feature #200: Auth for VirtualNetworks
parent
ec46c188bb
commit
6ab7f3e13c
@ -17,6 +17,8 @@
|
||||
#include "RequestManager.h"
|
||||
#include "NebulaLog.h"
|
||||
|
||||
#include "AuthManager.h"
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
@ -64,6 +66,19 @@ void RequestManager::VirtualNetworkAllocate::execute(
|
||||
uid = user->get_uid();
|
||||
|
||||
user->unlock();
|
||||
|
||||
//Authorize the operation
|
||||
if ( uid != 0 ) // uid == 0 means oneadmin
|
||||
{
|
||||
AuthRequest ar(uid);
|
||||
|
||||
ar.add_auth(AuthRequest::NET,-1,AuthRequest::CREATE,0,false);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
goto error_authorize;
|
||||
}
|
||||
}
|
||||
|
||||
rc = vnpool->allocate(uid,stemplate,&nid);
|
||||
|
||||
@ -91,6 +106,10 @@ error_session:
|
||||
error_get_user:
|
||||
oss << "User not recognized, cannot allocate VirtualNetwork";
|
||||
goto error_common;
|
||||
|
||||
error_authorize:
|
||||
oss << "User not authorized to create a VirtualNetwork";
|
||||
goto error_common;
|
||||
|
||||
error_vn_allocate:
|
||||
oss << "Error allocating VN with template: " << endl << stemplate;
|
||||
|
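Review bot: The call `ar.add_auth(AuthRequest::NET,-1,AuthRequest::CREATE,0,false);` in the second hunk passes three bare literals whose meaning cannot be recovered from this file, and the same positional-literal pattern recurs in the Delete, Info and Publish files of this commit. A one-line comment such as `// no object yet (-1); last two args are presumably owner id and public flag, as the Info hunk's vn->isPublic() suggests` would make the request reviewable, and the repeated `// uid == 0 means oneadmin` would read better as a named constant for the oneadmin uid. It is also worth a comment at `error_authorize:` in the last hunk that no unlock is needed there because `user->unlock()` already ran before the authorization check. VirtualNetworkAllocate::execute starts before and ends after these hunks.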
@ -17,6 +17,8 @@
|
||||
#include "RequestManager.h"
|
||||
#include "NebulaLog.h"
|
||||
|
||||
#include "AuthManager.h"
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
@ -45,6 +47,27 @@ void RequestManager::VirtualNetworkDelete::execute(
|
||||
session = xmlrpc_c::value_string(paramList.getString(0));
|
||||
nid = xmlrpc_c::value_int (paramList.getInt (1));
|
||||
|
||||
// Only oneadmin or the VN owner can perform operations upon the VN
|
||||
rc = VirtualNetworkDelete::upool->authenticate(session);
|
||||
|
||||
if ( rc == -1 )
|
||||
{
|
||||
goto error_authenticate;
|
||||
}
|
||||
|
||||
//Authorize the operation
|
||||
if ( rc != 0 ) // rc == 0 means oneadmin
|
||||
{
|
||||
AuthRequest ar(rc);
|
||||
|
||||
ar.add_auth(AuthRequest::NET,nid,AuthRequest::DELETE,0,false);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
goto error_authorize;
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieve VN from the pool
|
||||
vn = vnpool->get(nid,true);
|
||||
|
||||
@ -54,14 +77,6 @@ void RequestManager::VirtualNetworkDelete::execute(
|
||||
}
|
||||
|
||||
uid = vn->get_uid();
|
||||
|
||||
// Only oneadmin or the VN owner can perform operations upon the VN
|
||||
rc = VirtualNetworkDelete::upool->authenticate(session);
|
||||
|
||||
if ( rc != 0 && rc != uid)
|
||||
{
|
||||
goto error_authenticate;
|
||||
}
|
||||
|
||||
rc = vnpool->drop(vn);
|
||||
|
||||
@ -79,8 +94,11 @@ void RequestManager::VirtualNetworkDelete::execute(
|
||||
return;
|
||||
|
||||
error_authenticate:
|
||||
vn->unlock();
|
||||
oss << "User cannot delete VN";
|
||||
oss << "User not authenticated, aborting VirtualNetworkDelete call";
|
||||
goto error_common;
|
||||
|
||||
error_authorize:
|
||||
oss << "User not authorized to delete Virtual Network with NID = " << nid;
|
||||
goto error_common;
|
||||
|
||||
error_vn_get:
|
||||
|
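Review bot: The request `ar.add_auth(AuthRequest::NET,nid,AuthRequest::DELETE,0,false);` in the first code hunk is built before `vn = vnpool->get(nid,true)`, so the fourth and fifth arguments are constants instead of the network's owner and public flag, while the third hunk removes the `rc != uid` comparison against `vn->get_uid()` that previously let a non-admin owner delete their own network. If the fourth argument carries the object owner, as the Publish file's removed `uid != vn->get_uid()` line suggests, the ownership decision no longer reaches the authorization layer and owners may be denied; the Info and Publish files pass `0` there as well even though `vn` is already fetched in both. Moving the block after the `vn == 0` check and using `ar.add_auth(AuthRequest::NET,nid,AuthRequest::DELETE,vn->get_uid(),vn->isPublic());`, with `vn->unlock();` added on the error_authorize path, would preserve the old semantics. The kept comment `// Only oneadmin or the VN owner can perform operations upon the VN` above the authenticate call now describes the removed check and should be reworded to say that authorization is delegated to UserPool::authorize. VirtualNetworkDelete::execute starts before and ends after these hunks.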
@ -17,6 +17,8 @@
|
||||
#include "RequestManager.h"
|
||||
#include "NebulaLog.h"
|
||||
|
||||
#include "AuthManager.h"
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
@ -51,7 +53,7 @@ void RequestManager::VirtualNetworkInfo::execute(
|
||||
{
|
||||
goto error_authenticate;
|
||||
}
|
||||
|
||||
|
||||
vn = vnpool->get(nid,true);
|
||||
|
||||
if ( vn == 0 )
|
||||
@ -59,6 +61,23 @@ void RequestManager::VirtualNetworkInfo::execute(
|
||||
goto error_vn_get;
|
||||
}
|
||||
|
||||
//Authorize the operation
|
||||
if ( rc != 0 ) // rc == 0 means oneadmin
|
||||
{
|
||||
AuthRequest ar(rc);
|
||||
|
||||
ar.add_auth(AuthRequest::NET,
|
||||
nid,
|
||||
AuthRequest::USE,
|
||||
0,
|
||||
vn->isPublic());
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
goto error_authorize;
|
||||
}
|
||||
}
|
||||
|
||||
oss << *vn;
|
||||
|
||||
vn->unlock();
|
||||
@ -82,9 +101,14 @@ error_authenticate:
|
||||
error_vn_get:
|
||||
oss << "Error getting Virtual Network with NID = " << nid;
|
||||
goto error_common;
|
||||
|
||||
error_authorize:
|
||||
vn->unlock();
|
||||
oss << "User not authorized to view VirtualNetwork" <<
|
||||
", VirtualNetworkInfo call aborted.";
|
||||
goto error_common;
|
||||
|
||||
error_common:
|
||||
|
||||
arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
|
||||
arrayData.push_back(xmlrpc_c::value_string(oss.str()));
|
||||
|
||||
|
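Review bot: The authorize block in the second hunk runs while `vn` is held locked — it is fetched with `vnpool->get(nid,true)` in the first hunk and only released by `vn->unlock()` after `oss << *vn` or at `error_authorize:` in the third hunk — so `UserPool::authorize(ar)` executes under the VN lock; if authorize dispatches to an authorization driver rather than deciding locally, the lock is held for the whole round-trip and other requests on this network queue behind it. The Publish file has the same structure. At minimum a comment on the `if (UserPool::authorize(ar) == -1)` line, e.g. `// vn stays locked across authorize(); keep this cheap or release the lock first`, records the trade-off. The first hunk of this file appears to be a whitespace-only change and needs nothing. VirtualNetworkInfo::execute starts before and ends after these hunks.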
@ -65,9 +65,21 @@ void RequestManager::VirtualNetworkPublish::execute(
|
||||
goto error_vn_get;
|
||||
}
|
||||
|
||||
if ( uid != 0 && uid != vn->get_uid() )
|
||||
//Authorize the operation
|
||||
if ( uid != 0 ) // uid == 0 means oneadmin
|
||||
{
|
||||
goto error_authorization;
|
||||
AuthRequest ar(uid);
|
||||
|
||||
ar.add_auth(AuthRequest::NET,
|
||||
nid,
|
||||
AuthRequest::MANAGE,
|
||||
0,
|
||||
vn->isPublic());
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
goto error_authorize;
|
||||
}
|
||||
}
|
||||
|
||||
vn->publish(publish_flag);
|
||||
@ -95,7 +107,7 @@ error_vn_get:
|
||||
oss << "[VirtualNetworkPublish] Error getting VN with ID = " << nid;
|
||||
goto error_common;
|
||||
|
||||
error_authorization:
|
||||
error_authorize:
|
||||
oss << "[VirtualNetworkPublish] User not authorized to (un)publish VN" <<
|
||||
", aborting call.";
|
||||
vn->unlock();
|
||||
|