
F #1377: Added new function to check lock state with oneadmin. Missing

action names. Functions to test oneadmin or admin roles
Ruben S. Montero 2018-05-23 14:42:57 +02:00
parent ad5f6ff4cf
commit d7ce29183c
28 changed files with 453 additions and 503 deletions


@ -85,6 +85,17 @@ public:
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op);
/**
* Takes an authorization request for oneadmin
* and checks if the resource is locked
*
* @param obj_perms The object's permission attributes
* @param op The operation to be authorized
* @return true if the authorization is granted for oneadmin
*/
const bool oneadmin_authorize(const PoolObjectAuth& obj_perms,
AuthRequest::Operation op);
/**
* Adds a new rule to the ACL rule set
*
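Review bot: `const bool oneadmin_authorize(...)` declares a `const` by-value return, which has no effect on callers and is reported by GCC/Clang as an ignored qualifier; it mirrors the existing `authorize` declaration just above, so keeping it is a consistency choice, otherwise `bool oneadmin_authorize(const PoolObjectAuth& obj_perms, AuthRequest::Operation op);` (and the same on the definition in the AclManager implementation hunk). The Doxygen block should also state what decides the result, since no user identity is passed in: `@return true for *_NO_LCK operations; otherwise false only when the object is locked at a level that covers op`.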


@ -62,11 +62,17 @@ public:
switch (op)
{
case USE: return "USE";
case USE_NO_LCK: return "USE";
case MANAGE: return "MANAGE";
case MANAGE_NO_LCK: return "MANAGE";
case ADMIN: return "ADMIN";
case ADMIN_NO_LCK: return "ADMIN";
case CREATE: return "CREATE";
default: return "";
case CREATE_NO_LCK: return "CREATE";
case NONE: return "";
}
return "";
};
static Operation str_to_operation(string str)
@ -156,7 +162,7 @@ public:
bool core_authorize()
{
return ( uid == 0 || self_authorize );
return self_authorize;
}
bool core_authenticate()
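Review bot: `core_authorize()` now returns only `self_authorize`, dropping the `uid == 0` shortcut, so oneadmin requests no longer bypass evaluation at this level; that is presumably the point of the lock check, but nothing in the code says so, and a comment would stop the shortcut from being reintroduced: `// oneadmin is not implicitly authorized here; lock state is evaluated in add_auth()`. In `operation_to_str` the `*_NO_LCK` cases intentionally collapse onto the base name, so log and error text cannot tell a lock-ignoring request from a normal one; a line above the switch, `// *_NO_LCK variants share the base name: the lock flag is not user-visible`, makes that explicit. Replacing `default:` with `case NONE:` is a good change, as a future enumerator now triggers a switch-coverage warning instead of silently mapping to "".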


@ -111,6 +111,22 @@ public:
resp_id = -1;
resp_msg = "";
};
bool is_admin()
{
return uid == UserPool::ONEADMIN_ID ||
group_ids.count(GroupPool::ONEADMIN_ID) == 1;
}
bool is_oneadmin()
{
return uid == UserPool::ONEADMIN_ID;
}
bool is_oneadmin_group()
{
return gid == GroupPool::ONEADMIN_ID;
}
};
/**
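Review bot: `is_admin()` tests `group_ids.count(GroupPool::ONEADMIN_ID)`, i.e. membership in any group, while the `att.gid != GroupPool::ONEADMIN_ID` checks it replaces (the `update_ar` hunk, `replace_template`/`append_template`, `VMTemplateInstantiate::merge`, `VirtualMachineResize`, `VirtualMachineAttachNic` and `VirtualMachineUpdateConf`) looked only at the primary group, so users holding oneadmin as a secondary group now skip the `check_restricted` paths and get the admin-only behaviour they previously did not. That widening matches the oneadmin-group rule already used in `AuthRequest::add_auth`, so it may well be intended, but the commit message does not mention it and the helper should document it: `// true for oneadmin or any member (primary or secondary) of the oneadmin group`. `is_oneadmin_group()` tests the primary `gid` only, so the two helpers disagree on what "oneadmin group" means; a matching comment there (`// primary group only`) avoids picking the wrong one. All three read fields only and should be `const` member functions, e.g. `bool is_admin() const`.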


@ -41,7 +41,7 @@ protected:
{
std::string xml = xmlrpc_c::value_string(pl.getString(1));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;


@ -40,7 +40,7 @@ protected:
std::string error;
int oid = xmlrpc_c::value_int(pl.getInt(1));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;


@ -41,7 +41,7 @@ protected:
int oid = xmlrpc_c::value_int(pl.getInt(1));
std::string xml = xmlrpc_c::value_string(pl.getString(2));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;
@ -151,7 +151,7 @@ public:
int oid = xmlrpc_c::value_int(pl.getInt(1));
std::string xml = xmlrpc_c::value_string(pl.getString(2));
if ( att.uid != UserPool::ONEADMIN_ID )
if (!att.is_oneadmin())
{
failure_response(AUTHORIZATION, att);
return;


@ -154,7 +154,7 @@ public:
RequestAttributes& att,
string& error_str)
{
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
return vn->update_ar(tmpl, true, error_str);
}


@ -419,6 +419,25 @@ const bool AclManager::authorize(
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
const bool AclManager::oneadmin_authorize(
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op)
{
if (static_cast<long long int>(op) & 0x10LL) //No lockable object
{
return true;
}
else if (obj_perms.locked > 0 && obj_perms.locked <= static_cast<long long int>(op))
{
return false;
}
return true;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool AclManager::match_rules_wrapper(
long long user_req,
long long resource_oid_req,
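Review bot: `0x10LL` is a magic number standing for the `*_NO_LCK` bit of `AuthRequest::Operation`, and the second test assumes `obj_perms.locked` is encoded on the same numeric scale as `Operation` (the object is denied whenever `op` is at or above `locked`); neither assumption is written down and both break silently if the enumerators are renumbered. Define the mask once beside the enum (a named constant such as `NO_LCK_MASK` — constructed name) and use it here, and annotate the comparison: `// locked is the lowest Operation value the lock forbids; relies on USE < MANAGE < ADMIN by enumerator value`. The enum definition is not in this commit view, so confirm that ordering and the encoding of `locked` before committing to the comment. The `else` after `return true;` is redundant; a plain `if` reads more directly, and the `const` on the `bool` return type is ignored by the compiler.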


@ -34,6 +34,7 @@ void AuthRequest::add_auth(Operation op,
{
ostringstream oss;
bool auth;
bool lock;
oss << ob_perms.type_to_str() << ":";
@ -66,15 +67,17 @@ void AuthRequest::add_auth(Operation op,
// Default conditions that grants permission :
// User is oneadmin, or is in the oneadmin group
if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 )
{
auth = true;
}
else
{
Nebula& nd = Nebula::instance();
AclManager* aclm = nd.get_aclm();
if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 )
{
lock = aclm->oneadmin_authorize(ob_perms, op);
auth = lock;
}
else
{
lock = false;
auth = aclm->authorize(uid, gids, ob_perms, op);
}
@ -88,15 +91,20 @@ void AuthRequest::add_auth(Operation op,
{
oss.str("");
oss << message;
if ( !message.empty() )
{
oss << "; ";
oss << message << "; ";
}
if ( !lock )
{
oss << "Not authorized to perform " << operation_to_str(op)
<< " " << ob_perms.type_to_str();
}
else
{
oss << ob_perms.type_to_str() << " is locked.";
}
if ( ob_perms.oid != -1 )
{
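Review bot: `lock` records the oneadmin grant rather than the lock state: in the oneadmin branch it equals `auth`, and in the else branch it is always `false`, so if the message block at `@@ -88` only runs when `auth` is false (its condition sits above the hunk) then `lock` is false on every path that reaches `if ( !lock )` and the `"is locked."` branch can never execute — an oneadmin lock denial would be reported as "Not authorized to perform". Track the reason separately: `bool locked = false;` at the top, `locked = !aclm->oneadmin_authorize(ob_perms, op); auth = !locked;` in the oneadmin branch, and `if ( !locked )` before the message, dropping the `lock = false;` assignment from the else branch. `add_auth` begins before the first hunk and continues past the last one, so the exact condition guarding the message block should be checked there.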


@ -411,22 +411,12 @@ Request::ErrorCode Request::basic_authorization(
return NO_EXISTS;
}
if ( att.uid == 0 )
{
object->unlock();
return SUCCESS;
}
object->get_permissions(perms);
object->unlock();
}
else
{
if ( att.uid == 0 )
{
return SUCCESS;
}
perms.obj_type = auth_object;
}
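Review bot: with the `att.uid == 0` shortcut removed, oneadmin now reaches the `else` branch for a non-existent object with `perms` carrying only `obj_type`, and the path that presumably follows (`add_auth`, which now calls `oneadmin_authorize` per the AclManager hunk) reads `perms.locked`; unless `PoolObjectAuth`'s constructor zero-initialises `locked`, that read is indeterminate and the lock decision is random. The constructor is not visible from this hunk, so either confirm it or make the intent local with `perms.locked = 0;` next to `perms.obj_type = auth_object;`. `basic_authorization` continues past the end of the hunk.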


@ -31,11 +31,6 @@ bool RequestManagerAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
string tmpl_str = "";
AuthRequest ar(att.uid, att.group_ids);
@ -72,11 +67,6 @@ bool VirtualMachineAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string t64;
string aname;
@ -85,7 +75,7 @@ bool VirtualMachineAllocate::allocate_authorization(
// ------------ Check template for restricted attributes -------------------
if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
if (!att.is_admin())
{
if (ttmpl->check_restricted(aname))
{
@ -545,16 +535,13 @@ void ImageAllocate::request_execute(xmlrpc_c::paramList const& params,
img_usage.add("DATASTORE", ds_id);
img_usage.add("SIZE", size_str);
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
string aname;
// ------------ Check template for restricted attributes --------------
if ( att.uid != UserPool::ONEADMIN_ID &&
att.gid != GroupPool::ONEADMIN_ID )
if (!att.is_admin())
{
if (tmpl->check_restricted(aname))
{
@ -589,7 +576,6 @@ void ImageAllocate::request_execute(xmlrpc_c::paramList const& params,
delete tmpl;
return;
}
}
// ------------------------- Check persistent only -------------------------
@ -678,11 +664,6 @@ bool TemplateAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string t64;
string aname;
@ -738,11 +719,6 @@ bool UserAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
vector<xmlrpc_c::value> param_arr;
vector<xmlrpc_c::value>::const_iterator it;
@ -1102,11 +1078,6 @@ bool VirtualRouterAllocate::allocate_authorization(
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
if ( att.uid == 0 )
{
return true;
}
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;


@ -81,8 +81,6 @@ Request::ErrorCode RequestManagerChmod::chmod(
{
PoolObjectSQL * object;
if ( att.uid != 0 && att.gid != 0)
{
AuthRequest::Operation op = AuthRequest::MANAGE;
PoolObjectAuth perms;
@ -151,7 +149,6 @@ Request::ErrorCode RequestManagerChmod::chmod(
att.resp_msg = ar.message;
return AUTHORIZATION;
}
}
// ------------- Update the object ---------------------


@ -303,8 +303,6 @@ void RequestManagerChown::request_execute(xmlrpc_c::paramList const& paramList,
// ------------- Set authorization request for non-oneadmin's --------------
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
rc = get_info(pool, oid, auth_object, att, operms, oname, true);
@ -333,7 +331,6 @@ void RequestManagerChown::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
}
// --------------- Check name uniqueness -----------------------------------
@ -478,8 +475,6 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, uperms); // MANAGE USER
@ -492,7 +487,6 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
}
// ------------- Change users primary group ---------------------


@ -85,8 +85,6 @@ Request::ErrorCode RequestManagerClone::clone(int source_id, const string &name,
tmpl->erase("NAME");
tmpl->set(new SingleAttribute("NAME", name));
if ( att.uid != 0 )
{
string tmpl_str = "";
AuthRequest ar(att.uid, att.group_ids);
@ -104,7 +102,6 @@ Request::ErrorCode RequestManagerClone::clone(int source_id, const string &name,
delete tmpl;
return AUTHORIZATION;
}
}
rc = pool_allocate(source_id, tmpl, new_id, att);


@ -57,8 +57,6 @@ void RequestManagerCluster::action_generic(
return;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
@ -71,7 +69,6 @@ void RequestManagerCluster::action_generic(
return;
}
}
// ------------- Set new cluster id in object ---------------------
get(object_id, &object, &cluster_obj);
@ -219,8 +216,6 @@ void RequestManagerClusterHost::add_generic(
return;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, c_perms); // ADMIN CLUSTER
@ -233,7 +228,6 @@ void RequestManagerClusterHost::add_generic(
return;
}
}
// ------------- Set new cluster id in object ---------------------
host = hpool->get(host_id);


@ -27,11 +27,6 @@ static Request::ErrorCode delete_authorization(PoolSQL* pool,
{
PoolObjectAuth perms;
if ( att.uid == 0 )
{
return Request::SUCCESS;
}
PoolObjectSQL * object = pool->get(oid);
if ( object == 0 )


@ -119,8 +119,6 @@ void GroupEditAdmin::request_execute(
return;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, group_perms); // MANAGE GROUP
@ -134,7 +132,6 @@ void GroupEditAdmin::request_execute(
return;
}
}
group = static_cast<GroupPool*>(pool)->get(group_id);


@ -481,8 +481,6 @@ Request::ErrorCode ImageClone::request_execute(
return ACTION;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
@ -521,7 +519,6 @@ Request::ErrorCode ImageClone::request_execute(
delete tmpl;
return AUTHORIZATION;
}
}
rc = ipool->allocate(att.uid,
att.gid,


@ -115,8 +115,6 @@ void TemplateInfo::request_execute(xmlrpc_c::paramList const& paramList,
VirtualMachineDisks::extended_info(att.uid, extended_tmpl);
}
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
{
if (UserPool::authorize(ar) == -1)
{
att.resp_msg = ar.message;
@ -125,7 +123,6 @@ void TemplateInfo::request_execute(xmlrpc_c::paramList const& paramList,
delete extended_tmpl;
return;
}
}
vm_tmpl = tpool->get(oid);


@ -61,8 +61,6 @@ void RequestManagerRename::request_execute(xmlrpc_c::paramList const& paramList,
// ------------- Set authorization request for non-oneadmin's --------------
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, operms); // MANAGE OBJECT
@ -74,7 +72,6 @@ void RequestManagerRename::request_execute(xmlrpc_c::paramList const& paramList,
clear_rename(oid);
return;
}
}
// ----------------------- Check name uniqueness ---------------------------


@ -63,7 +63,7 @@ void SystemSql::request_execute(xmlrpc_c::paramList const& paramList,
SqlDB * db;
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = -1;
@ -164,7 +164,7 @@ void SystemSqlQuery::request_execute(xmlrpc_c::paramList const& paramList,
std::string result;
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = -1;


@ -27,7 +27,7 @@ int RequestManagerUpdateTemplate::replace_template(
const RequestAttributes &att,
string &error_str)
{
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
return object->replace_template(tmpl, true, error_str);
}
@ -46,7 +46,7 @@ int RequestManagerUpdateTemplate::append_template(
const RequestAttributes &att,
string &error_str)
{
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
return object->append_template(tmpl, true, error_str);
}


@ -73,8 +73,7 @@ int UserChangePassword::user_action(int user_id,
allowed = false;
}
if (!allowed && att.uid != UserPool::ONEADMIN_ID &&
att.gid != GroupPool::ONEADMIN_ID)
if (!allowed && !att.is_admin())
{
error_str = "Password for driver " + user->get_auth_driver() +
" cannot be changed.";
@ -249,8 +248,6 @@ void UserEditGroup::
return;
}
if ( att.uid != UserPool::ONEADMIN_ID )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, uperms); // MANAGE USER
@ -262,7 +259,6 @@ void UserEditGroup::
failure_response(AUTHORIZATION, att);
return;
}
}
if ( secondary_group_action(user_id, group_id, paramList, att.resp_msg) < 0 )
{
@ -418,8 +414,6 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
egid = xmlrpc_c::value_int(paramList.getInt(4));
}
if (att.uid != 0)
{
PoolObjectAuth perms;
user = static_cast<UserPool *>(pool)->get(uname);
@ -444,7 +438,6 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
failure_response(AUTHORIZATION, att);
return;
}
}
user = static_cast<UserPool *>(pool)->get(uname);


@ -200,8 +200,6 @@ Request::ErrorCode VMTemplateInstantiate::request_execute(int id, string name,
//--------------------------------------------------------------------------
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::USE, perms); //USE TEMPLATE
@ -274,7 +272,6 @@ Request::ErrorCode VMTemplateInstantiate::request_execute(int id, string name,
return AUTHORIZATION;
}
}
rc = vmpool->allocate(att.uid, att.gid, att.uname, att.gname, att.umask,
tmpl, &vid, att.resp_msg, on_hold);
@ -326,7 +323,7 @@ Request::ErrorCode VMTemplateInstantiate::merge(
return SUCCESS;
}
if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
if (uattrs.check_restricted(aname, tmpl))
{


@ -58,8 +58,6 @@ void VdcEditGroup::request_execute(
return;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
@ -71,7 +69,6 @@ void VdcEditGroup::request_execute(
failure_response(AUTHORIZATION, att);
return;
}
}
vdc = static_cast<VdcPool*>(pool)->get(vdc_id);
@ -183,8 +180,6 @@ void VdcEditResource::request_execute(
}
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::ADMIN, vdc_perms); // ADMIN VDC
@ -205,7 +200,6 @@ void VdcEditResource::request_execute(
failure_response(AUTHORIZATION, att);
return;
}
}
vdc = static_cast<VdcPool*>(pool)->get(vdc_id);


@ -46,12 +46,6 @@ bool RequestManagerVirtualMachine::vm_authorization(
return false;
}
if ( att.uid == 0 )
{
object->unlock();
return true;
}
object->get_permissions(vm_perms);
object->unlock();
@ -1813,7 +1807,7 @@ void VirtualMachineResize::request_execute(xmlrpc_c::paramList const& paramList,
bool enforce = true;
if (att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID)
if (att.is_admin())
{
enforce = enforce_param;
}
@ -1837,7 +1831,7 @@ void VirtualMachineResize::request_execute(xmlrpc_c::paramList const& paramList,
return;
}
if (att.uid != UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
string aname;
@ -2287,8 +2281,6 @@ Request::ErrorCode VirtualMachineAttachNic::request_execute(int id,
vm->unlock();
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vm_perms);
@ -2300,11 +2292,11 @@ Request::ErrorCode VirtualMachineAttachNic::request_execute(int id,
att.resp_msg = ar.message;
return AUTHORIZATION;
}
}
RequestAttributes att_quota(vm_perms.uid, vm_perms.gid, att);
if (att.uid != UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
if (!att.is_admin())
{
string aname;
@ -2410,8 +2402,6 @@ Request::ErrorCode VirtualMachineDetachNic::request_execute(int id, int nic_id,
vm->unlock();
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vm_perms);
@ -2421,7 +2411,6 @@ Request::ErrorCode VirtualMachineDetachNic::request_execute(int id, int nic_id,
att.resp_msg = ar.message;
return AUTHORIZATION;
}
}
// -------------------------------------------------------------------------
// Perform the detach
@ -2908,7 +2897,7 @@ void VirtualMachineUpdateConf::request_execute(
return;
}
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
if (!att.is_admin())
{
string aname;


@ -83,8 +83,6 @@ void VirtualRouterInstantiate::request_execute(
return;
}
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
@ -95,7 +93,6 @@ void VirtualRouterInstantiate::request_execute(
failure_response(AUTHORIZATION, att);
return;
}
}
VMTemplate * tmpl = tpool->get(tmpl_id);
@ -223,8 +220,6 @@ void VirtualRouterAttachNic::request_execute(
vr->unlock();
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
@ -237,7 +232,6 @@ void VirtualRouterAttachNic::request_execute(
failure_response(AUTHORIZATION, att);
return;
}
}
RequestAttributes att_quota(vr_perms.uid, vr_perms.gid, att);
@ -331,8 +325,6 @@ void VirtualRouterDetachNic::request_execute(
vr->unlock();
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
@ -343,7 +335,6 @@ void VirtualRouterDetachNic::request_execute(
failure_response(AUTHORIZATION, att);
return;
}
}
// -------------------------------------------------------------------------
// Detach the NIC from the Virtual Router


@ -281,7 +281,7 @@ void ZoneReplicateLog::request_execute(xmlrpc_c::paramList const& paramList,
LogDBRecord lr, prev_lr;
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = current_term;
@ -432,7 +432,7 @@ void ZoneVoteRequest::request_execute(xmlrpc_c::paramList const& paramList,
logdb->get_last_record_index(log_index, log_term);
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = current_term;
@ -522,7 +522,7 @@ void ZoneReplicateFedLog::request_execute(xmlrpc_c::paramList const& paramList,
int prev = xmlrpc_c::value_int(paramList.getInt(2));
string sql = xmlrpc_c::value_string(paramList.getString(3));
if ( att.uid != 0 )
if (!att.is_oneadmin())
{
att.resp_id = -1;