diff --git a/include/RequestManagerCluster.h b/include/RequestManagerCluster.h
index 4e1dc04fec..94958600d7 100644
--- a/include/RequestManagerCluster.h
+++ b/include/RequestManagerCluster.h
@@ -40,7 +40,7 @@ protected:
 dspool = nd.get_dspool();
 auth_object = PoolObjectSQL::CLUSTER;
- auth_op = AuthRequest::MANAGE;
+ auth_op = AuthRequest::ADMIN;
 };
 ~RequestManagerCluster(){};
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index 38d5e4886a..0fe8664fcd 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -88,11 +88,12 @@ AclManager::AclManager(SqlDB * _db) : db(_db), lastOID(-1)
 AuthRequest::MANAGE,
 error_str);
- // Users in USERS can use any DATASTORE
- // @1 DATASTORE/* USE
+ // Users in USERS can use the default DATASTORE
+ // @1 DATASTORE/#1 USE
 add_rule(AclRule::GROUP_ID | 1,
- AclRule::ALL_ID |
+ AclRule::INDIVIDUAL_ID |
+ 1 | // TODO: use DatastorePool::DEFAULT_DS_ID
 PoolObjectSQL::DATASTORE,
 AuthRequest::USE,
 error_str);
diff --git a/src/acl/AclRule.cc b/src/acl/AclRule.cc
index 1a941d3818..e65a1071e2 100644
--- a/src/acl/AclRule.cc
+++ b/src/acl/AclRule.cc
@@ -254,12 +254,13 @@ void AclRule::build_str()
 PoolObjectSQL::USER,
 PoolObjectSQL::TEMPLATE,
 PoolObjectSQL::GROUP,
- PoolObjectSQL::DATASTORE
+ PoolObjectSQL::DATASTORE,
+ PoolObjectSQL::CLUSTER
 };
 bool prefix = false;
- for ( int i = 0; i < 8; i++ )
+ for ( int i = 0; i < 9; i++ )
 {
 if ( (resource & objects[i]) != 0 )
 {
diff --git a/src/cli/etc/oneacl.yaml b/src/cli/etc/oneacl.yaml
index 170942867b..220671a5fd 100644
--- a/src/cli/etc/oneacl.yaml
+++ b/src/cli/etc/oneacl.yaml
@@ -9,9 +9,9 @@
 :size: 8
 :right: true
-:RES_VHNIUTGD:
+:RES_VHNIUTGDC:
 :desc: Which resource the rule applies to
- :size: 12
+ :size: 13
 :RID:
 :desc: Resource ID
@@ -26,6 +26,6 @@
 :default:
 - :ID
 - :USER
-- :RES_VHNIUTGD
+- :RES_VHNIUTGDC
 - :RID
 - :OPE_UMAC
diff --git a/src/cli/one_helper/oneacl_helper.rb b/src/cli/one_helper/oneacl_helper.rb
index 90445607a8..fbd4030c1c 100644
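Review bot: The switch at `auth_op = AuthRequest::ADMIN;` raises the right that every cluster request is checked against, and nothing in the header says why ADMIN rather than MANAGE is now required. A one-line why-comment would help the next reader, e.g. `auth_op = AuthRequest::ADMIN; // cluster membership changes need ADMIN, not MANAGE, on the cluster`. Any existing ACL rule that grants only MANAGE on CLUSTER presumably stops authorizing these requests after this change, which is worth stating in the commit message or release notes so operators can adjust their rules. The constructor this assignment belongs to begins outside the hunk.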
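Review bot: The new default rule hard-codes the datastore id as a bare `1 |` next to a TODO, so the bootstrap ACL grants USE on whichever datastore carries id 1 rather than on the datastore the TODO's constant designates. Use the named constant now instead of leaving the TODO, `AclRule::INDIVIDUAL_ID | DatastorePool::DEFAULT_DS_ID | PoolObjectSQL::DATASTORE,` (adding the include that declares it if this file lacks one), assuming that constant exists as the TODO suggests. Since the rule is added by the constructor named in the hunk header, the narrowing from `DATASTORE/*` to `DATASTORE/#1` presumably only affects fresh installations; databases bootstrapped earlier keep the broader rule unless an upgrade step replaces it, which deserves a note. The constructor starts before and ends after the hunk.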
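Review bot: The bound in `for ( int i = 0; i < 9; i++ )` is a hand-maintained copy of the objects array length; this commit had to edit both the array and the literal, and the next resource type will need the same paired edit, where a too-small bound silently skips the new entry and a too-large one reads past the array. Assuming objects is a plain array, derive the bound from it, `for ( unsigned int i = 0; i < sizeof(objects)/sizeof(objects[0]); i++ )`. If build_str also keeps a parallel array of one-letter names indexed by the same i, it needs a ninth entry that this hunk does not show. build_str starts before the hunk and continues after it.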
--- a/src/cli/one_helper/oneacl_helper.rb
+++ b/src/cli/one_helper/oneacl_helper.rb
@@ -44,7 +44,7 @@ private
 def self.resource_mask(str)
 resource_type=str.split("/")[0]
- mask = "--------"
+ mask = "---------"
 resource_type.split("+").each{|type|
 case type
@@ -64,6 +64,8 @@ private
 mask[6] = "G"
 when "DATASTORE"
 mask[7] = "D"
+ when "CLUSTER"
+ mask[8] = "C"
 end
 }
 mask
@@ -103,8 +105,8 @@ private
 d['STRING'].split(" ")[0]
 end
- column :RES_VHNIUTGD, "Resource to which the rule applies",
- :size => 12 do |d|
+ column :RES_VHNIUTGDC, "Resource to which the rule applies",
+ :size => 13 do |d|
 OneAclHelper::resource_mask d['STRING'].split(" ")[1]
 end
@@ -117,7 +119,7 @@ private
 OneAclHelper::right_mask d['STRING'].split(" ")[2]
 end
- default :ID, :USER, :RES_VHNIUTGD, :RID, :OPE_UMAC
+ default :ID, :USER, :RES_VHNIUTGDC, :RID, :OPE_UMAC
 end
 table
diff --git a/src/oca/ruby/OpenNebula/Acl.rb b/src/oca/ruby/OpenNebula/Acl.rb
index 484bcc8beb..de423a1627 100644
--- a/src/oca/ruby/OpenNebula/Acl.rb
+++ b/src/oca/ruby/OpenNebula/Acl.rb
@@ -53,7 +53,8 @@ module OpenNebula
 "USER" => 0x10000000000,
 "TEMPLATE" => 0x20000000000,
 "GROUP" => 0x40000000000,
- "DATASTORE" => 0x100000000000
+ "DATASTORE" => 0x100000000000,
+ "CLUSTER" => 0x200000000000
 }
 RIGHTS =
diff --git a/src/rm/RequestManagerCluster.cc b/src/rm/RequestManagerCluster.cc
index 0f2cd79709..91584334ea 100644
--- a/src/rm/RequestManagerCluster.cc
+++ b/src/rm/RequestManagerCluster.cc
@@ -94,7 +94,7 @@ void RequestManagerCluster::add_generic(
 {
 AuthRequest ar(att.uid, att.gid);
- ar.add_auth(auth_op, c_perms); // MANAGE CLUSTER
+ ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
 ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN OBJECT
 if (UserPool::authorize(ar) == -1)
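Review bot: The width of `mask = "---------"` is a literal that must equal the number of `when` branches assigning into it (the new `mask[8] = "C"` is the last index), and a future resource type will again need the literal, a new branch, the column name and both `:size` values edited by hand. Building the mask from one ordered table of resource name to letter, with the literal's length taken from that table, would leave a single place to extend. At minimum a comment beside the literal naming what it must stay in sync with, `# one slot per resource letter assigned in the case below`, would help. resource_mask starts in the first hunk and its body continues outside it.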
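Review bot: `"CLUSTER" => 0x200000000000` duplicates a resource bit that the core defines as PoolObjectSQL::CLUSTER, and nothing on this page shows that the two values agree; a mismatch would make the Ruby client build rules for a different resource than the one the core checks. Please confirm the value against the PoolObjectSQL definition on the C++ side and add a comment on the hash saying it mirrors those bits, e.g. `# Must match the PoolObjectSQL resource bits used by the core`. The hash literal opens before the hunk.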