Implement an ACL engine
Assignee: Ruben S. Montero
Category: Core & System
Target version: Release 3.0
This campaign will provide an ACL engine to authorize operations.
Each ACL rule will be formed by USER, RESOURCE, RIGHTS.
- USER can be defined by User or Group ID.
- RESOURCE is a Type and Object or Group ID.
- RIGHTS is a list of allowed actions.
This is what an ACL may look like:
USER  RESOURCE  RIGHTS
#4    VM/#8     INFO+MANAGE+DELETE
@6    VNET/@6   INFO+USE
@6    HOST/*    USE
*     HOST/#0   USE
Where #ID is an individual User or Resource ID, @ID is a group one, and * is a wildcard for any User/Resource.
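To make the rule semantics concrete, here is an added example (not OpenNebula's own AclManager code) that parses rules in the USER RESOURCE RIGHTS format above and answers authorization requests with a default-deny policy. It assumes a user is identified by a uid plus a set of group ids (a hypothetical simplification), and that an object carries a type, an id and a group id.

```python
from dataclasses import dataclass

# Constructed sample ACL in the USER RESOURCE RIGHTS format described above.
SAMPLE_ACL = """\
#4 VM/#8 INFO+MANAGE+DELETE
@6 VNET/@6 INFO+USE
@6 HOST/* USE
* HOST/#0 USE
"""

@dataclass(frozen=True)
class AclRule:
    user: str          # "#<uid>", "@<gid>" or "*"
    rtype: str         # resource type, e.g. "VM", "VNET", "HOST"
    target: str        # "#<oid>", "@<gid>" or "*"
    rights: frozenset  # allowed actions, e.g. {"INFO", "MANAGE"}

def _check_id_token(tok: str) -> None:
    """Accept only '*', '#<digits>' or '@<digits>'; reject anything else."""
    if tok == "*" or (tok[:1] in "#@" and tok[1:].isdigit()):
        return
    raise ValueError(f"malformed USER/RESOURCE id token {tok!r}")

def parse_acl(text: str) -> list:
    """Parse one rule per line; a malformed rule raises instead of being ignored."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, resource, rights = line.split()
        rtype, target = resource.split("/", 1)
        _check_id_token(user)
        _check_id_token(target)
        rules.append(AclRule(user, rtype, target, frozenset(rights.split("+"))))
    return rules

def _matches(token: str, oid: int, gids: set) -> bool:
    """'*' matches anything, '#n' an individual id, '@n' a group id."""
    if token == "*":
        return True
    if token.startswith("#"):
        return int(token[1:]) == oid
    return int(token[1:]) in gids

def authorize(rules, uid, user_gids, action, obj_type, obj_id, obj_gid) -> bool:
    """Default deny: grant only if some rule covers user, resource and action."""
    for r in rules:
        if (r.rtype == obj_type and action in r.rights
                and _matches(r.user, uid, user_gids)
                and _matches(r.target, obj_id, {obj_gid})):
            return True
    return False
```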
Feature #687: Store acl rules in a multimap. Add error messages when adding/deleting a wrong rule
Feature #687: AuthRequest::add_auth extracts the object int id only if it is not a string template
Feature #687: Add oid to ACL Rules, one.acl.delrule now expects that ID. Modify XML to look similar to a pool
Feature #687: Let users in the oneadmin group perform any operation, instead of only manage ACL rules
Feature #687: Better default rules in AuthManager, takes into account the object's owner
Feature #687: Bug in RequestManagerPoolInfoFilter: each request has a different operation, they can't share the common auth_op attribute
feature #687: Potential access to freed memory in Object_XML::get_nodes. Nodes must be disposed when not needed by the calling function
feature #687: DeleteRule returns the oid of the rule. AclManager initialized in constructor
Feature #687: Fix segmentation fault, making the RM the last manager to be initialized
Feature #687: Several sunstone fixes:
- Fixed UNAME / GNAME new elements.
- Added user addgroup, chgrp, delgroup operations.
- Improved template update dialog.
feature #687: Added an ACL Manager to the Scheduler. The ACL is base class for the new one
feature #687: The scheduler checks user authorization for the host. Log messages for filtered hosts
Feature #687: Refactor Acl and AclPool ruby OCA classes to follow the common Pool/PoolElement structure
#1 Updated by Carlos Martín over 9 years ago
Right now an ACL can grant CREATE rights to some users, and that applies to new objects in any group.
I'm attaching a patch, maybe in the future we'll want to limit the group where the user can create those new objects.