diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc
index 99d8667825..aeb40d0ba1 100644
--- a/src/authm/AuthManager.cc
+++ b/src/authm/AuthManager.cc
@@ -117,6 +117,28 @@ void AuthRequest::add_auth(Object ob,
 self_authorize = self_authorize && auth;
 auths.push_back(oss.str());
+
+ if ( auth == false )
+ {
+ ostringstream oss;
+
+ oss << message;
+
+ if ( !message.empty() )
+ {
+ oss << "; ";
+ }
+
+ oss << "Not authorized to perform " << Operation_to_str(op)
+ << " " << Object_to_str(ob);
+
+ if ( ob_id_int != -1 )
+ {
+ oss << " [" << ob_id << "]";
+ }
+
+ message = oss.str();
+ }
 }
 /* -------------------------------------------------------------------------- */
@@ -417,7 +439,20 @@ void AuthManager::notify_request(int auth_id,bool result,const string& message)
 }
 ar->result = result;
- ar->message= message;
+
+ if ( message != "-" )
+ {
+ ostringstream oss;
+
+ if ( !ar->message.empty() )
+ {
+ oss << ar->message << "; ";
+ }
+
+ oss << message;
+
+ ar->message = oss.str();
+ }
 ar->notify();
 }
diff --git a/src/authm_mad/one_auth_mad.rb b/src/authm_mad/one_auth_mad.rb
index c1b9d6cd06..0b26c92f45 100755
--- a/src/authm_mad/one_auth_mad.rb
+++ b/src/authm_mad/one_auth_mad.rb
@@ -49,7 +49,9 @@ class AuthDriver < OpenNebulaDriver
 #
 # @param [String] the authorization method to be used, nil to use the
 # built-in ACL engine
- def initialize(authZ, nthreads)
+ # @param [Array] authentication modules enabled, nil will use any
+ # any method existing in remotes directory
+ def initialize(authZ, authN, nthreads)
 super(
 "auth",
 :concurrency => nthreads,
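Review bot: The `ostringstream oss;` declared inside the new `if ( auth == false )` block shadows the function-level `oss` whose contents were pushed to `auths` on the line just above, which makes the block easy to misread and trips `-Wshadow`; a distinct name such as `ostringstream msg_oss;` avoids that. `if ( auth == false )` reads more naturally as `if ( !auth )`, matching the `!message.empty()` test a few lines below. `message` keeps accumulating across successive `add_auth` calls on the same request, which looks intentional, so a one-line comment on the assignment (`// one entry per denied object, joined with "; "`) would spare the next reader the question. add_auth's signature and the earlier part of its body lie outside the hunk.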
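Review bot: The literal `"-"` in `if ( message != "-" )` is presumably the driver-protocol marker for "no message", but nothing in the hunk says so; a named constant (`static const string NO_DRIVER_MESSAGE = "-";`) or at least a comment on that line would stop it from being read as a typo. The driver's text is now appended to `ar->message` instead of replacing it, and judging by Request::authorization_error in this same diff that combined string ends up in the error returned to the API client, so the function comment should say that authorization scripts under remotes must not put internal paths or debugging detail in their failure text. The append also happens when `result` is true; if a successful authorization is not meant to carry driver text, guard with `if ( !result && message != "-" )`. notify_request's opening, where `ar` is looked up, is outside the hunk.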
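Review bot: The new `@param [Array]` tag has a duplicated word (`nil will use any any method`) and, like the existing `@param [String]` line, omits the parameter name, so YARD cannot tie it to `authN`; suggest `# @param [Array<String>, String, nil] authN authentication protocols enabled; nil enables every protocol with an authenticate script under the remotes directory`. The tag should also mention that a bare String is accepted, since the constructor body handles that case in the next hunk. The positional signature changed from `(authZ, nthreads)` to `(authZ, authN, nthreads)`, so any caller of `AuthDriver.new` not updated in this diff would pass its thread count as `authN` and fail at the first `include?` call; only the main-program call is visibly updated here. initialize's body continues past this hunk.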
@@ -66,6 +68,20 @@ class AuthDriver < OpenNebulaDriver
 else
 @authZ_cmd = nil
 end
+
+ if authN == nil
+ # get the directories from remotes dir that have an authenticate
+ # script
+ @authN_protocols=Dir[@local_scripts_path+"/*/authenticate"].map do |d|
+ d.split('/')[-2]
+ end
+ else
+ if authN.class==String
+ @authN_protocols=[authN]
+ else
+ @authN_protocols=authN
+ end
+ end
 end
 # Authenticate a user based in a string of the form user:secret when using the
@@ -88,6 +104,14 @@ class AuthDriver < OpenNebulaDriver
 secret_attr.shift
 end
+ unless @authN_protocols.include?(protocol)
+ return send_message(
+ ACTION[:authN],
+ RESULT[:failure],
+ request_id,
+ "Authentication rotocol '#{protocol}' not available")
+ end
+
 #build path for the auth action
 #/var/lib/one/remotes/auth//authenticate
 authN_path = File.join(@local_scripts_path, protocol)
@@ -133,11 +157,13 @@ end
 # Auth Driver Main program
 opts = GetoptLong.new(
 [ '--threads', '-t', GetoptLong::REQUIRED_ARGUMENT ],
- [ '--authz', '-z', GetoptLong::REQUIRED_ARGUMENT ]
+ [ '--authz', '-z', GetoptLong::REQUIRED_ARGUMENT ],
+ [ '--authn', '-n', GetoptLong::REQUIRED_ARGUMENT ]
 )
 threads = 15
 authz = nil
+authn = nil
 begin
 opts.each do |opt, arg|
@@ -146,12 +172,14 @@ begin
 threads = arg.to_i
 when '--authz'
 authz = arg
+ when '--authn'
+ authn = arg.split(',').map {|a| a.strip }
 end
 end
 rescue Exception => e
 exit(-1)
 end
-auth_driver = AuthDriver.new(authz, threads)
+auth_driver = AuthDriver.new(authz, authn, threads)
 auth_driver.start_driver
diff --git a/src/authm_mad/remotes/quota/quota.rb b/src/authm_mad/remotes/quota/quota.rb
index 37304120e2..1f13234e45 100644
--- a/src/authm_mad/remotes/quota/quota.rb
+++ b/src/authm_mad/remotes/quota/quota.rb
@@ -190,6 +190,7 @@ class Quota
 quota = get_quota(user_id)
 msg = ""
+ separator = ""
 info.each { |qname, quota_requested|
 unless quota[qname]
 next
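Review bot: When `authN` is nil the driver enables every directory under `@local_scripts_path` that holds an `authenticate` script, so any protocol dropped into remotes — test or dummy ones included — becomes reachable from the wire by default; that matches the comment's intent, but an explicit allow-list default in the driver configuration would be the safer posture, and the resolved list should at least be logged at startup so operators can see what is enabled. The nested else branch collapses to one line, `@authN_protocols = Array(authN)`, which covers both the String and the Array case; if the branches stay, `authN == nil` and `authN.class==String` are better written `authN.nil?` and `authN.is_a?(String)`. A comment over the `Dir[...]` glob should say that the protocol name is taken from the directory component (`d.split('/')[-2]`) because that same name is later matched against client input. initialize begins before this hunk.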
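Review bot: The user-visible failure string has a typo — `"Authentication rotocol '#{protocol}' not available"` should read `"Authentication protocol '#{protocol}' not available"`. The check itself is the important part of this hunk: `protocol` appears to come from the client-supplied string parsed before the hunk starts and is joined into `authN_path` right below, so the `include?` test is what keeps a crafted value such as `../../x` from selecting an arbitrary script; a comment saying so (`# allow-list check: protocol is client input and becomes a path component`) would keep a future refactor from moving it after the `File.join`. Since the rejected value is echoed back in the message, make sure `send_message` bounds or escapes it for whatever transport it writes to; that code is not visible here. The enclosing method starts before this hunk.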
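Review bot: `arg.split(',').map {|a| a.strip }` keeps empty elements, so `--authn ldap,,x509` or a trailing comma yields an empty-string protocol; `arg.split(',').map(&:strip).reject(&:empty?)` drops them. A misspelt name is accepted silently here and only surfaces as a failed login later; verifying at startup that each listed protocol actually has an `authenticate` script (the same `Dir` lookup initialize performs for the nil case) — or at least warning — would make the misconfiguration visible. The pre-existing `rescue Exception => e` followed by `exit(-1)` also discards the parse error, so a malformed option currently exits with no diagnostic at all.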
@@ -201,10 +202,13 @@ class Quota
 spent = used + request
 if spent > limit
+ msg << separator
 msg << " #{qname.to_s.upcase} quota exceeded "
 msg << "(Quota: #{limit}, "
 msg << "Used: #{used}, "
 msg << "Requested: #{request})"
+
+ separator = ";"
 end
 }
diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 1fa41d3c58..f76ace7cc8 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -117,12 +117,11 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
 begin
 proxy = File.read(options[:proxy])
- rc = proxy.scan(/(-+BEGIN CERTIFICATE-+\n[^-]*\n-+END CERTIFICATE-+)/)
- certs = rc.flatten!
+ certs = proxy.scan(/(-+BEGIN CERTIFICATE-+\n[^-]*\n-+END CERTIFICATE-+)/)
+ certs.flatten!
 rc = proxy.match(/(-+BEGIN RSA PRIVATE KEY-+\n[^-]*\n-+END RSA PRIVATE KEY-+)/)
-
- key = rc[1]
+ key= rc[1]
 auth = X509Auth.new(:certs_pem=>certs, :key_pem=>key)
 rescue => e
diff --git a/src/mad/sh/scripts_common.sh b/src/mad/sh/scripts_common.sh
index 221c997959..61ba330d0d 100755
--- a/src/mad/sh/scripts_common.sh
+++ b/src/mad/sh/scripts_common.sh
@@ -20,7 +20,7 @@ BASH=/bin/bash
 CUT=cut
 DATE=/bin/date
 DD=/bin/dd
-DU=/bin/du
+DU=/usr/bin/du
 LVCREATE=/sbin/lvcreate
 LVREMOVE=/sbin/lvremove
 LVS=/sbin/lvs
diff --git a/src/rm/Request.cc b/src/rm/Request.cc
index 606d5d203d..5a3c2b73be 100644
--- a/src/rm/Request.cc
+++ b/src/rm/Request.cc
@@ -189,13 +189,16 @@ string Request::authorization_error (const string &message,
 {
 ostringstream oss;
- oss << "[" << method_name << "]" << " User [" << att.uid << "] not authorized"
- << " to perform action on " << object_name(auth_object) << ".";
+ oss << "[" << method_name << "]" << " User [" << att.uid << "] ";
-
- if ( !message.empty() )
+ if ( message.empty() )
 {
- oss << message ;
+ oss << "not authorized to perform action on "
+ << object_name(auth_object) << ".";
+ }
+ else
+ {
+ oss << ": " << message << ".";
 }
 return oss.str();
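Review bot: The `separator` bookkeeping is easier to read as an array join: push each exceeded-quota sentence into a list and build `msg = parts.join(';')` after the loop, which also removes the leading space baked into `" #{qname.to_s.upcase} quota exceeded "` that now follows every `;`. An empty list joins to `""`, the same value `msg` starts with, so whatever the caller does with an empty message is unaffected. The enclosing method and the `info.each` block both begin before this hunk.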
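Review bot: With the scan-then-`flatten!` form, a proxy file containing no certificate now yields `certs == []` instead of `nil`, and the code goes on to call `X509Auth.new` with an empty list, while a file with no key still raises `NoMethodError` on `rc[1]` and lands in the generic `rescue => e`; explicit checks such as `raise "no certificate found in #{options[:proxy]}" if certs.empty?` and `raise "no RSA private key found in #{options[:proxy]}" unless rc` give the user an actionable error instead of whatever that rescue prints. Both patterns only recognise `BEGIN RSA PRIVATE KEY` (PKCS#1) and rely on `[^-]*` to span the base64 body, which holds for standard PEM but means PKCS#8 `BEGIN PRIVATE KEY` files will not match — worth a comment if that is intended. `key= rc[1]` also lost the space around `=`. The begin/rescue belongs to a method that starts before the hunk, and the rescue body lies after it.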
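Review bot: `DU=/usr/bin/du` hard-codes a location that differs between distributions — the file's own `CUT=cut` three lines up relies on `$PATH` instead — so this swap is likely to fix one platform and break another. If absolute paths are deliberate (to avoid `$PATH` lookups in scripts run with elevated privilege), a fallback keeps both layouts working: `DU=/usr/bin/du; [ -x "$DU" ] || DU=/bin/du`; otherwise `DU=du` matches `CUT`. I cannot see which platform motivated the change, so this is a portability question rather than a definite defect.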
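Review bot: The message branch now renders as `[method] User [uid] : <message>.` — the trailing space in the first `oss <<` line plus the `": "` literal leaves a stray space before the colon, and when `message` already ends with a period the output ends in `..`; since the messages built in AuthRequest::add_auth elsewhere in this diff already start with `Not authorized to perform …`, `oss << message << ".";` without the colon reads cleanly and keeps the empty-message branch untouched. `message` here is the text accumulated by add_auth and AuthManager::notify_request, which can include authorization-driver output, and this string is presumably what the API client receives; the comment above the function (outside the hunk) should state that driver messages are relayed verbatim, so drivers must keep internal detail out of them. The function's signature is in the hunk header and its closing brace lies beyond the hunk.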