Feature #3167: Allow users to edit their VNets, add vnet restricted attributes
This commit is contained in:
parent
9167e78c46
commit
85c485182f
@ -180,6 +180,10 @@ public:
|
|||||||
int cluster_id,
|
int cluster_id,
|
||||||
const string& cluster_name);
|
const string& cluster_name);
|
||||||
|
|
||||||
|
bool allocate_authorization(Template * obj_template,
|
||||||
|
RequestAttributes& att,
|
||||||
|
PoolObjectAuth * cluster_perms);
|
||||||
|
|
||||||
int get_cluster_id(xmlrpc_c::paramList const& paramList)
|
int get_cluster_id(xmlrpc_c::paramList const& paramList)
|
||||||
{
|
{
|
||||||
return xmlrpc_c::value_int(paramList.getInt(2));
|
return xmlrpc_c::value_int(paramList.getInt(2));
|
||||||
|
@ -136,7 +136,7 @@ public:
|
|||||||
Nebula& nd = Nebula::instance();
|
Nebula& nd = Nebula::instance();
|
||||||
pool = nd.get_vnpool();
|
pool = nd.get_vnpool();
|
||||||
auth_object = PoolObjectSQL::NET;
|
auth_object = PoolObjectSQL::NET;
|
||||||
auth_op = AuthRequest::ADMIN;
|
auth_op = AuthRequest::MANAGE;
|
||||||
};
|
};
|
||||||
|
|
||||||
~VirtualNetworkUpdateTemplate(){};
|
~VirtualNetworkUpdateTemplate(){};
|
||||||
|
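Review bot: Lowering auth_op from AuthRequest::ADMIN to AuthRequest::MANAGE lets any user holding MANAGE on a VNet rewrite its template, so the only thing keeping an owner from changing host-facing settings such as PHYDEV or BRIDGE is the restricted-attribute filtering added to VirtualNetwork::replace_template in this commit, and that filter runs only when keep_restricted is true. The caller that decides keep_restricted for non-oneadmin requests on the updatetemplate path is not part of this diff, so please confirm it is wired there. A comment on the changed line would record the dependency: `auth_op = AuthRequest::MANAGE; // non-admin updates are filtered via VNET_RESTRICTED_ATTR in VirtualNetwork::replace_template`. The constructor body starts outside the hunk.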
@ -36,6 +36,7 @@ public:
|
|||||||
VirtualNetworkPool(SqlDB * db,
|
VirtualNetworkPool(SqlDB * db,
|
||||||
const string& str_mac_prefix,
|
const string& str_mac_prefix,
|
||||||
int default_size,
|
int default_size,
|
||||||
|
vector<const Attribute *>& restricted_attrs,
|
||||||
vector<const Attribute *> hook_mads,
|
vector<const Attribute *> hook_mads,
|
||||||
const string& remotes_location,
|
const string& remotes_location,
|
||||||
const vector<const Attribute *>& _inherit_attrs);
|
const vector<const Attribute *>& _inherit_attrs);
|
||||||
|
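Review bot: restricted_attrs is declared as a non-const `vector<const Attribute *>&` while the neighbouring `_inherit_attrs` parameter is `const vector<const Attribute *>&`; the same non-const form is repeated in the VirtualNetworkPool.cc constructor hunk and in VirtualNetworkTemplate::set_restricted_attributes. The constructor only forwards the vector to set_restricted_attributes, so `const vector<const Attribute *>& restricted_attrs` would document that the caller's vector is not modified; that presumably needs the Template::set_restricted_attributes overload to take const as well, which is not visible here.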
@ -31,6 +31,48 @@ public:
|
|||||||
Template(false,'=',"TEMPLATE"){};
|
Template(false,'=',"TEMPLATE"){};
|
||||||
|
|
||||||
~VirtualNetworkTemplate(){};
|
~VirtualNetworkTemplate(){};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks the template for RESTRICTED ATTRIBUTES
|
||||||
|
* @param rs_attr the first restricted attribute found if any
|
||||||
|
* @return true if a restricted attribute is found in the template
|
||||||
|
*/
|
||||||
|
bool check(string& rs_attr)
|
||||||
|
{
|
||||||
|
return Template::check(rs_attr, restricted_attributes);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Deletes all restricted attributes
|
||||||
|
*/
|
||||||
|
void remove_restricted()
|
||||||
|
{
|
||||||
|
Template::remove_restricted(restricted_attributes);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Deletes all the attributes, except the restricted ones
|
||||||
|
*/
|
||||||
|
void remove_all_except_restricted()
|
||||||
|
{
|
||||||
|
Template::remove_all_except_restricted(restricted_attributes);
|
||||||
|
};
|
||||||
|
|
||||||
|
private:
|
||||||
|
|
||||||
|
friend class VirtualNetworkPool;
|
||||||
|
|
||||||
|
static vector<string> restricted_attributes;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Stores the attributes as restricted, these attributes will be used in
|
||||||
|
* VirtualMachineTemplate::check
|
||||||
|
* @param rattrs Attributes to restrict
|
||||||
|
*/
|
||||||
|
static void set_restricted_attributes(vector<const Attribute *>& rattrs)
|
||||||
|
{
|
||||||
|
Template::set_restricted_attributes(rattrs, restricted_attributes);
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
/* -------------------------------------------------------------------------- */
|
/* -------------------------------------------------------------------------- */
|
||||||
|
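Review bot: The doc comment on set_restricted_attributes says the attributes "will be used in VirtualMachineTemplate::check", which looks copied from the VM template class; for this class it should read `* VirtualNetworkTemplate::check`. The `};` closing each inline member body (check, remove_restricted, remove_all_except_restricted, set_restricted_attributes) carries a stray semicolon after the function definition; `}` is enough. The class declaration itself starts outside the hunk.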
@ -731,6 +731,11 @@ VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC"
|
|||||||
|
|
||||||
IMAGE_RESTRICTED_ATTR = "SOURCE"
|
IMAGE_RESTRICTED_ATTR = "SOURCE"
|
||||||
|
|
||||||
|
VNET_RESTRICTED_ATTR = "PHYDEV"
|
||||||
|
VNET_RESTRICTED_ATTR = "VLAN_ID"
|
||||||
|
VNET_RESTRICTED_ATTR = "VLAN"
|
||||||
|
VNET_RESTRICTED_ATTR = "BRIDGE"
|
||||||
|
|
||||||
#*******************************************************************************
|
#*******************************************************************************
|
||||||
# Inherited Attributes Configuration
|
# Inherited Attributes Configuration
|
||||||
#*******************************************************************************
|
#*******************************************************************************
|
||||||
|
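Review bot: The four VNET_RESTRICTED_ATTR entries now define the boundary between what a VNet owner with MANAGE rights may change and what stays oneadmin-only, but nothing in the hunk says so; any explanatory comment for the existing VM and IMAGE lists is outside the hunk. A line before the entries such as `# VNET_RESTRICTED_ATTR: attributes a non-oneadmin user cannot set when creating or updating a Virtual Network` would make the intent clear to operators extending the list for other network drivers.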
@ -610,6 +610,19 @@ int Datastore::replace_template(
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (keep_restricted)
|
||||||
|
{
|
||||||
|
new_tmpl->remove_restricted();
|
||||||
|
|
||||||
|
if (obj_template != 0)
|
||||||
|
{
|
||||||
|
obj_template->remove_all_except_restricted();
|
||||||
|
|
||||||
|
string aux_error;
|
||||||
|
new_tmpl->merge(obj_template, aux_error);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* ---------------------------------------------------------------------- */
|
/* ---------------------------------------------------------------------- */
|
||||||
/* Set the TYPE of the Datastore (class & template) */
|
/* Set the TYPE of the Datastore (class & template) */
|
||||||
/* ---------------------------------------------------------------------- */
|
/* ---------------------------------------------------------------------- */
|
||||||
|
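Review bot: The outcome of `new_tmpl->merge(obj_template, aux_error)` is discarded: aux_error is filled and dropped and the call's return value is not checked, so if merge can fail (its contract is not visible here) the restricted attributes of the previous template would be lost silently; either check the result and return -1 with aux_error, or leave a comment stating why merge cannot fail here. Note also that for a non-oneadmin caller this path silently strips restricted attributes from the submitted template rather than rejecting the request the way VirtualNetworkAllocate::allocate_authorization does in this commit, so a user who sets a restricted attribute in an update gets success with that value ignored; that asymmetry deserves at least a comment on the `if (keep_restricted)` block. The same block is duplicated verbatim in VirtualNetwork::replace_template in this commit; a shared helper taking the two templates would keep the two copies in sync. The function signature and the keep_restricted parameter start outside the hunk.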
@ -463,6 +463,7 @@ void Nebula::start(bool bootstrap_only)
|
|||||||
|
|
||||||
vector<const Attribute *> vm_restricted_attrs;
|
vector<const Attribute *> vm_restricted_attrs;
|
||||||
vector<const Attribute *> img_restricted_attrs;
|
vector<const Attribute *> img_restricted_attrs;
|
||||||
|
vector<const Attribute *> vnet_restricted_attrs;
|
||||||
|
|
||||||
vector<const Attribute *> inherit_image_attrs;
|
vector<const Attribute *> inherit_image_attrs;
|
||||||
vector<const Attribute *> inherit_datastore_attrs;
|
vector<const Attribute *> inherit_datastore_attrs;
|
||||||
@ -481,6 +482,7 @@ void Nebula::start(bool bootstrap_only)
|
|||||||
|
|
||||||
nebula_configuration->get("VM_RESTRICTED_ATTR", vm_restricted_attrs);
|
nebula_configuration->get("VM_RESTRICTED_ATTR", vm_restricted_attrs);
|
||||||
nebula_configuration->get("IMAGE_RESTRICTED_ATTR", img_restricted_attrs);
|
nebula_configuration->get("IMAGE_RESTRICTED_ATTR", img_restricted_attrs);
|
||||||
|
nebula_configuration->get("VNET_RESTRICTED_ATTR", vnet_restricted_attrs);
|
||||||
|
|
||||||
nebula_configuration->get("INHERIT_IMAGE_ATTR", inherit_image_attrs);
|
nebula_configuration->get("INHERIT_IMAGE_ATTR", inherit_image_attrs);
|
||||||
nebula_configuration->get("INHERIT_DATASTORE_ATTR", inherit_datastore_attrs);
|
nebula_configuration->get("INHERIT_DATASTORE_ATTR", inherit_datastore_attrs);
|
||||||
@ -510,6 +512,7 @@ void Nebula::start(bool bootstrap_only)
|
|||||||
vnpool = new VirtualNetworkPool(db,
|
vnpool = new VirtualNetworkPool(db,
|
||||||
mac_prefix,
|
mac_prefix,
|
||||||
size,
|
size,
|
||||||
|
vnet_restricted_attrs,
|
||||||
vnet_hooks,
|
vnet_hooks,
|
||||||
remotes_location,
|
remotes_location,
|
||||||
inherit_vnet_attrs);
|
inherit_vnet_attrs);
|
||||||
|
@ -125,6 +125,45 @@ bool VirtualMachineAllocate::allocate_authorization(
|
|||||||
/* -------------------------------------------------------------------------- */
|
/* -------------------------------------------------------------------------- */
|
||||||
/* -------------------------------------------------------------------------- */
|
/* -------------------------------------------------------------------------- */
|
||||||
|
|
||||||
|
bool VirtualNetworkAllocate::allocate_authorization(
|
||||||
|
Template * tmpl,
|
||||||
|
RequestAttributes& att,
|
||||||
|
PoolObjectAuth * cluster_perms)
|
||||||
|
{
|
||||||
|
string aname;
|
||||||
|
|
||||||
|
VirtualNetworkTemplate * vn_tmpl = static_cast<VirtualNetworkTemplate *>(tmpl);
|
||||||
|
|
||||||
|
bool auth = RequestManagerAllocate::allocate_authorization(
|
||||||
|
vn_tmpl, att, cluster_perms);
|
||||||
|
|
||||||
|
if ( auth )
|
||||||
|
{
|
||||||
|
// ------------ Check template for restricted attributes --------------
|
||||||
|
|
||||||
|
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
|
||||||
|
{
|
||||||
|
if (vn_tmpl->check(aname))
|
||||||
|
{
|
||||||
|
ostringstream oss;
|
||||||
|
|
||||||
|
oss << "Template includes a restricted attribute " << aname;
|
||||||
|
|
||||||
|
failure_response(AUTHORIZATION,
|
||||||
|
authorization_error(oss.str(), att),
|
||||||
|
att);
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return auth;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
|
||||||
void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
|
void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
|
||||||
RequestAttributes& att)
|
RequestAttributes& att)
|
||||||
{
|
{
|
||||||
|
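Review bot: `static_cast<VirtualNetworkTemplate *>(tmpl)` is an unchecked downcast of the `Template *` the base interface passes in, and is only sound if every caller hands this class a VirtualNetworkTemplate (presumably the object built for the allocate request, not visible here); the function has no header comment, so a `/** ... */` block stating that precondition, and that callers outside uid/gid ONEADMIN_ID are rejected when the template carries a restricted attribute, would document the contract. `aname` is declared at the top of the function but used only inside the innermost branch; declaring it next to the `vn_tmpl->check(aname)` call keeps its scope minimal.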
@ -327,7 +327,7 @@ tabs:
|
|||||||
Datastore.delete: false
|
Datastore.delete: false
|
||||||
vnets-tab:
|
vnets-tab:
|
||||||
panel_tabs:
|
panel_tabs:
|
||||||
vnet_info_tab: false
|
vnet_info_tab: true
|
||||||
vnet_ar_list_tab: true
|
vnet_ar_list_tab: true
|
||||||
vnet_leases_tab: true
|
vnet_leases_tab: true
|
||||||
table_columns:
|
table_columns:
|
||||||
|
@ -25,7 +25,8 @@ source_files=[
|
|||||||
'VirtualNetwork.cc',
|
'VirtualNetwork.cc',
|
||||||
'VirtualNetworkPool.cc',
|
'VirtualNetworkPool.cc',
|
||||||
'AddressRange.cc',
|
'AddressRange.cc',
|
||||||
'AddressRangePool.cc'
|
'AddressRangePool.cc',
|
||||||
|
'VirtualNetworkTemplate.cc'
|
||||||
]
|
]
|
||||||
|
|
||||||
# Build library
|
# Build library
|
||||||
|
@ -230,6 +230,19 @@ int VirtualNetwork::replace_template(
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (keep_restricted)
|
||||||
|
{
|
||||||
|
new_tmpl->remove_restricted();
|
||||||
|
|
||||||
|
if (obj_template != 0)
|
||||||
|
{
|
||||||
|
obj_template->remove_all_except_restricted();
|
||||||
|
|
||||||
|
string aux_error;
|
||||||
|
new_tmpl->merge(obj_template, aux_error);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
delete obj_template;
|
delete obj_template;
|
||||||
|
|
||||||
obj_template = new_tmpl;
|
obj_template = new_tmpl;
|
||||||
|
@ -35,6 +35,7 @@ VirtualNetworkPool::VirtualNetworkPool(
|
|||||||
SqlDB * db,
|
SqlDB * db,
|
||||||
const string& prefix,
|
const string& prefix,
|
||||||
int __default_size,
|
int __default_size,
|
||||||
|
vector<const Attribute *>& restricted_attrs,
|
||||||
vector<const Attribute *> hook_mads,
|
vector<const Attribute *> hook_mads,
|
||||||
const string& remotes_location,
|
const string& remotes_location,
|
||||||
const vector<const Attribute *>& _inherit_attrs):
|
const vector<const Attribute *>& _inherit_attrs):
|
||||||
@ -73,14 +74,16 @@ VirtualNetworkPool::VirtualNetworkPool(
|
|||||||
_mac_prefix <<= 8;
|
_mac_prefix <<= 8;
|
||||||
_mac_prefix += tmp;
|
_mac_prefix += tmp;
|
||||||
|
|
||||||
register_hooks(hook_mads, remotes_location);
|
VirtualNetworkTemplate::set_restricted_attributes(restricted_attrs);
|
||||||
|
|
||||||
for (it = _inherit_attrs.begin(); it != _inherit_attrs.end(); it++)
|
register_hooks(hook_mads, remotes_location);
|
||||||
{
|
|
||||||
const SingleAttribute* sattr = static_cast<const SingleAttribute *>(*it);
|
|
||||||
|
|
||||||
inherit_attrs.push_back(sattr->value());
|
for (it = _inherit_attrs.begin(); it != _inherit_attrs.end(); it++)
|
||||||
}
|
{
|
||||||
|
const SingleAttribute* sattr = static_cast<const SingleAttribute *>(*it);
|
||||||
|
|
||||||
|
inherit_attrs.push_back(sattr->value());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* -------------------------------------------------------------------------- */
|
/* -------------------------------------------------------------------------- */
|
||||||
|
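Review bot: `VirtualNetworkTemplate::set_restricted_attributes(restricted_attrs);` writes the class-wide static `VirtualNetworkTemplate::restricted_attributes` from an instance constructor, so the list is process-global and the last-constructed pool wins; that is presumably fine for the single pool created in Nebula::start, but the line deserves a comment: `// Restricted attrs are a class-wide static on VirtualNetworkTemplate, set once here at startup`. The constructor body begins outside the hunk.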
25
src/vnm/VirtualNetworkTemplate.cc
Normal file
25
src/vnm/VirtualNetworkTemplate.cc
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
/* Copyright 2002-2014, OpenNebula Project (OpenNebula.org), C12G Labs */
|
||||||
|
/* */
|
||||||
|
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
|
||||||
|
/* not use this file except in compliance with the License. You may obtain */
|
||||||
|
/* a copy of the License at */
|
||||||
|
/* */
|
||||||
|
/* http://www.apache.org/licenses/LICENSE-2.0 */
|
||||||
|
/* */
|
||||||
|
/* Unless required by applicable law or agreed to in writing, software */
|
||||||
|
/* distributed under the License is distributed on an "AS IS" BASIS, */
|
||||||
|
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
|
||||||
|
/* See the License for the specific language governing permissions and */
|
||||||
|
/* limitations under the License. */
|
||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
|
||||||
|
#include "VirtualNetworkTemplate.h"
|
||||||
|
|
||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
|
||||||
|
vector<string> VirtualNetworkTemplate::restricted_attributes;
|
||||||
|
|
||||||
|
/* -------------------------------------------------------------------------- */
|
||||||
|
/* -------------------------------------------------------------------------- */
|