Revision 3f0a7fc0

View differences:

src/rm/RequestManagerVirtualMachine.cc
643 643
{
644 644
    Nebula&             nd = Nebula::instance();
645 645
    DispatchManager *   dm = nd.get_dm();
646
    DatastorePool * dspool = nd.get_dspool();
646 647

  
647 648
    VirtualMachine * vm;
648 649

  
......
652 653
    int    cluster_id;
653 654
    string ds_location;
654 655
    bool   is_public_cloud;
655
    PoolObjectAuth host_perms;
656

  
657
    PoolObjectAuth host_perms, ds_perms;
658
    PoolObjectAuth * auth_ds_perms;
656 659

  
657 660
    string tm_mad;
658 661

  
......
691 694
    }
692 695

  
693 696
    // ------------------------------------------------------------------------
694
    // Authorize request
697
    // Get information about the system DS to use (tm_mad & permissions)
695 698
    // ------------------------------------------------------------------------
696 699

  
697
    auth = vm_authorization(id, 0, 0, att, &host_perms, 0, auth_op);
698

  
699
    if (auth == false)
700
    {
701
        return;
702
    }
703

  
704 700
    if ((vm = get_vm(id, att)) == 0)
705 701
    {
706 702
        return;
......
716 712

  
717 713
    vm->unlock();
718 714

  
719
    // ------------------------------------------------------------------------
720
    // Get information about the system DS to use (tm_mad)
721
    // ------------------------------------------------------------------------
722

  
723 715
    if (is_public_cloud) // Set ds_id to -1 and tm_mad empty(). This is used by
724 716
    {                    // by VirtualMachine::get_host_is_cloud()
725 717
        ds_id  = -1;
......
758 750
        }
759 751
    }
760 752

  
753
    if (ds_id == -1)
754
    {
755
       auth_ds_perms = 0;
756
    }
757
    else
758
    {
759
        Datastore * ds = dspool->get(ds_id, true);
760

  
761
        if (ds == 0 )
762
        {
763
            failure_response(NO_EXISTS,
764
                get_error(object_name(PoolObjectSQL::DATASTORE), ds_id),
765
                att);
766

  
767
            return;
768
        }
769

  
770
        ds->get_permissions(ds_perms);
771

  
772
        ds->unlock();
773

  
774
        auth_ds_perms = &ds_perms;
775
    }
776

  
777
    // ------------------------------------------------------------------------
778
    // Authorize request
779
    // ------------------------------------------------------------------------
780

  
781
    auth = vm_authorization(id, 0, 0, att, &host_perms, auth_ds_perms, auth_op);
782

  
783
    if (auth == false)
784
    {
785
        return;
786
    }
787

  
761 788
    // ------------------------------------------------------------------------
762 789
    // Check request consistency:
763 790
    // - VM States are right
src/scheduler/src/sched/Scheduler.cc
617 617
 *  @param vm the virtual machine
618 618
 *  @param vdisk vm requirement
619 619
 *  @param ds to evaluate vm assgiment
620
 *  @param n_auth number of ds authorized for the user, incremented if needed
620 621
 *  @param n_error number of requirement errors, incremented if needed
621 622
 *  @param n_matched number of system ds that fullfil VM sched_requirements
622 623
 *  @param n_fits number of system ds with capacity that fits the VM requirements
623 624
 *  @param error, string describing why the host is not valid
624 625
 *  @return true for a positive match
625 626
 */
626
static bool match_system_ds(VirtualMachineXML* vm, long long vdisk,
627
    DatastoreXML * ds, int& n_error, int& n_fits, int &n_matched, string &error)
627
static bool match_system_ds(AclXML * acls, VirtualMachineXML* vm, long long vdisk,
628
    DatastoreXML * ds, int& n_auth, int& n_error, int& n_fits, int &n_matched,
629
    string &error)
628 630
{
629 631
    // -------------------------------------------------------------------------
630 632
    // Check datastore capacity for shared systems DS (non-shared will be
......
639 641
    n_fits++;
640 642

  
641 643
    // -------------------------------------------------------------------------
644
    // Check if user is authorized
645
    // -------------------------------------------------------------------------
646
    if ( vm->get_uid() != 0 && vm->get_gid() != 0 )
647
    {
648
        PoolObjectAuth dsperms;
649

  
650
        dsperms.oid      = ds->get_oid();
651
        dsperms.cid      = ds->get_cid();
652
        dsperms.obj_type = PoolObjectSQL::DATASTORE;
653

  
654
        // Only include the VM group ID
655

  
656
        set<int> gids;
657
        gids.insert(vm->get_gid());
658

  
659
        if ( !acls->authorize(vm->get_uid(), gids, dsperms, AuthRequest::USE))
660
        {
661
            error = "Permission denied.";
662
            return false;
663
        }
664
    }
665

  
666
    n_auth++;
667

  
668
    // -------------------------------------------------------------------------
642 669
    // Evaluate VM requirements
643 670
    // -------------------------------------------------------------------------
644 671
    if (!vm->get_ds_requirements().empty())
......
840 867
        // ---------------------------------------------------------------------
841 868

  
842 869
        n_resources = 0;
870
        n_auth    = 0;
843 871
        n_matched = 0;
844 872
        n_error   = 0;
845 873
        n_fits    = 0;
......
848 876
        {
849 877
            ds = static_cast<DatastoreXML *>(h_it->second);
850 878

  
851
            if (match_system_ds(vm, vm_disk, ds, n_error, n_fits, n_matched, m_error))
879
            if (match_system_ds(acls, vm, vm_disk, ds, n_auth, n_error, n_fits,
880
                        n_matched, m_error))
852 881
            {
853 882
                vm->add_match_datastore(ds->get_oid());
854 883

  
......
890 919

  
891 920
                        vm->log(oss.str());
892 921
                    }
922
                    else if (n_auth == 0)
923
                    {
924
                        vm->log("User is not authorized to use any system datastore");
925
                    }
893 926
                    else if (n_fits == 0)
894 927
                    {
895 928
                        vm->log("No system datastore with enough capacity for the VM");

Also available in: Unified diff