shaba/one
1
0
Fork 0
mirror of https://github.com/OpenNebula/one.git synced 2025-02-27 13:57:23 +03:00
Code Releases Wiki Activity

Rename Permissions class to PoolObjectAuth and move it to its own .h file

Browse Source
This commit is contained in:
Carlos Martín 2012-01-02 21:17:20 +01:00
parent eaa257103e
commit fef8cdbf08
16 changed files with 205 additions and 166 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/AclManager.h
View File

@ -63,7 +63,7 @@ public:
const bool authorize(int uid,
int gid,
AuthRequest::Object obj_type,
Permissions * obj_perms,
PoolObjectAuth * obj_perms,
AuthRequest::Operation op);
/**

6
include/AuthManager.h
View File

@ -29,7 +29,7 @@ using namespace std;
//Forward definitions
class AuthRequest;
class Permissions;
class PoolObjectAuth;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -355,7 +355,7 @@ public:
*/
void add_auth(Object ob,
Operation op,
Permissions* ob_perms)
PoolObjectAuth * ob_perms)
{
add_auth(ob, op, ob_perms, "");
}
@ -374,7 +374,7 @@ public:
*/
void add_auth(Object ob,
Operation op,
Permissions* ob_perms,
PoolObjectAuth * ob_perms,
string ob_template);
/**

147
include/PoolObjectAuth.h Normal file
View File

@ -0,0 +1,147 @@
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
#ifndef POOL_OBJECT_AUTH_H_
#define POOL_OBJECT_AUTH_H_
#include "PoolObjectSQL.h"
#include "AuthManager.h"
#include "AclRule.h"
class PoolObjectAuth
{
public:
PoolObjectAuth(PoolObjectSQL* obj)
{
oid = obj->oid;
uid = obj->uid;
gid = obj->gid;
owner_u = obj->owner_u;
owner_m = obj->owner_m;
owner_a = obj->owner_a;
group_u = obj->group_u;
group_m = obj->group_m;
group_a = obj->group_a;
other_u = obj->other_u;
other_m = obj->other_m;
other_a = obj->other_a;
};
PoolObjectAuth():
oid(-1),
uid(-1),
gid(-1),
owner_u(1),
owner_m(1),
owner_a(0),
group_u(0),
group_m(0),
group_a(0),
other_u(0),
other_m(0),
other_a(0)
{};
void get_acl_rules( AclRule* owner_rule,
AclRule* group_rule,
AclRule* other_rule)
{
long long perm_user, perm_resource, perm_rights;
perm_resource = obj_type | AclRule::INDIVIDUAL_ID | oid;
// Rule "#uid ob_type/#oid user_rights"
perm_user = AclRule::INDIVIDUAL_ID | uid;
perm_rights = 0;
if ( owner_u == 1 )
{
perm_rights = perm_rights | AuthRequest::USE;
}
if ( owner_m == 1 )
{
perm_rights = perm_rights | AuthRequest::MANAGE;
}
if ( owner_a == 1 )
{
perm_rights = perm_rights | AuthRequest::ADMIN;
}
owner_rule = new AclRule(0, perm_user, perm_resource, perm_rights);
// Rule "@gid ob_type/#oid group_rights"
perm_user = AclRule::GROUP_ID | gid;
perm_rights = 0;
if ( group_u == 1 )
{
perm_rights = perm_rights | AuthRequest::USE;
}
if ( group_m == 1 )
{
perm_rights = perm_rights | AuthRequest::MANAGE;
}
if ( group_a == 1 )
{
perm_rights = perm_rights | AuthRequest::ADMIN;
}
group_rule = new AclRule(0, perm_user, perm_resource, perm_rights);
// Rule "* ob_type/#oid others_rights"
perm_user = AclRule::ALL_ID;
perm_rights = 0;
if ( other_u == 1 )
{
perm_rights = perm_rights | AuthRequest::USE;
}
if ( other_m == 1 )
{
perm_rights = perm_rights | AuthRequest::MANAGE;
}
if ( other_a == 1 )
{
perm_rights = perm_rights | AuthRequest::ADMIN;
}
other_rule = new AclRule(0, perm_user, perm_resource, perm_rights);
};
AuthRequest::Object obj_type;
int oid;
int uid;
int gid;
int owner_u;
int owner_m;
int owner_a;
int group_u;
int group_m;
int group_a;
int other_u;
int other_m;
int other_a;
};
#endif /*POOL_OBJECT_AUTH_H_*/

64
include/PoolObjectSQL.h
View File

@ -20,13 +20,13 @@
#include "ObjectSQL.h"
#include "ObjectXML.h"
#include "Template.h"
#include "AclRule.h"
#include <pthread.h>
#include <string.h>
using namespace std;
class Permissions;
class PoolObjectAuth;
/**
* PoolObject class. Provides a SQL backend interface for Pool components. Each
@ -313,7 +313,7 @@ public:
// Permissions
// ------------------------------------------------------------------------
Permissions* get_permissions();
PoolObjectAuth* get_permissions();
protected:
@ -462,7 +462,7 @@ private:
*/
friend class PoolSQL;
friend class Permissions;
friend class PoolObjectAuth;
/**
* The mutex for the PoolObject. This implementation assumes that the mutex
@ -481,60 +481,4 @@ private:
static const char * error_attribute_name;
};
class Permissions
{
public:
Permissions(PoolObjectSQL* obj)
{
oid = obj->oid;
uid = obj->uid;
gid = obj->gid;
owner_u = obj->owner_u;
owner_m = obj->owner_m;
owner_a = obj->owner_a;
group_u = obj->group_u;
group_m = obj->group_m;
group_a = obj->group_a;
other_u = obj->other_u;
other_m = obj->other_m;
other_a = obj->other_a;
};
Permissions():
oid(-1),
uid(-1),
gid(-1),
owner_u(1),
owner_m(1),
owner_a(0),
group_u(0),
group_m(0),
group_a(0),
other_u(0),
other_m(0),
other_a(0)
{};
// AuthRequest::Object obj_type;
int oid;
int uid;
int gid;
int owner_u;
int owner_m;
int owner_a;
int group_u;
int group_m;
int group_a;
int other_u;
int other_m;
int other_a;
};
#endif /*POOL_OBJECT_SQL_H_*/

1
include/Request.h
View File

@ -22,6 +22,7 @@
#include "RequestManager.h"
#include "AuthManager.h"
#include "PoolObjectAuth.h"
using namespace std;

80
src/acl/AclManager.cc
View File

@ -18,7 +18,7 @@
#include "AclManager.h"
#include "NebulaLog.h"
#include "PoolObjectSQL.h"
#include "PoolObjectAuth.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -120,7 +120,7 @@ const bool AclManager::authorize(
int uid,
int gid,
AuthRequest::Object obj_type,
Permissions * obj_perms,
PoolObjectAuth * obj_perms,
AuthRequest::Operation op)
{
ostringstream oss;
@ -188,78 +188,18 @@ const bool AclManager::authorize(
// ---------------------------------------------------
// Create temporary rules from the object permissions
// ---------------------------------------------------
AclRule * owner_rule = 0;
AclRule * group_rule = 0;
AclRule * other_rule = 0;
multimap<long long, AclRule*> tmp_rules;
if ( obj_perms->oid >= 0 ) // If oid is -1, this is a new obj. creation
{
long long perm_user, perm_resource, perm_rights;
AclRule * tmp_rule;
obj_perms->get_acl_rules(owner_rule, group_rule, other_rule);
perm_resource = obj_type | AclRule::INDIVIDUAL_ID | obj_perms->oid;
tmp_rules.insert( make_pair(owner_rule->user, owner_rule) );
tmp_rules.insert( make_pair(group_rule->user, group_rule) );
tmp_rules.insert( make_pair(other_rule->user, other_rule) );
// Rule "#uid ob_type/#oid user_rights"
perm_user = AclRule::INDIVIDUAL_ID | obj_perms->uid;
perm_rights = 0;
if ( obj_perms->owner_u == 1 )
{
perm_rights = perm_rights | AuthRequest::USE;
}
if ( obj_perms->owner_m == 1 )
{
perm_rights = perm_rights | AuthRequest::MANAGE;
}
if ( obj_perms->owner_a == 1 )
{
perm_rights = perm_rights | AuthRequest::ADMIN;
}
tmp_rule = new AclRule(0, perm_user, perm_resource, perm_rights);
tmp_rules.insert( make_pair(tmp_rule->user, tmp_rule) );
// Rule "@gid ob_type/#oid group_rights"
perm_user = AclRule::GROUP_ID | obj_perms->gid;
perm_rights = 0;
if ( obj_perms->group_u == 1 )
{
perm_rights = perm_rights | AuthRequest::USE;
}
if ( obj_perms->group_m == 1 )
{
perm_rights = perm_rights | AuthRequest::MANAGE;
}
if ( obj_perms->group_a == 1 )
{
perm_rights = perm_rights | AuthRequest::ADMIN;
}
tmp_rule = new AclRule(0, perm_user, perm_resource, perm_rights);
tmp_rules.insert( make_pair(tmp_rule->user, tmp_rule) );
// Rule "* ob_type/#oid others_rights"
perm_user = AclRule::ALL_ID;
perm_rights = 0;
if ( obj_perms->other_u == 1 )
{
perm_rights = perm_rights | AuthRequest::USE;
}
if ( obj_perms->other_m == 1 )
{
perm_rights = perm_rights | AuthRequest::MANAGE;
}
if ( obj_perms->other_a == 1 )
{
perm_rights = perm_rights | AuthRequest::ADMIN;
}
tmp_rule = new AclRule(0, perm_user, perm_resource, perm_rights);
tmp_rules.insert( make_pair(tmp_rule->user, tmp_rule) );
}
// ---------------------------------------------------
// Look for rules that apply to everyone
// ---------------------------------------------------

4
src/authm/AuthManager.cc
View File

@ -17,7 +17,7 @@
#include "AuthManager.h"
#include "NebulaLog.h"
#include "SSLTools.h"
#include "PoolObjectSQL.h"
#include "PoolObjectAuth.h"
#include "Nebula.h"
/* -------------------------------------------------------------------------- */
@ -32,7 +32,7 @@ const char * AuthManager::auth_driver_name = "auth_exe";
void AuthRequest::add_auth(Object ob,
Operation op,
Permissions* ob_perms,
PoolObjectAuth * ob_perms,
string ob_template)
{
// TODO: object's public flag is not used, it will disappear

7
src/authm/test/AuthManagerTest.cc
View File

@ -26,6 +26,7 @@
#include "AuthManager.h"
#include "Template.h"
#include "NebulaLog.h"
#include "PoolObjectAuth.h"
#include <openssl/evp.h>
#include <openssl/bio.h>
@ -184,7 +185,7 @@ public:
"NET:4:MANAGE:5:1:0 "
"HOST:6:MANAGE:7:1:0 0";
Permissions perm;
PoolObjectAuth perm;
perm.gid = 0;
perm.uid = -1;
@ -300,7 +301,7 @@ public:
AuthRequest ar5(0, 1);
AuthRequest ar6(0, 1);
Permissions perm;
PoolObjectAuth perm;
perm.oid = -1;
perm.gid = -1;
@ -320,7 +321,7 @@ public:
CPPUNIT_ASSERT(ar.core_authorize() == true);
perm = Permissions();
perm = PoolObjectAuth();
perm.oid = -1;
perm.gid = -1;

6
src/image/ImagePool.cc
View File

@ -21,6 +21,7 @@
#include "ImagePool.h"
#include "AuthManager.h"
#include "Nebula.h"
#include "PoolObjectAuth.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -295,6 +296,7 @@ void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar)
{
string source;
Image * img = 0;
PoolObjectAuth * perm = 0;
if (!(source = disk->vector_value("IMAGE")).empty())
{
@ -324,10 +326,10 @@ void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar)
return;
}
Permissions* perm = img->get_permissions();
perm = img->get_permissions();
img->unlock();
ar->add_auth(AuthRequest::IMAGE, AuthRequest::USE, perm);
img->unlock();
delete perm;
}

6
src/pool/PoolObjectSQL.cc
View File

@ -15,7 +15,7 @@
/* -------------------------------------------------------------------------- */
#include "PoolObjectSQL.h"
#include "AuthManager.h"
#include "PoolObjectAuth.h"
#include "SSLTools.h"
/* -------------------------------------------------------------------------- */
@ -246,9 +246,9 @@ int PoolObjectSQL::perms_from_xml()
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
Permissions* PoolObjectSQL::get_permissions()
PoolObjectAuth* PoolObjectSQL::get_permissions()
{
return new Permissions(this);
return new PoolObjectAuth(this);
}
/* -------------------------------------------------------------------------- */

2
src/rm/Request.cc
View File

@ -57,7 +57,7 @@ bool Request::basic_authorization(int oid,
RequestAttributes& att)
{
PoolObjectSQL * object;
Permissions * perms = 0;
PoolObjectAuth * perms = 0;
if ( att.uid == 0 )
{

4
src/rm/RequestManagerAllocate.cc
View File

@ -31,7 +31,7 @@ bool RequestManagerAllocate::allocate_authorization(Template * tmpl,
return true;
}
Permissions * perms = new Permissions();
PoolObjectAuth * perms = new PoolObjectAuth();
perms->uid = att.uid;
AuthRequest ar(att.uid, att.gid);
@ -71,7 +71,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl,
return true;
}
Permissions * perms = new Permissions;
PoolObjectAuth * perms = new PoolObjectAuth;
perms->uid = att.uid;
AuthRequest ar(att.uid, att.gid);

2
src/rm/RequestManagerVMTemplate.cc
View File

@ -28,7 +28,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
int rc, vid;
Permissions * perms;
PoolObjectAuth * perms;
Nebula& nd = Nebula::instance();
VirtualMachinePool* vmpool = nd.get_vmpool();

6
src/rm/RequestManagerVirtualMachine.cc
View File

@ -26,7 +26,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
RequestAttributes& att)
{
PoolObjectSQL * object;
Permissions * vm_perms;
PoolObjectAuth * vm_perms;
if ( att.uid == 0 )
{
@ -56,7 +56,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
if (hid != -1)
{
Permissions * host_perm = new Permissions();
PoolObjectAuth * host_perm = new PoolObjectAuth();
host_perm->oid = hid;
ar.add_auth(AuthRequest::HOST, AuthRequest::MANAGE, host_perm);
@ -65,7 +65,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid,
}
else if (tmpl != 0)
{
Permissions * image_perm;
PoolObjectAuth * image_perm = new PoolObjectAuth();
image_perm->uid = att.uid;
string t64;

4
src/scheduler/src/sched/Scheduler.cc
View File

@ -32,7 +32,7 @@
#include "Scheduler.h"
#include "RankPolicy.h"
#include "NebulaLog.h"
#include "PoolObjectSQL.h"
#include "PoolObjectAuth.h"
using namespace std;
@ -344,7 +344,7 @@ void Scheduler::match()
}
else
{
Permissions * host_perms = new Permissions();
PoolObjectAuth * host_perms = new PoolObjectAuth();
host_perms->oid = host->get_hid();
matched = acls->authorize(uid,

10
src/vnm/VirtualNetworkPool.cc
View File

@ -18,7 +18,7 @@
#include "UserPool.h"
#include "NebulaLog.h"
#include "Nebula.h"
#include "PoolObjectAuth.h"
#include "AuthManager.h"
#include <sstream>
#include <ctype.h>
@ -246,6 +246,7 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
{
string network;
VirtualNetwork * vnet = 0;
PoolObjectAuth * perm = 0;
if (!(network = nic->vector_value("NETWORK")).empty())
{
@ -265,7 +266,10 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
return;
}
ar->add_auth(AuthRequest::NET, AuthRequest::USE, vnet->get_permissions());
perm = vnet->get_permissions();
vnet->unlock();
ar->add_auth(AuthRequest::NET, AuthRequest::USE, perm);
delete perm;
}