diff --git a/include/RequestManagerAcl.h b/include/RequestManagerAcl.h
index fce48369a6..364cd9ea08 100644
--- a/include/RequestManagerAcl.h
+++ b/include/RequestManagerAcl.h
@@ -35,6 +35,7 @@ protected: :Request(method_name,params,help) { auth_object = AuthRequest::ACL;
+ auth_op = AuthRequest::MANAGE;
}; ~RequestManagerAcl(){};
@@ -58,9 +59,7 @@ public: RequestManagerAcl("AclAddRule", "Adds a new ACL rule", "A:ssss")
- {
- // TODO: auth_op ?
- };
+ {};
~AclAddRule(){};
@@ -77,9 +76,7 @@ public: RequestManagerAcl("AclDelRule", "Deletes an existing ACL rule", "A:si")
- {
- // TODO: auth_op ?
- };
+ {};
~AclDelRule(){};
@@ -96,9 +93,7 @@ public: RequestManagerAcl("AclInfo", "Returns the ACL rule set", "A:s")
- {
- // TODO: auth_op ?
- };
+ {};
~AclInfo(){};
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index d950a6075d..23a847e3c8 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -18,6 +18,7 @@ #include "AclManager.h" #include "NebulaLog.h"
+#include "GroupPool.h"
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
@@ -105,6 +106,12 @@ const bool AclManager::authorize(int uid, const set &user_groups, bool auth = false;
+ // Only oneadmin, or someone in the oneadmin group can manage acl rules
+ if ( obj_type == AuthRequest::ACL )
+ {
+ return ( uid == 0 || user_groups.count( GroupPool::ONEADMIN_ID ) == 1 );
+ }
+ // Build masks for request long long user_req; long long resource_oid_req = obj_type + AclRule::INDIVIDUAL_ID + obj_id;
diff --git a/src/rm/Request.cc b/src/rm/Request.cc
index 19f3584012..2a32ee6a64 100644
--- a/src/rm/Request.cc
+++ b/src/rm/Request.cc
@@ -171,6 +171,8 @@ string Request::object_name(AuthRequest::Object ob) return "virtual machine template"; case AuthRequest::GROUP: return "group";
+ case AuthRequest::ACL:
+ return "ACL";
default: return "-"; }
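Review bot: The base constructor now sets `auth_op = AuthRequest::MANAGE` for every ACL request, including `AclInfo`, which only returns the rule set, and nothing in the header says this is deliberate. Since the `AclManager::authorize` change in this same commit does not look at the operation for `AuthRequest::ACL` objects, the value is effectively informational and that is worth stating where it is set: `// Every ACL request, read-only AclInfo included, is a MANAGE op: AclManager::authorize ignores the op for ACL objects and admits only oneadmin / the oneadmin group`. The three later hunks replace the `// TODO: auth_op ?` bodies with `{};`; the semicolon after a constructor body is redundant (the destructors have the same), and these lines are the place to drop it to `{}`. The enclosing class definitions continue outside each hunk.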
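Review bot: The early return added for `AuthRequest::ACL` leaves `authorize` before `auth` is assigned and before whatever the rest of the function does with the result, so a denied ACL-management attempt by an ordinary user presumably skips any logging the mask-based path performs; the remainder of the function is outside the hunk, so confirm that is acceptable for an audit-relevant decision. The check also ignores `op`, which makes the read-only AclInfo call as restricted as add and delete; that is a reasonable choice but should be written down next to the test, e.g. `// op is intentionally ignored: every ACL operation, reads included, is limited to oneadmin or the oneadmin group`. `user_groups.count( GroupPool::ONEADMIN_ID ) == 1` only expresses membership because `user_groups` is a set; `!= 0` states the intent directly and does not depend on that.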
diff --git a/src/rm/RequestManagerAcl.cc b/src/rm/RequestManagerAcl.cc
index aa30f041e1..676d54ce89 100644
--- a/src/rm/RequestManagerAcl.cc
+++ b/src/rm/RequestManagerAcl.cc
@@ -55,11 +55,8 @@ void AclAddRule::request_execute(xmlrpc_c::paramList const& paramList) string error_msg;
- // TODO: Only oneadmin can manage ACL
- if ( uid != 0 )
+ if ( basic_authorization(-1) == false )
{
- failure_response(AUTHORIZATION,
- authorization_error("Only oneadmin can manage ACL rules"));
return; }
@@ -89,11 +86,8 @@ void AclDelRule::request_execute(xmlrpc_c::paramList const& paramList) string error_msg;
- // TODO: Only oneadmin can manage ACL
- if ( uid != 0 )
+ if ( basic_authorization(-1) == false )
{
- failure_response(AUTHORIZATION,
- authorization_error("Only oneadmin can manage ACL rules"));
return; }
@@ -121,11 +115,8 @@ void AclInfo::request_execute(xmlrpc_c::paramList const& paramList) ostringstream oss; int rc;
- // TODO: Only oneadmin can manage ACL
- if ( uid != 0 )
+ if ( basic_authorization(-1) == false )
{
- failure_response(AUTHORIZATION,
- authorization_error("Only oneadmin can manage ACL rules"));
return; }
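Review bot: Dropping the explicit `failure_response(AUTHORIZATION, ...)` and returning bare after `basic_authorization(-1) == false` makes each handler silently depend on `basic_authorization` having already sent the failure response to the client; its body is not part of this diff, so that contract should be confirmed and recorded at the call site, e.g. `// basic_authorization() has already sent the AUTHORIZATION failure_response`. The `-1` object id also deserves a word: if `basic_authorization` ends up in `AclManager::authorize`, the id is never consulted for ACL objects because that function returns before building the masks, so `// -1: ACL rules have no owning object; the check is on the ACL object type as a whole` would explain it. `if ( basic_authorization(-1) == false )` is more idiomatically `if ( !basic_authorization(-1) )`. The same three points apply to the AclDelRule and AclInfo hunks below, and every `request_execute` body continues past its hunk.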