
Add the Object type to the PoolObjectAuth class

Carlos Martín 2012-01-02 22:14:43 +01:00
parent fef8cdbf08
commit 75d5e7a1fb
22 changed files with 85 additions and 74 deletions


@ -55,14 +55,12 @@ public:
*
* @param uid The user ID requesting to be authorized
* @param gid Group ID of the user
* @param obj_type The object over which the operation will be performed
* @param obj_perms The object's permission attributes
* @param op The operation to be authorized
* @return true if the authorization is granted by any rule
*/
const bool authorize(int uid,
int gid,
AuthRequest::Object obj_type,
PoolObjectAuth * obj_perms,
AuthRequest::Operation op);
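Review bot: The remaining `@param obj_perms` line no longer says that the object type is read from it, even though the new AclManager::authorize body builds every resource mask from `obj_perms->obj_type` (and still reads `obj_perms->oid` and `obj_perms->gid`). Since the compiler-checked parameter is gone, the doc should carry that contract: `* @param obj_perms The object's permission attributes; obj_type, oid and gid are read from it, so it must not be null and obj_type must be set`. The same wording applies to the `@param ob_perms` lines of both AuthRequest::add_auth overloads in AuthManager.h, whose `@param ob` lines were dropped without moving the information into `ob_perms`.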


@ -349,15 +349,13 @@ public:
*
* OBJECT:OBJECT_ID:ACTION:OWNER:PUBLIC
*
* @param ob the object over which the operation will be performed
* @param op the operation to be authorized
* @param ob_perms object's permission attributes
*/
void add_auth(Object ob,
Operation op,
void add_auth(Operation op,
PoolObjectAuth * ob_perms)
{
add_auth(ob, op, ob_perms, "");
add_auth(op, ob_perms, "");
}
/**
@ -366,14 +364,12 @@ public:
*
* OBJECT:OBJECT_ID:ACTION:OWNER:PUBLIC
*
* @param ob the object over which the operation will be performed
* @param op the operation to be authorized
* @param ob_perms object's permission attributes
* @param ob_template new object's template. If it is empty,
* it will be ignored
*/
void add_auth(Object ob,
Operation op,
void add_auth(Operation op,
PoolObjectAuth * ob_perms,
string ob_template);


@ -78,7 +78,7 @@ private:
// *************************************************************************
Group(int id, const string& name):
PoolObjectSQL(id,name,-1,-1,"","",table),
PoolObjectSQL(id,name,-1,-1,"","",table,AuthRequest::GROUP),
ObjectCollection("USERS"){};
virtual ~Group(){};


@ -26,6 +26,8 @@ class PoolObjectAuth
public:
PoolObjectAuth(PoolObjectSQL* obj)
{
obj_type = obj->obj_type;
oid = obj->oid;
uid = obj->uid;
gid = obj->gid;
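Review bot: Only the PoolObjectSQL-based constructor is shown setting `obj_type`; the default constructor that the `new PoolObjectAuth()` / `new PoolObjectAuth` / `PoolObjectAuth perm;` sites in RequestManagerAllocate, RequestManagerVirtualMachine, Scheduler and the test use is outside the hunk, and if it leaves `obj_type` unset an authorization request that forgets the new `perms->obj_type = ...` assignment feeds an indeterminate enum value into the ACL resource masks. Before this commit that input was a mandatory parameter; now every hand-built PoolObjectAuth has to remember it. I would initialize `obj_type` in the default constructor to a deliberate value and add a comment on the member, e.g. `// Object type used to build the ACL resource masks; callers that construct a PoolObjectAuth by hand must set it`. The class body continues outside the hunk.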


@ -20,6 +20,7 @@
#include "ObjectSQL.h"
#include "ObjectXML.h"
#include "Template.h"
#include "AuthManager.h"
#include <pthread.h>
#include <string.h>
@ -45,7 +46,8 @@ public:
int _gid,
const string& _uname,
const string& _gname,
const char * _table)
const char * _table,
AuthRequest::Object _obj_type)
:ObjectSQL(),
ObjectXML(),
oid(id),
@ -66,6 +68,7 @@ public:
other_m(0),
other_a(0),
obj_template(0),
obj_type(_obj_type),
table(_table)
{
pthread_mutex_init(&mutex,0);
@ -455,6 +458,8 @@ protected:
*/
Template * obj_template;
AuthRequest::Object obj_type;
private:
/**
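Review bot: The new `AuthRequest::Object obj_type;` member sits between a documented `obj_template` and the `private:` label with no comment of its own, unlike its neighbours. A one-liner such as `/** Type of the object, used when it is authorized through PoolObjectAuth */` would keep the block consistent. Also note that this header now includes AuthManager.h while PoolObjectAuth.h reads `obj->obj_type` from a PoolObjectSQL; if AuthManager.h in turn pulls in PoolObjectAuth.h this becomes an include cycle, so a forward declaration of the enum's owner (or moving the Object enum out) may be worth checking.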


@ -288,7 +288,7 @@ protected:
const string& _password,
const string& _auth_driver,
bool _enabled):
PoolObjectSQL(id,_uname,-1,_gid,"",_gname,table),
PoolObjectSQL(id,_uname,-1,_gid,"",_gname,table,AuthRequest::USER),
password(_password),
auth_driver(_auth_driver),
enabled(_enabled),


@ -119,7 +119,6 @@ AclManager::~AclManager()
const bool AclManager::authorize(
int uid,
int gid,
AuthRequest::Object obj_type,
PoolObjectAuth * obj_perms,
AuthRequest::Operation op)
{
@ -133,7 +132,7 @@ const bool AclManager::authorize(
if ( obj_perms->oid >= 0 )
{
resource_oid_req = obj_type | AclRule::INDIVIDUAL_ID | obj_perms->oid;
resource_oid_req = obj_perms->obj_type | AclRule::INDIVIDUAL_ID | obj_perms->oid;
}
else
{
@ -144,21 +143,21 @@ const bool AclManager::authorize(
if ( obj_perms->gid >= 0 )
{
resource_gid_req = obj_type | AclRule::GROUP_ID | obj_perms->gid;
resource_gid_req = obj_perms->obj_type | AclRule::GROUP_ID | obj_perms->gid;
}
else
{
resource_gid_req = AclRule::NONE_ID;
}
long long resource_all_req = obj_type | AclRule::ALL_ID;
long long resource_all_req = obj_perms->obj_type | AclRule::ALL_ID;
long long rights_req = op;
long long resource_oid_mask =
( obj_type | AclRule::INDIVIDUAL_ID | 0x00000000FFFFFFFFLL );
( obj_perms->obj_type | AclRule::INDIVIDUAL_ID | 0x00000000FFFFFFFFLL );
long long resource_gid_mask =
( obj_type | AclRule::GROUP_ID | 0x00000000FFFFFFFFLL );
( obj_perms->obj_type | AclRule::GROUP_ID | 0x00000000FFFFFFFFLL );
// Create a temporal rule, to log the request
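Review bot: The hunk now spells out `obj_perms->obj_type` five times where the old parameter `obj_type` was used once per mask. Reading it once into a local at the top of the function, `AuthRequest::Object obj_type = obj_perms->obj_type;`, would leave the mask expressions byte-identical to the previous version and make the single point where the type enters the ACL computation obvious; it also keeps the dereference next to the existing `obj_perms->oid` / `obj_perms->gid` reads. authorize's body continues outside the hunk.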


@ -30,8 +30,7 @@ const char * AuthManager::auth_driver_name = "auth_exe";
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AuthRequest::add_auth(Object ob,
Operation op,
void AuthRequest::add_auth(Operation op,
PoolObjectAuth * ob_perms,
string ob_template)
{
@ -42,7 +41,7 @@ void AuthRequest::add_auth(Object ob,
ostringstream oss;
bool auth;
oss << Object_to_str(ob) << ":";
oss << Object_to_str(ob_perms->obj_type) << ":";
if ( !ob_template.empty() )
{
@ -82,7 +81,7 @@ void AuthRequest::add_auth(Object ob,
Nebula& nd = Nebula::instance();
AclManager* aclm = nd.get_aclm();
auth = aclm->authorize(uid, gid, ob, ob_perms, op);
auth = aclm->authorize(uid, gid, ob_perms, op);
}
oss << auth; // Store the ACL authorization result in the request
@ -103,7 +102,7 @@ void AuthRequest::add_auth(Object ob,
}
oss << "Not authorized to perform " << Operation_to_str(op)
<< " " << Object_to_str(ob);
<< " " << Object_to_str(ob_perms->obj_type);
if ( ob_perms->oid != -1 )
{
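Review bot: `oss << Object_to_str(ob_perms->obj_type)` is now the first use of `ob_perms` in add_auth and dereferences it unconditionally, whereas the old `Object_to_str(ob)` did not touch the pointer there. The caller Request::basic_authorization guards `if ( perms != 0 )` immediately after its `ar.add_auth(op, perms);` call, which suggests a null `perms` is considered possible on that path; if so this moves a crash earlier rather than introducing one, but either way the precondition should be explicit. Either add an early `if ( ob_perms == 0 ) { return; }`-style check (with whatever failure semantics the request string expects) or document in the header that `ob_perms` must be non-null. add_auth's body continues outside the hunks.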


@ -188,34 +188,34 @@ public:
PoolObjectAuth perm;
perm.gid = 0;
perm.uid = -1;
perm.obj_type = AuthRequest::VM;
ar.add_auth(AuthRequest::VM,
AuthRequest::CREATE,
ar.add_auth(AuthRequest::CREATE,
&perm,
"This is a template\n");
perm.oid = 2;
perm.gid = 0;
perm.uid = 3;
perm.obj_type = AuthRequest::IMAGE;
ar.add_auth(AuthRequest::IMAGE,
AuthRequest::USE,
ar.add_auth(AuthRequest::USE,
&perm);
perm.oid = 4;
perm.gid = 0;
perm.uid = 5;
perm.obj_type = AuthRequest::NET;
ar.add_auth(AuthRequest::NET,
AuthRequest::MANAGE,
ar.add_auth(AuthRequest::MANAGE,
&perm);
perm.oid = 6;
perm.gid = 0;
perm.uid = 7;
perm.obj_type = AuthRequest::HOST;
ar.add_auth(AuthRequest::HOST,
AuthRequest::MANAGE,
ar.add_auth(AuthRequest::MANAGE,
&perm);
am->trigger(AuthManager::AUTHORIZE,&ar);
@ -242,9 +242,9 @@ public:
perm.oid = -1;
perm.gid = 0;
perm.uid = -1;
perm.obj_type = AuthRequest::VM;
ar1.add_auth(AuthRequest::VM,
AuthRequest::CREATE,
ar1.add_auth(AuthRequest::CREATE,
&perm,
"This is a template\n");
@ -306,18 +306,21 @@ public:
perm.oid = -1;
perm.gid = -1;
perm.uid = 2;
ar.add_auth(AuthRequest::VM,AuthRequest::CREATE,&perm,"dGhpcy");
perm.obj_type = AuthRequest::VM;
ar.add_auth(AuthRequest::CREATE,&perm,"dGhpcy");
perm.oid = 2;
perm.gid = 1;
perm.uid = 2;
ar.add_auth(AuthRequest::NET,AuthRequest::USE,&perm);
perm.obj_type = AuthRequest::NET;
ar.add_auth(AuthRequest::USE,&perm);
perm.oid = 3;
perm.gid = 1;
perm.uid = 4;
perm.group_u = 1;
ar.add_auth(AuthRequest::IMAGE,AuthRequest::USE,&perm);
perm.obj_type = AuthRequest::IMAGE;
ar.add_auth(AuthRequest::USE,&perm);
CPPUNIT_ASSERT(ar.core_authorize() == true);
@ -326,48 +329,56 @@ public:
perm.oid = -1;
perm.gid = -1;
perm.uid = 2;
ar1.add_auth(AuthRequest::VM,AuthRequest::CREATE,&perm,"dGhpcy");
perm.obj_type = AuthRequest::VM;
ar1.add_auth(AuthRequest::CREATE,&perm,"dGhpcy");
perm.oid = 2;
perm.gid = 1;
perm.uid = 2;
ar1.add_auth(AuthRequest::NET,AuthRequest::USE,&perm);
perm.obj_type = AuthRequest::NET;
ar1.add_auth(AuthRequest::USE,&perm);
perm.oid = 3;
perm.gid = 1;
perm.uid = 4;
ar1.add_auth(AuthRequest::IMAGE,AuthRequest::USE,&perm);
perm.obj_type = AuthRequest::IMAGE;
ar1.add_auth(AuthRequest::USE,&perm);
CPPUNIT_ASSERT(ar1.core_authorize() == false);
perm.oid = -1;
perm.gid = -1;
perm.uid = 0;
ar2.add_auth(AuthRequest::HOST,AuthRequest::CREATE,&perm,"dGhpcy");
perm.obj_type = AuthRequest::HOST;
ar2.add_auth(AuthRequest::CREATE,&perm,"dGhpcy");
CPPUNIT_ASSERT(ar2.core_authorize() == false);
perm.oid = 5;
perm.gid = 1;
perm.uid = 2;
ar3.add_auth(AuthRequest::VM,AuthRequest::MANAGE,&perm);
perm.obj_type = AuthRequest::VM;
ar3.add_auth(AuthRequest::MANAGE,&perm);
CPPUNIT_ASSERT(ar3.core_authorize() == false);
perm.oid = 4;
perm.gid = 1;
perm.uid = 2;
ar4.add_auth(AuthRequest::VM,AuthRequest::MANAGE,&perm);
perm.obj_type = AuthRequest::VM;
ar4.add_auth(AuthRequest::MANAGE,&perm);
CPPUNIT_ASSERT(ar4.core_authorize() == true);
perm.oid = 4;
perm.gid = -1;
perm.uid = 0;
ar5.add_auth(AuthRequest::HOST,AuthRequest::MANAGE,&perm);
perm.obj_type = AuthRequest::HOST;
ar5.add_auth(AuthRequest::MANAGE,&perm);
CPPUNIT_ASSERT(ar5.core_authorize() == true);
perm.oid = 4;
perm.gid = -1;
perm.uid = 0;
ar6.add_auth(AuthRequest::HOST,AuthRequest::CREATE,&perm);
perm.obj_type = AuthRequest::HOST;
ar6.add_auth(AuthRequest::CREATE,&perm);
CPPUNIT_ASSERT(ar6.core_authorize() == true);
}


@ -35,7 +35,7 @@ Host::Host(
const string& _vmm_mad_name,
const string& _vnm_mad_name,
const string& _tm_mad_name):
PoolObjectSQL(id,_hostname,-1,-1,"","",table),
PoolObjectSQL(id,_hostname,-1,-1,"","",table,AuthRequest::HOST),
state(INIT),
im_mad_name(_im_mad_name),
vmm_mad_name(_vmm_mad_name),


@ -39,7 +39,7 @@ Image::Image(int _uid,
const string& _uname,
const string& _gname,
ImageTemplate * _image_template):
PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table),
PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table,AuthRequest::IMAGE),
type(OS),
regtime(time(0)),
source(""),


@ -329,7 +329,7 @@ void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar)
perm = img->get_permissions();
img->unlock();
ar->add_auth(AuthRequest::IMAGE, AuthRequest::USE, perm);
ar->add_auth(AuthRequest::USE, perm);
delete perm;
}


@ -30,7 +30,7 @@ class TestObjectSQL : public PoolObjectSQL
{
public:
//OBJECT ATTRIBUTES
TestObjectSQL(int n=-1, string t="default"):PoolObjectSQL(-1,t,0,0,"","",table),number(n),text(t){};
TestObjectSQL(int n=-1, string t="default"):PoolObjectSQL(-1,t,0,0,"","",table,AuthRequest::VM),number(n),text(t){};
~TestObjectSQL(){};


@ -83,7 +83,7 @@ bool Request::basic_authorization(int oid,
AuthRequest ar(att.uid, att.gid);
ar.add_auth(auth_object, op, perms);
ar.add_auth(op, perms);
if ( perms != 0 )
{


@ -33,17 +33,18 @@ bool RequestManagerAllocate::allocate_authorization(Template * tmpl,
PoolObjectAuth * perms = new PoolObjectAuth();
perms->uid = att.uid;
perms->obj_type = auth_object;
AuthRequest ar(att.uid, att.gid);
if ( tmpl == 0 )
{
ar.add_auth(auth_object, auth_op, perms);
ar.add_auth(auth_op, perms);
}
else
{
string t64;
ar.add_auth(auth_object, auth_op, perms, tmpl->to_xml(t64));
ar.add_auth(auth_op, perms, tmpl->to_xml(t64));
}
delete perms;
@ -73,6 +74,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl,
PoolObjectAuth * perms = new PoolObjectAuth;
perms->uid = att.uid;
perms->obj_type = auth_object;
AuthRequest ar(att.uid, att.gid);
@ -80,7 +82,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl,
VirtualMachineTemplate * ttmpl = static_cast<VirtualMachineTemplate *>(tmpl);
ar.add_auth(auth_object, auth_op, perms, tmpl->to_xml(t64));
ar.add_auth(auth_op, perms, tmpl->to_xml(t64));
delete perms;


@ -63,7 +63,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
AuthRequest ar(att.uid, att.gid);
string tmpl_txt;
ar.add_auth(auth_object, auth_op, perms, tmpl->to_xml(tmpl_txt));
ar.add_auth(auth_op, perms, tmpl->to_xml(tmpl_txt));
VirtualMachine::set_auth_request(att.uid, ar, tmpl);


@ -50,7 +50,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
AuthRequest ar(att.uid, att.gid);
ar.add_auth(auth_object, auth_op, vm_perms);
ar.add_auth(auth_op, vm_perms);
delete vm_perms;
@ -58,8 +58,9 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
{
PoolObjectAuth * host_perm = new PoolObjectAuth();
host_perm->oid = hid;
host_perm->obj_type = AuthRequest::HOST;
ar.add_auth(AuthRequest::HOST, AuthRequest::MANAGE, host_perm);
ar.add_auth(AuthRequest::MANAGE, host_perm);
delete host_perm;
}
@ -67,13 +68,11 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
{
PoolObjectAuth * image_perm = new PoolObjectAuth();
image_perm->uid = att.uid;
image_perm->obj_type = AuthRequest::IMAGE;
string t64;
ar.add_auth(AuthRequest::IMAGE,
AuthRequest::CREATE,
image_perm,
tmpl->to_xml(t64));
ar.add_auth(AuthRequest::CREATE, image_perm, tmpl->to_xml(t64));
delete image_perm;
}
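Review bot: `host_perm` and `image_perm` are heap-allocated with `new`, assigned two fields, passed to add_auth and deleted three lines later; nothing visible retains the pointer, so a stack object would do the same work without the manual `delete` (and without a leak if add_auth ever threw). For the host block that is `PoolObjectAuth host_perm; host_perm.oid = hid; host_perm.obj_type = AuthRequest::HOST;` followed by `ar.add_auth(AuthRequest::MANAGE, &host_perm);`, and the image block is analogous. The same pattern appears in the RequestManagerAllocate hunks and in Scheduler::match; I have not checked whether anything outside those hunks keeps the pointer, so confirm before changing them.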


@ -346,10 +346,10 @@ void Scheduler::match()
{
PoolObjectAuth * host_perms = new PoolObjectAuth();
host_perms->oid = host->get_hid();
host_perms->obj_type = AuthRequest::HOST;
matched = acls->authorize(uid,
gid,
AuthRequest::HOST,
host_perms,
AuthRequest::MANAGE);


@ -43,7 +43,7 @@ VirtualMachine::VirtualMachine(int id,
const string& _uname,
const string& _gname,
VirtualMachineTemplate * _vm_template):
PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table),
PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table,AuthRequest::VM),
last_poll(0),
state(INIT),
lcm_state(LCM_INIT),


@ -29,7 +29,7 @@ VMTemplate::VMTemplate(int id,
const string& _uname,
const string& _gname,
VirtualMachineTemplate * _template_contents):
PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table),
PoolObjectSQL(id,"",_uid,_gid,_uname,_gname,table,AuthRequest::TEMPLATE),
regtime(time(0))
{
if (_template_contents != 0)


@ -36,7 +36,7 @@ VirtualNetwork::VirtualNetwork(int _uid,
const string& _uname,
const string& _gname,
VirtualNetworkTemplate * _vn_template):
PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table),
PoolObjectSQL(-1,"",_uid,_gid,_uname,_gname,table,AuthRequest::NET),
bridge(""),
type(UNINITIALIZED),
leases(0)


@ -269,7 +269,7 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
perm = vnet->get_permissions();
vnet->unlock();
ar->add_auth(AuthRequest::NET, AuthRequest::USE, perm);
ar->add_auth(AuthRequest::USE, perm);
delete perm;
}