From d8e579d5a3de99c6c0b82b794ca56fe9b38b3f45 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Thu, 31 May 2018 12:50:02 +0200
Subject: [PATCH] Extend auth methods to set lock checks
---
 include/VirtualMachine.h | 2 +-
 include/VirtualMachineDisk.h | 2 +-
 include/VirtualMachineNic.h | 11 ++++++-----
 include/VirtualNetworkPool.h | 3 ++-
 include/VirtualRouter.h | 3 ++-
 src/rm/RequestManagerAllocate.cc | 4 ++--
 src/rm/RequestManagerInfo.cc | 2 +-
 src/rm/RequestManagerVMTemplate.cc | 2 +-
 src/rm/RequestManagerVirtualMachine.cc | 4 ++--
 src/rm/RequestManagerVirtualRouter.cc | 2 +-
 src/vm/VirtualMachine.cc | 7 ++++---
 src/vm/VirtualMachineDisk.cc | 4 ++--
 src/vm/VirtualMachineNic.cc | 13 ++++++++++---
 src/vnm/VirtualNetworkPool.cc | 12 ++++++++++--
 src/vrouter/VirtualRouter.cc | 5 +++--
 15 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/include/VirtualMachine.h b/include/VirtualMachine.h
index 4cc96408af..78e0d6d112 100644
--- a/include/VirtualMachine.h
+++ b/include/VirtualMachine.h
@@ -1260,7 +1260,7 @@ public:
 * @param tmpl the virtual machine template
 */
 static void set_auth_request(int uid, AuthRequest& ar,
- VirtualMachineTemplate *tmpl);
+ VirtualMachineTemplate *tmpl, bool check_lock);
 // -------------------------------------------------------------------------
 // Attach Disk Interface
diff --git a/include/VirtualMachineDisk.h b/include/VirtualMachineDisk.h
index 2b5cde01da..3185f81f81 100644
--- a/include/VirtualMachineDisk.h
+++ b/include/VirtualMachineDisk.h
@@ -181,7 +181,7 @@ public:
 * @param uid of user making the request
 * @param ar auth request
 */
- void authorize(int uid, AuthRequest* ar);
+ void authorize(int uid, AuthRequest* ar, bool check_lock);
 /* ---------------------------------------------------------------------- */
 /* Snapshots Interface */
diff --git a/include/VirtualMachineNic.h b/include/VirtualMachineNic.h
index abb1a86239..d80bbae6a3 100644
--- a/include/VirtualMachineNic.h
+++ b/include/VirtualMachineNic.h
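Review bot: The Doxygen block above `VirtualMachine::set_auth_request` in include/VirtualMachine.h still ends at `@param tmpl`, so the new `check_lock` parameter is undocumented even though it decides whether the request is built with `USE` or `USE_NO_LCK` (per the .cc hunks later in this patch). Since every call site passes a bare `true`/`false`, the header is the only place a reader can learn the contract; I would add `* @param check_lock true to add USE auths that honor object locks, false to add USE_NO_LCK auths (read-only lookups)` before the closing `*/`. The exact lock semantics of `USE_NO_LCK` live in AuthRequest, which is not in this diff, so confirm the wording there.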
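Review bot: The comment above `VirtualMachineDisk::authorize` in include/VirtualMachineDisk.h lists `@param uid` and `@param ar` but not the new `check_lock`, which is the parameter callers are most likely to get wrong. Add `* @param check_lock false to request USE_NO_LCK instead of USE (locked images are then still usable)` after the `@param ar` line; that matches the `is_cloning() || !check_lock` condition in the src/vm/VirtualMachineDisk.cc hunk of this same patch.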
@@ -77,14 +77,14 @@ public:
 * @param uid of user making the request
 * @param ar auth request
 */
- void authorize(int uid, AuthRequest* ar)
+ void authorize(int uid, AuthRequest* ar, bool check_lock)
 {
- authorize(PoolObjectSQL::VM, uid, ar);
+ authorize(PoolObjectSQL::VM, uid, ar, check_lock);
 }
- void authorize_vrouter(int uid, AuthRequest* ar)
+ void authorize_vrouter(int uid, AuthRequest* ar, bool check_lock)
 {
- authorize(PoolObjectSQL::VROUTER, uid, ar);
+ authorize(PoolObjectSQL::VROUTER, uid, ar, check_lock);
 }
 /**
@@ -102,7 +102,8 @@ private:
 * @param uid of user making the request
 * @param ar auth request
 */
- void authorize(PoolObjectSQL::ObjectType ot, int uid, AuthRequest* ar);
+ void authorize(PoolObjectSQL::ObjectType ot, int uid, AuthRequest* ar,
+ bool check_lock);
 };
diff --git a/include/VirtualNetworkPool.h b/include/VirtualNetworkPool.h
index 97376243a3..f2adda3e26 100644
--- a/include/VirtualNetworkPool.h
+++ b/include/VirtualNetworkPool.h
@@ -204,7 +204,8 @@ public:
 VirtualMachineNic * nic,
 int uid,
 AuthRequest * ar,
- set & sgs);
+ set & sgs,
+ bool check_lock);
 //--------------------------------------------------------------------------
 // VNET Reservation interface
diff --git a/include/VirtualRouter.h b/include/VirtualRouter.h
index d5b2f35190..a79ca58ffc 100644
--- a/include/VirtualRouter.h
+++ b/include/VirtualRouter.h
@@ -156,7 +156,8 @@ public:
 * @param ar the AuthRequest object
 * @param tmpl the virtual router template
 */
- static void set_auth_request(int uid, AuthRequest& ar, Template *tmpl);
+ static void set_auth_request(int uid, AuthRequest& ar, Template *tmpl,
+ bool check_lock);
 /**
 * Checks if the given action is supported for Virtual Router VMs
diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc
index 984c89a543..1d68f6773b 100644
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
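Review bot: The private `authorize(PoolObjectSQL::ObjectType ot, int uid, AuthRequest* ar, bool check_lock)` in the second VirtualMachineNic.h hunk keeps its old `@param uid` / `@param ar` comment and gains no `@param check_lock`, and the two public forwarders above it inherit the same gap. One line, `* @param check_lock if false the vnet and security-group auths are added as USE_NO_LCK`, on the private declaration is enough since the public ones just forward; the USE_NO_LCK behaviour is what the src/vm/VirtualMachineNic.cc hunks of this patch implement. The `set & sgs` text in the neighbouring VirtualNetworkPool.h hunk looks like a stripped template argument in the rendering rather than a code change, so I am not raising it.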
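Review bot: `VirtualRouter::set_auth_request` in include/VirtualRouter.h documents `@param ar` and `@param tmpl` but not the added `check_lock`, so the header no longer describes its own signature. Add `* @param check_lock true to honor vnet and security-group locks (USE), false for USE_NO_LCK` before the `*/`, mirroring whatever wording is chosen for `VirtualMachine::set_auth_request` so the two entry points read the same way.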
@@ -90,7 +90,7 @@ bool VirtualMachineAllocate::allocate_authorization(
 ar.add_create_auth(att.uid, att.gid, auth_object, tmpl->to_xml(t64));
- VirtualMachine::set_auth_request(att.uid, ar, ttmpl);
+ VirtualMachine::set_auth_request(att.uid, ar, ttmpl, true);
 if (UserPool::authorize(ar) == -1)
 {
@@ -1088,7 +1088,7 @@ bool VirtualRouterAllocate::allocate_authorization(
 ar.add_create_auth(att.uid, att.gid, auth_object, tmpl->to_xml(tmpl_str));
- VirtualRouter::set_auth_request(att.uid, ar, tmpl);
+ VirtualRouter::set_auth_request(att.uid, ar, tmpl, true);
 if (UserPool::authorize(ar) == -1)
 {
diff --git a/src/rm/RequestManagerInfo.cc b/src/rm/RequestManagerInfo.cc
index 9b8c4e653c..80c8aab1b0 100644
--- a/src/rm/RequestManagerInfo.cc
+++ b/src/rm/RequestManagerInfo.cc
@@ -110,7 +110,7 @@ void TemplateInfo::request_execute(xmlrpc_c::paramList const& paramList,
 if (extended)
 {
- VirtualMachine::set_auth_request(att.uid, ar, extended_tmpl);
+ VirtualMachine::set_auth_request(att.uid, ar, extended_tmpl, false);
 VirtualMachineDisks::extended_info(att.uid, extended_tmpl);
 }
diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc
index 4040991a4b..a0087b0aef 100644
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
@@ -215,7 +215,7 @@ Request::ErrorCode VMTemplateInstantiate::request_execute(int id, string name,
 tmpl_str);
 }
- VirtualMachine::set_auth_request(att.uid, ar, tmpl);
+ VirtualMachine::set_auth_request(att.uid, ar, tmpl, true);
 if (UserPool::authorize(ar) == -1)
 {
diff --git a/src/rm/RequestManagerVirtualMachine.cc b/src/rm/RequestManagerVirtualMachine.cc
index 36e1a876df..eebb304ae0 100644
--- a/src/rm/RequestManagerVirtualMachine.cc
+++ b/src/rm/RequestManagerVirtualMachine.cc
@@ -69,7 +69,7 @@ bool RequestManagerVirtualMachine::vm_authorization(
 if ( vtmpl != 0 )
 {
- VirtualMachine::set_auth_request(att.uid, ar, vtmpl);
+ VirtualMachine::set_auth_request(att.uid, ar, vtmpl, true);
 }
 if ( ds_perm != 0 )
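Review bot: The bare `true` literal in `VirtualMachine::set_auth_request(att.uid, ar, ttmpl, true)` (and the same in `VirtualRouterAllocate::allocate_authorization` below it) tells a reader nothing at the call site about what is being enabled; a boolean trailing argument is the classic opaque flag. In this pre-C++11 code base an inline argument comment is the cheapest fix, `VirtualMachine::set_auth_request(att.uid, ar, ttmpl, true /* check_lock */);`, or alternatively a named `static const bool` in the request manager so every allocate/instantiate path spells out that it enforces lock checks. Both `allocate_authorization` bodies continue outside their hunks.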
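Review bot: The `false` passed in `TemplateInfo::request_execute` is the only call in this patch that relaxes the lock check, and nothing at the call site says why; for an authorization decision that deserves a comment rather than being inferred from the surrounding `if (extended)`. I would annotate it as `// read-only extended info: use USE_NO_LCK so locked images/vnets do not make the lookup fail`. Whether `ar` is later passed to `UserPool::authorize` in this function, and so whether the relaxed auth is actually enforced here, is outside the hunk and worth confirming.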
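Review bot: `RequestManagerVirtualMachine::vm_authorization` now hard-codes `true` in `VirtualMachine::set_auth_request(att.uid, ar, vtmpl, true)`, so every VM request that goes through this shared helper with a template enforces lock checks on the referenced images and vnets. That looks like the intended default for mutating actions, but because the helper is shared, a caller that only reads state would have no way to opt out short of another signature change; if such callers exist, threading a `check_lock` argument through `vm_authorization` now is cheaper than later. The helper's body continues outside the hunk, so I cannot see which callers reach this branch.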
@@ -2285,7 +2285,7 @@ Request::ErrorCode VirtualMachineAttachNic::request_execute(int id,
 ar.add_auth(AuthRequest::MANAGE, vm_perms);
- VirtualMachine::set_auth_request(att.uid, ar, &tmpl);
+ VirtualMachine::set_auth_request(att.uid, ar, &tmpl, true);
 if (UserPool::authorize(ar) == -1)
 {
diff --git a/src/rm/RequestManagerVirtualRouter.cc b/src/rm/RequestManagerVirtualRouter.cc
index 6fd4b71fd1..547f62573c 100644
--- a/src/rm/RequestManagerVirtualRouter.cc
+++ b/src/rm/RequestManagerVirtualRouter.cc
@@ -224,7 +224,7 @@ void VirtualRouterAttachNic::request_execute(
 ar.add_auth(AuthRequest::MANAGE, vr_perms); // MANAGE VROUTER
- VirtualRouter::set_auth_request(att.uid, ar, &tmpl); // USE VNET
+ VirtualRouter::set_auth_request(att.uid, ar, &tmpl, true); // USE VNET
 if (UserPool::authorize(ar) == -1)
 {
diff --git a/src/vm/VirtualMachine.cc b/src/vm/VirtualMachine.cc
index 95bd3c8c9e..ad17c0eeec 100644
--- a/src/vm/VirtualMachine.cc
+++ b/src/vm/VirtualMachine.cc
@@ -1946,14 +1946,15 @@ bool VirtualMachine::is_vrouter()
 void VirtualMachine::set_auth_request(int uid,
 AuthRequest& ar,
- VirtualMachineTemplate *tmpl)
+ VirtualMachineTemplate *tmpl,
+ bool check_lock)
 {
 VirtualMachineDisks::disk_iterator disk;
 VirtualMachineDisks tdisks(tmpl, false);
 for( disk = tdisks.begin(); disk != tdisks.end(); ++disk)
 {
- (*disk)->authorize(uid, &ar);
+ (*disk)->authorize(uid, &ar, check_lock);
 }
 VirtualMachineNics::nic_iterator nic;
@@ -1961,7 +1962,7 @@ void VirtualMachine::set_auth_request(int uid,
 for( nic = tnics.begin(); nic != tnics.end(); ++nic)
 {
- (*nic)->authorize(uid, &ar);
+ (*nic)->authorize(uid, &ar, check_lock);
 }
 const VectorAttribute * vmgroup = tmpl->get("VMGROUP");
diff --git a/src/vm/VirtualMachineDisk.cc b/src/vm/VirtualMachineDisk.cc
index 8757a25558..9c9f327496 100644
--- a/src/vm/VirtualMachineDisk.cc
+++ b/src/vm/VirtualMachineDisk.cc
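Review bot: `VirtualMachine::set_auth_request` in src/vm/VirtualMachine.cc forwards `check_lock` to every disk and NIC, but the function continues past the second hunk with `const VectorAttribute * vmgroup = tmpl->get("VMGROUP");` and whatever `add_auth` follows for the VM group is not visible here; if it still adds a plain `USE`, a `check_lock == false` caller such as TemplateInfo would get lock-checked on the VM group only, which is inconsistent. Worth confirming and, if so, applying the same USE/USE_NO_LCK selection there. A short comment on the parameter in the definition, `// check_lock: false requests USE_NO_LCK for disks and NICs (read-only callers)`, would also help since the .cc carries no doc block.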
@@ -165,7 +165,7 @@ void VirtualMachineDisk::extended_info(int uid)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
-void VirtualMachineDisk::authorize(int uid, AuthRequest* ar)
+void VirtualMachineDisk::authorize(int uid, AuthRequest* ar, bool check_lock)
 {
 string source;
 Image * img = 0;
@@ -207,7 +207,7 @@ void VirtualMachineDisk::authorize(int uid, AuthRequest* ar)
 img->unlock();
 //cloning disks can be used with lock, lcm will track image state updates.
- if (is_cloning())
+ if (is_cloning() || !check_lock)
 {
 ar->add_auth(AuthRequest::USE_NO_LCK, perm);
 }
diff --git a/src/vm/VirtualMachineNic.cc b/src/vm/VirtualMachineNic.cc
index f91e9f3263..f3569d02eb 100644
--- a/src/vm/VirtualMachineNic.cc
+++ b/src/vm/VirtualMachineNic.cc
@@ -121,7 +121,7 @@ int VirtualMachineNic::get_uid(int _uid, string& error)
 /* -------------------------------------------------------------------------- */
 void VirtualMachineNic::authorize(PoolObjectSQL::ObjectType ot, int uid,
- AuthRequest* ar)
+ AuthRequest* ar, bool check_lock)
 {
 Nebula& nd = Nebula::instance();
@@ -132,7 +132,7 @@ void VirtualMachineNic::authorize(PoolObjectSQL::ObjectType ot, int uid,
 get_security_groups(sgroups);
- vnpool->authorize_nic(ot, this, uid, ar, sgroups);
+ vnpool->authorize_nic(ot, this, uid, ar, sgroups, check_lock);
 for(set::iterator it = sgroups.begin(); it != sgroups.end(); it++)
 {
@@ -146,7 +146,14 @@ void VirtualMachineNic::authorize(PoolObjectSQL::ObjectType ot, int uid,
 sgroup->unlock();
- ar->add_auth(AuthRequest::USE, perm);
+ if ( check_lock )
+ {
+ ar->add_auth(AuthRequest::USE, perm);
+ }
+ else
+ {
+ ar->add_auth(AuthRequest::USE_NO_LCK, perm);
+ }
 }
 }
 }
diff --git a/src/vnm/VirtualNetworkPool.cc b/src/vnm/VirtualNetworkPool.cc
index 91da57ace6..3f6aed8a26 100644
--- a/src/vnm/VirtualNetworkPool.cc
+++ b/src/vnm/VirtualNetworkPool.cc
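Review bot: The existing comment `//cloning disks can be used with lock, lcm will track image state updates.` now sits above `if (is_cloning() || !check_lock)` and only explains half of the condition, so the reason a non-cloning disk can also end up with `USE_NO_LCK` is undocumented. Suggest rewording it to `// cloning disks can be used with lock (lcm tracks image state updates); callers passing check_lock=false opt out of the lock check as well`. The `else` branch that presumably adds a plain `USE` is below the hunk, so I could not check it, and `VirtualMachineDisk::authorize` itself starts in the previous hunk.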
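Review bot: The seven-line `if ( check_lock ) { ... } else { ... }` added around the security-group `add_auth` in the third VirtualMachineNic.cc hunk is a pure operation selection and reads better as a single statement, `ar->add_auth(check_lock ? AuthRequest::USE : AuthRequest::USE_NO_LCK, perm);`. The identical block appears in `VirtualNetworkPool::authorize_nic` in this same patch, so the selection is already duplicated; a tiny helper such as `static AuthRequest::Operation use_op(bool check_lock)` would keep the USE/USE_NO_LCK policy in one place (the enum type name is my guess, as AuthRequest is not in the diff). This hunk starts inside the security-group loop whose head is in the previous hunk.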
@@ -303,7 +303,8 @@ void VirtualNetworkPool::authorize_nic(
 VirtualMachineNic * nic,
 int uid,
 AuthRequest * ar,
- set & sgs)
+ set & sgs,
+ bool check_lock)
 {
 string network;
 VirtualNetwork * vnet = 0;
@@ -339,7 +340,14 @@ void VirtualNetworkPool::authorize_nic(
 vnet->unlock();
- ar->add_auth(AuthRequest::USE, perm);
+ if ( check_lock )
+ {
+ ar->add_auth(AuthRequest::USE, perm);
+ }
+ else
+ {
+ ar->add_auth(AuthRequest::USE_NO_LCK, perm);
+ }
 }
 /* -------------------------------------------------------------------------- */
diff --git a/src/vrouter/VirtualRouter.cc b/src/vrouter/VirtualRouter.cc
index c8faf9dc32..87b070cffe 100644
--- a/src/vrouter/VirtualRouter.cc
+++ b/src/vrouter/VirtualRouter.cc
@@ -707,14 +707,15 @@ VectorAttribute* VirtualRouter::get_nic(int nic_id) const
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
-void VirtualRouter::set_auth_request(int uid, AuthRequest& ar, Template *tmpl)
+void VirtualRouter::set_auth_request(int uid, AuthRequest& ar, Template *tmpl,
+ bool check_lock)
 {
 VirtualMachineNics::nic_iterator nic;
 VirtualMachineNics tnics(tmpl);
 for( nic = tnics.begin(); nic != tnics.end(); ++nic)
 {
- (*nic)->authorize_vrouter(uid, &ar);
+ (*nic)->authorize_vrouter(uid, &ar, check_lock);
 }
 }
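Review bot: The `if ( check_lock ) { ... } else { ... }` around the vnet `add_auth` in `VirtualNetworkPool::authorize_nic` duplicates the block added to `VirtualMachineNic::authorize` in this patch, and both exist only to pick an enumerator; `ar->add_auth(check_lock ? AuthRequest::USE : AuthRequest::USE_NO_LCK, perm);` expresses that in one line and makes the two sites trivially comparable. Since `authorize_nic` holds the policy for vnets and the caller holds it for security groups, any future change to what "no lock check" means has to be made in two places; a shared helper on AuthRequest would remove that risk. The function's body between the two hunks is not visible here.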