F #1377: Added new function to check lock state with oneadmin. Missing
action names. Functions to test oneadmin or admin roles
This commit is contained in:
parent
ad5f6ff4cf
commit
d7ce29183c
include
AclManager.hAuthRequest.hRequest.hRequestManagerAllocateDB.hRequestManagerDropDB.hRequestManagerUpdateDB.hRequestManagerVirtualNetwork.h
src
acl
authm
rm
Request.ccRequestManagerAllocate.ccRequestManagerChmod.ccRequestManagerChown.ccRequestManagerClone.ccRequestManagerCluster.ccRequestManagerDelete.ccRequestManagerGroup.ccRequestManagerImage.ccRequestManagerInfo.ccRequestManagerRename.ccRequestManagerSystem.ccRequestManagerUpdateTemplate.ccRequestManagerUser.ccRequestManagerVMTemplate.ccRequestManagerVdc.ccRequestManagerVirtualMachine.ccRequestManagerVirtualRouter.ccRequestManagerZone.cc
@ -85,6 +85,17 @@ public:
|
||||
const PoolObjectAuth& obj_perms,
|
||||
AuthRequest::Operation op);
|
||||
|
||||
/**
|
||||
* Takes an authorization request for oneadmin
|
||||
* and checks if the resource is locked
|
||||
*
|
||||
* @param obj_perms The object's permission attributes
|
||||
* @param op The operation to be authorized
|
||||
* @return true if the authorization is granted for oneadmin
|
||||
*/
|
||||
const bool oneadmin_authorize(const PoolObjectAuth& obj_perms,
|
||||
AuthRequest::Operation op);
|
||||
|
||||
/**
|
||||
* Adds a new rule to the ACL rule set
|
||||
*
|
||||
|
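Review bot: `const bool oneadmin_authorize(...)` puts a top-level const on a by-value return, which changes nothing for callers and only draws readability warnings; the definition in the AclManager.cc hunk carries the same qualifier. Drop it in both places: `bool oneadmin_authorize(const PoolObjectAuth& obj_perms, AuthRequest::Operation op);`. The docblock says the function "checks if the resource is locked" and returns true "if the authorization is granted", but the visible definition returns false only when the object is locked at or above `op` and evaluates no ACL rules, so the `@return` line would be more accurate as `@return false if obj_perms is locked at or above op, true otherwise; ACL rules are not consulted`.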
@ -61,12 +61,18 @@ public:
|
||||
{
|
||||
switch (op)
|
||||
{
|
||||
case USE: return "USE";
|
||||
case MANAGE: return "MANAGE";
|
||||
case ADMIN: return "ADMIN";
|
||||
case CREATE: return "CREATE";
|
||||
default: return "";
|
||||
case USE: return "USE";
|
||||
case USE_NO_LCK: return "USE";
|
||||
case MANAGE: return "MANAGE";
|
||||
case MANAGE_NO_LCK: return "MANAGE";
|
||||
case ADMIN: return "ADMIN";
|
||||
case ADMIN_NO_LCK: return "ADMIN";
|
||||
case CREATE: return "CREATE";
|
||||
case CREATE_NO_LCK: return "CREATE";
|
||||
case NONE: return "";
|
||||
}
|
||||
|
||||
return "";
|
||||
};
|
||||
|
||||
static Operation str_to_operation(string str)
|
||||
@ -156,7 +162,7 @@ public:
|
||||
|
||||
bool core_authorize()
|
||||
{
|
||||
return ( uid == 0 || self_authorize );
|
||||
return self_authorize;
|
||||
}
|
||||
|
||||
bool core_authenticate()
|
||||
|
@ -111,6 +111,22 @@ public:
|
||||
resp_id = -1;
|
||||
resp_msg = "";
|
||||
};
|
||||
|
||||
bool is_admin()
|
||||
{
|
||||
return uid == UserPool::ONEADMIN_ID ||
|
||||
group_ids.count(GroupPool::ONEADMIN_ID) == 1;
|
||||
}
|
||||
|
||||
bool is_oneadmin()
|
||||
{
|
||||
return uid == UserPool::ONEADMIN_ID;
|
||||
}
|
||||
|
||||
bool is_oneadmin_group()
|
||||
{
|
||||
return gid == GroupPool::ONEADMIN_ID;
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
|
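Review bot: `is_admin()` counts membership of the oneadmin group through `group_ids`, secondary groups included, while several of the conditions it replaces in this commit tested only the primary `gid` (the hunks in RequestManagerVirtualNetwork.h, RequestManagerUpdateTemplate.cc, RequestManagerUser.cc, VirtualMachineAllocate and ImageAllocate in RequestManagerAllocate.cc, and VMTemplateInstantiate::merge), so a user whose secondary group is oneadmin now skips the restricted-attribute checks at those sites. This matches the `gids.count(GroupPool::ONEADMIN_ID)` test already used in AuthRequest::add_auth, so it is presumably intended, but it is a widening that the header should state, and `is_oneadmin_group()` right below it tests the primary `gid` only, which reads as inconsistent next to it. Suggested comment above `is_admin()`: `// True for oneadmin or for any user whose primary or secondary group is the oneadmin group; broader than is_oneadmin_group(), which tests the primary gid only.` The struct these methods belong to starts outside the hunk.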
@ -41,7 +41,7 @@ protected:
|
||||
{
|
||||
std::string xml = xmlrpc_c::value_string(pl.getString(1));
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
|
@ -40,7 +40,7 @@ protected:
|
||||
std::string error;
|
||||
int oid = xmlrpc_c::value_int(pl.getInt(1));
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
|
@ -41,7 +41,7 @@ protected:
|
||||
int oid = xmlrpc_c::value_int(pl.getInt(1));
|
||||
std::string xml = xmlrpc_c::value_string(pl.getString(2));
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
@ -151,7 +151,7 @@ public:
|
||||
int oid = xmlrpc_c::value_int(pl.getInt(1));
|
||||
std::string xml = xmlrpc_c::value_string(pl.getString(2));
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
|
@ -154,7 +154,7 @@ public:
|
||||
RequestAttributes& att,
|
||||
string& error_str)
|
||||
{
|
||||
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
|
||||
if (!att.is_admin())
|
||||
{
|
||||
return vn->update_ar(tmpl, true, error_str);
|
||||
}
|
||||
|
@ -419,6 +419,25 @@ const bool AclManager::authorize(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
const bool AclManager::oneadmin_authorize(
|
||||
const PoolObjectAuth& obj_perms,
|
||||
AuthRequest::Operation op)
|
||||
{
|
||||
if (static_cast<long long int>(op) & 0x10LL) //No lockable object
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else if (obj_perms.locked > 0 && obj_perms.locked <= static_cast<long long int>(op))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool AclManager::match_rules_wrapper(
|
||||
long long user_req,
|
||||
long long resource_oid_req,
|
||||
|
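Review bot: `static_cast<long long int>(op) & 0x10LL` hard-codes the bit that distinguishes the `*_NO_LCK` operations introduced in the AuthRequest.h hunk, and `obj_perms.locked <= static_cast<long long int>(op)` only makes sense if `locked` stores an Operation value and the enumerators are ordered by privilege; neither invariant is visible in this file, so a later edit to the enum would silently break the check. Name the mask and state the ordering assumption next to the comparison, e.g. `static const long long NO_LCK_MASK = 0x10LL; // bit set on the *_NO_LCK operations` in place of the literal, and `// assumes locked holds an Operation value and the enumerators are ordered by privilege -- confirm against AuthRequest.h` above the `else if`. As noted on the header hunk, the `const` on the `const bool` return type is redundant.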
@ -34,6 +34,7 @@ void AuthRequest::add_auth(Operation op,
|
||||
{
|
||||
ostringstream oss;
|
||||
bool auth;
|
||||
bool lock;
|
||||
|
||||
oss << ob_perms.type_to_str() << ":";
|
||||
|
||||
@ -66,15 +67,17 @@ void AuthRequest::add_auth(Operation op,
|
||||
|
||||
// Default conditions that grants permission :
|
||||
// User is oneadmin, or is in the oneadmin group
|
||||
Nebula& nd = Nebula::instance();
|
||||
AclManager* aclm = nd.get_aclm();
|
||||
|
||||
if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 )
|
||||
{
|
||||
auth = true;
|
||||
lock = aclm->oneadmin_authorize(ob_perms, op);
|
||||
auth = lock;
|
||||
}
|
||||
else
|
||||
{
|
||||
Nebula& nd = Nebula::instance();
|
||||
AclManager* aclm = nd.get_aclm();
|
||||
|
||||
lock = false;
|
||||
auth = aclm->authorize(uid, gids, ob_perms, op);
|
||||
}
|
||||
|
||||
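Review bot: `lock` is assigned the result of `aclm->oneadmin_authorize(ob_perms, op)` (`lock = ...; auth = lock;`), and the AclManager.cc hunk returns false from that function when the object is locked, so `lock` is true when the object is not locked; the message code in the next hunk (`@ -88,15 +91,20`) then tests `if ( !lock )` to print "Not authorized to perform" and prints "is locked." only when `lock` is true. If the enclosing failure block runs on `!auth` (its condition is outside the hunk), a locked object is reported to oneadmin as a plain authorization failure and the "is locked." branch can never execute. Invert the flag so its name matches its meaning: `lock = !aclm->oneadmin_authorize(ob_perms, op);` and `auth = !lock;` here, keeping `lock = false;` in the else branch. The `bool lock;` declared without an initializer in the first hunk is assigned on both paths, but `bool lock = false;` would make the non-admin default explicit.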
@ -88,15 +91,20 @@ void AuthRequest::add_auth(Operation op,
|
||||
{
|
||||
oss.str("");
|
||||
|
||||
oss << message;
|
||||
|
||||
if ( !message.empty() )
|
||||
{
|
||||
oss << "; ";
|
||||
oss << message << "; ";
|
||||
}
|
||||
|
||||
oss << "Not authorized to perform " << operation_to_str(op)
|
||||
<< " " << ob_perms.type_to_str();
|
||||
if ( !lock )
|
||||
{
|
||||
oss << "Not authorized to perform " << operation_to_str(op)
|
||||
<< " " << ob_perms.type_to_str();
|
||||
}
|
||||
else
|
||||
{
|
||||
oss << ob_perms.type_to_str() << " is locked.";
|
||||
}
|
||||
|
||||
if ( ob_perms.oid != -1 )
|
||||
{
|
||||
|
@ -411,22 +411,12 @@ Request::ErrorCode Request::basic_authorization(
|
||||
return NO_EXISTS;
|
||||
}
|
||||
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
object->unlock();
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
object->get_permissions(perms);
|
||||
|
||||
object->unlock();
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
perms.obj_type = auth_object;
|
||||
}
|
||||
|
@ -31,11 +31,6 @@ bool RequestManagerAllocate::allocate_authorization(
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
string tmpl_str = "";
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
@ -72,11 +67,6 @@ bool VirtualMachineAllocate::allocate_authorization(
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string t64;
|
||||
string aname;
|
||||
@ -85,7 +75,7 @@ bool VirtualMachineAllocate::allocate_authorization(
|
||||
|
||||
// ------------ Check template for restricted attributes -------------------
|
||||
|
||||
if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
|
||||
if (!att.is_admin())
|
||||
{
|
||||
if (ttmpl->check_restricted(aname))
|
||||
{
|
||||
@ -545,50 +535,46 @@ void ImageAllocate::request_execute(xmlrpc_c::paramList const& params,
|
||||
img_usage.add("DATASTORE", ds_id);
|
||||
img_usage.add("SIZE", size_str);
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
string aname;
|
||||
|
||||
// ------------ Check template for restricted attributes --------------
|
||||
|
||||
if (!att.is_admin())
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
string aname;
|
||||
|
||||
// ------------ Check template for restricted attributes --------------
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID &&
|
||||
att.gid != GroupPool::ONEADMIN_ID )
|
||||
if (tmpl->check_restricted(aname))
|
||||
{
|
||||
if (tmpl->check_restricted(aname))
|
||||
{
|
||||
att.resp_msg = "Template includes a restricted attribute "+aname;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
delete tmpl;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// ------------------ Check permissions and ACLs ----------------------
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
|
||||
|
||||
ar.add_auth(AuthRequest::USE, ds_perms); // USE DATASTORE
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
att.resp_msg = "Template includes a restricted attribute "+aname;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
delete tmpl;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// -------------------------- Check Quotas ----------------------------
|
||||
// ------------------ Check permissions and ACLs ----------------------
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att) == false )
|
||||
{
|
||||
delete tmpl;
|
||||
return;
|
||||
}
|
||||
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
|
||||
|
||||
ar.add_auth(AuthRequest::USE, ds_perms); // USE DATASTORE
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
delete tmpl;
|
||||
return;
|
||||
}
|
||||
|
||||
// -------------------------- Check Quotas ----------------------------
|
||||
|
||||
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att) == false )
|
||||
{
|
||||
delete tmpl;
|
||||
return;
|
||||
}
|
||||
|
||||
// ------------------------- Check persistent only -------------------------
|
||||
@ -678,11 +664,6 @@ bool TemplateAllocate::allocate_authorization(
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string t64;
|
||||
string aname;
|
||||
@ -738,11 +719,6 @@ bool UserAllocate::allocate_authorization(
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
vector<xmlrpc_c::value> param_arr;
|
||||
vector<xmlrpc_c::value>::const_iterator it;
|
||||
|
||||
@ -1102,11 +1078,6 @@ bool VirtualRouterAllocate::allocate_authorization(
|
||||
RequestAttributes& att,
|
||||
PoolObjectAuth * cluster_perms)
|
||||
{
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
|
||||
|
@ -81,78 +81,75 @@ Request::ErrorCode RequestManagerChmod::chmod(
|
||||
{
|
||||
PoolObjectSQL * object;
|
||||
|
||||
if ( att.uid != 0 && att.gid != 0)
|
||||
AuthRequest::Operation op = AuthRequest::MANAGE;
|
||||
PoolObjectAuth perms;
|
||||
|
||||
object = pool->get(oid);
|
||||
|
||||
if ( object == 0 )
|
||||
{
|
||||
AuthRequest::Operation op = AuthRequest::MANAGE;
|
||||
PoolObjectAuth perms;
|
||||
att.resp_id = oid;
|
||||
return NO_EXISTS;
|
||||
}
|
||||
|
||||
object = pool->get(oid);
|
||||
object->get_permissions(perms);
|
||||
|
||||
if ( object == 0 )
|
||||
object->unlock();
|
||||
|
||||
if ( owner_a == perms.owner_a )
|
||||
{
|
||||
owner_a = -1;
|
||||
}
|
||||
|
||||
if ( group_a == perms.group_a )
|
||||
{
|
||||
group_a = -1;
|
||||
}
|
||||
|
||||
if ( other_u == perms.other_u )
|
||||
{
|
||||
other_u = -1;
|
||||
}
|
||||
|
||||
if ( other_m == perms.other_m )
|
||||
{
|
||||
other_m = -1;
|
||||
}
|
||||
|
||||
if ( other_a == perms.other_a )
|
||||
{
|
||||
other_a = -1;
|
||||
}
|
||||
|
||||
if ( owner_a != -1 || group_a != -1 || other_a != -1 )
|
||||
{
|
||||
op = AuthRequest::ADMIN;
|
||||
}
|
||||
|
||||
if ( other_u != -1 || other_m != -1 || other_a != -1 )
|
||||
{
|
||||
bool enable_other;
|
||||
|
||||
Nebula::instance().get_configuration_attribute(
|
||||
"ENABLE_OTHER_PERMISSIONS", enable_other);
|
||||
|
||||
if ( !enable_other )
|
||||
{
|
||||
att.resp_id = oid;
|
||||
return NO_EXISTS;
|
||||
}
|
||||
|
||||
object->get_permissions(perms);
|
||||
|
||||
object->unlock();
|
||||
|
||||
if ( owner_a == perms.owner_a )
|
||||
{
|
||||
owner_a = -1;
|
||||
}
|
||||
|
||||
if ( group_a == perms.group_a )
|
||||
{
|
||||
group_a = -1;
|
||||
}
|
||||
|
||||
if ( other_u == perms.other_u )
|
||||
{
|
||||
other_u = -1;
|
||||
}
|
||||
|
||||
if ( other_m == perms.other_m )
|
||||
{
|
||||
other_m = -1;
|
||||
}
|
||||
|
||||
if ( other_a == perms.other_a )
|
||||
{
|
||||
other_a = -1;
|
||||
}
|
||||
|
||||
if ( owner_a != -1 || group_a != -1 || other_a != -1 )
|
||||
{
|
||||
op = AuthRequest::ADMIN;
|
||||
}
|
||||
|
||||
if ( other_u != -1 || other_m != -1 || other_a != -1 )
|
||||
{
|
||||
bool enable_other;
|
||||
|
||||
Nebula::instance().get_configuration_attribute(
|
||||
"ENABLE_OTHER_PERMISSIONS", enable_other);
|
||||
|
||||
if ( !enable_other )
|
||||
{
|
||||
att.resp_msg = "'other' permissions is disabled in oned.conf";
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(op, perms);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
att.resp_msg = "'other' permissions is disabled in oned.conf";
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
}
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(op, perms);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
// ------------- Update the object ---------------------
|
||||
|
||||
object = pool->get(oid);
|
||||
|
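Review bot: the `ENABLE_OTHER_PERMISSIONS` gate now applies to oneadmin as well, because the removed `if ( att.uid != 0 && att.gid != 0)` wrapper used to skip both that check and the ACL authorization for uid 0 / gid 0; routing oneadmin through `UserPool::authorize` is the commit's intent, but refusing oneadmin any 'other' bit while the option is off is a separate behaviour change that the commit message does not mention. If it is intended, say so above the `if ( other_u != -1 || other_m != -1 || other_a != -1 )` test, e.g. `// Applies to oneadmin too: 'other' bits cannot be set while ENABLE_OTHER_PERMISSIONS is off`; otherwise keep that block under `if (!att.is_admin())`. The function continues past the end of the hunk.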
@ -303,36 +303,33 @@ void RequestManagerChown::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
// ------------- Set authorization request for non-oneadmin's --------------
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
rc = get_info(pool, oid, auth_object, att, operms, oname, true);
|
||||
|
||||
if ( rc == -1 )
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
return;
|
||||
}
|
||||
|
||||
rc = get_info(pool, oid, auth_object, att, operms, oname, true);
|
||||
ar.add_auth(auth_op, operms); // MANAGE OBJECT
|
||||
|
||||
if ( rc == -1 )
|
||||
{
|
||||
return;
|
||||
}
|
||||
if ( noid > -1 )
|
||||
{
|
||||
ar.add_auth(AuthRequest::MANAGE, nuperms); // MANAGE USER
|
||||
}
|
||||
|
||||
ar.add_auth(auth_op, operms); // MANAGE OBJECT
|
||||
if ( ngid > -1 )
|
||||
{
|
||||
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
|
||||
}
|
||||
|
||||
if ( noid > -1 )
|
||||
{
|
||||
ar.add_auth(AuthRequest::MANAGE, nuperms); // MANAGE USER
|
||||
}
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
if ( ngid > -1 )
|
||||
{
|
||||
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
|
||||
}
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// --------------- Check name uniqueness -----------------------------------
|
||||
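Review bot: the comment `// ------------- Set authorization request for non-oneadmin's --------------` just above the hunk is now misleading, because the `if ( att.uid != 0 )` guard it described has been removed and the AuthRequest is built and checked for every caller; the same stale comment sits above the RequestManagerRename.cc hunk (`@ -61,19 +61,16`). Reword both to `// ------------- Set authorization request (oneadmin included) ---------------` or simply drop the qualifier.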
@ -478,20 +475,17 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, uperms); // MANAGE USER
|
||||
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
ar.add_auth(auth_op, uperms); // MANAGE USER
|
||||
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// ------------- Change users primary group ---------------------
|
||||
|
@ -85,25 +85,22 @@ Request::ErrorCode RequestManagerClone::clone(int source_id, const string &name,
|
||||
tmpl->erase("NAME");
|
||||
tmpl->set(new SingleAttribute("NAME", name));
|
||||
|
||||
if ( att.uid != 0 )
|
||||
string tmpl_str = "";
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, perms); //USE OBJECT
|
||||
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
string tmpl_str = "";
|
||||
att.resp_msg = ar.message;
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, perms); //USE OBJECT
|
||||
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
rc = pool_allocate(source_id, tmpl, new_id, att);
|
||||
|
@ -57,20 +57,17 @@ void RequestManagerCluster::action_generic(
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
|
||||
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN OBJECT
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
|
||||
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN OBJECT
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// ------------- Set new cluster id in object ---------------------
|
||||
@ -219,20 +216,17 @@ void RequestManagerClusterHost::add_generic(
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
|
||||
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN HOST
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
|
||||
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN HOST
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// ------------- Set new cluster id in object ---------------------
|
||||
|
@ -27,11 +27,6 @@ static Request::ErrorCode delete_authorization(PoolSQL* pool,
|
||||
{
|
||||
PoolObjectAuth perms;
|
||||
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
return Request::SUCCESS;
|
||||
}
|
||||
|
||||
PoolObjectSQL * object = pool->get(oid);
|
||||
|
||||
if ( object == 0 )
|
||||
|
@ -119,21 +119,18 @@ void GroupEditAdmin::request_execute(
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, group_perms); // MANAGE GROUP
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, user_perms); // MANAGE USER
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, group_perms); // MANAGE GROUP
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, user_perms); // MANAGE USER
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
return;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
group = static_cast<GroupPool*>(pool)->get(group_id);
|
||||
|
@ -481,46 +481,43 @@ Request::ErrorCode ImageClone::request_execute(
|
||||
return ACTION;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
|
||||
// ------------------ Check permissions and ACLs ----------------------
|
||||
// Create image
|
||||
// Use original image
|
||||
// Use target datastore
|
||||
// Use original datastore, if different
|
||||
// ---------------------------------------------------------------------
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::IMAGE, tmpl_str);
|
||||
|
||||
ar.add_auth(AuthRequest::USE, perms);
|
||||
|
||||
ar.add_auth(AuthRequest::USE, ds_perms);
|
||||
|
||||
if (ds_id != ds_id_orig)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
ar.add_auth(AuthRequest::USE, ds_perms_orig);
|
||||
}
|
||||
|
||||
// ------------------ Check permissions and ACLs ----------------------
|
||||
// Create image
|
||||
// Use original image
|
||||
// Use target datastore
|
||||
// Use original datastore, if different
|
||||
// ---------------------------------------------------------------------
|
||||
tmpl->to_xml(tmpl_str);
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
|
||||
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::IMAGE, tmpl_str);
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
ar.add_auth(AuthRequest::USE, perms);
|
||||
// -------------------------- Check Quotas ----------------------------
|
||||
|
||||
ar.add_auth(AuthRequest::USE, ds_perms);
|
||||
|
||||
if (ds_id != ds_id_orig)
|
||||
{
|
||||
ar.add_auth(AuthRequest::USE, ds_perms_orig);
|
||||
}
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
// -------------------------- Check Quotas ----------------------------
|
||||
|
||||
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att,
|
||||
att.resp_msg) == false )
|
||||
{
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att,
|
||||
att.resp_msg) == false )
|
||||
{
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
rc = ipool->allocate(att.uid,
|
||||
|
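Review bot: `quota_authorization(&img_usage, Quotas::DATASTORE, att, att.resp_msg)` now runs for oneadmin too, because the removed `if ( att.uid != 0 )` wrapper enclosed the quota block as well as the ACL request; the same applies to the VIRTUALMACHINE check and the DATASTORE quota loop in the VMTemplateInstantiate::request_execute hunk (`@ -200,80 +200,77`). The commit's stated aim is the lock check, so unless `quota_authorization` exempts uid 0 itself (not visible here; ImageAllocate already called it unconditionally before this commit, which suggests it does), oneadmin clones and instantiations become subject to quota enforcement. If the exemption lives in `quota_authorization`, a one-line comment above the call, `// quota_authorization exempts oneadmin itself`, would record the dependency; if it does not, the quota block needs an `att.is_oneadmin()` guard.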
@ -115,16 +115,13 @@ void TemplateInfo::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
VirtualMachineDisks::extended_info(att.uid, extended_tmpl);
|
||||
}
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
|
||||
delete extended_tmpl;
|
||||
return;
|
||||
}
|
||||
delete extended_tmpl;
|
||||
return;
|
||||
}
|
||||
|
||||
vm_tmpl = tpool->get(oid);
|
||||
|
@ -61,19 +61,16 @@ void RequestManagerRename::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
// ------------- Set authorization request for non-oneadmin's --------------
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, operms); // MANAGE OBJECT
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, operms); // MANAGE OBJECT
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
clear_rename(oid);
|
||||
return;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
clear_rename(oid);
|
||||
return;
|
||||
}
|
||||
|
||||
// ----------------------- Check name uniqueness ---------------------------
|
||||
|
@ -63,7 +63,7 @@ void SystemSql::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
SqlDB * db;
|
||||
|
||||
if ( att.uid != 0 )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
att.resp_id = -1;
|
||||
|
||||
@ -164,7 +164,7 @@ void SystemSqlQuery::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
std::string result;
|
||||
|
||||
if ( att.uid != 0 )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
att.resp_id = -1;
|
||||
|
||||
|
@ -27,7 +27,7 @@ int RequestManagerUpdateTemplate::replace_template(
|
||||
const RequestAttributes &att,
|
||||
string &error_str)
|
||||
{
|
||||
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
|
||||
if (!att.is_admin())
|
||||
{
|
||||
return object->replace_template(tmpl, true, error_str);
|
||||
}
|
||||
@ -46,7 +46,7 @@ int RequestManagerUpdateTemplate::append_template(
|
||||
const RequestAttributes &att,
|
||||
string &error_str)
|
||||
{
|
||||
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
|
||||
if (!att.is_admin())
|
||||
{
|
||||
return object->append_template(tmpl, true, error_str);
|
||||
}
|
||||
|
@ -73,8 +73,7 @@ int UserChangePassword::user_action(int user_id,
|
||||
allowed = false;
|
||||
}
|
||||
|
||||
if (!allowed && att.uid != UserPool::ONEADMIN_ID &&
|
||||
att.gid != GroupPool::ONEADMIN_ID)
|
||||
if (!allowed && !att.is_admin())
|
||||
{
|
||||
error_str = "Password for driver " + user->get_auth_driver() +
|
||||
" cannot be changed.";
|
||||
@ -249,19 +248,16 @@ void UserEditGroup::
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, uperms); // MANAGE USER
|
||||
ar.add_auth(AuthRequest::MANAGE, gperms); // MANAGE GROUP
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, uperms); // MANAGE USER
|
||||
ar.add_auth(AuthRequest::MANAGE, gperms); // MANAGE GROUP
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( secondary_group_action(user_id, group_id, paramList, att.resp_msg) < 0 )
|
||||
@ -418,32 +414,29 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
egid = xmlrpc_c::value_int(paramList.getInt(4));
|
||||
}
|
||||
|
||||
if (att.uid != 0)
|
||||
PoolObjectAuth perms;
|
||||
|
||||
user = static_cast<UserPool *>(pool)->get(uname);
|
||||
|
||||
if ( user == 0 )
|
||||
{
|
||||
PoolObjectAuth perms;
|
||||
failure_response(NO_EXISTS, att);
|
||||
return;
|
||||
}
|
||||
|
||||
user = static_cast<UserPool *>(pool)->get(uname);
|
||||
user->get_permissions(perms);
|
||||
|
||||
if ( user == 0 )
|
||||
{
|
||||
failure_response(NO_EXISTS, att);
|
||||
return;
|
||||
}
|
||||
user->unlock();
|
||||
|
||||
user->get_permissions(perms);
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
user->unlock();
|
||||
ar.add_auth(auth_op, perms);
|
||||
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(auth_op, perms);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
user = static_cast<UserPool *>(pool)->get(uname);
|
||||
|
@ -200,80 +200,77 @@ Request::ErrorCode VMTemplateInstantiate::request_execute(int id, string name,
|
||||
|
||||
//--------------------------------------------------------------------------
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::USE, perms); //USE TEMPLATE
|
||||
|
||||
if (!str_uattrs.empty())
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
string tmpl_str;
|
||||
|
||||
ar.add_auth(AuthRequest::USE, perms); //USE TEMPLATE
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
if (!str_uattrs.empty())
|
||||
// CREATE TEMPLATE
|
||||
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::TEMPLATE,
|
||||
tmpl_str);
|
||||
}
|
||||
|
||||
VirtualMachine::set_auth_request(att.uid, ar, tmpl);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
extended_tmpl = *tmpl;
|
||||
|
||||
VirtualMachineDisks::extended_info(att.uid, &extended_tmpl);
|
||||
|
||||
if (quota_authorization(&extended_tmpl, Quotas::VIRTUALMACHINE, att,
|
||||
att.resp_msg) == false)
|
||||
{
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
bool ds_quota_auth = true;
|
||||
|
||||
VirtualMachineDisks::image_ds_quotas(&extended_tmpl, ds_quotas);
|
||||
|
||||
for ( it = ds_quotas.begin() ; it != ds_quotas.end() ; ++it )
|
||||
{
|
||||
if ( quota_authorization(*it, Quotas::DATASTORE, att, att.resp_msg)
|
||||
== false )
|
||||
{
|
||||
string tmpl_str;
|
||||
|
||||
tmpl->to_xml(tmpl_str);
|
||||
|
||||
// CREATE TEMPLATE
|
||||
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::TEMPLATE,
|
||||
tmpl_str);
|
||||
ds_quota_auth = false;
|
||||
break;
|
||||
}
|
||||
|
||||
VirtualMachine::set_auth_request(att.uid, ar, tmpl);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
else
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
applied.push_back(*it);
|
||||
}
|
||||
}
|
||||
|
||||
extended_tmpl = *tmpl;
|
||||
if ( ds_quota_auth == false )
|
||||
{
|
||||
quota_rollback(&extended_tmpl, Quotas::VIRTUALMACHINE, att);
|
||||
|
||||
VirtualMachineDisks::extended_info(att.uid, &extended_tmpl);
|
||||
|
||||
if (quota_authorization(&extended_tmpl, Quotas::VIRTUALMACHINE, att,
|
||||
att.resp_msg) == false)
|
||||
for ( it = applied.begin() ; it != applied.end() ; ++it )
|
||||
{
|
||||
delete tmpl;
|
||||
return AUTHORIZATION;
|
||||
quota_rollback(*it, Quotas::DATASTORE, att);
|
||||
}
|
||||
|
||||
bool ds_quota_auth = true;
|
||||
|
||||
VirtualMachineDisks::image_ds_quotas(&extended_tmpl, ds_quotas);
|
||||
|
||||
for ( it = ds_quotas.begin() ; it != ds_quotas.end() ; ++it )
|
||||
{
|
||||
if ( quota_authorization(*it, Quotas::DATASTORE, att, att.resp_msg)
|
||||
== false )
|
||||
{
|
||||
ds_quota_auth = false;
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
applied.push_back(*it);
|
||||
}
|
||||
delete *it;
|
||||
}
|
||||
|
||||
if ( ds_quota_auth == false )
|
||||
{
|
||||
quota_rollback(&extended_tmpl, Quotas::VIRTUALMACHINE, att);
|
||||
delete tmpl;
|
||||
|
||||
for ( it = applied.begin() ; it != applied.end() ; ++it )
|
||||
{
|
||||
quota_rollback(*it, Quotas::DATASTORE, att);
|
||||
}
|
||||
|
||||
for ( it = ds_quotas.begin() ; it != ds_quotas.end() ; ++it )
|
||||
{
|
||||
delete *it;
|
||||
}
|
||||
|
||||
delete tmpl;
|
||||
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
rc = vmpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask,
|
||||
@ -326,7 +323,7 @@ Request::ErrorCode VMTemplateInstantiate::merge(
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
|
||||
if (!att.is_admin())
|
||||
{
|
||||
if (uattrs.check_restricted(aname, tmpl))
|
||||
{
|
||||
|
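Review bot: `att.is_admin()` replaces the inline `uid != ONEADMIN_ID && gid != ONEADMIN_ID` test that decides whether restricted template attributes are bypassed, but nothing on the page documents what is_admin() checks, so the equivalence to the old test is only an assumption. The Zone hunks switch the same kind of check to a different helper, `is_oneadmin()`, so the two presumably differ (oneadmin user or group vs. uid 0 only), and that difference is exactly what governs the `check_restricted` bypass here. A doc comment on the helper stating the rule, e.g. `/// true when uid or gid is ONEADMIN_ID; use is_oneadmin() where only uid 0 may pass`, would make the choice auditable. The same substitution is made in the VirtualMachineResize (both hunks), VirtualMachineAttachNic and VirtualMachineUpdateConf hunks. merge() starts and ends outside this hunk.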
@ -58,19 +58,16 @@ void VdcEditGroup::request_execute(
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
|
||||
ar.add_auth(AuthRequest::ADMIN, group_perms); // ADMIN GROUP
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
|
||||
ar.add_auth(AuthRequest::ADMIN, group_perms); // ADMIN GROUP
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
vdc = static_cast<VdcPool*>(pool)->get(vdc_id);
|
||||
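Review bot: Removing the `if ( att.uid != 0 )` guard around the AuthRequest means oneadmin (uid 0) now reaches `UserPool::authorize(ar)` in VdcEditGroup, so whether uid 0 is still granted, and whether a lock on the VDC or group now blocks it, is decided entirely inside authorize rather than here. Nothing in the hunk records that this is deliberate; a comment at the `AuthRequest ar(att.uid, att.group_ids);` line such as `// no uid==0 shortcut: authorize() also evaluates oneadmin (lock state included)` would stop a later reader from re-adding the shortcut. The same guard removal appears in the VdcEditResource, VirtualMachineAttachNic, VirtualMachineDetachNic, VirtualRouterInstantiate, VirtualRouterAttachNic and VirtualRouterDetachNic hunks, and vm_authorization drops its `att.uid == 0` early return; one comment per site, or one on authorize(), covers them all. If authorize() still short-circuits uid 0 before any lock check, these hunks change nothing and lock enforcement for oneadmin is not actually reached, which cannot be confirmed from this page. The enclosing functions start and end outside the hunks.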
@ -183,28 +180,25 @@ void VdcEditResource::request_execute(
|
||||
}
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
|
||||
|
||||
if (zone_exists)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
ar.add_auth(AuthRequest::ADMIN, zone_perms); // ADMIN ZONE
|
||||
}
|
||||
|
||||
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
|
||||
if (res_exists)
|
||||
{
|
||||
ar.add_auth(AuthRequest::ADMIN, res_perms); // ADMIN RESOURCE
|
||||
}
|
||||
|
||||
if (zone_exists)
|
||||
{
|
||||
ar.add_auth(AuthRequest::ADMIN, zone_perms); // ADMIN ZONE
|
||||
}
|
||||
|
||||
if (res_exists)
|
||||
{
|
||||
ar.add_auth(AuthRequest::ADMIN, res_perms); // ADMIN RESOURCE
|
||||
}
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
vdc = static_cast<VdcPool*>(pool)->get(vdc_id);
|
||||
|
@ -46,12 +46,6 @@ bool RequestManagerVirtualMachine::vm_authorization(
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( att.uid == 0 )
|
||||
{
|
||||
object->unlock();
|
||||
return true;
|
||||
}
|
||||
|
||||
object->get_permissions(vm_perms);
|
||||
|
||||
object->unlock();
|
||||
@ -1813,7 +1807,7 @@ void VirtualMachineResize::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
bool enforce = true;
|
||||
|
||||
if (att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID)
|
||||
if (att.is_admin())
|
||||
{
|
||||
enforce = enforce_param;
|
||||
}
|
||||
@ -1837,7 +1831,7 @@ void VirtualMachineResize::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
return;
|
||||
}
|
||||
|
||||
if (att.uid != UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
|
||||
if (!att.is_admin())
|
||||
{
|
||||
string aname;
|
||||
|
||||
@ -2287,24 +2281,22 @@ Request::ErrorCode VirtualMachineAttachNic::request_execute(int id,
|
||||
|
||||
vm->unlock();
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vm_perms);
|
||||
|
||||
VirtualMachine::set_auth_request(att.uid, ar, &tmpl);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vm_perms);
|
||||
|
||||
VirtualMachine::set_auth_request(att.uid, ar, &tmpl);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
|
||||
RequestAttributes att_quota(vm_perms.uid, vm_perms.gid, att);
|
||||
|
||||
if (att.uid != UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
|
||||
if (!att.is_admin())
|
||||
{
|
||||
string aname;
|
||||
|
||||
@ -2410,17 +2402,14 @@ Request::ErrorCode VirtualMachineDetachNic::request_execute(int id, int nic_id,
|
||||
|
||||
vm->unlock();
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vm_perms);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vm_perms);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
return AUTHORIZATION;
|
||||
}
|
||||
|
||||
// -------------------------------------------------------------------------
|
||||
@ -2908,7 +2897,7 @@ void VirtualMachineUpdateConf::request_execute(
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
|
||||
if (!att.is_admin())
|
||||
{
|
||||
string aname;
|
||||
|
||||
|
@ -83,18 +83,15 @@ void VirtualRouterInstantiate::request_execute(
|
||||
return;
|
||||
}
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
VMTemplate * tmpl = tpool->get(tmpl_id);
|
||||
@ -223,20 +220,17 @@ void VirtualRouterAttachNic::request_execute(
|
||||
|
||||
vr->unlock();
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att);
|
||||
@ -331,18 +325,15 @@ void VirtualRouterDetachNic::request_execute(
|
||||
|
||||
vr->unlock();
|
||||
|
||||
if ( att.uid != 0 )
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
AuthRequest ar(att.uid, att.group_ids);
|
||||
|
||||
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
att.resp_msg = ar.message;
|
||||
failure_response(AUTHORIZATION, att);
|
||||
return;
|
||||
}
|
||||
|
||||
// -------------------------------------------------------------------------
|
||||
|
@ -151,7 +151,7 @@ void ZoneAddServer::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
{
|
||||
bool updated = false;
|
||||
|
||||
while (!updated)
|
||||
while (!updated)
|
||||
{
|
||||
Zone * zone = (static_cast<ZonePool *>(pool))->get(id);
|
||||
|
||||
@ -281,7 +281,7 @@ void ZoneReplicateLog::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
LogDBRecord lr, prev_lr;
|
||||
|
||||
if ( att.uid != 0 )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
att.resp_id = current_term;
|
||||
|
||||
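Review bot: `att.is_oneadmin()` here keeps the strict uid-0 meaning of the old `att.uid != 0` test while the rest of the commit moves to `is_admin()`, and nothing in the hunk says the stricter check is intentional. Raft log replication is presumably server-to-server traffic where an oneadmin-group member must not be accepted, so a one-line comment would protect it from a later "harmonisation", e.g. `// server-to-server RPC: only uid 0 (is_oneadmin), not oneadmin-group members (is_admin)`. The ZoneVoteRequest and ZoneReplicateFedLog hunks make the same change and would take the same comment. request_execute starts and ends outside the hunk.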
@ -432,7 +432,7 @@ void ZoneVoteRequest::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
|
||||
logdb->get_last_record_index(log_index, log_term);
|
||||
|
||||
if ( att.uid != 0 )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
att.resp_id = current_term;
|
||||
|
||||
@ -522,7 +522,7 @@ void ZoneReplicateFedLog::request_execute(xmlrpc_c::paramList const& paramList,
|
||||
int prev = xmlrpc_c::value_int(paramList.getInt(2));
|
||||
string sql = xmlrpc_c::value_string(paramList.getString(3));
|
||||
|
||||
if ( att.uid != 0 )
|
||||
if (!att.is_oneadmin())
|
||||
{
|
||||
att.resp_id = -1;
|
||||
|
||||
|