mirror of https://github.com/OpenNebula/one.git synced 2024-12-23 17:33:56 +03:00

B #6022: Fix lock override and --all flag (#2427)

* This commit syncs oned and API specification for the ALL flag. The internal defines were not consistent with the API specification.
Pavel Czerný 2023-01-04 15:53:50 +01:00 committed by GitHub
parent 9959ceac06
commit 82d2191dfd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 52 additions and 14 deletions


@ -75,10 +75,10 @@ public:
*/
enum LockStates
{
ST_NONE = 0x0LL,
ST_USE = 0x1LL,
ST_MANAGE = 0x2LL,
ST_ADMIN = 0x4LL
ST_NONE = 0,
ST_USE = 1,
ST_MANAGE = 2,
ST_ADMIN = 3
};
static const long int LockableObject;
@ -530,7 +530,10 @@ public:
*
* @return 0 if the lock was granted, -1 if the object is already locked
*/
int lock_db(const int owner, const int req_id, const int level);
int lock_db(const int owner,
const int req_id,
const int level,
const bool is_admin);
/**
* Unlocks the DB lock for external applications. The object must be locked
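Review bot: Renumbering `ST_ADMIN` from `0x4LL` to `3` in `LockStates` changes what the stored number means for anything that still holds the old value, and the enum has no comment saying the values are now ordinal levels rather than flags. If lock levels are persisted with the object (the `lock_db` name and the `pool->update` call in the request handler suggest so), objects locked at ADMIN before the upgrade would still carry 4, which matches no enumerator; no migration or tolerant read path is visible on this page. I would document the ordering contract on the enum, e.g. `// Ordinal lock levels, compared with <= against the requested operation in AclManager; do not renumber.` The second hunk adds `is_admin` to `lock_db` without a matching `@param` line in the visible part of the doc comment, and the `@return` text does not mention the new refusal when another owner holds the lock.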


@ -40,9 +40,13 @@ protected:
void request_execute(xmlrpc_c::paramList const& _paramList,
RequestAttributes& att) override;
int lock_db(PoolObjectSQL * object, const int owner, const int req_id, const int level)
int lock_db(PoolObjectSQL * object,
const int owner,
const int req_id,
const int level,
const bool is_admin)
{
return object->lock_db(owner, req_id, level);
return object->lock_db(owner, req_id, level, is_admin);
};
};


@ -195,11 +195,11 @@ bool AclManager::authorize(
long long user_req;
long long resource_oid_req;
if (static_cast<long long int>(op) & 0x10LL) //No lockable object
if (op & 0x10LL) //No lockable object
{
op = static_cast<AuthRequest::Operation>(op & 0x0FLL);
}
else if (obj_perms.locked > 0 && obj_perms.locked <= static_cast<long long int>(op))
else if (obj_perms.locked > 0 && obj_perms.locked <= op)
{
return false;
}
@ -385,11 +385,11 @@ bool AclManager::oneadmin_authorize(
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op) const
{
if (static_cast<long long int>(op) & 0x10LL) //No lockable object
if (op & 0x10LL) //No lockable object
{
return true;
}
else if (obj_perms.locked > 0 && obj_perms.locked <= static_cast<long long int>(op))
else if (obj_perms.locked > 0 && obj_perms.locked <= op)
{
return false;
}
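Review bot: The comparison `obj_perms.locked <= op` in both `authorize` and `oneadmin_authorize` now relates two different numbering schemes, and with the casts removed nothing in the code says so. `op` is tested against the bit mask `0x10LL`, so `AuthRequest::Operation` looks flag-valued, while this commit makes the lock levels ordinal (1, 2, 3); whether a level-3 lock still blocks the intended operations depends on the numeric values of `Operation`, which are not shown here. A small named helper for this test, shared by both functions and carrying a comment such as `// lock level N blocks every operation whose value is >= N`, would keep the two checks from drifting apart and make the dependency reviewable. The unnamed `0x10LL` and `0x0FLL` masks would read better as named constants next to the `Operation` definition. Both function bodies continue outside the hunks.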


@ -1016,7 +1016,7 @@ void Image::set_state(ImageState _state)
}
else if (state == LOCKED)
{
lock_db(-1,-1, PoolObjectSQL::LockStates::ST_USE);
lock_db(-1,-1, PoolObjectSQL::LockStates::ST_USE, true);
}
if (_state != LOCKED )
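Review bot: The bare `true` passed as `is_admin` in `Image::set_state` lets this internal transition replace a lock held by any other owner, and nothing at the call site says that this is intended. Because the owner argument is `-1`, `lock_db` as changed in this commit overwrites `lock_owner`, so the previous holder is no longer recorded. If that is the desired behaviour, state it where the call is made: `// internal state lock: deliberately overrides any user lock (is_admin = true)`. `set_state` starts and ends outside this hunk, so the surrounding conditions are not visible.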


@ -587,13 +587,22 @@ bool PoolObjectSQL::name_is_valid(const string& obj_name,
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
int PoolObjectSQL::lock_db(const int owner, const int req_id, const int level)
int PoolObjectSQL::lock_db(const int owner,
const int req_id,
const int level,
const bool is_admin)
{
if ( level < ST_NONE || level > ST_ADMIN )
{
return -1;
}
if (locked != ST_NONE && lock_owner != owner && !is_admin)
{
// Only admin can override lock
return -1;
}
locked = static_cast<LockStates>(level);
lock_time = time(0);
lock_owner = owner;
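Review bot: The new comment `// Only admin can override lock` does not match the condition it sits under: the check also lets the current `lock_owner` replace the lock, at any level, including a lower one. Both refusals in `PoolObjectSQL::lock_db` return `-1`, so a caller cannot tell an out-of-range `level` from a lock held by someone else, and the header's `@return` text describes only the second case. I would reword the comment to `// Locked by another owner: only an admin may replace the lock` and, if callers need to report the reason, use distinct return codes. When an admin does override, the previous `lock_owner` is overwritten with no trace visible in this hunk; a log line at that point would help auditing. The function body continues past the end of the hunk.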


@ -62,6 +62,27 @@ void RequestManagerLock::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
switch(level)
{
case 1: //USE + MANAGE + ADMIN
level = PoolObjectSQL::ST_USE;
break;
case 2: //MANAGE + ADMIN
level = PoolObjectSQL::ST_MANAGE;
break;
case 3: //ADMIN
level = PoolObjectSQL::ST_ADMIN;
break;
case 4: //ALL equals USE
level = PoolObjectSQL::ST_USE;
break;
default:
att.resp_msg = "Wrong lock level specified";
failure_response(ACTION, att);
return;
}
if ((auth_object & PoolObjectSQL::LockableObject) != 0)
{
if ( test && object->test_lock_db(att.resp_msg) != 0 )
@ -70,7 +91,7 @@ void RequestManagerLock::request_execute(xmlrpc_c::paramList const& paramList,
}
else
{
rc = lock_db(object.get(), owner, att.req_id, level);
rc = lock_db(object.get(), owner, att.req_id, level, att.is_admin());
pool->update(object.get());
@ -87,6 +108,7 @@ void RequestManagerLock::request_execute(xmlrpc_c::paramList const& paramList,
}
else
{
att.resp_msg = "Object cannot be locked.";
failure_response(AUTHORIZATION, att);
}
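Review bot: The `switch` in `request_execute` overwrites `level` with the internal `LockStates` value, so the same variable holds the API number before the switch and the internal level after it, and the bare case labels 1–4 are the only record of the API contract. Mapping into a separate, typed local keeps an unmapped API value from ever reaching `lock_db` and lets cases 1 and 4 share one arm. Separately, `pool->update(object.get())` directly follows the `lock_db` call in the visible lines; if nothing in between checks `rc`, a refused lock still triggers a write. `request_execute` starts and ends outside these hunks.

```cpp
PoolObjectSQL::LockStates lock_state;

switch (level) // level as received from the API
{
    case 1: // USE + MANAGE + ADMIN
    case 4: // ALL, same as USE
        lock_state = PoolObjectSQL::ST_USE;
        break;
    case 2: // MANAGE + ADMIN
        lock_state = PoolObjectSQL::ST_MANAGE;
        break;
    case 3: // ADMIN
        lock_state = PoolObjectSQL::ST_ADMIN;
        break;
    default:
        // … unchanged: "Wrong lock level specified" failure response and return …
}

// … unchanged: LockableObject and test_lock_db checks …
rc = lock_db(object.get(), owner, att.req_id, lock_state, att.is_admin());
```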