diff --git a/include/AuthManager.h b/include/AuthManager.h
index e2331d7cb9..2f330c8225 100644
--- a/include/AuthManager.h
+++ b/include/AuthManager.h
@@ -285,7 +285,8 @@ public:
 INFO_POOL = 0x20LL, /**< Auth. to view any object in the pool */
 INFO_POOL_MINE= 0x40LL, /**< Auth. to view user and/or group objects */
 INSTANTIATE = 0x80LL, /**< Auth. to instantiate a VM from a TEMPLATE*/
- CHOWN = 0x100LL /**< Auth. to change ownership of an object */
+ CHOWN = 0x100LL,/**< Auth. to change ownership of an object */
+ DEPLOY = 0x200LL /**< Auth. to deploy a VM in a Host */
 };
 static string Operation_to_str(Operation op)
@@ -301,6 +302,7 @@ public:
 case INFO_POOL_MINE: return "INFO_POOL_MINE";
 case INSTANTIATE: return "INSTANTIATE";
 case CHOWN: return "CHOWN";
+ case DEPLOY: return "DEPLOY";
 default: return "";
 }
 };
diff --git a/src/acl/AclRule.cc b/src/acl/AclRule.cc
index 92243bb55e..2ec3503de4 100644
--- a/src/acl/AclRule.cc
+++ b/src/acl/AclRule.cc
@@ -201,7 +201,7 @@ bool AclRule::malformed(string& error_str) const
 oss << "wrong [rights], it cannot be 0";
 }
- if ( rights > 0x1FFLL )
+ if ( rights > 0x2FFLL )
 {
 if ( error )
 {
@@ -209,7 +209,7 @@ bool AclRule::malformed(string& error_str) const
 }
 error = true;
- oss << "wrong [rights], it cannot be bigger than 0x1FF";
+ oss << "wrong [rights], it cannot be bigger than 0x2FF";
 }
 if ( error )
@@ -304,12 +304,13 @@ void AclRule::build_str()
 AuthRequest::INFO_POOL,
 AuthRequest::INFO_POOL_MINE,
 AuthRequest::INSTANTIATE,
- AuthRequest::CHOWN
+ AuthRequest::CHOWN,
+ AuthRequest::DEPLOY
 };
 prefix = false;
- for ( int i = 0; i < 9; i++ )
+ for ( int i = 0; i < 10; i++ )
 {
 if ( (rights & operations[i]) != 0 )
 {
diff --git a/src/cli/etc/oneacl.yaml b/src/cli/etc/oneacl.yaml
index 19402950a1..7aa5a34c0a 100644
--- a/src/cli/etc/oneacl.yaml
+++ b/src/cli/etc/oneacl.yaml
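Review bot: Adding DEPLOY to Operation widens a contract that three other places in this commit restate by hand — the rights upper bound in AclRule::malformed, the literal loop count in AclRule::build_str, and the RIGHTS maps in the Java and Ruby OCA bindings — and nothing in the header says so, so the next operation added here is likely to miss one of them. A comment on the enum would at least name the coupling: `/* New operations must also be added to AclRule::malformed (rights upper bound), AclRule::build_str (operations table) and the OCA RIGHTS maps */`. A small style nit on the added lines: `CHOWN = 0x100LL,/**<` lost the space before the comment that every other entry keeps.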
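Review bot: The new upper bound `0x2FFLL` in AclRule::malformed is wrong for a ten-bit mask: with DEPLOY = 0x200 every valid combination fits in 0x3FF, and 0x2FF has bit 0x100 (CHOWN) clear, so any rule that grants CHOWN together with DEPLOY — including a rule granting all rights — is reported as malformed. The check should read `if ( rights > 0x3FFLL )` and the message in the second hunk `oss << "wrong [rights], it cannot be bigger than 0x3FF";`. In the build_str hunk the loop bound `i < 10` is the same kind of hand-kept constant; `sizeof(operations)/sizeof(operations[0])` would follow the table automatically. Both malformed and build_str continue outside their hunks.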
@@ -18,9 +18,9 @@
 :size: 5
 :right: true
-:OPE_CDUMIPpTW:
+:OPE_CDUMIPpTWd:
 :desc: Operation to which the rule applies
- :size: 13
+ :size: 14
 :right: true
 :default:
@@ -28,4 +28,4 @@
 - :USER
 - :RES_VHNIUTG
 - :RID
-- :OPE_CDUMIPpTW
+- :OPE_CDUMIPpTWd
diff --git a/src/cli/one_helper/oneacl_helper.rb b/src/cli/one_helper/oneacl_helper.rb
index db06e5f5a0..40e03192f0 100644
--- a/src/cli/one_helper/oneacl_helper.rb
+++ b/src/cli/one_helper/oneacl_helper.rb
@@ -69,7 +69,7 @@ private
 # TODO check that @content[:resources_str] is valid
 def self.right_mask(str)
- mask = "---------"
+ mask = "----------"
 str.split("+").each{|type|
 case type
@@ -91,6 +91,8 @@ private
 mask[7] = "T"
 when "CHOWN"
 mask[8] = "W"
+ when "DEPLOY"
+ mask[9] = "d"
 end
 }
@@ -111,20 +113,21 @@ private
 d['STRING'].split(" ")[0]
 end
- column :RES_VHNIUTG, "Resource to which the rule applies" do |d|
+ column :RES_VHNIUTG, "Resource to which the rule applies",
+ :size => 11 do |d|
 OneAclHelper::resource_mask d['STRING'].split(" ")[1]
 end
- column :RID, "Resource ID", :right, :size=>8 do |d|
+ column :RID, "Resource ID", :right, :size=>5 do |d|
 d['STRING'].split(" ")[1].split("/")[1]
 end
- column :OPE_CDUMIPpTW,
- "Operation to which the rule applies" do |d|
+ column :OPE_CDUMIPpTWd,
+ "Operation to which the rule applies", :size =>14 do |d|
 OneAclHelper::right_mask d['STRING'].split(" ")[2]
 end
- default :ID, :USER, :RES_VHNIUTG, :RID, :OPE_CDUMIPpTW
+ default :ID, :USER, :RES_VHNIUTG, :RID, :OPE_CDUMIPpTWd
 end
 table
diff --git a/src/oca/java/src/org/opennebula/client/acl/Acl.java b/src/oca/java/src/org/opennebula/client/acl/Acl.java
index 357d40563d..d62ba502ff 100644
--- a/src/oca/java/src/org/opennebula/client/acl/Acl.java
+++ b/src/oca/java/src/org/opennebula/client/acl/Acl.java
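Review bot: The RID column shrinks from `:size=>8` to `:size=>5` in the third hunk of oneacl_helper.rb, which is unrelated to DEPLOY and leaves room for only four id digits after the `#`/`@` prefix; presumably the table helper truncates longer values, so rules on resources with five-digit ids would display cut off. Renaming the column to `:OPE_CDUMIPpTWd` also means a user-customized oneacl.yaml that still lists `:OPE_CDUMIPpTW` under :default no longer names any column; that is worth stating in the change description. The lowercase `"d"` for DEPLOY is presumably chosen because `D` is already taken, as `p` was for INFO_POOL_MINE, and a one-line comment on right_mask saying so, e.g. `# a lowercase letter is used when the uppercase one is already taken (p, d)`, would save the next reader the lookup.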
@@ -78,6 +78,7 @@ public class Acl extends PoolElement{
 tmpRights.put("INFO_POOL_MINE", 0x40L);
 tmpRights.put("INSTANTIATE" , 0x80L);
 tmpRights.put("CHOWN" , 0x100L);
+ tmpRights.put("DEPLOY" , 0x200L);
 RIGHTS = Collections.unmodifiableMap(tmpRights);
 }
diff --git a/src/oca/java/test/AclTest.java b/src/oca/java/test/AclTest.java
index a48d9c5d8e..8cb06f98b0 100644
--- a/src/oca/java/test/AclTest.java
+++ b/src/oca/java/test/AclTest.java
@@ -155,7 +155,8 @@ public class AclTest
 "#2 IMAGE/#0 INFO",
 "@107 IMAGE+TEMPLATE/@100 INFO",
 "* VM+IMAGE+TEMPLATE/@100 CREATE+INFO+INFO_POOL",
- "#2345 VM+IMAGE+TEMPLATE/* CREATE+INFO+INFO_POOL+INFO_POOL_MINE+INSTANTIATE"
+ "#2345 VM+IMAGE+TEMPLATE/* CREATE+INFO+INFO_POOL+INFO_POOL_MINE+INSTANTIATE",
+ "@7 HOST/@100 INFO+INFO_POOL+USE+DEPLOY",
 };
 long[] users = {
@@ -163,7 +164,8 @@ public class AclTest
 0x100000002L,
 0x20000006bL,
 0x400000000L,
- 0x100000929L
+ 0x100000929L,
+ 0x200000007L
 };
 long[] resources = {
@@ -171,7 +173,8 @@ public class AclTest
 0x8100000000L,
 0x28200000064L,
 0x29200000064L,
- 0x29400000000L
+ 0x29400000000L,
+ 0x2200000064L
 };
 long[] rights = {
@@ -179,7 +182,8 @@ public class AclTest
 0x10L,
 0x10L,
 0x31L,
- 0xf1L
+ 0xf1L,
+ 0x234L
 };
 for( int i = 0; i < rules.length; i++ )
diff --git a/src/oca/ruby/OpenNebula/Acl.rb b/src/oca/ruby/OpenNebula/Acl.rb
index 8a1e7bb95d..b61bb24d22 100644
--- a/src/oca/ruby/OpenNebula/Acl.rb
+++ b/src/oca/ruby/OpenNebula/Acl.rb
@@ -39,6 +39,7 @@ module OpenNebula
 # INFO_POOL_MINE
 # INSTANTIATE
 # CHOWN
+ # DEPLOY
 class Acl < PoolElement
 USERS = {
@@ -68,7 +69,8 @@ module OpenNebula
 "INFO_POOL" => 0x20, # Auth. to view any object in the pool
 "INFO_POOL_MINE"=> 0x40, # Auth. to view user and/or group objects
 "INSTANTIATE" => 0x80, # Auth. to instantiate a VM from a TEMPLATE
- "CHOWN" => 0x100 # Auth. to change ownership of an object
+ "CHOWN" => 0x100,# Auth. to change ownership of an object
+ "DEPLOY" => 0x200 # Auth. to deploy a VM in a Host
 }
 # Constructor
diff --git a/src/rm/RequestManagerVirtualMachine.cc b/src/rm/RequestManagerVirtualMachine.cc
index efae90e0f7..e323d6652f 100644
--- a/src/rm/RequestManagerVirtualMachine.cc
+++ b/src/rm/RequestManagerVirtualMachine.cc
@@ -58,6 +58,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
 if (hid != -1)
 {
 ar.add_auth(AuthRequest::HOST,hid,-1,AuthRequest::USE,0,false);
+ ar.add_auth(AuthRequest::HOST,hid,-1,AuthRequest::DEPLOY,0,false);
 }
 else if (tmpl != 0)
 {
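Review bot: Authorization on the host becomes stricter here: add_auth is now called twice for the same host, so a request carrying a host id needs both USE and DEPLOY on that HOST, and every existing ACL rule that grants only USE on hosts stops authorizing it. That is presumably the intent, but it is a compatibility break for deployed rule sets and should be stated in the commit description together with whatever default rules are updated. A comment on the added line would record the rule for the next reader: `// DEPLOY is required on the host in addition to USE; rules granting only USE no longer authorize a deploy`. vm_authorization starts before the hunk, so whether other requests that pass a host id through it also pick up the new requirement is not visible here.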