Feature #687: Let users in the oneadmin group manage ACL rules
This commit is contained in:
parent
071763887c
commit
f2f9c267cb
@ -35,6 +35,7 @@ protected:
|
||||
:Request(method_name,params,help)
|
||||
{
|
||||
auth_object = AuthRequest::ACL;
|
||||
auth_op = AuthRequest::MANAGE;
|
||||
};
|
||||
|
||||
~RequestManagerAcl(){};
|
||||
@ -58,9 +59,7 @@ public:
|
||||
RequestManagerAcl("AclAddRule",
|
||||
"Adds a new ACL rule",
|
||||
"A:ssss")
|
||||
{
|
||||
// TODO: auth_op ?
|
||||
};
|
||||
{};
|
||||
|
||||
~AclAddRule(){};
|
||||
|
||||
@ -77,9 +76,7 @@ public:
|
||||
RequestManagerAcl("AclDelRule",
|
||||
"Deletes an existing ACL rule",
|
||||
"A:si")
|
||||
{
|
||||
// TODO: auth_op ?
|
||||
};
|
||||
{};
|
||||
|
||||
~AclDelRule(){};
|
||||
|
||||
@ -96,9 +93,7 @@ public:
|
||||
RequestManagerAcl("AclInfo",
|
||||
"Returns the ACL rule set",
|
||||
"A:s")
|
||||
{
|
||||
// TODO: auth_op ?
|
||||
};
|
||||
{};
|
||||
|
||||
~AclInfo(){};
|
||||
|
||||
|
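Review bot: `auth_op = AuthRequest::MANAGE;` in the RequestManagerAcl base constructor applies to every subclass, including AclInfo, whose help string says it only "Returns the ACL rule set"; nothing in the header tells a reader that listing rules is gated exactly like adding or deleting them. If that is intended, say so where the value is set, e.g. `// Every ACL request, AclInfo included, is a MANAGE op: only oneadmin or members of the oneadmin group may list, add or delete rules`. Which of the two assignments is the line added by this hunk cannot be recovered from the page, so this applies to the constructor as a whole. In the three subclass hunks that follow, the constructor body `{};` ends with an empty statement after the braces; `{}` is enough.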
@ -18,6 +18,7 @@
|
||||
|
||||
#include "AclManager.h"
|
||||
#include "NebulaLog.h"
|
||||
#include "GroupPool.h"
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
@ -105,6 +106,12 @@ const bool AclManager::authorize(int uid, const set<int> &user_groups,
|
||||
|
||||
bool auth = false;
|
||||
|
||||
// Only oneadmin, or someone in the oneadmin group can manage acl rules
|
||||
if ( obj_type == AuthRequest::ACL )
|
||||
{
|
||||
return ( uid == 0 || user_groups.count( GroupPool::ONEADMIN_ID ) == 1 );
|
||||
}
|
||||
|
||||
// Build masks for request
|
||||
long long user_req;
|
||||
long long resource_oid_req = obj_type + AclRule::INDIVIDUAL_ID + obj_id;
|
||||
|
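Review bot: The early return for `obj_type == AuthRequest::ACL` in AclManager::authorize runs before any rule mask is built, so ACL management can never be delegated through the rule set itself and the requested operation is ignored on this path; that is a deliberate, hard-coded trust boundary and the comment should state it, e.g. `// ACL management is never delegated through rules: this check is fixed and ignores the requested op`. The membership test `user_groups.count( GroupPool::ONEADMIN_ID ) == 1` is correct for the `const set<int>&` shown in the signature, though `!= 0` reads more naturally as "is a member". `bool auth = false;` is declared above the return and unused on this path. authorize starts and ends outside the hunk.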
@ -171,6 +171,8 @@ string Request::object_name(AuthRequest::Object ob)
|
||||
return "virtual machine template";
|
||||
case AuthRequest::GROUP:
|
||||
return "group";
|
||||
case AuthRequest::ACL:
|
||||
return "ACL";
|
||||
default:
|
||||
return "-";
|
||||
}
|
||||
|
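Review bot: The new `case AuthRequest::ACL:` returns `"ACL"` while the neighbouring cases return lowercase phrases (`"group"`, `"virtual machine template"`), so any message assembled from object_name will read inconsistently across object types. Either keep the acronym on purpose and note it, `return "ACL"; // acronym, intentionally not lowercased`, or return `"acl"` to match the others. object_name's switch begins outside the hunk.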
@ -55,11 +55,8 @@ void AclAddRule::request_execute(xmlrpc_c::paramList const& paramList)
|
||||
|
||||
string error_msg;
|
||||
|
||||
// TODO: Only oneadmin can manage ACL
|
||||
if ( uid != 0 )
|
||||
if ( basic_authorization(-1) == false )
|
||||
{
|
||||
failure_response(AUTHORIZATION,
|
||||
authorization_error("Only oneadmin can manage ACL rules"));
|
||||
return;
|
||||
}
|
||||
|
||||
@ -89,11 +86,8 @@ void AclDelRule::request_execute(xmlrpc_c::paramList const& paramList)
|
||||
|
||||
string error_msg;
|
||||
|
||||
// TODO: Only oneadmin can manage ACL
|
||||
if ( uid != 0 )
|
||||
if ( basic_authorization(-1) == false )
|
||||
{
|
||||
failure_response(AUTHORIZATION,
|
||||
authorization_error("Only oneadmin can manage ACL rules"));
|
||||
return;
|
||||
}
|
||||
|
||||
@ -121,11 +115,8 @@ void AclInfo::request_execute(xmlrpc_c::paramList const& paramList)
|
||||
ostringstream oss;
|
||||
int rc;
|
||||
|
||||
// TODO: Only oneadmin can manage ACL
|
||||
if ( uid != 0 )
|
||||
if ( basic_authorization(-1) == false )
|
||||
{
|
||||
failure_response(AUTHORIZATION,
|
||||
authorization_error("Only oneadmin can manage ACL rules"));
|
||||
return;
|
||||
}
|
||||
|
||||
|
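Review bot: The denial message `"Only oneadmin can manage ACL rules"` is now stale: the same commit changes AclManager::authorize to accept members of the oneadmin group as well, so a refused user is told a rule that no longer holds. Change it in all three handlers (AclAddRule here, AclDelRule in the second hunk, AclInfo in the third) to `authorization_error("Only oneadmin or users in the oneadmin group can manage ACL rules")`. The meaning of the `-1` passed to `basic_authorization(-1)` is not visible on this page; presumably it stands for "no specific object id", which deserves a one-line comment such as `// -1: the ACL rule set has no object id` once confirmed against Request::basic_authorization. If basic_authorization already emits its own failure_response on denial (not shown here), the failure_response that follows would send a second response, so verify before keeping both. Each request_execute begins and ends outside its hunk.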