
Feature #4215: Implement auth & quotas for all VR actions

This commit is contained in:
Carlos Martín 2016-02-01 17:07:04 +01:00
parent da39b2f424
commit 68a0184ed2
13 changed files with 166 additions and 36 deletions


@ -49,7 +49,7 @@ public:
* @param error string * @param error string
* @return true if the operation can be performed * @return true if the operation can be performed
*/ */
virtual bool check(Template* tmpl, Quotas& default_quotas, string& error) = 0; //virtual bool check(Template* tmpl, Quotas& default_quotas, string& error) = 0;
/** /**
* Check if a resource update in usage counters will exceed the * Check if a resource update in usage counters will exceed the
@ -69,7 +69,7 @@ public:
* Decrement usage counters when deallocating image * Decrement usage counters when deallocating image
* @param tmpl template for the resource * @param tmpl template for the resource
*/ */
virtual void del(Template* tmpl) = 0; //virtual void del(Template* tmpl) = 0;
/** /**
* Returns the name that identifies the quota in a template * Returns the name that identifies the quota in a template
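Review bot: The base-class declarations of `check` and `del` are left in Quota.h as commented-out code (`//virtual bool check(...)`, `//virtual void del(...)`) rather than removed, which leaves a reader unsure whether the interface still promises them. Delete the two commented lines and, if the intent is that every subclass now declares its own signature, say so where they stood: `// check()/del() are declared by each Quota subclass with its own signature`. The surrounding class body extends beyond both hunks.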


@ -18,6 +18,7 @@
#define QUOTA_NETWORK_H_ #define QUOTA_NETWORK_H_
#include "Quota.h" #include "Quota.h"
#include "PoolObjectSQL.h"
/** /**
* DataStore Quotas, defined as: * DataStore Quotas, defined as:
@ -47,18 +48,21 @@ public:
/** /**
* Check if the resource allocation will exceed the quota limits. If not * Check if the resource allocation will exceed the quota limits. If not
* the usage counters are updated * the usage counters are updated
* @param otype object type, VM or VRouter
* @param tmpl template for the resource * @param tmpl template for the resource
* @param default_quotas Quotas that contain the default limits * @param default_quotas Quotas that contain the default limits
* @param error string * @param error string
* @return true if the operation can be performed * @return true if the operation can be performed
*/ */
bool check(Template* tmpl, Quotas& default_quotas, string& error); bool check(PoolObjectSQL::ObjectType otype, Template* tmpl,
Quotas& default_quotas, string& error);
/** /**
* Decrement usage counters when deallocating image * Decrement usage counters when deallocating image
* @param otype object type, VM or VRouter
* @param tmpl template for the resource * @param tmpl template for the resource
*/ */
void del(Template* tmpl); void del(PoolObjectSQL::ObjectType otype, Template* tmpl);
protected: protected:
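Review bot: The new `@param otype object type, VM or VRouter` on `check` and `del` names the parameter but not what it changes, and the VRouter rule is only visible in QuotaNetwork.cc in this same commit. Extending the line to `@param otype object type, VM or VRouter; for VRouter only NICs with FLOATING_IP set consume a lease` on both declarations would let a caller pick the type correctly without reading the implementation.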


@ -35,7 +35,8 @@ public:
VM, /**< Checks VM usage (MEMORY, CPU and VMS) */ VM, /**< Checks VM usage (MEMORY, CPU and VMS) */
NETWORK, /**< Checks Network usage (leases) */ NETWORK, /**< Checks Network usage (leases) */
IMAGE, /**< Checks Image usage (RVMs using it) */ IMAGE, /**< Checks Image usage (RVMs using it) */
VIRTUALMACHINE /**< Checks all VM associated resources VM, NETWORK, IMAGE */ VIRTUALMACHINE, /**< Checks all VM associated resources VM, NETWORK, IMAGE */
VIRTUALROUTER /**< Checks the Virtual Router NETWORK usage (leases) */
}; };
/** /**
@ -69,17 +70,6 @@ public:
return datastore_quota.get_quota(id, va); return datastore_quota.get_quota(id, va);
} }
/**
* Delete VM related usage (network, image and compute) from quota counters.
* @param tmpl template for the image, with usage
*/
void vm_del(Template * tmpl)
{
network_quota.del(tmpl);
vm_quota.del(tmpl);
image_quota.del(tmpl);
}
/** /**
* Gets a VM quota identified by its ID. * Gets a VM quota identified by its ID.
* *


@ -601,6 +601,10 @@ public:
Template * tmpl, Template * tmpl,
int& id, int& id,
RequestAttributes& att); RequestAttributes& att);
bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
}; };
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
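Review bot: `allocate_authorization` is added to the VirtualRouterAllocate class without a documentation comment, and its contract (oneadmin bypass, MANAGE on the template's networks, VIRTUALROUTER quota) lives only in RequestManagerAllocate.cc. A three-line Doxygen block stating that it authorizes the create operation and the networks referenced by the template, checks the VIRTUALROUTER quota, and returns false after a failure response has been set would suffice. The enclosing class starts outside the hunk.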


@ -125,7 +125,11 @@ public:
* @param nic the nic to be authorized * @param nic the nic to be authorized
* @param ar the AuthRequest * @param ar the AuthRequest
*/ */
void authorize_nic(VectorAttribute * nic, int uid, AuthRequest * ar); void authorize_nic(
PoolObjectSQL::ObjectType ot,
VectorAttribute * nic,
int uid,
AuthRequest * ar);
/** /**
* Bootstraps the database table(s) associated to the VirtualNetwork pool * Bootstraps the database table(s) associated to the VirtualNetwork pool
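Review bot: `authorize_nic` gains a leading `PoolObjectSQL::ObjectType ot` parameter but the Doxygen block above it still lists only `@param nic` and `@param ar`, so the new argument is undocumented at the declaration. Add `* @param ot object type of the owner (VM requests USE on the network, VROUTER requests MANAGE)` above `@param nic`; the VM/VROUTER mapping is what VirtualNetworkPool.cc implements in this commit.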


@ -21,6 +21,7 @@
#include "Template.h" #include "Template.h"
#include "ObjectCollection.h" #include "ObjectCollection.h"
#include "VirtualMachineTemplate.h" #include "VirtualMachineTemplate.h"
#include "AuthRequest.h"
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
@ -94,6 +95,21 @@ public:
*/ */
int detach_nic(int nic_id); int detach_nic(int nic_id);
// ------------------------------------------------------------------------
// Authorization related functions
// ------------------------------------------------------------------------
/**
* Sets an authorization request for a Virtual Router template based on
* the networks used
* @param uid for template owner
* @param ar the AuthRequest object
* @param tmpl the virtual router template
*/
static void set_auth_request(int uid,
AuthRequest& ar,
Template *tmpl);
private: private:
// ------------------------------------------------------------------------- // -------------------------------------------------------------------------
// Friends // Friends


@ -754,3 +754,43 @@ int VirtualRouterAllocate::pool_allocate(
return vrpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask, return vrpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask,
tmpl, &id, att.resp_msg); tmpl, &id, att.resp_msg);
} }
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool VirtualRouterAllocate::allocate_authorization(
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
// ------------------ Authorize create operation ------------------------
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl->to_xml(tmpl_str));
VirtualRouter::set_auth_request(att.uid, ar, tmpl);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return false;
}
// -------------------------- Check Quotas ----------------------------
if (quota_authorization(tmpl, Quotas::VIRTUALROUTER, att, att.resp_msg) == false)
{
return AUTHORIZATION;
}
return true;
}
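Review bot: `return AUTHORIZATION;` on the quota-failure path of `allocate_authorization` returns an error-code enumerator from a `bool` function, so the result converts to `true` unless that enumerator's value happens to be zero, and a virtual router whose template exceeds its network quota would be reported as authorized right after `quota_authorization` rejected it. The line should be `return false;`, matching the authorization branch above it. The `quota_authorization` call here also passes `att.resp_msg` as a fourth argument while the calls in VirtualRouterAttachNic in this same commit pass three; worth confirming both forms exist.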


@ -199,7 +199,7 @@ void VirtualRouterAttachNic::request_execute(
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
VirtualMachine::set_auth_request(att.uid, ar, &tmpl); // USE VNET VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
if (UserPool::authorize(ar) == -1) if (UserPool::authorize(ar) == -1)
{ {
@ -211,7 +211,7 @@ void VirtualRouterAttachNic::request_execute(
RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att); RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att);
if ( quota_authorization(&tmpl, Quotas::NETWORK, att_quota) == false ) if ( quota_authorization(&tmpl, Quotas::VIRTUALROUTER, att_quota) == false )
{ {
return; return;
} }
@ -223,7 +223,7 @@ void VirtualRouterAttachNic::request_execute(
if (vr == 0) if (vr == 0)
{ {
quota_rollback(&tmpl, Quotas::NETWORK, att_quota); quota_rollback(&tmpl, Quotas::VIRTUALROUTER, att_quota);
att.resp_id = vrid; att.resp_id = vrid;
failure_response(NO_EXISTS, att); failure_response(NO_EXISTS, att);
@ -240,7 +240,7 @@ void VirtualRouterAttachNic::request_execute(
if (nic == 0) if (nic == 0)
{ {
quota_rollback(&tmpl, Quotas::NETWORK, att_quota); quota_rollback(&tmpl, Quotas::VIRTUALROUTER, att_quota);
failure_response(ACTION, att); failure_response(ACTION, att);
return; return;
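Review bot: The trailing comment on the changed line, `VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET`, is now stale: the VirtualRouter variant calls `authorize_nic` with `PoolObjectSQL::VROUTER`, which this commit maps to `AuthRequest::MANAGE` on the network. Change it to `// MANAGE VNET` so the comment matches the privilege actually required. `request_execute` starts and ends outside the hunks.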


@ -27,13 +27,15 @@ const int QuotaNetwork::NUM_NET_METRICS = 1;
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error) bool QuotaNetwork::check(PoolObjectSQL::ObjectType otype, Template * tmpl,
Quotas& default_quotas, string& error)
{ {
vector<Attribute*> nics; vector<Attribute*> nics;
VectorAttribute * nic; VectorAttribute * nic;
string net_id; string net_id;
int num; int num;
bool uses_lease;
map<string, float> net_request; map<string, float> net_request;
@ -52,7 +54,14 @@ bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
net_id = nic->vector_value("NETWORK_ID"); net_id = nic->vector_value("NETWORK_ID");
if ( !net_id.empty() ) uses_lease = true;
if ( otype == PoolObjectSQL::VROUTER )
{
nic->vector_value("FLOATING_IP", uses_lease);
}
if ( !net_id.empty() && uses_lease )
{ {
if ( !check_quota(net_id, net_request, default_quotas, error) ) if ( !check_quota(net_id, net_request, default_quotas, error) )
{ {
@ -67,7 +76,7 @@ bool QuotaNetwork::check(Template * tmpl, Quotas& default_quotas, string& error)
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
void QuotaNetwork::del(Template * tmpl) void QuotaNetwork::del(PoolObjectSQL::ObjectType otype, Template * tmpl)
{ {
vector<Attribute*> nics; vector<Attribute*> nics;
@ -75,6 +84,7 @@ void QuotaNetwork::del(Template * tmpl)
string net_id; string net_id;
int num; int num;
bool uses_lease;
map<string, float> net_request; map<string, float> net_request;
@ -93,8 +103,18 @@ void QuotaNetwork::del(Template * tmpl)
net_id = nic->vector_value("NETWORK_ID"); net_id = nic->vector_value("NETWORK_ID");
uses_lease = true;
if ( otype == PoolObjectSQL::VROUTER )
{
nic->vector_value("FLOATING_IP", uses_lease);
}
if (uses_lease)
{
del_quota(net_id, net_request); del_quota(net_id, net_request);
} }
}
} }
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
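Review bot: In `QuotaNetwork::check` the VROUTER branch sets `uses_lease = true` and then reads `FLOATING_IP` into it without looking at the return value, so whether a VR NIC that has no `FLOATING_IP` attribute is counted depends on whether `vector_value` resets its output argument on a missing key, which the hunk does not show. Making the default explicit removes that dependency: `uses_lease = (otype != PoolObjectSQL::VROUTER);` before the `if`, keeping `nic->vector_value("FLOATING_IP", uses_lease);` inside it, so a VR NIC consumes a lease only when FLOATING_IP is present and true, which appears to be the intent. `QuotaNetwork::del` repeats the same sequence and must mirror `check` exactly, otherwise the usage counters drift on detach or drop. Both function bodies extend beyond the hunks.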


@ -150,7 +150,7 @@ void Quotas::quota_del(QuotaType type, Template *tmpl)
break; break;
case NETWORK: case NETWORK:
network_quota.del(tmpl); network_quota.del(PoolObjectSQL::VM, tmpl);
break; break;
case IMAGE: case IMAGE:
@ -162,10 +162,14 @@ void Quotas::quota_del(QuotaType type, Template *tmpl)
break; break;
case VIRTUALMACHINE: case VIRTUALMACHINE:
network_quota.del(tmpl); network_quota.del(PoolObjectSQL::VM, tmpl);
vm_quota.del(tmpl); vm_quota.del(tmpl);
image_quota.del(tmpl); image_quota.del(tmpl);
break; break;
case VIRTUALROUTER:
network_quota.del(PoolObjectSQL::VROUTER, tmpl);
break;
} }
} }
@ -183,7 +187,7 @@ bool Quotas::quota_check(QuotaType type,
return datastore_quota.check(tmpl, default_quotas, error_str); return datastore_quota.check(tmpl, default_quotas, error_str);
case NETWORK: case NETWORK:
return network_quota.check(tmpl, default_quotas, error_str); return network_quota.check(PoolObjectSQL::VM, tmpl, default_quotas, error_str);
case IMAGE: case IMAGE:
return image_quota.check(tmpl, default_quotas, error_str); return image_quota.check(tmpl, default_quotas, error_str);
@ -192,25 +196,30 @@ bool Quotas::quota_check(QuotaType type,
return vm_quota.check(tmpl, default_quotas, error_str); return vm_quota.check(tmpl, default_quotas, error_str);
case VIRTUALMACHINE: case VIRTUALMACHINE:
if ( network_quota.check(tmpl, default_quotas, error_str) == false ) if ( network_quota.check(PoolObjectSQL::VM,
tmpl, default_quotas, error_str) == false )
{ {
return false; return false;
} }
if ( vm_quota.check(tmpl, default_quotas, error_str) == false ) if ( vm_quota.check(tmpl, default_quotas, error_str) == false )
{ {
network_quota.del(tmpl); network_quota.del(PoolObjectSQL::VM, tmpl);
return false; return false;
} }
if ( image_quota.check(tmpl, default_quotas, error_str) == false ) if ( image_quota.check(tmpl, default_quotas, error_str) == false )
{ {
network_quota.del(tmpl); network_quota.del(PoolObjectSQL::VM, tmpl);
vm_quota.del(tmpl); vm_quota.del(tmpl);
return false; return false;
} }
return true; return true;
case VIRTUALROUTER:
return network_quota.check(PoolObjectSQL::VROUTER,
tmpl, default_quotas, error_str);
} }
return false; return false;
@ -231,6 +240,7 @@ bool Quotas::quota_update(QuotaType type,
case NETWORK: case NETWORK:
case IMAGE: case IMAGE:
case VIRTUALMACHINE: case VIRTUALMACHINE:
case VIRTUALROUTER:
error_str = "Cannot update quota. Not implemented"; error_str = "Cannot update quota. Not implemented";
return false; return false;


@ -3991,7 +3991,7 @@ void VirtualMachine::set_auth_request(int uid,
continue; continue;
} }
vnpool->authorize_nic(vector,uid,&ar); vnpool->authorize_nic(PoolObjectSQL::VM, vector, uid, &ar);
get_security_groups(vector, sgroups); get_security_groups(vector, sgroups);


@ -301,7 +301,9 @@ int VirtualNetworkPool::nic_attribute(
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
void VirtualNetworkPool::authorize_nic(VectorAttribute * nic, void VirtualNetworkPool::authorize_nic(
PoolObjectSQL::ObjectType ot,
VectorAttribute * nic,
int uid, int uid,
AuthRequest * ar) AuthRequest * ar)
{ {
@ -337,5 +339,12 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
vnet->unlock(); vnet->unlock();
if (ot == PoolObjectSQL::VM)
{
ar->add_auth(AuthRequest::USE, perm); ar->add_auth(AuthRequest::USE, perm);
}
else // (ot == PoolObjectSQL::VROUTER)
{
ar->add_auth(AuthRequest::MANAGE, perm);
}
} }
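Review bot: The `else // (ot == PoolObjectSQL::VROUTER)` branch in `authorize_nic` applies MANAGE to every object type other than VM, so a future caller passing some other type silently gets the virtual-router rule. MANAGE is the stricter of the two requests, so this fails closed, but the comment suggests a narrower condition than the code enforces; either write it as `else // any other type, including VROUTER, requires MANAGE on the network` or make the VROUTER case an explicit `else if` with the stricter request as the fallback. The function body starts outside the second hunk.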


@ -129,6 +129,8 @@ int VirtualRouter::drop(SqlDB * db)
release_network_leases(); release_network_leases();
shutdown_vms(); shutdown_vms();
Quotas::quota_del(Quotas::VIRTUALROUTER, uid, gid, obj_template);
} }
return rc; return rc;
@ -610,6 +612,8 @@ VectorAttribute * VirtualRouter::attach_nic(
int VirtualRouter::detach_nic(int nic_id) int VirtualRouter::detach_nic(int nic_id)
{ {
Template tmpl;
VectorAttribute * nic = get_nic(nic_id); VectorAttribute * nic = get_nic(nic_id);
if (nic == 0) if (nic == 0)
@ -619,6 +623,13 @@ int VirtualRouter::detach_nic(int nic_id)
obj_template->remove(nic); obj_template->remove(nic);
release_network_leases(nic);
// Update quotas
tmpl.set(nic);
Quotas::quota_del(Quotas::VIRTUALROUTER, uid, gid, &tmpl);
return 0; return 0;
} }
@ -646,3 +657,25 @@ VectorAttribute* VirtualRouter::get_nic(int nic_id) const
return 0; return 0;
} }
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void VirtualRouter::set_auth_request(int uid,
AuthRequest& ar,
Template *tmpl)
{
vector<VectorAttribute* > nics;
vector<VectorAttribute* >::const_iterator nics_it;
Nebula& nd = Nebula::instance();
VirtualNetworkPool * vnpool = nd.get_vnpool();
tmpl->get("NIC", nics);
for (nics_it = nics.begin(); nics_it != nics.end(); nics_it++)
{
vnpool->authorize_nic(PoolObjectSQL::VROUTER, *nics_it, uid, &ar);
}
}
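Review bot: In `VirtualRouter::detach_nic`, `tmpl.set(nic)` hands the NIC just removed from `obj_template` to a stack-local `Template`; if `Template::set` takes ownership and its destructor frees the attributes it holds (which I believe is the case but the hunk does not show), `nic` is freed when `tmpl` goes out of scope, so nothing after that point may keep using the pointer and any pre-existing explicit `delete nic` later in the function would become a double free. A comment such as `// tmpl takes ownership of nic and frees it on return` at the `tmpl.set(nic);` line would make that explicit. In `set_auth_request`, prefer `++nics_it` over `nics_it++` in the loop. detach_nic's body continues past its hunk.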