From 75d5e7a1fb65955289a8783b99b338604881b1d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Mart=C3=ADn?=
Date: Mon, 2 Jan 2012 22:14:43 +0100
Subject: [PATCH] Add the Object type to the PoolObjectAuth class

---
 include/AclManager.h                   |  2 -
 include/AuthManager.h                  | 10 ++---
 include/Group.h                        |  2 +-
 include/PoolObjectAuth.h               |  2 +
 include/PoolObjectSQL.h                | 19 +++++----
 include/User.h                         |  4 +-
 src/acl/AclManager.cc                  | 11 +++---
 src/authm/AuthManager.cc               |  9 ++---
 src/authm/test/AuthManagerTest.cc      | 53 ++++++++++++++++----------
 src/host/Host.cc                       |  2 +-
 src/image/Image.cc                     |  2 +-
 src/image/ImagePool.cc                 |  2 +-
 src/pool/test/TestPoolSQL.h            |  2 +-
 src/rm/Request.cc                      |  2 +-
 src/rm/RequestManagerAllocate.cc       |  8 ++--
 src/rm/RequestManagerVMTemplate.cc     |  2 +-
 src/rm/RequestManagerVirtualMachine.cc | 11 +++---
 src/scheduler/src/sched/Scheduler.cc   |  2 +-
 src/vm/VirtualMachine.cc               |  2 +-
 src/vm_template/VMTemplate.cc          |  2 +-
 src/vnm/VirtualNetwork.cc              |  8 ++--
 src/vnm/VirtualNetworkPool.cc          |  2 +-
 22 files changed, 85 insertions(+), 74 deletions(-)

diff --git a/include/AclManager.h b/include/AclManager.h
index 95f44e26b0..513d2b9d96 100644
--- a/include/AclManager.h
+++ b/include/AclManager.h
@@ -55,14 +55,12 @@ public:
      *
      * @param uid The user ID requesting to be authorized
      * @param gid Group ID of the user
-     * @param obj_type The object over which the operation will be performed
      * @param obj_perms The object's permission attributes
      * @param op The operation to be authorized
      * @return true if the authorization is granted by any rule
      */
     const bool authorize(int uid, int gid,
-                         AuthRequest::Object obj_type,
                          PoolObjectAuth * obj_perms,
                          AuthRequest::Operation op);
 
diff --git a/include/AuthManager.h b/include/AuthManager.h
index 0ae2923640..95c12013e4 100644
--- a/include/AuthManager.h
+++ b/include/AuthManager.h
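Review bot: The doc block of `authorize` no longer says where the object type comes from now that the `obj_type` parameter is gone, although the implementation in AclManager.cc (later in this patch) reads it from `obj_perms->obj_type` to build every resource mask. Update the remaining parameter line to `* @param obj_perms The object's permission attributes; obj_perms->obj_type selects the ACL resource type`. The two `add_auth` doc blocks in AuthManager.h have the same gap and should state that `ob_perms->obj_type` is what ends up in the OBJECT field of the request string.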
@@ -349,15 +349,13 @@ public:
      *
      *    OBJECT:OBJECT_ID:ACTION:OWNER:PUBLIC
      *
-     * @param ob the object over which the operation will be performed
      * @param op the operation to be authorized
      * @param ob_perms object's permission attributes
      */
-    void add_auth(Object        ob,
-                  Operation     op,
+    void add_auth(Operation     op,
                   PoolObjectAuth * ob_perms)
     {
-        add_auth(ob, op, ob_perms, "");
+        add_auth(op, ob_perms, "");
     }
 
     /**
@@ -366,14 +364,12 @@ public:
      *
      *    OBJECT:OBJECT_ID:ACTION:OWNER:PUBLIC
      *
-     * @param ob the object over which the operation will be performed
      * @param op the operation to be authorized
      * @param ob_perms object's permission attributes
      * @param ob_template new object's template. If it is empty,
      * it will be ignored
      */
-    void add_auth(Object        ob,
-                  Operation     op,
+    void add_auth(Operation     op,
                   PoolObjectAuth * ob_perms,
                   string          ob_template);
 
diff --git a/include/Group.h b/include/Group.h
index 0fdd367efa..4a06fa1263 100644
--- a/include/Group.h
+++ b/include/Group.h
@@ -78,7 +78,7 @@ private:
     // *************************************************************************
 
     Group(int id, const string& name):
-        PoolObjectSQL(id,name,-1,-1,"","",table),
+        PoolObjectSQL(id,name,-1,-1,"","",table,AuthRequest::GROUP),
         ObjectCollection("USERS"){};
 
     virtual ~Group(){};
diff --git a/include/PoolObjectAuth.h b/include/PoolObjectAuth.h
index 92d171e806..be59c5e1e2 100644
--- a/include/PoolObjectAuth.h
+++ b/include/PoolObjectAuth.h
@@ -26,6 +26,8 @@ class PoolObjectAuth
 public:
     PoolObjectAuth(PoolObjectSQL* obj)
     {
+        obj_type = obj->obj_type;
+
         oid = obj->oid;
         uid = obj->uid;
         gid = obj->gid;
diff --git a/include/PoolObjectSQL.h b/include/PoolObjectSQL.h
index d02dd5703c..79977628c4 100644
--- a/include/PoolObjectSQL.h
+++ b/include/PoolObjectSQL.h
@@ -20,6 +20,7 @@
 #include "ObjectSQL.h"
 #include "ObjectXML.h"
 #include "Template.h"
+#include "AuthManager.h"
 
 #include 
 #include 
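Review bot: The converting constructor in PoolObjectAuth.h now copies `obj_type` from the SQL object, but the patch also leaves several default-constructed instances (`new PoolObjectAuth()` in RequestManagerAllocate.cc, RequestManagerVirtualMachine.cc and Scheduler.cc, `PoolObjectAuth perm;` in the tests) whose `obj_type` is assigned by hand at each call site, and nothing visible in the patch initialises the field in the default constructor. Since `AclManager::authorize` ORs `obj_perms->obj_type` into every resource mask, a call site that forgets that assignment would evaluate the ACL rules for an indeterminate resource type instead of failing closed. If the default constructor (outside this hunk) does not already do so, initialise `obj_type` there to a defined value, and consider making the type a constructor argument so the field cannot be left unset.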
@@ -39,13 +40,14 @@ class PoolObjectAuth;
 class PoolObjectSQL : public ObjectSQL, public ObjectXML
 {
 public:
-    PoolObjectSQL(int           id,
-                  const string& _name,
-                  int           _uid,
-                  int           _gid,
-                  const string& _uname,
-                  const string& _gname,
-                  const char *  _table)
+    PoolObjectSQL(int                 id,
+                  const string&       _name,
+                  int                 _uid,
+                  int                 _gid,
+                  const string&       _uname,
+                  const string&       _gname,
+                  const char *        _table,
+                  AuthRequest::Object _obj_type)
         :ObjectSQL(),
          ObjectXML(),
          oid(id),
@@ -66,6 +68,7 @@ public:
          other_m(0),
          other_a(0),
          obj_template(0),
+         obj_type(_obj_type),
          table(_table)
     {
         pthread_mutex_init(&mutex,0);
@@ -455,6 +458,8 @@ protected:
      */
     Template * obj_template;
 
+    AuthRequest::Object obj_type;
+
 private:
 
     /**
diff --git a/include/User.h b/include/User.h
index c0cd2c0e14..0ae2c0adec 100644
--- a/include/User.h
+++ b/include/User.h
@@ -288,7 +288,7 @@ protected:
          const string& _password,
          const string& _auth_driver,
          bool          _enabled):
-        PoolObjectSQL(id,_uname,-1,_gid,"",_gname,table),
+        PoolObjectSQL(id,_uname,-1,_gid,"",_gname,table,AuthRequest::USER),
         password(_password),
         auth_driver(_auth_driver),
         enabled(_enabled),
@@ -338,4 +338,4 @@ protected:
     }
 };
 
-#endif /*USER_H_*/
\ No newline at end of file
+#endif /*USER_H_*/
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index 7935557700..845ec89a65 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -119,7 +119,6 @@ AclManager::~AclManager()
 const bool AclManager::authorize(
         int                     uid,
         int                     gid,
-        AuthRequest::Object     obj_type,
         PoolObjectAuth *        obj_perms,
         AuthRequest::Operation  op)
 {
@@ -133,7 +132,7 @@ const bool AclManager::authorize(
 
     if ( obj_perms->oid >= 0 )
     {
-        resource_oid_req = obj_type | AclRule::INDIVIDUAL_ID | obj_perms->oid;
+        resource_oid_req = obj_perms->obj_type | AclRule::INDIVIDUAL_ID | obj_perms->oid;
     }
     else
     {
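Review bot: The new protected member `AuthRequest::Object obj_type;` in PoolObjectSQL.h is the only data member in that section without a doc comment, while the neighbouring `obj_template` carries one. Add a block such as `/** Type of the object; copied into PoolObjectAuth and used by the ACL engine to build the resource identifier of authorization requests */` above it. The constructor documentation (outside this hunk) should also say that `_obj_type` is a mandatory argument every subclass must pass, which is why the patch touches every existing subclass.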
@@ -144,21 +143,21 @@ const bool AclManager::authorize(
 
     if ( obj_perms->gid >= 0 )
     {
-        resource_gid_req = obj_type | AclRule::GROUP_ID | obj_perms->gid;
+        resource_gid_req = obj_perms->obj_type | AclRule::GROUP_ID | obj_perms->gid;
     }
     else
     {
         resource_gid_req = AclRule::NONE_ID;
     }
 
-    long long resource_all_req = obj_type | AclRule::ALL_ID;
+    long long resource_all_req = obj_perms->obj_type | AclRule::ALL_ID;
     long long rights_req       = op;
 
     long long resource_oid_mask =
-            ( obj_type | AclRule::INDIVIDUAL_ID | 0x00000000FFFFFFFFLL );
+            ( obj_perms->obj_type | AclRule::INDIVIDUAL_ID | 0x00000000FFFFFFFFLL );
 
     long long resource_gid_mask =
-            ( obj_type | AclRule::GROUP_ID | 0x00000000FFFFFFFFLL );
+            ( obj_perms->obj_type | AclRule::GROUP_ID | 0x00000000FFFFFFFFLL );
 
     // Create a temporal rule, to log the request
diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc
index 199a95ebad..b83ab5909b 100644
--- a/src/authm/AuthManager.cc
+++ b/src/authm/AuthManager.cc
@@ -30,8 +30,7 @@ const char * AuthManager::auth_driver_name = "auth_exe";
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
-void AuthRequest::add_auth(Object        ob,
-                           Operation     op,
+void AuthRequest::add_auth(Operation     op,
                            PoolObjectAuth * ob_perms,
                            string          ob_template)
 {
@@ -42,7 +41,7 @@ void AuthRequest::add_auth(Object        ob,
     ostringstream oss;
     bool          auth;
 
-    oss << Object_to_str(ob) << ":";
+    oss << Object_to_str(ob_perms->obj_type) << ":";
 
     if ( !ob_template.empty() )
     {
@@ -82,7 +81,7 @@ void AuthRequest::add_auth(Object        ob,
         Nebula&     nd   = Nebula::instance();
         AclManager* aclm = nd.get_aclm();
 
-        auth = aclm->authorize(uid, gid, ob, ob_perms, op);
+        auth = aclm->authorize(uid, gid, ob_perms, op);
     }
 
     oss << auth; // Store the ACL authorization result in the request
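Review bot: `obj_perms->obj_type` is now spelled out five times across this hunk and the previous one, in `resource_oid_req`, `resource_gid_req`, `resource_all_req` and the two masks, which makes the bit layout of the resource identifier harder to read than it was with the plain `obj_type` parameter. Hoist it once near the top of the function, `const long long obj_type = obj_perms->obj_type;`, and keep the original expressions unchanged; that also confines the implicit enum-to-long-long widening to a single place. The body of authorize continues past the end of this hunk.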
@@ -103,7 +102,7 @@ void AuthRequest::add_auth(Object        ob,
         }
 
         oss << "Not authorized to perform " << Operation_to_str(op)
-            << " " << Object_to_str(ob);
+            << " " << Object_to_str(ob_perms->obj_type);
 
         if ( ob_perms->oid != -1 )
         {
diff --git a/src/authm/test/AuthManagerTest.cc b/src/authm/test/AuthManagerTest.cc
index 8921bd6d8c..b0f8bb232f 100644
--- a/src/authm/test/AuthManagerTest.cc
+++ b/src/authm/test/AuthManagerTest.cc
@@ -188,34 +188,34 @@ public:
         PoolObjectAuth perm;
         perm.gid = 0;
         perm.uid = -1;
+        perm.obj_type = AuthRequest::VM;
 
-        ar.add_auth(AuthRequest::VM,
-                    AuthRequest::CREATE,
+        ar.add_auth(AuthRequest::CREATE,
                     &perm,
                     "This is a template\n");
 
         perm.oid = 2;
         perm.gid = 0;
         perm.uid = 3;
+        perm.obj_type = AuthRequest::IMAGE;
 
-        ar.add_auth(AuthRequest::IMAGE,
-                    AuthRequest::USE,
+        ar.add_auth(AuthRequest::USE,
                     &perm);
 
         perm.oid = 4;
         perm.gid = 0;
         perm.uid = 5;
+        perm.obj_type = AuthRequest::NET;
 
-        ar.add_auth(AuthRequest::NET,
-                    AuthRequest::MANAGE,
+        ar.add_auth(AuthRequest::MANAGE,
                     &perm);
 
         perm.oid = 6;
         perm.gid = 0;
         perm.uid = 7;
+        perm.obj_type = AuthRequest::HOST;
 
-        ar.add_auth(AuthRequest::HOST,
-                    AuthRequest::MANAGE,
+        ar.add_auth(AuthRequest::MANAGE,
                     &perm);
 
         am->trigger(AuthManager::AUTHORIZE,&ar);
@@ -242,9 +242,9 @@ public:
         perm.oid = -1;
         perm.gid = 0;
         perm.uid = -1;
+        perm.obj_type = AuthRequest::VM;
 
-        ar1.add_auth(AuthRequest::VM,
-                     AuthRequest::CREATE,
+        ar1.add_auth(AuthRequest::CREATE,
                      &perm,
                      "This is a template\n");
 
@@ -306,18 +306,21 @@ public:
         perm.oid = -1;
         perm.gid = -1;
         perm.uid = 2;
-        ar.add_auth(AuthRequest::VM,AuthRequest::CREATE,&perm,"dGhpcy");
+        perm.obj_type = AuthRequest::VM;
+        ar.add_auth(AuthRequest::CREATE,&perm,"dGhpcy");
 
         perm.oid = 2;
         perm.gid = 1;
         perm.uid = 2;
-        ar.add_auth(AuthRequest::NET,AuthRequest::USE,&perm);
+        perm.obj_type = AuthRequest::NET;
+        ar.add_auth(AuthRequest::USE,&perm);
 
         perm.oid = 3;
         perm.gid = 1;
         perm.uid = 4;
         perm.group_u = 1;
-        ar.add_auth(AuthRequest::IMAGE,AuthRequest::USE,&perm);
+        perm.obj_type = AuthRequest::IMAGE;
+        ar.add_auth(AuthRequest::USE,&perm);
 
         CPPUNIT_ASSERT(ar.core_authorize() == true);
 
@@ -326,48 +329,56 @@ public:
         perm.oid = -1;
         perm.gid = -1;
         perm.uid = 2;
-        ar1.add_auth(AuthRequest::VM,AuthRequest::CREATE,&perm,"dGhpcy");
+        perm.obj_type = AuthRequest::VM;
+        ar1.add_auth(AuthRequest::CREATE,&perm,"dGhpcy");
 
         perm.oid = 2;
         perm.gid = 1;
         perm.uid = 2;
-        ar1.add_auth(AuthRequest::NET,AuthRequest::USE,&perm);
+        perm.obj_type = AuthRequest::NET;
+        ar1.add_auth(AuthRequest::USE,&perm);
 
         perm.oid = 3;
         perm.gid = 1;
         perm.uid = 4;
-        ar1.add_auth(AuthRequest::IMAGE,AuthRequest::USE,&perm);
+        perm.obj_type = AuthRequest::IMAGE;
+        ar1.add_auth(AuthRequest::USE,&perm);
 
         CPPUNIT_ASSERT(ar1.core_authorize() == false);
 
         perm.oid = -1;
         perm.gid = -1;
         perm.uid = 0;
-        ar2.add_auth(AuthRequest::HOST,AuthRequest::CREATE,&perm,"dGhpcy");
+        perm.obj_type = AuthRequest::HOST;
+        ar2.add_auth(AuthRequest::CREATE,&perm,"dGhpcy");
 
         CPPUNIT_ASSERT(ar2.core_authorize() == false);
 
         perm.oid = 5;
         perm.gid = 1;
         perm.uid = 2;
-        ar3.add_auth(AuthRequest::VM,AuthRequest::MANAGE,&perm);
+        perm.obj_type = AuthRequest::VM;
+        ar3.add_auth(AuthRequest::MANAGE,&perm);
 
         CPPUNIT_ASSERT(ar3.core_authorize() == false);
 
         perm.oid = 4;
         perm.gid = 1;
         perm.uid = 2;
-        ar4.add_auth(AuthRequest::VM,AuthRequest::MANAGE,&perm);
+        perm.obj_type = AuthRequest::VM;
+        ar4.add_auth(AuthRequest::MANAGE,&perm);
 
         CPPUNIT_ASSERT(ar4.core_authorize() == true);
 
         perm.oid = 4;
         perm.gid = -1;
         perm.uid = 0;
-        ar5.add_auth(AuthRequest::HOST,AuthRequest::MANAGE,&perm);
+        perm.obj_type = AuthRequest::HOST;
+        ar5.add_auth(AuthRequest::MANAGE,&perm);
 
         CPPUNIT_ASSERT(ar5.core_authorize() == true);
 
         perm.oid = 4;
         perm.gid = -1;
         perm.uid = 0;
-        ar6.add_auth(AuthRequest::HOST,AuthRequest::CREATE,&perm);
+        perm.obj_type = AuthRequest::HOST;
+        ar6.add_auth(AuthRequest::CREATE,&perm);
 
         CPPUNIT_ASSERT(ar6.core_authorize() == true);
     }
diff --git a/src/host/Host.cc b/src/host/Host.cc
index f692d3f0f3..4067552592 100644
--- a/src/host/Host.cc
+++ b/src/host/Host.cc
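Review bot: Every case in this hunk assigns `perm.obj_type` immediately before calling `add_auth`, so the suite never exercises the path the new signature makes possible, a `PoolObjectAuth` that reaches `add_auth` with its type never set. One additional case that builds a fresh `PoolObjectAuth` without touching `obj_type` and asserts the result of `core_authorize()` would pin down what the code does on that path, whatever the intended default is. Because `perm` is reused across all the existing cases, that check needs its own instance rather than another assignment to `perm`.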
@@ -35,7 +35,7 @@ Host::Host(
     const string& _vmm_mad_name,
     const string& _vnm_mad_name,
     const string& _tm_mad_name):
-    PoolObjectSQL(id,_hostname,-1,-1,"","",table),
+    PoolObjectSQL(id,_hostname,-1,-1,"","",table,AuthRequest::HOST),
     state(INIT),
     im_mad_name(_im_mad_name),
     vmm_mad_name(_vmm_mad_name),
diff --git a/src/image/Image.cc b/src/image/Image.cc
index af74077a48..79ed7919a8 100644
--- a/src/image/Image.cc
+++ b/src/image/Image.cc
@@ -39,7 +39,7 @@ Image::Image(int             _uid,
     const string&   _uname,
     const string&   _gname,
     ImageTemplate * _image_template):
-    PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table),
+    PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table,AuthRequest::IMAGE),
     type(OS),
     regtime(time(0)),
     source(""),
diff --git a/src/image/ImagePool.cc b/src/image/ImagePool.cc
index 6f1570c1ab..ceaf0564cf 100644
--- a/src/image/ImagePool.cc
+++ b/src/image/ImagePool.cc
@@ -329,7 +329,7 @@ void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar)
     perm = img->get_permissions();
     img->unlock();
 
-    ar->add_auth(AuthRequest::IMAGE, AuthRequest::USE, perm);
+    ar->add_auth(AuthRequest::USE, perm);
 
     delete perm;
 }
diff --git a/src/pool/test/TestPoolSQL.h b/src/pool/test/TestPoolSQL.h
index db6637697b..bd74b926bc 100644
--- a/src/pool/test/TestPoolSQL.h
+++ b/src/pool/test/TestPoolSQL.h
@@ -30,7 +30,7 @@ class TestObjectSQL : public PoolObjectSQL
 {
 public:
     //OBJECT ATTRIBUTES
-    TestObjectSQL(int n=-1, string t="default"):PoolObjectSQL(-1,t,0,0,"","",table),number(n),text(t){};
+    TestObjectSQL(int n=-1, string t="default"):PoolObjectSQL(-1,t,0,0,"","",table,AuthRequest::VM),number(n),text(t){};
 
     ~TestObjectSQL(){};
 
diff --git a/src/rm/Request.cc b/src/rm/Request.cc
index 7e338508df..fb65595734 100644
--- a/src/rm/Request.cc
+++ b/src/rm/Request.cc
@@ -83,7 +83,7 @@ bool Request::basic_authorization(int oid,
 
     AuthRequest ar(att.uid, att.gid);
 
-    ar.add_auth(auth_object, op, perms);
+    ar.add_auth(op, perms);
 
     if ( perms != 0 )
     {
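Review bot: In the Request.cc hunk, `ar.add_auth(op, perms)` is followed by a `perms != 0` guard, which suggests `perms` can be null at this point; `AuthRequest::add_auth` (AuthManager.cc, earlier in this patch) already dereferenced `ob_perms` before this change and now does so in its first statement via `ob_perms->obj_type`, so a null `perms` would crash inside the authorization check instead of being handled. If null is a legal value here, the call needs the same guard, `if ( perms != 0 ) { ar.add_auth(op, perms); }`, or the function should fail the authorization explicitly before reaching `add_auth`; if `perms` is in fact never null here, the guard below is misleading and could go instead. basic_authorization starts and ends outside this hunk, so which of the two holds cannot be confirmed from the patch.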
diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc
index c6acc12bcd..8436251064 100644
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
@@ -33,17 +33,18 @@ bool RequestManagerAllocate::allocate_authorization(Template * tmpl,
     PoolObjectAuth * perms = new PoolObjectAuth();
 
     perms->uid = att.uid;
+    perms->obj_type = auth_object;
 
     AuthRequest ar(att.uid, att.gid);
 
     if ( tmpl == 0 )
     {
-        ar.add_auth(auth_object, auth_op, perms);
+        ar.add_auth(auth_op, perms);
     }
     else
     {
         string t64;
-        ar.add_auth(auth_object, auth_op, perms, tmpl->to_xml(t64));
+        ar.add_auth(auth_op, perms, tmpl->to_xml(t64));
     }
 
     delete perms;
@@ -73,6 +74,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl,
     PoolObjectAuth * perms = new PoolObjectAuth;
 
     perms->uid = att.uid;
+    perms->obj_type = auth_object;
 
     AuthRequest ar(att.uid, att.gid);
 
@@ -80,7 +82,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl,
 
     VirtualMachineTemplate * ttmpl = static_cast(tmpl);
 
-    ar.add_auth(auth_object, auth_op, perms, tmpl->to_xml(t64));
+    ar.add_auth(auth_op, perms, tmpl->to_xml(t64));
 
     delete perms;
 
diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc
index 149f5437c4..98fcf2742d 100644
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
@@ -63,7 +63,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
     AuthRequest ar(att.uid, att.gid);
     string      tmpl_txt;
 
-    ar.add_auth(auth_object, auth_op, perms, tmpl->to_xml(tmpl_txt));
+    ar.add_auth(auth_op, perms, tmpl->to_xml(tmpl_txt));
 
     VirtualMachine::set_auth_request(att.uid, ar, tmpl);
 
diff --git a/src/rm/RequestManagerVirtualMachine.cc b/src/rm/RequestManagerVirtualMachine.cc
index ed6901177c..ff05ce730b 100644
--- a/src/rm/RequestManagerVirtualMachine.cc
+++ b/src/rm/RequestManagerVirtualMachine.cc
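Review bot: Both `allocate_authorization` bodies in RequestManagerAllocate.cc heap-allocate `perms` with `new PoolObjectAuth()`, set `uid` and the new `obj_type` field, and `delete` it by hand after the `add_auth` call, while the updated tests in this same patch simply pass `&perm` of a stack object. A local `PoolObjectAuth perms;` with `perms.obj_type = auth_object;` and `&perms` handed to `add_auth` removes the manual `delete` and, if `tmpl->to_xml(t64)` or `add_auth` can throw, the leak that would otherwise follow. The same new/assign/delete pattern appears in the RequestManagerVirtualMachine.cc and Scheduler.cc hunks later in the patch.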
@@ -50,7 +50,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
 
     AuthRequest ar(att.uid, att.gid);
 
-    ar.add_auth(auth_object, auth_op, vm_perms);
+    ar.add_auth(auth_op, vm_perms);
 
     delete vm_perms;
 
@@ -58,8 +58,9 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
     {
         PoolObjectAuth * host_perm = new PoolObjectAuth();
         host_perm->oid = hid;
+        host_perm->obj_type = AuthRequest::HOST;
 
-        ar.add_auth(AuthRequest::HOST, AuthRequest::MANAGE, host_perm);
+        ar.add_auth(AuthRequest::MANAGE, host_perm);
 
         delete host_perm;
     }
@@ -67,13 +68,11 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
     {
         PoolObjectAuth * image_perm = new PoolObjectAuth();
         image_perm->uid = att.uid;
+        image_perm->obj_type = AuthRequest::IMAGE;
 
         string t64;
 
-        ar.add_auth(AuthRequest::IMAGE,
-                    AuthRequest::CREATE,
-                    image_perm,
-                    tmpl->to_xml(t64));
+        ar.add_auth(AuthRequest::CREATE, image_perm, tmpl->to_xml(t64));
 
         delete image_perm;
     }
diff --git a/src/scheduler/src/sched/Scheduler.cc b/src/scheduler/src/sched/Scheduler.cc
index 84152bee4b..9f85e1c73b 100644
--- a/src/scheduler/src/sched/Scheduler.cc
+++ b/src/scheduler/src/sched/Scheduler.cc
@@ -346,10 +346,10 @@ void Scheduler::match()
             {
                 PoolObjectAuth * host_perms = new PoolObjectAuth();
                 host_perms->oid = host->get_hid();
+                host_perms->obj_type = AuthRequest::HOST;
 
                 matched = acls->authorize(uid,
                                           gid,
-                                          AuthRequest::HOST,
                                           host_perms,
                                           AuthRequest::MANAGE);
 
diff --git a/src/vm/VirtualMachine.cc b/src/vm/VirtualMachine.cc
index 96b9c1f42b..2d56e6b927 100644
--- a/src/vm/VirtualMachine.cc
+++ b/src/vm/VirtualMachine.cc
@@ -43,7 +43,7 @@ VirtualMachine::VirtualMachine(int           id,
     const string&            _uname,
     const string&            _gname,
     VirtualMachineTemplate * _vm_template):
-        PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table),
+        PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table,AuthRequest::VM),
         last_poll(0),
         state(INIT),
         lcm_state(LCM_INIT),
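Review bot: In the first RequestManagerVirtualMachine.cc hunk, `vm_perms` is passed to `add_auth(auth_op, vm_perms)` without any visible assignment to its `obj_type`, unlike `host_perm` and `image_perm` in the two hunks below, which set `AuthRequest::HOST` and `AuthRequest::IMAGE` right after construction. If `vm_perms` is obtained from the virtual machine's `get_permissions()` this is fine, because the converting constructor fills `obj_type` in from the object and that is what the ACL engine now keys on; it is created outside the hunk, so that cannot be confirmed here, and if it is built with `new PoolObjectAuth()` like the others it needs `vm_perms->obj_type = AuthRequest::VM;` before the call. A one-line comment at the call, `// obj_type is taken from the VM's permissions`, would make the dependency explicit for the next reader.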
diff --git a/src/vm_template/VMTemplate.cc b/src/vm_template/VMTemplate.cc
index 179363a784..0607a62d28 100644
--- a/src/vm_template/VMTemplate.cc
+++ b/src/vm_template/VMTemplate.cc
@@ -29,7 +29,7 @@ VMTemplate::VMTemplate(int id,
     const string&            _uname,
     const string&            _gname,
     VirtualMachineTemplate * _template_contents):
-        PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table),
+        PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table,AuthRequest::TEMPLATE),
         regtime(time(0))
 {
     if (_template_contents != 0)
diff --git a/src/vnm/VirtualNetwork.cc b/src/vnm/VirtualNetwork.cc
index bd545215a0..c665e95be3 100644
--- a/src/vnm/VirtualNetwork.cc
+++ b/src/vnm/VirtualNetwork.cc
@@ -36,10 +36,10 @@ VirtualNetwork::VirtualNetwork(int                      _uid,
     const string&            _uname,
     const string&            _gname,
     VirtualNetworkTemplate * _vn_template):
-        PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table),
-        bridge(""),
-        type(UNINITIALIZED),
-        leases(0)
+        PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table,AuthRequest::NET),
+        bridge(""),
+        type(UNINITIALIZED),
+        leases(0)
 {
     if (_vn_template != 0)
     {
diff --git a/src/vnm/VirtualNetworkPool.cc b/src/vnm/VirtualNetworkPool.cc
index e2e1b51097..6aa923bf23 100644
--- a/src/vnm/VirtualNetworkPool.cc
+++ b/src/vnm/VirtualNetworkPool.cc
@@ -269,7 +269,7 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
     perm = vnet->get_permissions();
     vnet->unlock();
 
-    ar->add_auth(AuthRequest::NET, AuthRequest::USE, perm);
+    ar->add_auth(AuthRequest::USE, perm);
 
     delete perm;
 }