
F : Added new function to check lock state with oneadmin. Missing

action names. Functions to test oneadmin or admin roles
This commit is contained in:
Ruben S. Montero 2018-05-23 14:42:57 +02:00
parent ad5f6ff4cf
commit d7ce29183c
28 changed files with 453 additions and 503 deletions


@ -85,6 +85,17 @@ public:
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op);
/**
* Takes an authorization request for oneadmin
* and checks if the resource is locked
*
* @param obj_perms The object's permission attributes
* @param op The operation to be authorized
* @return true if the authorization is granted for oneadmin
*/
const bool oneadmin_authorize(const PoolObjectAuth& obj_perms,
AuthRequest::Operation op);
/**
* Adds a new rule to the ACL rule set
*
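Review bot: The header comment on `oneadmin_authorize` never says when it returns false, which is the only thing a caller needs from it; the implementation in this same commit grants unconditionally for operations carrying the no-lock bit and refuses only when `obj_perms.locked` is set and the requested op reaches that level. I'd extend the `@return` line to `@return true unless the object is locked at a level that op reaches; *_NO_LCK operations are never refused`. The `const` on the by-value `bool` return has no effect (clang-tidy readability-const-return-type), but it mirrors the existing `authorize` declaration just above, so it is a pre-existing style choice rather than a defect of this change.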


@ -61,12 +61,18 @@ public:
{
switch (op)
{
case USE: return "USE";
case MANAGE: return "MANAGE";
case ADMIN: return "ADMIN";
case CREATE: return "CREATE";
default: return "";
case USE: return "USE";
case USE_NO_LCK: return "USE";
case MANAGE: return "MANAGE";
case MANAGE_NO_LCK: return "MANAGE";
case ADMIN: return "ADMIN";
case ADMIN_NO_LCK: return "ADMIN";
case CREATE: return "CREATE";
case CREATE_NO_LCK: return "CREATE";
case NONE: return "";
}
return "";
};
static Operation str_to_operation(string str)
@ -156,7 +162,7 @@ public:
bool core_authorize()
{
return ( uid == 0 || self_authorize );
return self_authorize;
}
bool core_authenticate()
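Review bot: The `return "";` added after the switch in `operation_to_str` is reachable only for an `Operation` value outside the enumeration now that `default:` is gone; a one-line comment would stop the next reader from re-adding a default, e.g. `return ""; // unreachable for valid Operation values; keeps every enumerator listed for -Wswitch`. The `*_NO_LCK` enumerators map to the same label as their lockable counterparts, so a "Not authorized to perform USE" message or an ACL log line cannot show which variant was requested; if that is deliberate (so the labels still round-trip through `str_to_operation`), a comment on the switch saying so would help. `str_to_operation` starts on the last line of this hunk and continues outside it.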


@ -111,6 +111,22 @@ public:
resp_id = -1;
resp_msg = "";
};
bool is_admin()
{
return uid == UserPool::ONEADMIN_ID ||
group_ids.count(GroupPool::ONEADMIN_ID) == 1;
}
bool is_oneadmin()
{
return uid == UserPool::ONEADMIN_ID;
}
bool is_oneadmin_group()
{
return gid == GroupPool::ONEADMIN_ID;
}
};
/**
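Review bot: `is_admin()` treats any membership of the oneadmin group via `group_ids` (primary or secondary) as admin, while every call site it replaces in this commit tested only the primary group (`att.gid != GroupPool::ONEADMIN_ID`) — `replace_template`/`append_template`, `VirtualMachineResize`, `VirtualMachineUpdateConf`, `VMTemplateInstantiate::merge`, `UserChangePassword` and the restricted-attribute checks in the `allocate_authorization` overloads — so a user whose secondary group is oneadmin now passes those checks where before they did not. This matches the rule `AuthRequest::add_auth` already applies to ACL decisions, so it looks intended, but it is a silent widening that deserves a comment, e.g. `// oneadmin, or any member (primary or secondary) of the oneadmin group`. `is_oneadmin_group()` keeps the `gid ==` primary-group test, so the two helpers answer different questions; documenting that difference would keep the wrong one from being picked later. All three helpers only read members and could be declared `const`.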


@ -41,7 +41,7 @@ protected:
{
std::string xml = xmlrpc_c::value_string(pl.getString(1));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;


@ -40,7 +40,7 @@ protected:
std::string error;
int oid = xmlrpc_c::value_int(pl.getInt(1));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;


@ -41,7 +41,7 @@ protected:
int oid = xmlrpc_c::value_int(pl.getInt(1));
std::string xml = xmlrpc_c::value_string(pl.getString(2));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;
@ -151,7 +151,7 @@ public:
int oid = xmlrpc_c::value_int(pl.getInt(1));
std::string xml = xmlrpc_c::value_string(pl.getString(2));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;


@ -154,7 +154,7 @@ public:
RequestAttributes& att,
string& error_str)
{
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
return vn->update_ar(tmpl, true, error_str);
}


@ -419,6 +419,25 @@ const bool AclManager::authorize(
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
const bool AclManager::oneadmin_authorize(
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op)
{
if (static_cast<long long int>(op) & 0x10LL) //No lockable object
{
return true;
}
else if (obj_perms.locked > 0 && obj_perms.locked <= static_cast<long long int>(op))
{
return false;
}
return true;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool AclManager::match_rules_wrapper(
long long user_req,
long long resource_oid_req,
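Review bot: `oneadmin_authorize` encodes the "not lockable" property of an operation as the raw bit `0x10LL` and compares `obj_perms.locked` directly against the numeric value of `op`, so the function is correct only while the `Operation` enumerators and the lock levels keep one shared numeric layout, and nothing in the body says so. I'd name the bit, evaluate the cast once, collapse the `if / else if / return true` into a single expression and state the ordering assumption in a comment (the lock levels presumably follow the USE < MANAGE < ADMIN numbering of `Operation` — confirm against the enum, which is not in this diff). The `const` on the by-value return is a no-op but matches the neighbouring `authorize`.
```cpp
const bool AclManager::oneadmin_authorize(
        const PoolObjectAuth&   obj_perms,
        AuthRequest::Operation  op)
{
    // Bit set on operations a lock never refuses (the *_NO_LCK values,
    // presumably — keep this next to the Operation enum rather than here).
    static const long long NO_LCK_BIT = 0x10LL;

    const long long op_value = static_cast<long long>(op);

    if ((op_value & NO_LCK_BIT) != 0)
    {
        return true;
    }

    // A lock refuses every operation at or above its level; this relies on
    // lock levels and Operation values sharing a single numeric ordering.
    return !(obj_perms.locked > 0 && obj_perms.locked <= op_value);
}
```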


@ -34,6 +34,7 @@ void AuthRequest::add_auth(Operation op,
{
ostringstream oss;
bool auth;
bool lock;
oss << ob_perms.type_to_str() << ":";
@ -66,15 +67,17 @@ void AuthRequest::add_auth(Operation op,
// Default conditions that grants permission :
// User is oneadmin, or is in the oneadmin group
Nebula& nd = Nebula::instance();
AclManager* aclm = nd.get_aclm();
if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 )
{
auth = true;
lock = aclm->oneadmin_authorize(ob_perms, op);
auth = lock;
}
else
{
Nebula& nd = Nebula::instance();
AclManager* aclm = nd.get_aclm();
lock = false;
auth = aclm->authorize(uid, gids, ob_perms, op);
}
@ -88,15 +91,20 @@ void AuthRequest::add_auth(Operation op,
{
oss.str("");
oss << message;
if ( !message.empty() )
{
oss << "; ";
oss << message << "; ";
}
oss << "Not authorized to perform " << operation_to_str(op)
<< " " << ob_perms.type_to_str();
if ( !lock )
{
oss << "Not authorized to perform " << operation_to_str(op)
<< " " << ob_perms.type_to_str();
}
else
{
oss << ob_perms.type_to_str() << " is locked.";
}
if ( ob_perms.oid != -1 )
{
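Review bot: The `lock` flag is assigned the result of `oneadmin_authorize`, i.e. true when the request is granted, so on the failure path (the `auth == false` block whose `if` starts outside the hunk) `lock` is always false — for oneadmin because a refused `oneadmin_authorize` returned false, for everyone else because the `else` branch assigns false — and the new `"is locked."` branch can never run; every refusal still prints "Not authorized to perform …". Invert the assignment so the name matches its use: `lock = !aclm->oneadmin_authorize(ob_perms, op);` followed by `auth = !lock;`. The oneadmin test on this path still uses the literal `uid == 0` while the rest of the commit moved to `UserPool::ONEADMIN_ID` / `is_oneadmin()`; worth aligning while the line is being touched. `add_auth` begins before the first hunk and continues past the last one.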


@ -411,22 +411,12 @@ Request::ErrorCode Request::basic_authorization(
return NO_EXISTS;
}
if ( att.uid == 0 )
{
object->unlock();
return SUCCESS;
}
object->get_permissions(perms);
object->unlock();
}
else
{
if ( att.uid == 0 )
{
return SUCCESS;
}
perms.obj_type = auth_object;
}


@ -31,11 +31,6 @@ bool RequestManagerAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
string tmpl_str = "";
AuthRequest ar(att.uid, att.group_ids);
@ -72,11 +67,6 @@ bool VirtualMachineAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string t64;
string aname;
@ -85,7 +75,7 @@ bool VirtualMachineAllocate::allocate_authorization(
// ------------ Check template for restricted attributes -------------------
if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
if (!att.is_admin())
{
if (ttmpl->check_restricted(aname))
{
@ -545,50 +535,46 @@ void ImageAllocate::request_execute(xmlrpc_c::paramList const& params,
img_usage.add("DATASTORE", ds_id);
img_usage.add("SIZE", size_str);
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
string aname;
// ------------ Check template for restricted attributes --------------
if (!att.is_admin())
{
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
string aname;
// ------------ Check template for restricted attributes --------------
if ( att.uid != UserPool::ONEADMIN_ID &&
att.gid != GroupPool::ONEADMIN_ID )
if (tmpl->check_restricted(aname))
{
if (tmpl->check_restricted(aname))
{
att.resp_msg = "Template includes a restricted attribute "+aname;
failure_response(AUTHORIZATION, att);
delete tmpl;
return;
}
}
// ------------------ Check permissions and ACLs ----------------------
tmpl->to_xml(tmpl_str);
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
ar.add_auth(AuthRequest::USE, ds_perms); // USE DATASTORE
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
att.resp_msg = "Template includes a restricted attribute "+aname;
failure_response(AUTHORIZATION, att);
delete tmpl;
return;
}
}
// -------------------------- Check Quotas ----------------------------
// ------------------ Check permissions and ACLs ----------------------
tmpl->to_xml(tmpl_str);
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att) == false )
{
delete tmpl;
return;
}
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
ar.add_auth(AuthRequest::USE, ds_perms); // USE DATASTORE
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
delete tmpl;
return;
}
// -------------------------- Check Quotas ----------------------------
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att) == false )
{
delete tmpl;
return;
}
// ------------------------- Check persistent only -------------------------
@ -678,11 +664,6 @@ bool TemplateAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string t64;
string aname;
@ -738,11 +719,6 @@ bool UserAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
vector<xmlrpc_c::value> param_arr;
vector<xmlrpc_c::value>::const_iterator it;
@ -1102,11 +1078,6 @@ bool VirtualRouterAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;


@ -81,78 +81,75 @@ Request::ErrorCode RequestManagerChmod::chmod(
{
PoolObjectSQL * object;
if ( att.uid != 0 && att.gid != 0)
AuthRequest::Operation op = AuthRequest::MANAGE;
PoolObjectAuth perms;
object = pool->get(oid);
if ( object == 0 )
{
AuthRequest::Operation op = AuthRequest::MANAGE;
PoolObjectAuth perms;
att.resp_id = oid;
return NO_EXISTS;
}
object = pool->get(oid);
object->get_permissions(perms);
if ( object == 0 )
object->unlock();
if ( owner_a == perms.owner_a )
{
owner_a = -1;
}
if ( group_a == perms.group_a )
{
group_a = -1;
}
if ( other_u == perms.other_u )
{
other_u = -1;
}
if ( other_m == perms.other_m )
{
other_m = -1;
}
if ( other_a == perms.other_a )
{
other_a = -1;
}
if ( owner_a != -1 || group_a != -1 || other_a != -1 )
{
op = AuthRequest::ADMIN;
}
if ( other_u != -1 || other_m != -1 || other_a != -1 )
{
bool enable_other;
Nebula::instance().get_configuration_attribute(
"ENABLE_OTHER_PERMISSIONS", enable_other);
if ( !enable_other )
{
att.resp_id = oid;
return NO_EXISTS;
}
object->get_permissions(perms);
object->unlock();
if ( owner_a == perms.owner_a )
{
owner_a = -1;
}
if ( group_a == perms.group_a )
{
group_a = -1;
}
if ( other_u == perms.other_u )
{
other_u = -1;
}
if ( other_m == perms.other_m )
{
other_m = -1;
}
if ( other_a == perms.other_a )
{
other_a = -1;
}
if ( owner_a != -1 || group_a != -1 || other_a != -1 )
{
op = AuthRequest::ADMIN;
}
if ( other_u != -1 || other_m != -1 || other_a != -1 )
{
bool enable_other;
Nebula::instance().get_configuration_attribute(
"ENABLE_OTHER_PERMISSIONS", enable_other);
if ( !enable_other )
{
att.resp_msg = "'other' permissions is disabled in oned.conf";
return AUTHORIZATION;
}
}
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(op, perms);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
att.resp_msg = "'other' permissions is disabled in oned.conf";
return AUTHORIZATION;
}
}
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(op, perms);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
return AUTHORIZATION;
}
// ------------- Update the object ---------------------
object = pool->get(oid);
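Review bot: Dropping the `att.uid != 0 && att.gid != 0` guard around the whole block means the `ENABLE_OTHER_PERMISSIONS` refusal (at `if ( !enable_other )`) now applies to oneadmin too, whereas before oneadmin could change the 'other' bits regardless of the oned.conf setting; the commit message only mentions lock checks, so confirm this is intended and, if not, keep the refusal as `if ( !enable_other && !att.is_admin() )`. That check is a configuration policy rather than an authorization decision, so it does not have to move together with the ACL call that follows it. `chmod` continues past the end of the hunk.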


@ -303,36 +303,33 @@ void RequestManagerChown::request_execute(xmlrpc_c::paramList const& paramList,
// ------------- Set authorization request for non-oneadmin's --------------
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
rc = get_info(pool, oid, auth_object, att, operms, oname, true);
if ( rc == -1 )
{
AuthRequest ar(att.uid, att.group_ids);
return;
}
rc = get_info(pool, oid, auth_object, att, operms, oname, true);
ar.add_auth(auth_op, operms); // MANAGE OBJECT
if ( rc == -1 )
{
return;
}
if ( noid > -1 )
{
ar.add_auth(AuthRequest::MANAGE, nuperms); // MANAGE USER
}
ar.add_auth(auth_op, operms); // MANAGE OBJECT
if ( ngid > -1 )
{
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
}
if ( noid > -1 )
{
ar.add_auth(AuthRequest::MANAGE, nuperms); // MANAGE USER
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
if ( ngid > -1 )
{
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
return;
}
// --------------- Check name uniqueness -----------------------------------
@ -478,20 +475,17 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, uperms); // MANAGE USER
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
ar.add_auth(auth_op, uperms); // MANAGE USER
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
return;
}
// ------------- Change users primary group ---------------------


@ -85,25 +85,22 @@ Request::ErrorCode RequestManagerClone::clone(int source_id, const string &name,
tmpl->erase("NAME");
tmpl->set(new SingleAttribute("NAME", name));
if ( att.uid != 0 )
string tmpl_str = "";
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, perms); //USE OBJECT
tmpl->to_xml(tmpl_str);
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
if (UserPool::authorize(ar) == -1)
{
string tmpl_str = "";
att.resp_msg = ar.message;
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, perms); //USE OBJECT
tmpl->to_xml(tmpl_str);
ar.add_create_auth(att.uid, att.gid, auth_object, tmpl_str);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
delete tmpl;
return AUTHORIZATION;
}
delete tmpl;
return AUTHORIZATION;
}
rc = pool_allocate(source_id, tmpl, new_id, att);


@ -57,20 +57,17 @@ void RequestManagerCluster::action_generic(
return;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN OBJECT
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN OBJECT
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
return;
}
// ------------- Set new cluster id in object ---------------------
@ -219,20 +216,17 @@ void RequestManagerClusterHost::add_generic(
return;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN HOST
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
ar.add_auth(AuthRequest::ADMIN, obj_perms); // ADMIN HOST
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
return;
}
// ------------- Set new cluster id in object ---------------------


@ -27,11 +27,6 @@ static Request::ErrorCode delete_authorization(PoolSQL* pool,
{
PoolObjectAuth perms;
if ( att.uid == 0 )
{
return Request::SUCCESS;
}
PoolObjectSQL * object = pool->get(oid);
if ( object == 0 )


@ -119,21 +119,18 @@ void GroupEditAdmin::request_execute(
return;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, group_perms); // MANAGE GROUP
ar.add_auth(AuthRequest::ADMIN, user_perms); // MANAGE USER
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
ar.add_auth(AuthRequest::ADMIN, group_perms); // MANAGE GROUP
ar.add_auth(AuthRequest::ADMIN, user_perms); // MANAGE USER
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
return;
}
group = static_cast<GroupPool*>(pool)->get(group_id);
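Review bot: The comments on the two re-indented `add_auth` calls still say `// MANAGE GROUP` and `// MANAGE USER` while the operation passed is `AuthRequest::ADMIN`, which misleads anyone auditing which right this endpoint requires; change them to `// ADMIN GROUP` and `// ADMIN USER`. The mismatch is pre-existing, but since the lines are rewritten in this hunk it is the moment to fix them.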


@ -481,46 +481,43 @@ Request::ErrorCode ImageClone::request_execute(
return ACTION;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
// ------------------ Check permissions and ACLs ----------------------
// Create image
// Use original image
// Use target datastore
// Use original datastore, if different
// ---------------------------------------------------------------------
tmpl->to_xml(tmpl_str);
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::IMAGE, tmpl_str);
ar.add_auth(AuthRequest::USE, perms);
ar.add_auth(AuthRequest::USE, ds_perms);
if (ds_id != ds_id_orig)
{
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
ar.add_auth(AuthRequest::USE, ds_perms_orig);
}
// ------------------ Check permissions and ACLs ----------------------
// Create image
// Use original image
// Use target datastore
// Use original datastore, if different
// ---------------------------------------------------------------------
tmpl->to_xml(tmpl_str);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::IMAGE, tmpl_str);
delete tmpl;
return AUTHORIZATION;
}
ar.add_auth(AuthRequest::USE, perms);
// -------------------------- Check Quotas ----------------------------
ar.add_auth(AuthRequest::USE, ds_perms);
if (ds_id != ds_id_orig)
{
ar.add_auth(AuthRequest::USE, ds_perms_orig);
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
delete tmpl;
return AUTHORIZATION;
}
// -------------------------- Check Quotas ----------------------------
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att,
att.resp_msg) == false )
{
delete tmpl;
return AUTHORIZATION;
}
if ( quota_authorization(&img_usage, Quotas::DATASTORE, att,
att.resp_msg) == false )
{
delete tmpl;
return AUTHORIZATION;
}
rc = ipool->allocate(att.uid,


@ -115,16 +115,13 @@ void TemplateInfo::request_execute(xmlrpc_c::paramList const& paramList,
VirtualMachineDisks::extended_info(att.uid, extended_tmpl);
}
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
if (UserPool::authorize(ar) == -1)
{
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
delete extended_tmpl;
return;
}
delete extended_tmpl;
return;
}
vm_tmpl = tpool->get(oid);


@ -61,19 +61,16 @@ void RequestManagerRename::request_execute(xmlrpc_c::paramList const& paramList,
// ------------- Set authorization request for non-oneadmin's --------------
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, operms); // MANAGE OBJECT
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, operms); // MANAGE OBJECT
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
clear_rename(oid);
return;
}
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
clear_rename(oid);
return;
}
// ----------------------- Check name uniqueness ---------------------------


@ -63,7 +63,7 @@ void SystemSql::request_execute(xmlrpc_c::paramList const& paramList,
SqlDB * db;
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = -1;
@ -164,7 +164,7 @@ void SystemSqlQuery::request_execute(xmlrpc_c::paramList const& paramList,
std::string result;
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = -1;


@ -27,7 +27,7 @@ int RequestManagerUpdateTemplate::replace_template(
const RequestAttributes &att,
string &error_str)
{
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
return object->replace_template(tmpl, true, error_str);
}
@ -46,7 +46,7 @@ int RequestManagerUpdateTemplate::append_template(
const RequestAttributes &att,
string &error_str)
{
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
return object->append_template(tmpl, true, error_str);
}


@ -73,8 +73,7 @@ int UserChangePassword::user_action(int user_id,
allowed = false;
}
if (!allowed && att.uid != UserPool::ONEADMIN_ID &&
att.gid != GroupPool::ONEADMIN_ID)
if (!allowed && !att.is_admin())
{
error_str = "Password for driver " + user->get_auth_driver() +
" cannot be changed.";
@ -249,19 +248,16 @@ void UserEditGroup::
return;
}
if ( att.uid != UserPool::ONEADMIN_ID )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, uperms); // MANAGE USER
ar.add_auth(AuthRequest::MANAGE, gperms); // MANAGE GROUP
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, uperms); // MANAGE USER
ar.add_auth(AuthRequest::MANAGE, gperms); // MANAGE GROUP
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
if ( secondary_group_action(user_id, group_id, paramList, att.resp_msg) < 0 )
@ -418,32 +414,29 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
egid = xmlrpc_c::value_int(paramList.getInt(4));
}
if (att.uid != 0)
PoolObjectAuth perms;
user = static_cast<UserPool *>(pool)->get(uname);
if ( user == 0 )
{
PoolObjectAuth perms;
failure_response(NO_EXISTS, att);
return;
}
user = static_cast<UserPool *>(pool)->get(uname);
user->get_permissions(perms);
if ( user == 0 )
{
failure_response(NO_EXISTS, att);
return;
}
user->unlock();
user->get_permissions(perms);
AuthRequest ar(att.uid, att.group_ids);
user->unlock();
ar.add_auth(auth_op, perms);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, perms);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
user = static_cast<UserPool *>(pool)->get(uname);


@ -200,80 +200,77 @@ Request::ErrorCode VMTemplateInstantiate::request_execute(int id, string name,
//--------------------------------------------------------------------------
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::USE, perms); //USE TEMPLATE
if (!str_uattrs.empty())
{
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
ar.add_auth(AuthRequest::USE, perms); //USE TEMPLATE
tmpl->to_xml(tmpl_str);
if (!str_uattrs.empty())
// CREATE TEMPLATE
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::TEMPLATE,
tmpl_str);
}
VirtualMachine::set_auth_request(att.uid, ar, tmpl);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
delete tmpl;
return AUTHORIZATION;
}
extended_tmpl = *tmpl;
VirtualMachineDisks::extended_info(att.uid, &extended_tmpl);
if (quota_authorization(&extended_tmpl, Quotas::VIRTUALMACHINE, att,
att.resp_msg) == false)
{
delete tmpl;
return AUTHORIZATION;
}
bool ds_quota_auth = true;
VirtualMachineDisks::image_ds_quotas(&extended_tmpl, ds_quotas);
for ( it = ds_quotas.begin() ; it != ds_quotas.end() ; ++it )
{
if ( quota_authorization(*it, Quotas::DATASTORE, att, att.resp_msg)
== false )
{
string tmpl_str;
tmpl->to_xml(tmpl_str);
// CREATE TEMPLATE
ar.add_create_auth(att.uid, att.gid, PoolObjectSQL::TEMPLATE,
tmpl_str);
ds_quota_auth = false;
break;
}
VirtualMachine::set_auth_request(att.uid, ar, tmpl);
if (UserPool::authorize(ar) == -1)
else
{
att.resp_msg = ar.message;
delete tmpl;
return AUTHORIZATION;
applied.push_back(*it);
}
}
extended_tmpl = *tmpl;
if ( ds_quota_auth == false )
{
quota_rollback(&extended_tmpl, Quotas::VIRTUALMACHINE, att);
VirtualMachineDisks::extended_info(att.uid, &extended_tmpl);
if (quota_authorization(&extended_tmpl, Quotas::VIRTUALMACHINE, att,
att.resp_msg) == false)
for ( it = applied.begin() ; it != applied.end() ; ++it )
{
delete tmpl;
return AUTHORIZATION;
quota_rollback(*it, Quotas::DATASTORE, att);
}
bool ds_quota_auth = true;
VirtualMachineDisks::image_ds_quotas(&extended_tmpl, ds_quotas);
for ( it = ds_quotas.begin() ; it != ds_quotas.end() ; ++it )
{
if ( quota_authorization(*it, Quotas::DATASTORE, att, att.resp_msg)
== false )
{
ds_quota_auth = false;
break;
}
else
{
applied.push_back(*it);
}
delete *it;
}
if ( ds_quota_auth == false )
{
quota_rollback(&extended_tmpl, Quotas::VIRTUALMACHINE, att);
delete tmpl;
for ( it = applied.begin() ; it != applied.end() ; ++it )
{
quota_rollback(*it, Quotas::DATASTORE, att);
}
for ( it = ds_quotas.begin() ; it != ds_quotas.end() ; ++it )
{
delete *it;
}
delete tmpl;
return AUTHORIZATION;
}
return AUTHORIZATION;
}
rc = vmpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask,
@ -326,7 +323,7 @@ Request::ErrorCode VMTemplateInstantiate::merge(
return SUCCESS;
}
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
if (uattrs.check_restricted(aname, tmpl))
{


@ -58,19 +58,16 @@ void VdcEditGroup::request_execute(
return;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
ar.add_auth(AuthRequest::ADMIN, group_perms); // ADMIN GROUP
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
ar.add_auth(AuthRequest::ADMIN, group_perms); // ADMIN GROUP
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
vdc = static_cast<VdcPool*>(pool)->get(vdc_id);
@ -183,28 +180,25 @@ void VdcEditResource::request_execute(
}
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
if (zone_exists)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, zone_perms); // ADMIN ZONE
}
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
if (res_exists)
{
ar.add_auth(AuthRequest::ADMIN, res_perms); // ADMIN RESOURCE
}
if (zone_exists)
{
ar.add_auth(AuthRequest::ADMIN, zone_perms); // ADMIN ZONE
}
if (res_exists)
{
ar.add_auth(AuthRequest::ADMIN, res_perms); // ADMIN RESOURCE
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
vdc = static_cast<VdcPool*>(pool)->get(vdc_id);


@ -46,12 +46,6 @@ bool RequestManagerVirtualMachine::vm_authorization(
return false;
}
if ( att.uid == 0 )
{
object->unlock();
return true;
}
object->get_permissions(vm_perms);
object->unlock();
@ -1813,7 +1807,7 @@ void VirtualMachineResize::request_execute(xmlrpc_c::paramList const& paramList,
bool enforce = true;
if (att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID)
if (att.is_admin())
{
enforce = enforce_param;
}
@ -1837,7 +1831,7 @@ void VirtualMachineResize::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
if (att.uid != UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
string aname;
@ -2287,24 +2281,22 @@ Request::ErrorCode VirtualMachineAttachNic::request_execute(int id,
vm->unlock();
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vm_perms);
VirtualMachine::set_auth_request(att.uid, ar, &tmpl);
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vm_perms);
VirtualMachine::set_auth_request(att.uid, ar, &tmpl);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
return AUTHORIZATION;
}
att.resp_msg = ar.message;
return AUTHORIZATION;
}
RequestAttributes att_quota(vm_perms.uid, vm_perms.gid, att);
if (att.uid != UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
string aname;
@ -2410,17 +2402,14 @@ Request::ErrorCode VirtualMachineDetachNic::request_execute(int id, int nic_id,
vm->unlock();
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vm_perms);
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vm_perms);
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
return AUTHORIZATION;
}
att.resp_msg = ar.message;
return AUTHORIZATION;
}
// -------------------------------------------------------------------------
@ -2908,7 +2897,7 @@ void VirtualMachineUpdateConf::request_execute(
return;
}
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
if (!att.is_admin())
{
string aname;


@ -83,18 +83,15 @@ void VirtualRouterInstantiate::request_execute(
return;
}
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
VMTemplate * tmpl = tpool->get(tmpl_id);
@ -223,20 +220,17 @@ void VirtualRouterAttachNic::request_execute(
vr->unlock();
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att);
@ -331,18 +325,15 @@ void VirtualRouterDetachNic::request_execute(
vr->unlock();
if ( att.uid != 0 )
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
if (UserPool::authorize(ar) == -1)
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
att.resp_msg = ar.message;
failure_response(AUTHORIZATION, att);
return;
}
// -------------------------------------------------------------------------


@ -151,7 +151,7 @@ void ZoneAddServer::request_execute(xmlrpc_c::paramList const& paramList,
{
bool updated = false;
while (!updated)
while (!updated)
{
Zone * zone = (static_cast<ZonePool *>(pool))->get(id);
@ -281,7 +281,7 @@ void ZoneReplicateLog::request_execute(xmlrpc_c::paramList const& paramList,
LogDBRecord lr, prev_lr;
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = current_term;
@ -432,7 +432,7 @@ void ZoneVoteRequest::request_execute(xmlrpc_c::paramList const& paramList,
logdb->get_last_record_index(log_index, log_term);
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = current_term;
@ -522,7 +522,7 @@ void ZoneReplicateFedLog::request_execute(xmlrpc_c::paramList const& paramList,
int prev = xmlrpc_c::value_int(paramList.getInt(2));
string sql = xmlrpc_c::value_string(paramList.getString(3));
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = -1;