
feature #200: Auth for VirtualNetworks

This commit is contained in:
Tino Vázquez 2010-07-09 19:53:45 +02:00
parent ec46c188bb
commit 6ab7f3e13c
4 changed files with 88 additions and 15 deletions


@ -17,6 +17,8 @@
#include "RequestManager.h"
#include "NebulaLog.h"
#include "AuthManager.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -64,6 +66,19 @@ void RequestManager::VirtualNetworkAllocate::execute(
uid = user->get_uid();
user->unlock();
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
AuthRequest ar(uid);
ar.add_auth(AuthRequest::NET,-1,AuthRequest::CREATE,0,false);
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
rc = vnpool->allocate(uid,stemplate,&nid);
@ -91,6 +106,10 @@ error_session:
error_get_user:
oss << "User not recognized, cannot allocate VirtualNetwork";
goto error_common;
error_authorize:
oss << "User not authorized to create a VirtualNetwork";
goto error_common;
error_vn_allocate:
oss << "Error allocating VN with template: " << endl << stemplate;
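Review bot: The new check `if (UserPool::authorize(ar) == -1)` treats only a -1 return as denial, so any other non-zero result from the authorization path would fall through to `vnpool->allocate`; unless authorize is guaranteed to return exactly 0 or -1, the fail-closed form `if (UserPool::authorize(ar) != 0)` is the safer one. The same pattern is repeated in the VirtualNetworkDelete, VirtualNetworkInfo and VirtualNetworkPublish sections of this commit. A short comment on the magic arguments to `add_auth` would also help a later reader, e.g. `// CREATE has no target object yet: oid -1, owner 0, not public`. The enclosing execute() body starts and ends outside the hunk.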


@ -17,6 +17,8 @@
#include "RequestManager.h"
#include "NebulaLog.h"
#include "AuthManager.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -45,6 +47,27 @@ void RequestManager::VirtualNetworkDelete::execute(
session = xmlrpc_c::value_string(paramList.getString(0));
nid = xmlrpc_c::value_int (paramList.getInt (1));
// Only oneadmin or the VN owner can perform operations upon the VN
rc = VirtualNetworkDelete::upool->authenticate(session);
if ( rc == -1 )
{
goto error_authenticate;
}
//Authorize the operation
if ( rc != 0 ) // rc == 0 means oneadmin
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::NET,nid,AuthRequest::DELETE,0,false);
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
// Retrieve VN from the pool
vn = vnpool->get(nid,true);
@ -54,14 +77,6 @@ void RequestManager::VirtualNetworkDelete::execute(
}
uid = vn->get_uid();
// Only oneadmin or the VN owner can perform operations upon the VN
rc = VirtualNetworkDelete::upool->authenticate(session);
if ( rc != 0 && rc != uid)
{
goto error_authenticate;
}
rc = vnpool->drop(vn);
@ -79,8 +94,11 @@ void RequestManager::VirtualNetworkDelete::execute(
return;
error_authenticate:
vn->unlock();
oss << "User cannot delete VN";
oss << "User not authenticated, aborting VirtualNetworkDelete call";
goto error_common;
error_authorize:
oss << "User not authorized to delete Virtual Network with NID = " << nid;
goto error_common;
error_vn_get:
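Review bot: The new `goto error_authenticate` runs before `vn = vnpool->get(nid,true)`, yet the `error_authenticate:` label still executes `vn->unlock()`; at that point the network has not been fetched (vn's declaration is outside the hunk, so it is null or uninitialized), and a failed authentication would dereference an invalid pointer. Drop that `vn->unlock();` line, as the new `error_authorize:` label correctly omits it. Separately, the DELETE request is built with owner `0` and public `false` because the VN is not yet available, and the removed `rc != uid` owner test has no replacement; if the policy behind `UserPool::authorize` relies on the owner field, the VN should be fetched first and `vn->get_uid()` passed, with the unlock handled on the authorization error path. execute() starts and ends outside the hunk.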


@ -17,6 +17,8 @@
#include "RequestManager.h"
#include "NebulaLog.h"
#include "AuthManager.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -51,7 +53,7 @@ void RequestManager::VirtualNetworkInfo::execute(
{
goto error_authenticate;
}
vn = vnpool->get(nid,true);
if ( vn == 0 )
@ -59,6 +61,23 @@ void RequestManager::VirtualNetworkInfo::execute(
goto error_vn_get;
}
//Authorize the operation
if ( rc != 0 ) // rc == 0 means oneadmin
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::NET,
nid,
AuthRequest::USE,
0,
vn->isPublic());
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
oss << *vn;
vn->unlock();
@ -82,9 +101,14 @@ error_authenticate:
error_vn_get:
oss << "Error getting Virtual Network with NID = " << nid;
goto error_common;
error_authorize:
vn->unlock();
oss << "User not authorized to view VirtualNetwork" <<
", VirtualNetworkInfo call aborted.";
goto error_common;
error_common:
arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
arrayData.push_back(xmlrpc_c::value_string(oss.str()));
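Review bot: The `add_auth` call in the new authorization block passes `0` as the owner although the network is already locked and `vn->get_uid()` is available; if the policy behind `UserPool::authorize` grants owners access through this field, a non-admin owner of a private VN would be denied info on their own network. Prefer `vn->get_uid()` for the owner argument; the VirtualNetworkPublish section has the same `0` owner, where it also replaces the removed `uid != vn->get_uid()` check, so ownership is no longer tested anywhere in that path. The new `error_authorize:` label correctly releases the lock taken by `vnpool->get(nid,true)` before falling into error_common. The enclosing execute() starts and ends outside the hunk.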


@ -65,9 +65,21 @@ void RequestManager::VirtualNetworkPublish::execute(
goto error_vn_get;
}
if ( uid != 0 && uid != vn->get_uid() )
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
goto error_authorization;
AuthRequest ar(uid);
ar.add_auth(AuthRequest::NET,
nid,
AuthRequest::MANAGE,
0,
vn->isPublic());
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
vn->publish(publish_flag);
@ -95,7 +107,7 @@ error_vn_get:
oss << "[VirtualNetworkPublish] Error getting VN with ID = " << nid;
goto error_common;
error_authorization:
error_authorize:
oss << "[VirtualNetworkPublish] User not authorized to (un)publish VN" <<
", aborting call.";
vn->unlock();