Feature #1112: Integrate clusters into acl rules

include/RequestManagerCluster.h

@@ -40,7 +40,7 @@ protected:
         dspool     = nd.get_dspool();
 
         auth_object = PoolObjectSQL::CLUSTER;
-        auth_op     = AuthRequest::MANAGE;
+        auth_op     = AuthRequest::ADMIN;
     };
 
     ~RequestManagerCluster(){};

src/acl/AclManager.cc

@@ -88,11 +88,12 @@ AclManager::AclManager(SqlDB * _db) : db(_db), lastOID(-1)
                  AuthRequest::MANAGE,
                  error_str);
 
-        // Users in USERS can use any DATASTORE
-        // @1 DATASTORE/* USE
+        // Users in USERS can use the default DATASTORE
+        // @1 DATASTORE/#1 USE
         add_rule(AclRule::GROUP_ID |
                     1,
-                 AclRule::ALL_ID |
+                 AclRule::INDIVIDUAL_ID |
+                    1 |             // TODO: use DatastorePool::DEFAULT_DS_ID
                     PoolObjectSQL::DATASTORE,
                  AuthRequest::USE,
                  error_str);

src/acl/AclRule.cc

@@ -254,12 +254,13 @@ void AclRule::build_str()
             PoolObjectSQL::USER,
             PoolObjectSQL::TEMPLATE,
             PoolObjectSQL::GROUP,
-            PoolObjectSQL::DATASTORE
+            PoolObjectSQL::DATASTORE,
+            PoolObjectSQL::CLUSTER
     };
 
     bool prefix = false;
 
-    for ( int i = 0; i < 8; i++ )
+    for ( int i = 0; i < 9; i++ )
     {
         if ( (resource & objects[i]) != 0 )
         {

src/cli/etc/oneacl.yaml

@@ -9,9 +9,9 @@
   :size: 8
   :right: true
   
-:RES_VHNIUTGD:
+:RES_VHNIUTGDC:
   :desc: Which resource the rule applies to
-  :size: 12
+  :size: 13
 
 :RID: 
   :desc: Resource ID
@@ -26,6 +26,6 @@
 :default: 
 - :ID
 - :USER 
-- :RES_VHNIUTGD
+- :RES_VHNIUTGDC
 - :RID 
 - :OPE_UMAC

src/cli/one_helper/oneacl_helper.rb

@@ -44,7 +44,7 @@ private
     def self.resource_mask(str)
         resource_type=str.split("/")[0]
 
-        mask = "--------"
+        mask = "---------"
 
         resource_type.split("+").each{|type|
             case type
@@ -64,6 +64,8 @@ private
                     mask[6] = "G"
                 when "DATASTORE"
                     mask[7] = "D"
+                when "CLUSTER"
+                    mask[8] = "C"
             end
         }
         mask
@@ -103,8 +105,8 @@ private
                 d['STRING'].split(" ")[0]
             end
 
-            column :RES_VHNIUTGD, "Resource to which the rule applies",
-                            :size => 12 do |d|
+            column :RES_VHNIUTGDC, "Resource to which the rule applies",
+                            :size => 13 do |d|
                OneAclHelper::resource_mask d['STRING'].split(" ")[1]
             end
 
@@ -117,7 +119,7 @@ private
                 OneAclHelper::right_mask d['STRING'].split(" ")[2]
             end
 
-            default :ID, :USER, :RES_VHNIUTGD, :RID, :OPE_UMAC
+            default :ID, :USER, :RES_VHNIUTGDC, :RID, :OPE_UMAC
         end
 
         table

src/oca/ruby/OpenNebula/Acl.rb

@@ -53,7 +53,8 @@ module OpenNebula
             "USER"          => 0x10000000000,
             "TEMPLATE"      => 0x20000000000,
             "GROUP"         => 0x40000000000,
-            "DATASTORE"     => 0x100000000000
+            "DATASTORE"     => 0x100000000000,
+            "CLUSTER"       => 0x200000000000
         }
 
         RIGHTS =

src/rm/RequestManagerCluster.cc

@@ -94,7 +94,7 @@ void RequestManagerCluster::add_generic(
     {
         AuthRequest ar(att.uid, att.gid);
 
-        ar.add_auth(auth_op, c_perms);              // MANAGE CLUSTER
+        ar.add_auth(auth_op, c_perms);              // ADMIN  CLUSTER
         ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN  OBJECT
 
         if (UserPool::authorize(ar) == -1)