
Feature: Implement reverse search for ACLs that apply to objects in a cluster

This commit is contained in:
Carlos Martín 2013-01-17 12:33:33 +01:00
parent 9ff398d03f
commit dafbc5d349
6 changed files with 39 additions and 13 deletions

@ -127,6 +127,7 @@ public:
* @param all True if the user can perform the operation over any object
* @param oids Set of object IDs over which the user can operate
* @param gids Set of object group IDs over which the user can operate
* @param cids Set of object cluster IDs over which the user can operate
*/
void reverse_search(int uid,
int gid,
@ -134,7 +135,8 @@ public:
AuthRequest::Operation op,
bool& all,
vector<int>& oids,
vector<int>& gids);
vector<int>& gids,
vector<int>& cids);
/* ---------------------------------------------------------------------- */
/* DB management */
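Review bot: The doc block for reverse_search now lists the cids output but still does not state the contract the implementation applies to all three vectors: when all ends up true they are cleared, and otherwise matching ids are pushed onto whatever the caller passed in, so a non-empty vector keeps stale entries. That behaviour is visible in the AclManager.cc hunks of this commit (push_back on oids, gids and cids; clear() of the three when all is set). Suggest adding above the declaration: `* When all is set to true, oids, gids and cids are cleared; otherwise matching ids are appended to them, so callers should pass empty vectors.` The declaration itself spans both hunks of this header.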

@ -707,7 +707,8 @@ void AclManager::reverse_search(int uid,
AuthRequest::Operation op,
bool& all,
vector<int>& oids,
vector<int>& gids)
vector<int>& gids,
vector<int>& cids)
{
ostringstream oss;
@ -719,6 +720,7 @@ void AclManager::reverse_search(int uid,
long long resource_oid_req = obj_type | AclRule::INDIVIDUAL_ID;
long long resource_gid_req = obj_type | AclRule::GROUP_ID;
long long resource_all_req = obj_type | AclRule::ALL_ID;
long long resource_cid_req = obj_type | AclRule::CLUSTER_ID;
long long rights_req = op;
long long resource_oid_mask =
@ -727,6 +729,9 @@ void AclManager::reverse_search(int uid,
long long resource_gid_mask =
( obj_type | AclRule::GROUP_ID );
long long resource_cid_mask =
( obj_type | AclRule::CLUSTER_ID );
// Create a temporal rule, to log the request
long long log_resource;
@ -789,6 +794,13 @@ void AclManager::reverse_search(int uid,
{
oids.push_back(it->second->resource_id());
}
// Rule grants permission for all objects of a cluster
if ( ( it->second->resource & resource_cid_mask ) == resource_cid_req )
{
cids.push_back(it->second->resource_id());
}
}
}
@ -798,6 +810,7 @@ void AclManager::reverse_search(int uid,
{
oids.clear();
gids.clear();
cids.clear();
}
}
}
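Review bot: The new cluster branch at the `resource_cid_mask` comparison is the third verbatim copy of the individual/group pattern (a `*_req` constant, a `*_mask` constant, compare-and-push into an output vector), which makes the function harder to keep consistent as scopes are added; holding the three (mask, req, target vector) triples in a small array and looping over them per rule would keep the logic in one place. The temporal rule built for logging (`log_resource`, introduced right after the `resource_cid_mask` hunk) may also need to reflect the cluster scope, but that code is outside these hunks, so this is only a point to confirm. The body of reverse_search starts and ends outside the hunks shown.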

@ -24,13 +24,13 @@
const char * Datastore::table = "datastore_pool";
const char * Datastore::db_names =
"oid, name, body, uid, gid, owner_u, group_u, other_u";
"oid, name, body, uid, gid, owner_u, group_u, other_u, cid";
const char * Datastore::db_bootstrap =
"CREATE TABLE IF NOT EXISTS datastore_pool ("
"oid INTEGER PRIMARY KEY, name VARCHAR(128), body TEXT, uid INTEGER, "
"gid INTEGER, owner_u INTEGER, group_u INTEGER, other_u INTEGER, "
"UNIQUE(name))";
"cid INTEGER, UNIQUE(name))";
/* ************************************************************************ */
/* Datastore :: Constructor/Destructor */
@ -265,7 +265,8 @@ int Datastore::insert_replace(SqlDB *db, bool replace, string& error_str)
<< gid << ","
<< owner_u << ","
<< group_u << ","
<< other_u << ")";
<< other_u << ","
<< cluster_id << ")";
rc = db->exec(oss);
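Review bot: `CREATE TABLE IF NOT EXISTS datastore_pool (...)` in db_bootstrap will not add the new `cid` column to a database bootstrapped by an earlier version, while insert_replace now writes `cluster_id` into a column list that includes `cid`, so on an upgraded deployment the INSERT fails against the old schema unless a database migration ships with this change; the same applies to the host_pool and network_pool sections below. Suggest a note next to each db_bootstrap: `// Schema change: cid column added, existing databases require a migration`. `cluster_id` is not declared in any hunk here, so it is presumably an inherited member; confirm it holds a defined value for objects that are not assigned to a cluster before insert_replace runs, since it is now written unconditionally. insert_replace starts outside the hunk.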

@ -62,12 +62,12 @@ Host::~Host()
const char * Host::table = "host_pool";
const char * Host::db_names =
"oid, name, body, state, last_mon_time, uid, gid, owner_u, group_u, other_u";
"oid, name, body, state, last_mon_time, uid, gid, owner_u, group_u, other_u, cid";
const char * Host::db_bootstrap = "CREATE TABLE IF NOT EXISTS host_pool ("
"oid INTEGER PRIMARY KEY, name VARCHAR(128), body TEXT, state INTEGER, "
"last_mon_time INTEGER, uid INTEGER, gid INTEGER, owner_u INTEGER, "
"group_u INTEGER, other_u INTEGER, UNIQUE(name))";
"group_u INTEGER, other_u INTEGER, cid INTEGER, UNIQUE(name))";
const char * Host::monit_table = "host_monitoring";
@ -136,7 +136,8 @@ int Host::insert_replace(SqlDB *db, bool replace, string& error_str)
<< gid << ","
<< owner_u << ","
<< group_u << ","
<< other_u << ")";
<< other_u << ","
<< cluster_id << ")";
rc = db->exec(oss);

@ -593,6 +593,7 @@ void PoolSQL::acl_filter(int uid,
vector<int> oids;
vector<int> gids;
vector<int> cids;
aclm->reverse_search(uid,
gid,
@ -600,7 +601,8 @@ void PoolSQL::acl_filter(int uid,
AuthRequest::USE,
all,
oids,
gids);
gids,
cids);
for ( it = oids.begin(); it < oids.end(); it++ )
{
@ -612,6 +614,11 @@ void PoolSQL::acl_filter(int uid,
acl_filter << " OR gid = " << *it;
}
for ( it = cids.begin(); it < cids.end(); it++ )
{
acl_filter << " OR cid = " << *it;
}
filter = acl_filter.str();
}
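Review bot: The new `" OR cid = " << *it` term widens the USE filter to every object whose cid matches a CLUSTER_ID rule, so if objects that belong to no cluster store a sentinel in `cid` and a rule can be created with that sentinel as its resource id, such a rule would grant USE on all unclustered objects; the sentinel is not visible in this hunk, so confirm that rule creation rejects it or that reverse_search never returns it in cids. The loop copies the surrounding style but `it < cids.end()` and post-increment are the unusual forms for vector iterators; `for ( it = cids.begin(); it != cids.end(); ++it )` reads as the standard idiom. acl_filter starts outside the hunk.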

@ -78,12 +78,13 @@ VirtualNetwork::~VirtualNetwork()
const char * VirtualNetwork::table = "network_pool";
const char * VirtualNetwork::db_names =
"oid, name, body, uid, gid, owner_u, group_u, other_u";
"oid, name, body, uid, gid, owner_u, group_u, other_u, cid";
const char * VirtualNetwork::db_bootstrap = "CREATE TABLE IF NOT EXISTS"
" network_pool (oid INTEGER PRIMARY KEY, name VARCHAR(128),"
" body TEXT, uid INTEGER, gid INTEGER, "
"owner_u INTEGER, group_u INTEGER, other_u INTEGER, UNIQUE(name,uid))";
" body TEXT, uid INTEGER, gid INTEGER,"
" owner_u INTEGER, group_u INTEGER, other_u INTEGER,"
" cid INTEGER, UNIQUE(name,uid))";
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -393,7 +394,8 @@ int VirtualNetwork::insert_replace(SqlDB *db, bool replace, string& error_str)
<< gid << ","
<< owner_u << ","
<< group_u << ","
<< other_u << ")";
<< other_u << ","
<< cluster_id << ")";
rc = db->exec(oss);