shaba/one
1
0
Fork 0
mirror of https://github.com/OpenNebula/one.git synced 2025-03-21 14:50:08 +03:00
Code Releases Wiki Activity

B #5210: Make LDAP group_admin configurable (code)

Browse Source 
(cherry picked from commit 960380acf82a42d7bb805c7550901ac743152422)
This commit is contained in:
Jan Orel 2020-12-17 19:49:06 +01:00 committed by Ruben S. Montero
parent c3eb9e73bc
commit f4c48b7724
No known key found for this signature in database
GPG Key ID: A0CEA6FA880A1D87
3 changed files with 60 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/OpenNebulaTemplate.h
View File

@ -130,6 +130,7 @@ private:
void set_conf_auth(const std::string& name,
const std::string& change_password,
const std::string& driver_managed_groups,
const std::string& driver_managed_group_admin,
const std::string& max_token_time);
/**

16
src/template/OpenNebulaTemplate.cc
View File

@ -138,13 +138,13 @@ void OpenNebulaTemplate::set_multiple_conf_default()
# server_x509
#******
*/
set_conf_auth("core", "YES", "NO", "-1");
set_conf_auth("public", "NO", "NO", "-1");
set_conf_auth("ssh", "YES", "NO", "-1");
set_conf_auth("x509", "NO", "NO", "-1");
set_conf_auth("ldap", "YES", "YES", "86400");
set_conf_auth("server_cipher", "NO", "NO", "-1");
set_conf_auth("server_x509", "NO", "NO", "-1");
set_conf_auth("core", "YES", "NO", "NO", "-1");
set_conf_auth("public", "NO", "NO", "NO", "-1");
set_conf_auth("ssh", "YES", "NO", "NO", "-1");
set_conf_auth("x509", "NO", "NO", "NO", "-1");
set_conf_auth("ldap", "YES", "YES", "YES", "86400");
set_conf_auth("server_cipher", "NO", "NO", "NO", "-1");
set_conf_auth("server_x509", "NO", "NO", "NO", "-1");
register_multiple_conf_default("AUTH_MAD_CONF");
@ -304,6 +304,7 @@ void OpenNebulaTemplate::set_conf_market(const std::string& name,
void OpenNebulaTemplate::set_conf_auth(const std::string& name,
const std::string& password_change,
const std::string& driver_managed_groups,
const std::string& driver_managed_group_admin,
const std::string& max_token_time)
{
VectorAttribute * vattribute;
@ -312,6 +313,7 @@ void OpenNebulaTemplate::set_conf_auth(const std::string& name,
vvalue.insert(make_pair("NAME", name));
vvalue.insert(make_pair("PASSWORD_CHANGE", password_change));
vvalue.insert(make_pair("DRIVER_MANAGED_GROUPS", driver_managed_groups));
vvalue.insert(make_pair("DRIVER_MANAGED_GROUP_ADMIN", driver_managed_group_admin));
vvalue.insert(make_pair("MAX_TOKEN_TIME", max_token_time));
vattribute = new VectorAttribute("AUTH_MAD_CONF", vvalue);

79
src/um/UserPool.cc
View File

@ -327,6 +327,7 @@ int UserPool::allocate(
string upass = password;
string gname;
bool driver_managed_group_admin = false;
ostringstream oss;
@ -427,21 +428,30 @@ int UserPool::allocate(
group->unlock();
}
// Set the user group admin
for(set<int>::const_iterator it = agids.begin(); it != agids.end(); it++)
if (nd.get_auth_conf_attribute(auth_driver, "DRIVER_MANAGED_GROUP_ADMIN",
driver_managed_group_admin) != 0)
{
Group * group = gpool->get(*it);
driver_managed_group_admin = false;
}
if( group == 0 ) //Secondary group no longer exists
if ( driver_managed_group_admin )
{
// Set the user group admin
for(set<int>::const_iterator it = agids.begin(); it != agids.end(); it++)
{
goto error_group;
Group * group = gpool->get(*it);
if( group == 0 ) //Secondary group no longer exists
{
goto error_group;
}
group->add_admin(*oid, error_str);
gpool->update(group);
group->unlock();
}
group->add_admin(*oid, error_str);
gpool->update(group);
group->unlock();
}
return *oid;
@ -652,6 +662,7 @@ bool UserPool::authenticate_internal(User * user,
string error_str;
bool driver_managed_groups = false;
bool driver_managed_group_admin = false;
int egid = -1;
int new_gid = -1;
@ -696,6 +707,12 @@ bool UserPool::authenticate_internal(User * user,
driver_managed_groups = false;
}
if (nd.get_auth_conf_attribute(auth_driver, "DRIVER_MANAGED_GROUP_ADMIN",
driver_managed_group_admin) != 0)
{
driver_managed_group_admin = false;
}
AuthRequest ar(user_id, group_ids);
// -------------------------------------------------------------------------
@ -897,7 +914,8 @@ bool UserPool::authenticate_internal(User * user,
continue;
}
if ( new_group_admin_ids.find(*it) != new_group_admin_ids.end() )
if ( driver_managed_group_admin &&
new_group_admin_ids.find(*it) != new_group_admin_ids.end() )
{
group->add_admin(user_id, error_str);
}
@ -929,32 +947,35 @@ bool UserPool::authenticate_internal(User * user,
// For groups which user remained member also check if the admin status
// did not changed
// -------------------------------------------------------------------------
for(it = groups_same.begin(); it != groups_same.end(); it++)
if ( driver_managed_group_admin )
{
// user was admin before but is not now
if ( group_admin_ids.find(*it) != group_admin_ids.end()
&& new_group_admin_ids.find(*it) == new_group_admin_ids.end() )
for(it = groups_same.begin(); it != groups_same.end(); it++)
{
group = gpool->get(*it);
// user was admin before but is not now
if ( group_admin_ids.find(*it) != group_admin_ids.end()
&& new_group_admin_ids.find(*it) == new_group_admin_ids.end() )
{
group = gpool->get(*it);
group->del_admin(user_id, error_str);
group->del_admin(user_id, error_str);
gpool->update(group);
gpool->update(group);
group->unlock();
}
group->unlock();
}
// user was not admin before but is now
if ( group_admin_ids.find(*it) == group_admin_ids.end()
&& new_group_admin_ids.find(*it) != new_group_admin_ids.end() )
{
group = gpool->get(*it);
// user was not admin before but is now
if ( group_admin_ids.find(*it) == group_admin_ids.end()
&& new_group_admin_ids.find(*it) != new_group_admin_ids.end() )
{
group = gpool->get(*it);
group->add_admin(user_id, error_str);
group->add_admin(user_id, error_str);
gpool->update(group);
gpool->update(group);
group->unlock();
group->unlock();
}
}
}