
Feature #687: Let users in the oneadmin group manage ACL rules

This commit is contained in:
Carlos Martín 2011-06-30 15:17:58 +02:00
parent 071763887c
commit f2f9c267cb
4 changed files with 16 additions and 21 deletions


@ -35,6 +35,7 @@ protected:
:Request(method_name,params,help)
{
auth_object = AuthRequest::ACL;
auth_op = AuthRequest::MANAGE;
};
~RequestManagerAcl(){};
@ -58,9 +59,7 @@ public:
RequestManagerAcl("AclAddRule",
"Adds a new ACL rule",
"A:ssss")
{
// TODO: auth_op ?
};
{};
~AclAddRule(){};
@ -77,9 +76,7 @@ public:
RequestManagerAcl("AclDelRule",
"Deletes an existing ACL rule",
"A:si")
{
// TODO: auth_op ?
};
{};
~AclDelRule(){};
@ -96,9 +93,7 @@ public:
RequestManagerAcl("AclInfo",
"Returns the ACL rule set",
"A:s")
{
// TODO: auth_op ?
};
{};
~AclInfo(){};
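Review bot: The base constructor now fixes `auth_op = AuthRequest::MANAGE` for every ACL request, including AclInfo, which only reads the rule set; as far as this page shows, the op value is not what decides the outcome, since AclManager::authorize returns for ACL objects on identity alone, so a reader will wonder why a read-only request carries MANAGE. A comment on the assignment would remove the doubt, e.g. `// ACL requests are gated on identity (oneadmin or its group) rather than on the operation; MANAGE is used uniformly`, hedged if the AuthRequest pipeline evaluates the op elsewhere. The replacement bodies `{};` also carry a stray semicolon after the constructor body; `{}` is enough and reads consistently with the derived destructors. The enclosing class definitions start and end outside these hunks.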


@ -18,6 +18,7 @@
#include "AclManager.h"
#include "NebulaLog.h"
#include "GroupPool.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -105,6 +106,12 @@ const bool AclManager::authorize(int uid, const set<int> &user_groups,
bool auth = false;
// Only oneadmin, or someone in the oneadmin group can manage acl rules
if ( obj_type == AuthRequest::ACL )
{
return ( uid == 0 || user_groups.count( GroupPool::ONEADMIN_ID ) == 1 );
}
// Build masks for request
long long user_req;
long long resource_oid_req = obj_type + AclRule::INDIVIDUAL_ID + obj_id;
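Review bot: The early return for `obj_type == AuthRequest::ACL` decides on identity alone, so any rule stored in the ACL table whose resource type is ACL is never evaluated, neither to grant nor to deny, and the `op` argument is ignored for this object type. If that is the intended design, the comment should say so, e.g. `// ACL rules about ACL objects are never consulted: only oneadmin (uid 0) and members of the oneadmin group may manage them, regardless of op`. As a membership test on a `set<int>`, `user_groups.count(GroupPool::ONEADMIN_ID) != 0` reads more directly than comparing with 1. The body of authorize() continues outside the hunk.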


@ -171,6 +171,8 @@ string Request::object_name(AuthRequest::Object ob)
return "virtual machine template";
case AuthRequest::GROUP:
return "group";
case AuthRequest::ACL:
return "ACL";
default:
return "-";
}


@ -55,11 +55,8 @@ void AclAddRule::request_execute(xmlrpc_c::paramList const& paramList)
string error_msg;
// TODO: Only oneadmin can manage ACL
if ( uid != 0 )
if ( basic_authorization(-1) == false )
{
failure_response(AUTHORIZATION,
authorization_error("Only oneadmin can manage ACL rules"));
return;
}
@ -89,11 +86,8 @@ void AclDelRule::request_execute(xmlrpc_c::paramList const& paramList)
string error_msg;
// TODO: Only oneadmin can manage ACL
if ( uid != 0 )
if ( basic_authorization(-1) == false )
{
failure_response(AUTHORIZATION,
authorization_error("Only oneadmin can manage ACL rules"));
return;
}
@ -121,11 +115,8 @@ void AclInfo::request_execute(xmlrpc_c::paramList const& paramList)
ostringstream oss;
int rc;
// TODO: Only oneadmin can manage ACL
if ( uid != 0 )
if ( basic_authorization(-1) == false )
{
failure_response(AUTHORIZATION,
authorization_error("Only oneadmin can manage ACL rules"));
return;
}
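Review bot: The unchanged failure text `"Only oneadmin can manage ACL rules"` is now inaccurate, because the new `basic_authorization(-1)` check also admits members of the oneadmin group; the same message remains in the AclAddRule, AclDelRule and AclInfo hunks and should read along the lines of `authorization_error("Only oneadmin or members of the oneadmin group can manage ACL rules")`. If basic_authorization() already calls failure_response() when it returns false, as the other request classes appear to rely on (not visible here), the failure_response in these three hunks would send a second response for the same request; please confirm and drop whichever copy is redundant. The condition is also clearer as `if ( !basic_authorization(-1) )` than as a comparison with `false`. Each request_execute() body starts before and continues after its hunk.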