Feature #687

Implement an ACL engine

Added by Carlos Martín over 9 years ago. Updated over 9 years ago.

Status: Closed
Start date: 06/17/2011
Priority: Normal
Due date:
Assignee: Ruben S. Montero
% Done: 0%
Category: Core & System
Target version: Release 3.0
Resolution: fixed
Pull request:

Description

This feature will provide an ACL engine to authorize operations.

Each ACL rule will be formed by USER, RESOURCE, RIGHTS.

  • USER can be defined by User or Group ID.
  • RESOURCE is a Type and Object or Group ID.
  • RIGHTS is a list of allowed actions.

This is what an ACL may look like:

USER    RESOURCE    RIGHTS
#4      VM/#8       INFO+MANAGE+DELETE
@6      VNET/@6     INFO+USE
@6      HOST/*      USE
*       HOST/#0     USE

Here #ID is an individual User or Resource ID, @ID is a group ID, and * is a wildcard matching any User or Resource.
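As an added worked example (not part of this ticket and not OpenNebula's own AclRule/AclManager code), the following C++ matcher parses rules in the USER RESOURCE RIGHTS format above and evaluates authorization requests against them. The evaluation policy (any matching rule grants, nothing matching denies), the Request fields and all function names are assumptions of this example; the rules embedded in sample_rules() are the four from the table above.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Illustrative ACL matcher for the USER RESOURCE RIGHTS rule format described
// in the ticket. Example code, not OpenNebula's AclRule/AclManager; the
// evaluation policy (any matching rule grants, otherwise deny) is an
// assumption made here.

enum class Scope { Id, Group, Any };   // "#ID", "@ID" or "*"

struct Subject {
    Scope scope;
    int id;                            // unused when scope == Any
};

struct Rule {
    Subject user;
    std::string type;                  // resource type, e.g. "VM", "HOST"
    Subject object;
    std::set<std::string> rights;      // e.g. {"INFO", "MANAGE", "DELETE"}
};

struct Request {                       // assumed shape of an authorization request
    int uid;
    std::vector<int> gids;             // every group the user belongs to
    std::string type;
    int oid;
    int ogid;                          // group that owns the object
    std::string op;                    // right being exercised
};

// Parses "#4", "@6" or "*". Rejects anything else, including "#" with no digits.
static bool parse_subject(const std::string& s, Subject& out) {
    if (s == "*") { out = {Scope::Any, -1}; return true; }
    if (s.size() < 2 || (s[0] != '#' && s[0] != '@')) return false;
    for (size_t i = 1; i < s.size(); ++i)
        if (!std::isdigit(static_cast<unsigned char>(s[i]))) return false;
    out.scope = (s[0] == '#') ? Scope::Id : Scope::Group;
    out.id = std::stoi(s.substr(1));
    return true;
}

// Parses one rule line such as "@6 VNET/@6 INFO+USE"; false on malformed input.
bool parse_rule(const std::string& line, Rule& rule) {
    std::istringstream in(line);
    std::string user, resource, rights;
    if (!(in >> user >> resource >> rights)) return false;
    if (!parse_subject(user, rule.user)) return false;

    size_t slash = resource.find('/');
    if (slash == std::string::npos || slash == 0) return false;
    rule.type = resource.substr(0, slash);
    if (!parse_subject(resource.substr(slash + 1), rule.object)) return false;

    rule.rights.clear();
    std::istringstream rs(rights);
    std::string r;
    while (std::getline(rs, r, '+')) {
        if (r.empty()) return false;   // empty token, e.g. "+INFO" or "INFO++USE"
        rule.rights.insert(r);
    }
    return !rule.rights.empty();
}

static bool user_matches(const Subject& s, const Request& q) {
    switch (s.scope) {
        case Scope::Any:   return true;
        case Scope::Id:    return s.id == q.uid;
        case Scope::Group: return std::find(q.gids.begin(), q.gids.end(), s.id) != q.gids.end();
    }
    return false;
}

static bool object_matches(const Subject& s, const Request& q) {
    switch (s.scope) {
        case Scope::Any:   return true;
        case Scope::Id:    return s.id == q.oid;
        case Scope::Group: return s.id == q.ogid;   // rule @ID vs. the object's owning group
    }
    return false;
}

// Default deny: authorized only if some rule covers user, resource and right.
bool authorize(const std::vector<Rule>& rules, const Request& q) {
    for (const Rule& r : rules)
        if (r.type == q.type && user_matches(r.user, q) &&
            object_matches(r.object, q) && r.rights.count(q.op) > 0)
            return true;
    return false;
}

// The four sample rules from the ticket description, embedded here as input.
std::vector<Rule> sample_rules() {
    const char* lines[] = {"#4 VM/#8 INFO+MANAGE+DELETE", "@6 VNET/@6 INFO+USE",
                           "@6 HOST/* USE", "* HOST/#0 USE"};
    std::vector<Rule> rules;
    for (const char* l : lines) {
        Rule r;
        if (parse_rule(l, r)) rules.push_back(r);
    }
    return rules;
}

bool is_valid_rule(const std::string& line) { Rule r; return parse_rule(line, r); }

// Convenience wrapper: evaluate one request against the sample ACL.
bool sample_check(int uid, const std::vector<int>& gids, const std::string& type,
                  int oid, int ogid, const std::string& op) {
    return authorize(sample_rules(), Request{uid, gids, type, oid, ogid, op});
}

int main() {
    std::cout << "user 4 DELETE VM 8: "
              << (sample_check(4, {1}, "VM", 8, 1, "DELETE") ? "allowed" : "denied") << "\n";
    std::cout << "user 7 (group 6) USE VNET 3 owned by group 2: "
              << (sample_check(7, {6}, "VNET", 3, 2, "USE") ? "allowed" : "denied") << "\n";
    return 0;
}
```

Note how the group rule "@6 VNET/@6 INFO+USE" is evaluated on both sides: the @6 in USER is checked against the requesting user's group list, while the @6 in RESOURCE is checked against the object's owning group, so a VNET owned by another group stays denied even to group 6 members.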

Attachment: 0001-Feature-687-Add-the-group-of-new-objects-to-be-creat.patch (2.11 KB) Carlos Martín, 07/01/2011 08:43 AM

Associated revisions

Revision bfaabf35
Added by Carlos Martín over 9 years ago

Feature #687: Start work on ACL rules

Revision 94d1615e
Added by Carlos Martín over 9 years ago

Feature #687: Store acl rules in a multimap. Add error messages when adding/deleting a wrong rule

Revision c1a0fa6f
Added by Carlos Martín over 9 years ago

Feature #687: Add DB persistence to ACL rules

Revision 99088df9
Added by Carlos Martín over 9 years ago

Feature #687: Move acl classes to their own source dir

Revision 2da4877c
Added by Carlos Martín over 9 years ago

Feature #687: AuthRequest::add_auth extracts the object int id only if it is not a string template

Revision 05ea353f
Added by Carlos Martín over 9 years ago

Feature #687: ACL rules now check the object's group

Revision 303db36d
Added by Carlos Martín over 9 years ago

Feature #687: ACL Manager looks for rules that apply to any of the user's groups

Revision 773f5f08
Added by Carlos Martín over 9 years ago

Feature #687: Remove unneeded operators in AclRule

Revision 85fa48e6
Added by Carlos Martín over 9 years ago

Feature #687: Change the way the rule string representation is built

Revision 8d4fec64
Added by Tino Vázquez over 9 years ago

feature #687: Add Rule class in OCA

Revision 84f874bf
Added by Carlos Martín over 9 years ago

Feature #687: Add correctness check for new rules

Revision 165a8fb7
Added by Carlos Martín over 9 years ago

Feature #687: Add oid to ACL Rules, one.acl.delrule now expects that ID. Modify XML to look similar to a pool

Revision 3a321321
Added by Tino Vázquez over 9 years ago

feature #687: Human readable output for oneacl list

Revision 759d05c2
Added by Carlos Martín over 9 years ago

Feature #687: Remove duplicated search test in AclManager::add_rule

Revision 42ae602e
Added by Carlos Martín over 9 years ago

Feature #687: Add missing CLI files to install.sh

Revision 8e33e4cd
Added by Ruben S. Montero over 9 years ago

feature #687: Resources now store the name of the owner and the group

Revision 348e0aae
Added by Carlos Martín over 9 years ago

Feature #687: Add mutex to AclManager

Revision 7520a50d
Added by Carlos Martín over 9 years ago

Feature #687: Add correctness check for ACL rule rights

Revision 255c8ff8
Added by Ruben S. Montero over 9 years ago

feature #687: user and group name are now stored in XML descriptions

Revision f2f9c267
Added by Carlos Martín over 9 years ago

Feature #687: Let users in the oneadmin group manage ACL rules

Revision 19d3db12
Added by Tino Vázquez over 9 years ago

Feature #687: ACL string syntax for oneacl

Revision d8139465
Added by Carlos Martín over 9 years ago

Feature #687: Add method AclRule::from_xml

Revision bc29eaca
Added by Carlos Martín over 9 years ago

Feature #687: Let users use and see public objects in their group

Revision 5ae5d853
Added by Carlos Martín over 9 years ago

Feature #687: Let users in the oneadmin group perform any operation, instead of only manage ACL rules

Revision dc0a1edf
Added by Carlos Martín over 9 years ago

Feature #687: Better handling of requests that don't have oid or gid

Revision 1b656b3b
Added by Carlos Martín over 9 years ago

Feature #687: Additional check for new ACL rules

Revision 32a7699c
Added by Carlos Martín over 9 years ago

Feature #687: Fix oneacl delete

Revision 27288cfc
Added by Carlos Martín over 9 years ago

Feature #687: Better default rules in AuthManager, takes into account the object's owner

Revision 2b90f023
Added by Carlos Martín over 9 years ago

Feature #687: Bug in RequestManagerPoolInfoFilter: each request has a different operation, they can't share the common auth_op attribute

Revision c1ff6fe3
Added by Carlos Martín over 9 years ago

Feature #687: Remove trailing spaces

Revision a091e52f
Added by Ruben S. Montero over 9 years ago

feature #687: Redo of commit 2b90f0237700bb5da0ef6603d66dc832cd6abd12

Revision 896385e7
Added by Carlos Martín over 9 years ago

Feature #687: Fix oneacl addrule parser

Revision ff7e7920
Added by Ruben S. Montero over 9 years ago

feature #687: Scheduler uses the new filter function

Revision 95cc8c31
Added by Ruben S. Montero over 9 years ago

feature #687: Potential access to freed memory in Object_XML::get_nodes. Nodes must be disposed when not needed by the calling function

Revision 72a26d47
Added by Ruben S. Montero over 9 years ago

feature #687: Made ObjectCollection::from_xml_node more efficient

Revision 9c46bb41
Added by Ruben S. Montero over 9 years ago

feature #687: The scheduler now loads the pool of users

Revision 2a122167
Added by Ruben S. Montero over 9 years ago

feature #687: UserXML for the Scheduler

Revision facdf350
Added by Ruben S. Montero over 9 years ago

feature #687: Place holder for ACL integration ready

Revision c844ccb2
Added by Ruben S. Montero over 9 years ago

feature #687: Comments and formatting for AclRule. Removed unneeded includes

Revision 84a19e69
Added by Ruben S. Montero over 9 years ago

feature #687: Minor changes in the ACL module

Revision d60c9834
Added by Ruben S. Montero over 9 years ago

feature #687: DeleteRule returns the oid of the rule. AclManager initialized in constructor

Revision 1e9050a8
Added by Ruben S. Montero over 9 years ago

feature #687: Fix compilation for pool tests

Revision 655d9f4a
Added by Ruben S. Montero over 9 years ago

feature #687: Fixes tests after UNAME/GNAME elements were added

Revision 2d46c598
Added by Carlos Martín over 9 years ago

Feature #687: Fix segmentation fault, making the RM the last manager to be initialized

Revision 90b6004c
Added by Carlos Martín over 9 years ago

Feature #687: Fix wrong ACL rule matching

Revision 0f1458a3
Added by Hector Sanjuan over 9 years ago

Feature #687: Several sunstone fixes:

Fixed UNAME / GNAME new elements.
Added user addgroup, chgrp, delgroup operations.
Improved template update dialog.

Revision b9eae8bf
Added by Carlos Martín over 9 years ago

Feature #687: Bring back the pub flag to the auth. string, deleted in 84a19e69

Revision 3db9d556
Added by Carlos Martín over 9 years ago

Feature #687: Add the ACL Manager to the test Nebula class

Revision 17701960
Added by Carlos Martín over 9 years ago

Feature #687: Make AuthManagerTest use the NebulaTest class

Revision 4173fbd4
Added by Carlos Martín over 9 years ago

Feature #687: Fix template tests for UNAME/GNAME, this continues 655d9f4a

Revision 2449b2cd
Added by Carlos Martín over 9 years ago

Feature #687: Bug in ACL rule matching, it was missing a mask

Revision e65f80a1
Added by Carlos Martín over 9 years ago

Feature #687: Bug in one.*.poolinfo xml-rpc methods, wrong WHERE clause

Revision 27e04919
Added by Carlos Martín over 9 years ago

Feature #687: Add a default ACL rule at bootstrap

Revision 2e9ed0cc
Added by Ruben S. Montero over 9 years ago

feature #687: Removed unused ObjectXML method

Revision d850f692
Added by Ruben S. Montero over 9 years ago

feature #687: AclManager can now be rebuilt from an xml string

Revision 90fc30f6
Added by Carlos Martín over 9 years ago

Feature #687: Change Auth. unit test to report the object groups

Revision 37f0700a
Added by Ruben S. Montero over 9 years ago

feature #687: Added an ACL Manager to the Scheduler. The ACL is base class for the new one

Revision 5801e9c5
Added by Ruben S. Montero over 9 years ago

feature #687: The scheduler checks user authorization for the host. Log messages for filtered hosts

Revision 3ff70fab
Added by Ruben S. Montero over 9 years ago

feature #687: oneadmin user and group can use any host

Revision bd290d8d
Added by Ruben S. Montero over 9 years ago

feature #687: Pass user groups by reference

Revision 076ebcfa
Added by Carlos Martín over 9 years ago

Feature #687: Change the default ACL rule creation

Revision 43e44040
Added by Carlos Martín over 9 years ago

Feature #687: Refactor Acl and AclPool ruby OCA classes to follow the common Pool/PoolElement structure

Revision 23928a45
Added by Carlos Martín over 9 years ago

Feature #687: remove trailing spaces in oneacl_helper.rb

Revision e33ed54c
Added by Carlos Martín over 9 years ago

Feature #687: Bug in Acl rule string parsing

Revision 02d12de7
Added by Tino Vázquez over 9 years ago

feature #687: Fix bug in oneacl_helper

History

#1 Updated by Carlos Martín over 9 years ago

Right now an ACL can grant CREATE rights to some users, and that applies to new objects in any group.
I'm attaching a patch, maybe in the future we'll want to limit the group where the user can create those new objects.

#2 Updated by Ruben S. Montero over 9 years ago

  • Status changed from New to Closed
  • Resolution set to fixed
