Revision 1b6e38da

View differences:

include/AclManager.h
179 179
     *    @param user_req user/group id and flags
180 180
     *    @param resource_oid_req 64 bit request, ob. type and individual oid
181 181
     *    @param resource_gid_req 64 bit request, ob. type and group id
182
     *    @param resource_cid_req 64 bit request, ob. type and cluster id
182 183
     *    @param resource_all_req 64 bit request, ob. type and all flag
183 184
     *    @param rights_req Requested rights
184 185
     *    @param individual_obj_type Mask with ob. type and individual flags
185 186
     *    @param group_obj_type Mask with ob. type and group flags
187
     *    @param cluster_obj_type Mask with ob. type and cluster flags
186 188
     *    @param rules ACL rules to match
187 189
     *
188 190
     *    @return true if any rule grants permission
......
191 193
            long long user_req,
192 194
            long long resource_oid_req,
193 195
            long long resource_gid_req,
196
            long long resource_cid_req,
194 197
            long long resource_all_req,
195 198
            long long rights_req,
196 199
            long long individual_obj_type,
197 200
            long long group_obj_type,
201
            long long cluster_obj_type,
198 202
            multimap<long long, AclRule*> &rules);
199 203

  
200 204
    /**
......
204 208
     *    @param user_req user/group id and flags
205 209
     *    @param resource_oid_req 64 bit request, ob. type and individual oid
206 210
     *    @param resource_gid_req 64 bit request, ob. type and group id
211
     *    @param resource_cid_req 64 bit request, ob. type and cluster id
207 212
     *    @param resource_all_req 64 bit request, ob. type and all flag
208 213
     *    @param rights_req Requested rights
209 214
     *    @param individual_obj_type Mask with ob. type and individual flags
210 215
     *    @param group_obj_type Mask with ob. type and group flags
216
     *    @param cluster_obj_type Mask with ob. type and cluster flags
211 217
     *    @param tmp_rules Temporary map group of ACL rules
212 218
     *
213 219
     *    @return true if any rule grants permission
......
216 222
            long long user_req,
217 223
            long long resource_oid_req,
218 224
            long long resource_gid_req,
225
            long long resource_cid_req,
219 226
            long long resource_all_req,
220 227
            long long rights_req,
221 228
            long long individual_obj_type,
222 229
            long long group_obj_type,
230
            long long cluster_obj_type,
223 231
            multimap<long long, AclRule*> &tmp_rules);
224 232

  
225 233
    /**
include/AclRule.h
40 40
    static const long long GROUP_ID;
41 41

  
42 42
    static const long long ALL_ID;
43

  
44
    static const long long CLUSTER_ID;
43 45
    // ------------------------------------------------------------------------
44 46

  
45 47
    /**
include/PoolObjectAuth.h
34 34
        oid(-1),
35 35
        uid(-1),
36 36
        gid(-1),
37
        cid(-1),
37 38
        owner_u(1),
38 39
        owner_m(1),
39 40
        owner_a(0),
......
60 61
    int oid;
61 62
    int uid;
62 63
    int gid;
64
    int cid;
63 65

  
64 66
    int owner_u;
65 67
    int owner_m;
src/acl/AclManager.cc
168 168
        resource_gid_req = AclRule::NONE_ID;
169 169
    }
170 170

  
171
    long long resource_cid_req;
172

  
173
    if ( obj_perms.cid >= 0 )
174
    {
175
        resource_cid_req = obj_perms.obj_type |
176
                           AclRule::CLUSTER_ID |
177
                           obj_perms.cid;
178
    }
179
    else
180
    {
181
        resource_cid_req = AclRule::NONE_ID;
182
    }
183

  
171 184
    long long resource_all_req  = obj_perms.obj_type | AclRule::ALL_ID;
172 185
    long long rights_req        = op;
173 186

  
......
179 192
                                  AclRule::GROUP_ID |
180 193
                                  0x00000000FFFFFFFFLL;
181 194

  
195
    long long resource_cid_mask = obj_perms.obj_type |
196
                                  AclRule::CLUSTER_ID |
197
                                  0x00000000FFFFFFFFLL;
198

  
182 199
    // Create a temporal rule, to log the request
183 200
    long long log_resource;
184 201

  
......
190 207
    {
191 208
        log_resource = resource_gid_req;
192 209
    }
210
    else if ( obj_perms.cid >= 0 )
211
    {
212
        log_resource = resource_cid_req;
213
    }
193 214
    else
194 215
    {
195 216
        log_resource = resource_all_req;
......
226 247
    auth     = match_rules_wrapper(user_req,
227 248
                                   resource_oid_req,
228 249
                                   resource_gid_req,
250
                                   resource_cid_req,
229 251
                                   resource_all_req,
230 252
                                   rights_req,
231 253
                                   resource_oid_mask,
232 254
                                   resource_gid_mask,
255
                                   resource_cid_mask,
233 256
                                   tmp_rules);
234 257
    if ( auth == true )
235 258
    {
......
244 267
    auth     = match_rules_wrapper(user_req,
245 268
                                   resource_oid_req,
246 269
                                   resource_gid_req,
270
                                   resource_cid_req,
247 271
                                   resource_all_req,
248 272
                                   rights_req,
249 273
                                   resource_oid_mask,
250 274
                                   resource_gid_mask,
275
                                   resource_cid_mask,
251 276
                                   tmp_rules);
252 277
    if ( auth == true )
253 278
    {
......
262 287
    auth     = match_rules_wrapper(user_req,
263 288
                                   resource_oid_req,
264 289
                                   resource_gid_req,
290
                                   resource_cid_req,
265 291
                                   resource_all_req,
266 292
                                   rights_req,
267 293
                                   resource_oid_mask,
268 294
                                   resource_gid_mask,
295
                                   resource_cid_mask,
269 296
                                   tmp_rules);
270 297
    if ( auth == true )
271 298
    {
......
285 312
        long long user_req,
286 313
        long long resource_oid_req,
287 314
        long long resource_gid_req,
315
        long long resource_cid_req,
288 316
        long long resource_all_req,
289 317
        long long rights_req,
290 318
        long long individual_obj_type,
291 319
        long long group_obj_type,
320
        long long cluster_obj_type,
292 321
        multimap<long long, AclRule*> &tmp_rules)
293 322
{
294 323
    bool auth = false;
......
298 327
            user_req,
299 328
            resource_oid_req,
300 329
            resource_gid_req,
330
            resource_cid_req,
301 331
            resource_all_req,
302 332
            rights_req,
303 333
            individual_obj_type,
304 334
            group_obj_type,
335
            cluster_obj_type,
305 336
            tmp_rules);
306 337

  
307 338
    if ( auth == true )
......
316 347
            user_req,
317 348
            resource_oid_req,
318 349
            resource_gid_req,
350
            resource_cid_req,
319 351
            resource_all_req,
320 352
            rights_req,
321 353
            individual_obj_type,
322 354
            group_obj_type,
355
            cluster_obj_type,
323 356
            acl_rules);
324 357

  
325 358
    unlock();
......
334 367
        long long user_req,
335 368
        long long resource_oid_req,
336 369
        long long resource_gid_req,
370
        long long resource_cid_req,
337 371
        long long resource_all_req,
338 372
        long long rights_req,
339 373
        long long resource_oid_mask,
340 374
        long long resource_gid_mask,
375
        long long resource_cid_mask,
341 376
        multimap<long long, AclRule*> &rules)
342 377

  
343 378
{
......
370 405
            ||
371 406
            // Or rule's object type and individual object ID match
372 407
            ( ( it->second->resource & resource_oid_mask ) == resource_oid_req )
408
            ||
409
            // Or rule's object type and cluster object ID match
410
            ( ( it->second->resource & resource_cid_mask ) == resource_cid_req )
373 411
          );
374 412

  
375 413
        if ( auth == true )
src/acl/AclRule.cc
24 24
const long long AclRule::INDIVIDUAL_ID  = 0x0000000100000000LL;
25 25
const long long AclRule::GROUP_ID       = 0x0000000200000000LL;
26 26
const long long AclRule::ALL_ID         = 0x0000000400000000LL;
27
const long long AclRule::CLUSTER_ID     = 0x0000000800000000LL;
27 28

  
28 29
const long long AclRule::NONE_ID        = 0x1000000000000000LL;
29 30

  
......
122 123

  
123 124
    // Check resource
124 125

  
125
    if ( (resource & INDIVIDUAL_ID) != 0 && (resource & GROUP_ID) != 0 )
126
    if ( ( (resource & INDIVIDUAL_ID) != 0 && (resource & 0xF00000000LL) != INDIVIDUAL_ID ) ||
127
         ( (resource & GROUP_ID)      != 0 && (resource & 0xF00000000LL) != GROUP_ID ) ||
128
         ( (resource & CLUSTER_ID)    != 0 && (resource & 0xF00000000LL) != CLUSTER_ID ) ||
129
         ( (resource & ALL_ID)        != 0 && (resource & 0xF00000000LL) != ALL_ID )
130
        )
126 131
    {
127 132
        if ( error )
128 133
        {
......
130 135
        }
131 136

  
132 137
        error = true;
133
        oss << "[resource] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
138
        oss << "[resource] INDIVIDUAL (#), GROUP (@), CLUSTER (%) "
139
            << "and ALL (*) bits are exclusive";
134 140
    }
135 141

  
136
    if ( (resource & INDIVIDUAL_ID) != 0 && (resource & ALL_ID) != 0 )
142
    if ( (resource & 0xF00000000LL) == 0 )
137 143
    {
138 144
        if ( error )
139 145
        {
......
141 147
        }
142 148

  
143 149
        error = true;
144
        oss << "[resource] INDIVIDUAL (#) and ALL (*) bits are exclusive";
145
    }
146

  
147
    if ( (resource & GROUP_ID) != 0 && (resource & ALL_ID) != 0 )
148
    {
149
        if ( error )
150
        {
151
            oss << "; ";
152
        }
153

  
154
        error = true;
155
        oss << "[resource] GROUP (@) and ALL (*) bits are exclusive";
156
    }
157

  
158
    if ( (resource & 0x700000000LL) == 0 )
159
    {
160
        if ( error )
161
        {
162
            oss << "; ";
163
        }
164

  
165
        error = true;
166
        oss << "[resource] is missing one of the INDIVIDUAL, GROUP or ALL bits";
150
        oss << "[resource] is missing one of the INDIVIDUAL, GROUP, CLUSTER or ALL bits";
167 151
    }
168 152

  
169 153
    if ( resource_id() < 0 )
......
294 278
    {
295 279
        oss << "#" << resource_id();
296 280
    }
281
    else if ( (resource & CLUSTER_ID) != 0 )
282
    {
283
        oss << "%" << resource_id();
284
    }
297 285
    else if ( (resource & ALL_ID) != 0 )
298 286
    {
299 287
        oss << "*";
src/pool/PoolObjectSQL.cc
17 17
#include "PoolObjectSQL.h"
18 18
#include "PoolObjectAuth.h"
19 19
#include "SSLTools.h"
20
#include "Clusterable.h"
20 21

  
21 22
/* -------------------------------------------------------------------------- */
22 23
/* -------------------------------------------------------------------------- */
......
260 261
    auth.other_u = other_u;
261 262
    auth.other_m = other_m;
262 263
    auth.other_a = other_a;
264

  
265
    Clusterable* cl = dynamic_cast<Clusterable*>(this);
266

  
267
    if(cl != 0)
268
    {
269
        auth.cid = cl->get_cluster_id();
270
    }
263 271
}
264 272

  
265 273
/* -------------------------------------------------------------------------- */

Also available in: Unified diff