
Feature #2653: Add more checks to ACL creation

This commit is contained in:
Carlos Martín 2014-01-28 18:21:49 +01:00
parent 87df948ee3
commit 7254f1b81a
2 changed files with 46 additions and 0 deletions


@ -272,6 +272,13 @@ private:
* Objects that cannot be used with the CLUSTER(%) selector
*/
static const long long INVALID_CLUSTER_OBJECTS;
/**
* Objects that cannot be used with the GROUP(@) selector
*/
static const long long INVALID_GROUP_OBJECTS;
static const long long FEDERATED_OBJECTS;
};
#endif /*ACL_RULE_H*/
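Review bot: `FEDERATED_OBJECTS` is the only one of the three masks declared in this hunk without a doc comment, while `INVALID_CLUSTER_OBJECTS` and `INVALID_GROUP_OBJECTS` each carry a `/** ... */` block describing which selector they restrict. The check that uses it in AclRule.cc rejects the INDIVIDUAL(#) resource selector on ALL zones unless every resource type bit is in this mask, so a comment grounded in that use would be `/** Objects that may be addressed with the INDIVIDUAL(#) selector in a rule for ALL zones */`. The comment should also point out that the error text in `AclRule::malformed()` repeats the members of this mask and must be updated together with it. The enclosing `AclRule` class starts outside the hunk.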


@ -56,6 +56,14 @@ const long long AclRule::INVALID_CLUSTER_OBJECTS =
PoolObjectSQL::TEMPLATE | PoolObjectSQL::GROUP | PoolObjectSQL::ACL |
PoolObjectSQL::CLUSTER | PoolObjectSQL::DOCUMENT | PoolObjectSQL::ZONE;
const long long AclRule::INVALID_GROUP_OBJECTS =
PoolObjectSQL::HOST | PoolObjectSQL::GROUP | PoolObjectSQL::CLUSTER |
PoolObjectSQL::ZONE;
const long long AclRule::FEDERATED_OBJECTS =
PoolObjectSQL::USER | PoolObjectSQL::GROUP | PoolObjectSQL::ZONE |
PoolObjectSQL::ACL;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -162,6 +170,21 @@ bool AclRule::malformed(string& error_str) const
<< PoolObjectSQL::type_to_str(PoolObjectSQL::NET) << " types";
}
if ((resource & GROUP_ID) && (resource_type & INVALID_GROUP_OBJECTS))
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] GROUP(@) selector cannot be applied to "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::HOST) << ", "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::GROUP) << ", "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::CLUSTER) << " or "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::ZONE) << " types";
}
if ( (resource & 0xF00000000LL) == 0 )
{
if ( error )
@ -293,6 +316,22 @@ bool AclRule::malformed(string& error_str) const
oss << "when using the ALL bit, [zone] ID must be 0";
}
if ((zone & ALL_ID) &&
(resource & INDIVIDUAL_ID) &&
( (resource_type & FEDERATED_OBJECTS) != resource_type ) )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] INDIVIDUAL(#) selector cannot be applied "
<< "to ALL zones, except for "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::USER) << ", "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::GROUP) << " and "
<< PoolObjectSQL::type_to_str(PoolObjectSQL::ZONE) << " types";
}
if ( error )
{
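Review bot: The error text built in the third hunk names USER, GROUP and ZONE as the only types allowed with INDIVIDUAL(#) on ALL zones, but `FEDERATED_OBJECTS` as defined in the first hunk also contains `PoolObjectSQL::ACL`, so an ACL resource passes the check while the message tells the user it would not. Either extend the list — `<< PoolObjectSQL::type_to_str(PoolObjectSQL::GROUP) << ", "`, `<< PoolObjectSQL::type_to_str(PoolObjectSQL::ZONE) << " and "`, `<< PoolObjectSQL::type_to_str(PoolObjectSQL::ACL) << " types";` — or drop ACL from the mask, whichever matches the intended policy. The GROUP(@) message in the second hunk has the same hand-maintained coupling to `INVALID_GROUP_OBJECTS`; it agrees today, but nothing ties the two together, so a comment on each mask definition such as `// keep in sync with the error text in AclRule::malformed()` would make the dependency visible to the next editor. `AclRule::malformed()` begins and ends outside these hunks.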