Feature #687
Implement an ACL engine
| Status: | Closed | Start date: | 06/17/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Ruben S. Montero | % Done: | 0% |
| Category: | Core & System | | |
| Target version: | Release 3.0 | | |
| Resolution: | fixed | Pull request: | |
Description
This campaign will provide an ACL engine to authorize operations.
Each ACL rule will be formed by three parts: USER, RESOURCE and RIGHTS.
- USER is defined by a User ID or a Group ID.
- RESOURCE is a resource Type together with an Object ID or a Group ID.
- RIGHTS is a list of allowed actions.
This is what an ACL may look like:

| USER | RESOURCE | RIGHTS |
|---|---|---|
| #4 | VM/#8 | INFO+MANAGE+DELETE |
| @6 | VNET/@6 | INFO+USE |
| @6 | HOST/* | USE |
| * | HOST/#0 | USE |

Where #ID is an individual User or Resource ID, @ID is a group one, and * is a wildcard for any User/Resource.
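As an added illustration (not OpenNebula's own code), a small Python matcher that parses the rules above and evaluates a request against them with the semantics described: the user matches by ID or by any of the user's groups, the resource by type plus object ID or object group, and the action must be in the rights list. The request fields (uid, user group IDs, type, object ID, object group, action) are assumptions about how a request is represented.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    user: str          # '#ID' user, '@ID' group, or '*' for any user
    rtype: str         # resource type: VM, VNET, HOST, ...
    resource: str      # '#ID' object, '@ID' object group, or '*' for any
    rights: frozenset  # allowed actions, e.g. {'INFO', 'USE'}

def _check_spec(spec):
    # Correctness check: a spec is '*' or a '#'/'@' prefix plus a number.
    if spec == '*' or (spec[:1] in '#@' and spec[1:].isdigit()):
        return spec
    raise ValueError(f"malformed ACL spec: {spec!r}")

def parse_rule(line):
    # One rule per line: USER RESOURCE RIGHTS, e.g. '@6 VNET/@6 INFO+USE'
    user, res, rights = line.split()
    rtype, target = res.split('/', 1)
    return Rule(_check_spec(user), rtype, _check_spec(target),
                frozenset(rights.split('+')))

def _matches(spec, oid, gid_set):
    # '#n' must equal the id; '@n' must be one of the group ids; '*' is any.
    if spec == '*':
        return True
    if spec[0] == '#':
        return int(spec[1:]) == oid
    return int(spec[1:]) in gid_set

def authorize(rules, uid, user_gids, rtype, oid, obj_gid, action):
    """Default deny: grant only if some rule matches the user (by id or any of
    their groups), the resource type, the object (by id or group) and the action."""
    return any(
        r.rtype == rtype
        and action in r.rights
        and _matches(r.user, uid, set(user_gids))
        and _matches(r.resource, oid, {obj_gid})
        for r in rules
    )

# Constructed sample: the four rules from the feature description.
SAMPLE_ACL = """\
#4 VM/#8 INFO+MANAGE+DELETE
@6 VNET/@6 INFO+USE
@6 HOST/* USE
* HOST/#0 USE
"""
RULES = [parse_rule(line) for line in SAMPLE_ACL.splitlines()]
```

Note that the resource type is compared on every rule, so a VM rule never grants anything on a VNET with the same object ID; comparing only the ID is the kind of matching bug the revision list below records.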
Associated revisions
Feature #687: Start work on ACL rules
Feature #687: Store acl rules in a multimap. Add error messages when adding/deleting a wrong rule
Feature #687: Add DB persistence to ACL rules
Feature #687: Move acl classes to their own source dir
Feature #687: AuthRequest::add_auth extracts the object int id only if it is not a string template
Feature #687: ACL rules now check the object's group
Feature #687: ACL Manager looks for rules that apply to any of the user's groups
Feature #687: Remove unneeded operators in AclRule
Feature #687: Change the way the rule string representation is built
feature #687: Add Rule class in OCA
Feature #687: Add correctness check for new rules
Feature #687: Add oid to ACL Rules, one.acl.delrule now expects that ID. Modify XML to look similar to a pool
feature #687: Human readable output for oneacl list
Feature #687: Remove duplicated search test in AclManager::add_rule
Feature #687: Add missing CLI files to install.sh
feature #687: Resources now store the name of the owner and the group
Feature #687: Add mutex to AclManager
Feature #687: Add correctness check for ACL rule rights
feature #687: user and group name are now stored in XML descriptions
Feature #687: Let users in the oneadmin group manage ACL rules
Feature #687: ACL string syntax for oneacl
Feature #687: Add method AclRule::from_xml
Feature #687: Let users use and see public objects in their group
Feature #687: Let users in the oneadmin group perform any operation, instead of only manage ACL rules
Feature #687: Better handling of requests that don't have oid or gid
Feature #687: Additional check for new ACL rules
Feature #687: Fix oneacl delete
Feature #687: Better default rules in AuthManager, takes into account the object's owner
Feature #687: Bug in RequestManagerPoolInfoFilter: each request has a different operation, they can't share the common auth_op attribute
Feature #687: Remove trailing spaces
feature #687: Redo of commit 2b90f0237700bb5da0ef6603d66dc832cd6abd12
Feature #687: Fix oneacl addrule parser
feature #687: Scheduler uses the new filter function
feature #687: Potential access to freed memory in Object_XML::get_nodes. Nodes must be disposed when not needed by the calling function
feature #687: Made ObjectCollection::from_xml_node more efficient
feature #687: The scheduler now loads the pool of users
feature #687: UserXML for the Scheduler
feature #687: Place holder for ACL integration ready
feature #687: Comments and formatting for AclRule. Removed unneeded includes
feature #687: Minor changes in the ACL module
feature #687: DeleteRule returns the oid of the rule. AclManager initialized in constructor
feature #687: Fix compilation for pool tests
feature #687: Fixes tests after UNAME/GNAME elements were added
Feature #687: Fix segmentation fault, making the RM the last manager to be initialized
Feature #687: Fix wrong ACL rule matching
Feature #687: Several sunstone fixes:
Fixed UNAME / GNAME new elements.
Added user addgroup, chgrp, delgroup operations.
Improved template update dialog.
Feature #687: Add the ACL Manager to the test Nebula class
Feature #687: Make AuthManagerTest use the NebulaTest class
Feature #687: Bug in ACL rule matching, it was missing a mask
Feature #687: Bug in one.*.poolinfo xml-rpc methods, wrong WHERE clause
Feature #687: Add a default ACL rule at bootstrap
feature #687: Removed unused ObjectXML method
feature #687: AclManager can now be rebuilt from an xml string
Feature #687: Change Auth. unit test to report the object groups
feature #687: Added an ACL Manager to the Scheduler. The ACL is base class for the new one
feature #687: The scheduler checks user authorization for the host. Log messages for filtered hosts
feature #687: oneadmin user and group can use any host
feature #687: Pass user groups by reference
Feature #687: Change the default ACL rule creation
Feature #687: Refactor Acl and AclPool ruby OCA classes to follow the common Pool/PoolElement structure
Feature #687: remove trailing spaces in oneacl_helper.rb
Feature #687: Bug in Acl rule string parsing
feature #687: Fix bug in oneacl_helper
History
#1 Updated by Carlos Martín about 10 years ago
Right now an ACL can grant CREATE rights to some users, and that applies to new objects in any group.
I'm attaching a patch, maybe in the future we'll want to limit the group where the user can create those new objects.
#2 Updated by Ruben S. Montero almost 10 years ago
- Status changed from New to Closed
- Resolution set to fixed