||||
|
||||
string net_id;
|
||||
int num;
|
||||
bool uses_lease;
|
||||
|
||||
map<string, float> net_request;
|
||||
|
||||
@ -52,7 +54,14 @@ bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
|
||||
|
||||
net_id = nic->vector_value("NETWORK_ID");
|
||||
|
||||
if ( !net_id.empty() )
|
||||
uses_lease = true;
|
||||
|
||||
if ( otype == PoolObjectSQL::VROUTER )
|
||||
{
|
||||
nic->vector_value("FLOATING_IP", uses_lease);
|
||||
}
|
||||
|
||||
if ( !net_id.empty() && uses_lease )
|
||||
{
|
||||
if ( !check_quota(net_id, net_request, default_quotas, error) )
|
||||
{
|
||||
@ -67,7 +76,7 @@ bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void QuotaNetwork::del(Template * tmpl)
|
||||
void QuotaNetwork::del(PoolObjectSQL::ObjectType otype, Template * tmpl)
|
||||
{
|
||||
|
||||
vector<Attribute*> nics;
|
||||
@ -75,6 +84,7 @@ void QuotaNetwork::del(Template * tmpl)
|
||||
|
||||
string net_id;
|
||||
int num;
|
||||
bool uses_lease;
|
||||
|
||||
map<string, float> net_request;
|
||||
|
||||
@ -93,7 +103,17 @@ void QuotaNetwork::del(Template * tmpl)
|
||||
|
||||
net_id = nic->vector_value("NETWORK_ID");
|
||||
|
||||
del_quota(net_id, net_request);
|
||||
uses_lease = true;
|
||||
|
||||
if ( otype == PoolObjectSQL::VROUTER )
|
||||
{
|
||||
nic->vector_value("FLOATING_IP", uses_lease);
|
||||
}
|
||||
|
||||
if (uses_lease)
|
||||
{
|
||||
del_quota(net_id, net_request);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -150,7 +150,7 @@ void Quotas::quota_del(QuotaType type, Template *tmpl)
|
||||
break;
|
||||
|
||||
case NETWORK:
|
||||
network_quota.del(tmpl);
|
||||
network_quota.del(PoolObjectSQL::VM, tmpl);
|
||||
break;
|
||||
|
||||
case IMAGE:
|
||||
@ -162,10 +162,14 @@ void Quotas::quota_del(QuotaType type, Template *tmpl)
|
||||
break;
|
||||
|
||||
case VIRTUALMACHINE:
|
||||
network_quota.del(tmpl);
|
||||
network_quota.del(PoolObjectSQL::VM, tmpl);
|
||||
vm_quota.del(tmpl);
|
||||
image_quota.del(tmpl);
|
||||
break;
|
||||
|
||||
case VIRTUALROUTER:
|
||||
network_quota.del(PoolObjectSQL::VROUTER, tmpl);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
@ -183,7 +187,7 @@ bool Quotas::quota_check(QuotaType type,
|
||||
return datastore_quota.check(tmpl, default_quotas, error_str);
|
||||
|
||||
case NETWORK:
|
||||
return network_quota.check(tmpl, default_quotas, error_str);
|
||||
return network_quota.check(PoolObjectSQL::VM, tmpl, default_quotas, error_str);
|
||||
|
||||
case IMAGE:
|
||||
return image_quota.check(tmpl, default_quotas, error_str);
|
||||
@ -192,25 +196,30 @@ bool Quotas::quota_check(QuotaType type,
|
||||
return vm_quota.check(tmpl, default_quotas, error_str);
|
||||
|
||||
case VIRTUALMACHINE:
|
||||
if ( network_quota.check(tmpl, default_quotas, error_str) == false )
|
||||
if ( network_quota.check(PoolObjectSQL::VM,
|
||||
tmpl, default_quotas, error_str) == false )
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( vm_quota.check(tmpl, default_quotas, error_str) == false )
|
||||
{
|
||||
network_quota.del(tmpl);
|
||||
network_quota.del(PoolObjectSQL::VM, tmpl);
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( image_quota.check(tmpl, default_quotas, error_str) == false )
|
||||
{
|
||||
network_quota.del(tmpl);
|
||||
network_quota.del(PoolObjectSQL::VM, tmpl);
|
||||
vm_quota.del(tmpl);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
|
||||
case VIRTUALROUTER:
|
||||
return network_quota.check(PoolObjectSQL::VROUTER,
|
||||
tmpl, default_quotas, error_str);
|
||||
}
|
||||
|
||||
return false;
|
||||
@ -231,6 +240,7 @@ bool Quotas::quota_update(QuotaType type,
|
||||
case NETWORK:
|
||||
case IMAGE:
|
||||
case VIRTUALMACHINE:
|
||||
case VIRTUALROUTER:
|
||||
error_str = "Cannot update quota. Not implemented";
|
||||
return false;
|
||||
|
||||
|
@ -3991,7 +3991,7 @@ void VirtualMachine::set_auth_request(int uid,
|
||||
continue;
|
||||
}
|
||||
|
||||
vnpool->authorize_nic(vector,uid,&ar);
|
||||
vnpool->authorize_nic(PoolObjectSQL::VM, vector, uid, &ar);
|
||||
|
||||
get_security_groups(vector, sgroups);
|
||||
|
||||
|
@ -301,9 +301,11 @@ int VirtualNetworkPool::nic_attribute(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
|
||||
int uid,
|
||||
AuthRequest * ar)
|
||||
void VirtualNetworkPool::authorize_nic(
|
||||
PoolObjectSQL::ObjectType ot,
|
||||
VectorAttribute * nic,
|
||||
int uid,
|
||||
AuthRequest * ar)
|
||||
{
|
||||
string network;
|
||||
VirtualNetwork * vnet = 0;
|
||||
@ -337,5 +339,12 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
|
||||
|
||||
vnet->unlock();
|
||||
|
||||
ar->add_auth(AuthRequest::USE, perm);
|
||||
if (ot == PoolObjectSQL::VM)
|
||||
{
|
||||
ar->add_auth(AuthRequest::USE, perm);
|
||||
}
|
||||
else // (ot == PoolObjectSQL::VROUTER)
|
||||
{
|
||||
ar->add_auth(AuthRequest::MANAGE, perm);
|
||||
}
|
||||
}
|
||||
|
@ -129,6 +129,8 @@ int VirtualRouter::drop(SqlDB * db)
|
||||
release_network_leases();
|
||||
|
||||
shutdown_vms();
|
||||
|
||||
Quotas::quota_del(Quotas::VIRTUALROUTER, uid, gid, obj_template);
|
||||
}
|
||||
|
||||
return rc;
|
||||
@ -610,6 +612,8 @@ VectorAttribute * VirtualRouter::attach_nic(
|
||||
|
||||
int VirtualRouter::detach_nic(int nic_id)
|
||||
{
|
||||
Template tmpl;
|
||||
|
||||
VectorAttribute * nic = get_nic(nic_id);
|
||||
|
||||
if (nic == 0)
|
||||
@ -619,6 +623,13 @@ int VirtualRouter::detach_nic(int nic_id)
|
||||
|
||||
obj_template->remove(nic);
|
||||
|
||||
release_network_leases(nic);
|
||||
|
||||
// Update quotas
|
||||
tmpl.set(nic);
|
||||
|
||||
Quotas::quota_del(Quotas::VIRTUALROUTER, uid, gid, &tmpl);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -646,3 +657,25 @@ VectorAttribute* VirtualRouter::get_nic(int nic_id) const
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void VirtualRouter::set_auth_request(int uid,
|
||||
AuthRequest& ar,
|
||||
Template *tmpl)
|
||||
{
|
||||
vector<VectorAttribute* > nics;
|
||||
vector<VectorAttribute* >::const_iterator nics_it;
|
||||
|
||||
Nebula& nd = Nebula::instance();
|
||||
|
||||
VirtualNetworkPool * vnpool = nd.get_vnpool();
|
||||
|
||||
tmpl->get("NIC", nics);
|
||||
|
||||
for (nics_it = nics.begin(); nics_it != nics.end(); nics_it++)
|
||||
{
|
||||
vnpool->authorize_nic(PoolObjectSQL::VROUTER, *nics_it, uid, &ar);
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user