Feature #687: Let users in the oneadmin group manage ACL rules

2025-03-15 18:50:09 +03:00 · 2011-06-30 15:17:58 +02:00 · 2011-06-30 15:17:58 +02:00 · f2f9c267cb
commit f2f9c267cb
parent 071763887c
4 changed files with 16 additions and 21 deletions
--- a/include/RequestManagerAcl.h
+++ b/include/RequestManagerAcl.h
@ -35,6 +35,7 @@ protected:
        :Request(method_name,params,help)
    {
        auth_object = AuthRequest::ACL;
+        auth_op     = AuthRequest::MANAGE;
    };

    ~RequestManagerAcl(){};
@ -58,9 +59,7 @@ public:
        RequestManagerAcl("AclAddRule",
                            "Adds a new ACL rule",
                            "A:ssss")
-    {
-        // TODO: auth_op ?
-    };
+    {};

    ~AclAddRule(){};

@ -77,9 +76,7 @@ public:
        RequestManagerAcl("AclDelRule",
                            "Deletes an existing ACL rule",
                            "A:si")
-    {
-        // TODO: auth_op ?
-    };
+    {};

    ~AclDelRule(){};

@ -96,9 +93,7 @@ public:
        RequestManagerAcl("AclInfo",
                            "Returns the ACL rule set",
                            "A:s")
-    {
-        // TODO: auth_op ?
-    };
+    {};

    ~AclInfo(){};

--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@ -18,6 +18,7 @@

 #include "AclManager.h"
 #include "NebulaLog.h"
+#include "GroupPool.h"

 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
@ -105,6 +106,12 @@ const bool AclManager::authorize(int uid, const set<int> &user_groups,

    bool auth = false;

+    // Only oneadmin, or someone in the oneadmin group can manage acl rules
+    if ( obj_type == AuthRequest::ACL )
+    {
+        return ( uid == 0 || user_groups.count( GroupPool::ONEADMIN_ID ) == 1 );
+    }
+
    // Build masks for request
    long long user_req;
    long long resource_oid_req  = obj_type + AclRule::INDIVIDUAL_ID + obj_id;
--- a/src/rm/Request.cc
+++ b/src/rm/Request.cc
@ -171,6 +171,8 @@ string Request::object_name(AuthRequest::Object ob)
            return "virtual machine template";
        case AuthRequest::GROUP:
            return "group";
+        case AuthRequest::ACL:
+            return "ACL";
        default:
            return "-";
      }
--- a/src/rm/RequestManagerAcl.cc
+++ b/src/rm/RequestManagerAcl.cc
@ -55,11 +55,8 @@ void AclAddRule::request_execute(xmlrpc_c::paramList const& paramList)

    string error_msg;

-    // TODO: Only oneadmin can manage ACL
-    if ( uid != 0 )
+    if ( basic_authorization(-1) == false )
    {
-        failure_response(AUTHORIZATION,
-                authorization_error("Only oneadmin can manage ACL rules"));
        return;
    }

@ -89,11 +86,8 @@ void AclDelRule::request_execute(xmlrpc_c::paramList const& paramList)

    string error_msg;

-    // TODO: Only oneadmin can manage ACL
-    if ( uid != 0 )
+    if ( basic_authorization(-1) == false )
    {
-        failure_response(AUTHORIZATION,
-                authorization_error("Only oneadmin can manage ACL rules"));
        return;
    }

@ -121,11 +115,8 @@ void AclInfo::request_execute(xmlrpc_c::paramList const& paramList)
    ostringstream oss;
    int rc;

-    // TODO: Only oneadmin can manage ACL
-    if ( uid != 0 )
+    if ( basic_authorization(-1) == false )
    {
-        failure_response(AUTHORIZATION,
-                authorization_error("Only oneadmin can manage ACL rules"));
        return;
    }