diff --git a/include/AclManager.h b/include/AclManager.h
index a510ebaa56..396be79e0a 100644
--- a/include/AclManager.h
+++ b/include/AclManager.h
@@ -127,6 +127,7 @@ public:
 * @param all True if the user can perform the operation over any object
 * @param oids Set of object IDs over which the user can operate
 * @param gids Set of object group IDs over which the user can operate
+ * @param cids Set of object cluster IDs over which the user can operate
 */
 void reverse_search(int uid,
 int gid,
@@ -134,7 +135,8 @@ public:
 AuthRequest::Operation op,
 bool& all,
 vector& oids,
- vector& gids);
+ vector& gids,
+ vector& cids);
 
 /* ---------------------------------------------------------------------- */
 /* DB management */
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index e74729950d..78db213081 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -707,7 +707,8 @@ void AclManager::reverse_search(int uid,
 AuthRequest::Operation op,
 bool& all,
 vector& oids,
- vector& gids)
+ vector& gids,
+ vector& cids)
 {
 ostringstream oss;
 
@@ -719,6 +720,7 @@ void AclManager::reverse_search(int uid,
 long long resource_oid_req = obj_type | AclRule::INDIVIDUAL_ID;
 long long resource_gid_req = obj_type | AclRule::GROUP_ID;
 long long resource_all_req = obj_type | AclRule::ALL_ID;
+ long long resource_cid_req = obj_type | AclRule::CLUSTER_ID;
 long long rights_req = op;
 
 long long resource_oid_mask =
@@ -727,6 +729,9 @@ void AclManager::reverse_search(int uid,
 long long resource_gid_mask =
 ( obj_type | AclRule::GROUP_ID );
 
+ long long resource_cid_mask =
+ ( obj_type | AclRule::CLUSTER_ID );
+
 // Create a temporal rule, to log the request
 long long log_resource;
 
@@ -789,6 +794,13 @@ void AclManager::reverse_search(int uid,
 {
 oids.push_back(it->second->resource_id());
 }
+
+ // Rule grants permission for all objects of a cluster
+ if ( ( it->second->resource & resource_cid_mask ) == resource_cid_req )
+ {
+ cids.push_back(it->second->resource_id());
+ }
+
 }
 }
 
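Review bot: The cluster branch added in the -789 hunk appends to `cids` the same way the group branch appends to `gids`, but nothing visible in reverse_search empties the caller's vectors first (the body starts before the -707 hunk and the matching loop is outside this hunk), and the @param text added in include/AclManager.h does not say that these are output vectors. A caller that reuses a vector across calls would accumulate stale ids, so the header comment should state the contract explicitly, e.g. `@param cids Output: cluster IDs appended by this call; pass an empty vector`, with the same wording for oids and gids. The clear() calls in the -798 hunk run only under a condition that precedes that hunk, so they do not cover the general case.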
@@ -798,6 +810,7 @@ void AclManager::reverse_search(int uid, { oids.clear(); gids.clear(); + cids.clear(); } } } diff --git a/src/datastore/Datastore.cc b/src/datastore/Datastore.cc index d908048e74..d008583888 100644 --- a/src/datastore/Datastore.cc +++ b/src/datastore/Datastore.cc @@ -24,13 +24,13 @@ const char * Datastore::table = "datastore_pool"; const char * Datastore::db_names = - "oid, name, body, uid, gid, owner_u, group_u, other_u"; + "oid, name, body, uid, gid, owner_u, group_u, other_u, cid"; const char * Datastore::db_bootstrap = "CREATE TABLE IF NOT EXISTS datastore_pool (" "oid INTEGER PRIMARY KEY, name VARCHAR(128), body TEXT, uid INTEGER, " "gid INTEGER, owner_u INTEGER, group_u INTEGER, other_u INTEGER, " - "UNIQUE(name))"; + "cid INTEGER, UNIQUE(name))"; /* ************************************************************************ */ /* Datastore :: Constructor/Destructor */ @@ -265,7 +265,8 @@ int Datastore::insert_replace(SqlDB *db, bool replace, string& error_str) << gid << "," << owner_u << "," << group_u << "," - << other_u << ")"; + << other_u << "," + << cluster_id << ")"; rc = db->exec(oss); diff --git a/src/host/Host.cc b/src/host/Host.cc index f6c9fe7743..896856c3c7 100644 --- a/src/host/Host.cc +++ b/src/host/Host.cc @@ -62,12 +62,12 @@ Host::~Host() const char * Host::table = "host_pool"; const char * Host::db_names = - "oid, name, body, state, last_mon_time, uid, gid, owner_u, group_u, other_u"; + "oid, name, body, state, last_mon_time, uid, gid, owner_u, group_u, other_u, cid"; const char * Host::db_bootstrap = "CREATE TABLE IF NOT EXISTS host_pool (" "oid INTEGER PRIMARY KEY, name VARCHAR(128), body TEXT, state INTEGER, " "last_mon_time INTEGER, uid INTEGER, gid INTEGER, owner_u INTEGER, " - "group_u INTEGER, other_u INTEGER, UNIQUE(name))"; + "group_u INTEGER, other_u INTEGER, cid INTEGER, UNIQUE(name))"; const char * Host::monit_table = "host_monitoring"; 
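Review bot: `cid` is appended to Datastore::db_names and to the `CREATE TABLE IF NOT EXISTS datastore_pool` bootstrap, but IF NOT EXISTS leaves an already-created datastore_pool without the column, so on an upgraded deployment the INSERT built in insert_replace (the -265 hunk, whose body starts before it) would name a column the table does not have. The same applies to host_pool in src/host/Host.cc and network_pool in src/vnm/VirtualNetwork.cc, which add the column the same way. Unless a schema-upgrade step lives outside this diff, a migration adding `cid INTEGER` to the three existing tables should ship with it. A one-line comment above each db_bootstrap, `// Column list must stay in sync with db_names and the value order in insert_replace`, would also make the three-way coupling visible to the next person extending the schema.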
@@ -136,7 +136,8 @@ int Host::insert_replace(SqlDB *db, bool replace, string& error_str) << gid << "," << owner_u << "," << group_u << "," - << other_u << ")"; + << other_u << "," + << cluster_id << ")"; rc = db->exec(oss); diff --git a/src/pool/PoolSQL.cc b/src/pool/PoolSQL.cc index 6a31a2992d..bf21799c12 100644 --- a/src/pool/PoolSQL.cc +++ b/src/pool/PoolSQL.cc @@ -593,6 +593,7 @@ void PoolSQL::acl_filter(int uid, vector oids; vector gids; + vector cids; aclm->reverse_search(uid, gid, @@ -600,7 +601,8 @@ void PoolSQL::acl_filter(int uid, AuthRequest::USE, all, oids, - gids); + gids, + cids); for ( it = oids.begin(); it < oids.end(); it++ ) { @@ -612,6 +614,11 @@ void PoolSQL::acl_filter(int uid, acl_filter << " OR gid = " << *it; } + for ( it = cids.begin(); it < cids.end(); it++ ) + { + acl_filter << " OR cid = " << *it; + } + filter = acl_filter.str(); } diff --git a/src/vnm/VirtualNetwork.cc b/src/vnm/VirtualNetwork.cc index ae6282be7f..37a3201237 100644 --- a/src/vnm/VirtualNetwork.cc +++ b/src/vnm/VirtualNetwork.cc @@ -78,12 +78,13 @@ VirtualNetwork::~VirtualNetwork() const char * VirtualNetwork::table = "network_pool"; const char * VirtualNetwork::db_names = - "oid, name, body, uid, gid, owner_u, group_u, other_u"; + "oid, name, body, uid, gid, owner_u, group_u, other_u, cid"; const char * VirtualNetwork::db_bootstrap = "CREATE TABLE IF NOT EXISTS" " network_pool (oid INTEGER PRIMARY KEY, name VARCHAR(128)," - " body TEXT, uid INTEGER, gid INTEGER, " - "owner_u INTEGER, group_u INTEGER, other_u INTEGER, UNIQUE(name,uid))"; + " body TEXT, uid INTEGER, gid INTEGER," + " owner_u INTEGER, group_u INTEGER, other_u INTEGER," + " cid INTEGER, UNIQUE(name,uid))"; /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ 
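Review bot: The new cids loop in PoolSQL::acl_filter (-612 hunk) copies the `it < cids.end(); it++` form of the two loops above it; `it != cids.end(); ++it` is the conventional iterator idiom and does not rely on the relational comparison that only random-access iterators provide. The clause itself is built from integer rule ids returned by reverse_search, so concatenating it into `acl_filter` adds no new injection surface beyond what the existing oid/gid clauses already carry. acl_filter's body starts before the -593 hunk.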
@@ -393,7 +394,8 @@ int VirtualNetwork::insert_replace(SqlDB *db, bool replace, string& error_str)
 << gid << ","
 << owner_u << ","
 << group_u << ","
- << other_u << ")";
+ << other_u << ","
+ << cluster_id << ")";
 
 rc = db->exec(oss);