feature #3183: Do not include reservations in VNET/* and VNET/% rules for pool list and vnet show API calls
parent
b5b22ced39
commit
acf5052009
@ -174,6 +174,9 @@ public:
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType obj_type,
|
||||
AuthRequest::Operation op,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
bool& all,
|
||||
vector<int>& oids,
|
||||
vector<int>& gids,
|
||||
|
@ -201,14 +201,20 @@ public:
|
||||
* @param user_groups Set of group IDs that the user is part of
|
||||
* @param auth_object object type
|
||||
* @param all returns if the user can access all objects
|
||||
* @param disable_all_acl e.g. NET\*
|
||||
* @param disable_cluster_acl e.g. NET/%100
|
||||
* @param disable_group_acl e.g. NET/@102
|
||||
* @param filter the resulting filter string
|
||||
*
|
||||
*/
|
||||
static void acl_filter(int uid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType auth_object,
|
||||
bool& all,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
string& filter);
|
||||
|
||||
/**
|
||||
* Creates a filter for the objects owned by a given user/group
|
||||
* @param uid the user id
|
||||
|
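Review bot: The three new `@param` lines for `acl_filter` give only an example of the rule shape (`NET\*`, `NET/%100`, `NET/@102`) and never say what the flag does, so a reader cannot tell whether `true` honours or ignores that class of rule. The body in AclManager::reverse_search on this page skips the matching rule when the flag is set, so the comment should state that: `* @param disable_all_acl if true, rules granting access to all objects of the type (e.g. NET/*) are ignored when building the filter`, with the same wording for the cluster (`NET/%100`) and group (`NET/@102`) flags. The enclosing class continues outside the hunk.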
@ -47,8 +47,13 @@ public:
|
||||
* @return true if the use_filter is empty and access to all objects
|
||||
* should be granted.
|
||||
*/
|
||||
static bool use_filter(RequestAttributes& att, PoolObjectSQL::ObjectType aobj,
|
||||
string& where_str);
|
||||
static bool use_filter(RequestAttributes& att,
|
||||
PoolObjectSQL::ObjectType aobj,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
const string& and_str,
|
||||
string& where_str);
|
||||
|
||||
protected:
|
||||
RequestManagerPoolInfoFilter(const string& method_name,
|
||||
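Review bot: The new seven-argument `use_filter` overload is undocumented; the comment above it (`@return true if the use_filter is empty ...`) belongs to the three-argument form and says nothing about the `disable_*` flags or `and_str`. A short comment on the new declaration should say that `and_str`, when non-empty, is ANDed onto the generated filter as `( filter ) AND ( and_str )` (the behaviour visible in the .cc hunk on this page), and that the `disable_*` flags are forwarded to `PoolSQL::acl_filter` to leave out the `*`, cluster and group ACL rules respectively. The enclosing class continues outside the hunk.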
@ -72,6 +77,9 @@ protected:
|
||||
int end_id,
|
||||
const string& and_clause,
|
||||
const string& or_clause,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
string& where_string);
|
||||
|
||||
/* -------------------------------------------------------------------- */
|
||||
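Review bot: `where_filter` now takes three adjacent `bool` parameters, and every call site on this page passes bare literals (`false, false, false` in VirtualMachinePoolAccounting, VirtualMachinePoolMonitoring, HostPoolMonitoring and RequestManagerPoolInfoFilter::dump; `true, true, false` in VirtualNetworkPoolInfo::request_execute), which is hard to read and easy to transpose without any compiler help. A small flags type — an `enum` of bit values combined into one `int`, or a `struct` with named members — would make the intent visible at each call; the same applies to the new `use_filter` overload above and to the `where_filter` definition in the .cc hunk. The enclosing class continues outside the hunk.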
@ -201,6 +209,9 @@ public:
|
||||
};
|
||||
|
||||
~VirtualNetworkPoolInfo(){};
|
||||
|
||||
void request_execute(
|
||||
xmlrpc_c::paramList const& paramList, RequestAttributes& att);
|
||||
};
|
||||
|
||||
/* ------------------------------------------------------------------------- */
|
||||
|
@ -917,6 +917,9 @@ void AclManager::reverse_search(int uid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType obj_type,
|
||||
AuthRequest::Operation op,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
bool& all,
|
||||
vector<int>& oids,
|
||||
vector<int>& gids,
|
||||
@ -1009,30 +1012,29 @@ void AclManager::reverse_search(int uid,
|
||||
NebulaLog::log("ACL",Log::DDEBUG,oss);
|
||||
|
||||
// Rule grants permission for all objects of this type
|
||||
if ( ( it->second->resource & resource_all_req ) == resource_all_req )
|
||||
if ((!disable_all_acl) &&
|
||||
((it->second->resource & resource_all_req) == resource_all_req))
|
||||
{
|
||||
all = true;
|
||||
break;
|
||||
}
|
||||
|
||||
// Rule grants permission for all objects of a group
|
||||
if ( ( it->second->resource & resource_gid_mask ) == resource_gid_req )
|
||||
else if ((!disable_group_acl) &&
|
||||
((it->second->resource & resource_gid_mask) == resource_gid_req))
|
||||
{
|
||||
gids.push_back(it->second->resource_id());
|
||||
}
|
||||
|
||||
// Rule grants permission for an individual object
|
||||
else if ( ( it->second->resource & resource_oid_mask ) == resource_oid_req )
|
||||
{
|
||||
oids.push_back(it->second->resource_id());
|
||||
}
|
||||
|
||||
// Rule grants permission for all objects of a cluster
|
||||
if ( ( it->second->resource & resource_cid_mask ) == resource_cid_req )
|
||||
else if ((!disable_cluster_acl) &&
|
||||
((it->second->resource & resource_cid_mask) == resource_cid_req))
|
||||
{
|
||||
cids.push_back(it->second->resource_id());
|
||||
}
|
||||
|
||||
// Rule grants permission for an individual object
|
||||
else if ((it->second->resource & resource_oid_mask) == resource_oid_req)
|
||||
{
|
||||
oids.push_back(it->second->resource_id());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
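Review bot: A rule that matches `resource_all_req` but is skipped because `disable_all_acl` is set no longer reaches `break`; it falls through to the group, cluster and individual-object comparisons, and the same holds for a skipped group or cluster rule. That is only correct if the `resource_*_mask`/`resource_*_req` patterns are mutually exclusive, which cannot be checked from this hunk; if they are, a comment at the top of the chain would spare the next reader the question, e.g. `// A rule skipped by a disable_* flag falls through; the mask patterns are exclusive so it cannot match a later branch`. If they are not exclusive, a skipped `*` rule could be counted as an individual-object grant, which would defeat the purpose of the flag. reverse_search's body begins outside the hunk.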
@ -695,6 +695,9 @@ void PoolSQL::acl_filter(int uid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType auth_object,
|
||||
bool& all,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
string& filter)
|
||||
{
|
||||
filter.clear();
|
||||
@ -719,6 +722,9 @@ void PoolSQL::acl_filter(int uid,
|
||||
user_groups,
|
||||
auth_object,
|
||||
AuthRequest::USE,
|
||||
disable_all_acl,
|
||||
disable_cluster_acl,
|
||||
disable_group_acl,
|
||||
all,
|
||||
oids,
|
||||
gids,
|
||||
|
@ -74,31 +74,31 @@ void VirtualNetworkInfo::to_xml(RequestAttributes& att, PoolObjectSQL * object,
|
||||
vector<int> vms;
|
||||
vector<int> vnets;
|
||||
|
||||
string where_str;
|
||||
string where_vnets;
|
||||
string where_vms;
|
||||
|
||||
bool all = RequestManagerPoolInfoFilter::use_filter(att, PoolObjectSQL::NET,
|
||||
where_str);
|
||||
bool all_reservations = RequestManagerPoolInfoFilter::use_filter(att,
|
||||
PoolObjectSQL::NET, true, true, false, "(pid != -1)", where_vnets);
|
||||
|
||||
if (all)
|
||||
bool all_vms = RequestManagerPoolInfoFilter::use_filter(att,
|
||||
PoolObjectSQL::VM, false, false, false, "", where_vms);
|
||||
|
||||
if ( all_reservations == true )
|
||||
{
|
||||
vnets.push_back(-1);
|
||||
}
|
||||
else
|
||||
{
|
||||
Nebula::instance().get_vnpool()->search(vnets, where_vnets);
|
||||
}
|
||||
|
||||
if ( all_vms == true )
|
||||
{
|
||||
vms.push_back(-1);
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( Nebula::instance().get_vnpool()->search(vnets, where_str) != 0 )
|
||||
{
|
||||
//Log warning
|
||||
}
|
||||
|
||||
where_str = "";
|
||||
|
||||
RequestManagerPoolInfoFilter::use_filter(att, PoolObjectSQL::VM, where_str);
|
||||
|
||||
if ( Nebula::instance().get_vmpool()->search(vms, where_str) != 0 )
|
||||
{
|
||||
//Log warning
|
||||
}
|
||||
Nebula::instance().get_vmpool()->search(vms, where_vms);
|
||||
}
|
||||
|
||||
static_cast<VirtualNetwork*>(object)->to_xml_extended(str, vms, vnets);
|
||||
|
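Review bot: The return codes of `Nebula::instance().get_vnpool()->search(vnets, where_vnets)` and `get_vmpool()->search(vms, where_vms)` are now discarded outright, whereas the replaced code at least tested `!= 0` (with an empty `//Log warning` body); on a failed query the resulting XML silently omits the reservations and VMs. Suggest keeping the `!= 0` check and logging through `NebulaLog::log(..., Log::ERROR, ...)` as the placeholder intended, so a broken filter is visible in the logs rather than in a quietly incomplete `to_xml_extended`. If the `string where_str;` declaration at the top of the hunk survives on the new side it appears to be unused now and should go. to_xml begins before the hunk.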
@ -52,16 +52,32 @@ void RequestManagerPoolInfoFilter::request_execute(
|
||||
|
||||
bool RequestManagerPoolInfoFilter::use_filter(RequestAttributes& att,
|
||||
PoolObjectSQL::ObjectType aobj,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
const string& and_str,
|
||||
string& where_str)
|
||||
{
|
||||
bool all;
|
||||
|
||||
string acl_str;
|
||||
string usr_str;
|
||||
|
||||
PoolSQL::acl_filter(att.uid, att.group_ids, aobj, all, acl_str);
|
||||
|
||||
PoolSQL::acl_filter(att.uid, att.group_ids, aobj, all,
|
||||
disable_all_acl, disable_cluster_acl, disable_group_acl, acl_str);
|
||||
|
||||
PoolSQL::usr_filter(att.uid, att.group_ids, ALL, all, acl_str, where_str);
|
||||
|
||||
if (!and_str.empty())
|
||||
{
|
||||
ostringstream filter;
|
||||
|
||||
filter << "( " << where_str << " ) AND ( " << and_str << " )";
|
||||
|
||||
where_str = filter.str();
|
||||
}
|
||||
|
||||
return all;
|
||||
};
|
||||
|
||||
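Review bot: When `all` comes back true the generated `where_str` is, per the header comment, expected to be empty, but the new `and_str` wrapping runs regardless and produces `(  ) AND ( (pid != -1) )`, which is not valid SQL; the callers on this page check the return value first, so nothing breaks today, but the documented contract (true means an empty filter) is violated and a future caller could hand the string to `search`. Guarding the wrap with `if (!and_str.empty() && !where_str.empty())` keeps the returned filter empty in that case. `bool all;` is also left uninitialized before being passed to `PoolSQL::acl_filter`; `bool all = false;` makes the return value well defined should `acl_filter` ever leave it untouched. The `};` closing the function carries a stray semicolon.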
@ -129,7 +145,7 @@ void VirtualMachinePoolAccounting::request_execute(
|
||||
return;
|
||||
}
|
||||
|
||||
where_filter(att, filter_flag, -1, -1, "", "", where);
|
||||
where_filter(att, filter_flag, -1, -1, "", "", false, false, false, where);
|
||||
|
||||
rc = (static_cast<VirtualMachinePool *>(pool))->dump_acct(oss,
|
||||
where,
|
||||
@ -167,7 +183,7 @@ void VirtualMachinePoolMonitoring::request_execute(
|
||||
return;
|
||||
}
|
||||
|
||||
where_filter(att, filter_flag, -1, -1, "", "", where);
|
||||
where_filter(att, filter_flag, -1, -1, "", "", false, false, false, where);
|
||||
|
||||
rc = (static_cast<VirtualMachinePool *>(pool))->dump_monitoring(oss, where);
|
||||
|
||||
@ -203,7 +219,7 @@ void HostPoolMonitoring::request_execute(
|
||||
string where;
|
||||
int rc;
|
||||
|
||||
where_filter(att, ALL, -1, -1, "", "", where);
|
||||
where_filter(att, ALL, -1, -1, "", "", false, false, false, where);
|
||||
|
||||
rc = (static_cast<HostPool *>(pool))->dump_monitoring(oss, where);
|
||||
|
||||
@ -296,6 +312,9 @@ void RequestManagerPoolInfoFilter::where_filter(
|
||||
int end_id,
|
||||
const string& and_clause,
|
||||
const string& or_clause,
|
||||
bool disable_all_acl,
|
||||
bool disable_cluster_acl,
|
||||
bool disable_group_acl,
|
||||
string& filter_str)
|
||||
{
|
||||
bool empty = true;
|
||||
@ -307,7 +326,8 @@ void RequestManagerPoolInfoFilter::where_filter(
|
||||
|
||||
ostringstream filter;
|
||||
|
||||
PoolSQL::acl_filter(att.uid, att.group_ids, auth_object, all, acl_str);
|
||||
PoolSQL::acl_filter(att.uid, att.group_ids, auth_object, all,
|
||||
disable_all_acl, disable_cluster_acl, disable_group_acl, acl_str);
|
||||
|
||||
PoolSQL::usr_filter(att.uid, att.group_ids, filter_flag, all, acl_str, uid_str);
|
||||
|
||||
@ -388,6 +408,9 @@ void RequestManagerPoolInfoFilter::dump(
|
||||
end_id,
|
||||
and_clause,
|
||||
or_clause,
|
||||
false,
|
||||
false,
|
||||
false,
|
||||
where_string);
|
||||
|
||||
if ( end_id < -1 )
|
||||
@ -409,3 +432,69 @@ void RequestManagerPoolInfoFilter::dump(
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------------------- */
|
||||
/* ------------------------------------------------------------------------- */
|
||||
|
||||
void VirtualNetworkPoolInfo::request_execute(
|
||||
xmlrpc_c::paramList const& paramList, RequestAttributes& att)
|
||||
{
|
||||
int filter_flag = xmlrpc_c::value_int(paramList.getInt(1));
|
||||
int start_id = xmlrpc_c::value_int(paramList.getInt(2));
|
||||
int end_id = xmlrpc_c::value_int(paramList.getInt(3));
|
||||
|
||||
if ( filter_flag < MINE )
|
||||
{
|
||||
failure_response(XML_RPC_API,
|
||||
request_error("Incorrect filter_flag",""),
|
||||
att);
|
||||
return;
|
||||
}
|
||||
|
||||
/* ---------------------------------------------------------------------- */
|
||||
/* Build where filters to get ois from: */
|
||||
/* - vnets (owner, permissions & ACL) */
|
||||
/* - reservations (owner, permission & not VNET\* nor VNET/% ACLs) */
|
||||
/* ---------------------------------------------------------------------- */
|
||||
|
||||
string where_vnets, where_reserv;
|
||||
ostringstream where_string;
|
||||
|
||||
where_filter(att, filter_flag, start_id, end_id, "pid == -1", "", false,
|
||||
false, false, where_vnets);
|
||||
|
||||
where_filter(att, filter_flag, -1, -1, "pid != -1", "", true, true, false,
|
||||
where_reserv);
|
||||
|
||||
where_string << "( " << where_vnets << " ) OR ( " << where_reserv << " ) ";
|
||||
|
||||
/* ---------------------------------------------------------------------- */
|
||||
/* Build pagination limits */
|
||||
/* ---------------------------------------------------------------------- */
|
||||
|
||||
ostringstream limit_clause;
|
||||
|
||||
if ( end_id < -1 )
|
||||
{
|
||||
limit_clause << start_id << "," << -end_id;
|
||||
}
|
||||
|
||||
/* ---------------------------------------------------------------------- */
|
||||
/* Get the VNET pool */
|
||||
/* ---------------------------------------------------------------------- */
|
||||
|
||||
ostringstream pool_oss;
|
||||
|
||||
int rc = pool->dump(pool_oss, where_string.str(), limit_clause.str());
|
||||
|
||||
if ( rc != 0 )
|
||||
{
|
||||
failure_response(INTERNAL,request_error("Internal Error",""), att);
|
||||
return;
|
||||
}
|
||||
|
||||
success_response(pool_oss.str(), att);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
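Review bot: The first `where_filter` call uses `"pid == -1"` as its and_clause; `==` is accepted by SQLite but is not an operator in MySQL's SQL dialect, and the other filters on this page use the portable `!=`, so this should be `"pid = -1"` to keep both backends working. The reservation filter is also built with `-1, -1` for `start_id`/`end_id`; if `where_filter` turns a non-negative range into an oid restriction (as the separate `limit_clause` for the `end_id < -1` case suggests), a range request returns every reservation while restricting plain vnets — either pass `start_id, end_id` to the second call too, or add a comment stating that reservations are deliberately not range-filtered. The comment `Build where filters to get ois from` should read `oids`.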