Revision bfaabf35

View differences:

include/AclManager.h
1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

  
17
#ifndef ACL_MANAGER_H_
18
#define ACL_MANAGER_H_
19

  
20
#include <set>
21

  
22
#include "AuthManager.h"
23
#include "AclRule.h"
24

  
25
using namespace std;
26

  
27
class AclManager : public ObjectSQL
28
{
29
public:
30
    AclManager(){};
31

  
32
    /* ---------------------------------------------------------------------- */
33
    /* Rule management                                                        */
34
    /* ---------------------------------------------------------------------- */
35

  
36
    bool authorize(int uid, const set<int> &user_groups,
37
            AuthRequest::Object obj_type, int obj_id, int obj_gid,
38
            AuthRequest::Operation op);
39

  
40
    /* ---------------------------------------------------------------------- */
41

  
42
    int add_rule(long long user, long long resource, long long rights)
43
    {
44
        AclRule rule(user, resource, rights);
45
        return add_rule(rule);
46
    };
47

  
48
    int add_rule(const AclRule &rule)
49
    {
50
        pair<set<AclRule>::iterator,bool> ret;
51

  
52
        ret = acl_set.insert(rule);
53

  
54
        if( !ret.second )
55
        {
56
            return -1;
57
        }
58

  
59
        return 0;
60
    };
61

  
62
    /* ---------------------------------------------------------------------- */
63

  
64
    int del_rule(long long user, long long resource, long long rights)
65
    {
66
        AclRule rule(user, resource, rights);
67
        return del_rule(rule);
68
    };
69

  
70
    int del_rule(AclRule &rule)
71
    {
72
        if( acl_set.erase(rule) != 1 )
73
        {
74
            return -1;
75
        }
76

  
77
        return 0;
78
    };
79

  
80
    /* ---------------------------------------------------------------------- */
81
    /* DB management                                                          */
82
    /* ---------------------------------------------------------------------- */
83

  
84
    /**
85
     *  Callback function to unmarshall a PoolObjectSQL
86
     *    @param num the number of columns read from the DB
87
     *    @param names the column names
88
     *    @param vaues the column values
89
     *    @return 0 on success
90
     */
91
    int select_cb(void *nil, int num, char **values, char **names)
92
    {
93
        if ( (!values[0]) || (num != 1) )
94
        {
95
            return -1;
96
        }
97

  
98
        // TODO: from_xml
99

  
100
        return 0;
101
    };
102

  
103
    /**
104
     *  Reads the ACL rule set from the database.
105
     *    @param db pointer to the db
106
     *    @return 0 on success
107
     */
108
    int select(SqlDB *db)
109
    {
110
        return 0;
111
    };
112

  
113
    int insert(SqlDB*, std::string&)
114
    {
115
        return 0;
116
    };
117

  
118
    int update(SqlDB*)
119
    {
120
        return 0;
121
    };
122

  
123
    int drop(SqlDB*)
124
    {
125
        return 0;
126
    };
127

  
128
    /* ---------------------------------------------------------------------- */
129

  
130
    int dump(ostringstream& oss);
131

  
132
private:
133
    set<AclRule> acl_set;
134
};
135

  
136
#endif /*ACL_MANAGER_H*/
137

  
include/AclRule.h
1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

  
17
#ifndef ACL_RULE_H_
18
#define ACL_RULE_H_
19

  
20
#include <set>
21

  
22
#include "ObjectSQL.h"
23

  
24
using namespace std;
25

  
26
class AclRule
27
{
28
public:
29

  
30
    static const long long INDIVIDUAL_ID;
31
    static const long long GROUP_ID;
32
    static const long long ALL_ID;
33

  
34
    AclRule(long long _user, long long _resource, long long _rights):
35
        user(_user), resource(_resource), rights(_rights)
36
    {};
37

  
38
    AclRule& operator=(AclRule const& o)
39
    {
40
        user = o.user;
41
        resource = o.resource;
42
        rights = o.rights;
43

  
44
        return *this;
45
    };
46

  
47
    bool operator ==(const AclRule& other) const
48
    {
49
        return (user == other.user &&
50
                resource == other.resource &&
51
                rights == other.rights);
52
    };
53

  
54
    bool operator!=(const AclRule& other) const
55
    {
56
        return !(*this == other);
57
    };
58

  
59
    bool operator <(const AclRule& other) const
60
    {
61
        return user < other.user;
62
    };
63

  
64
    string to_str() const;
65

  
66
    string& to_xml(string& xml) const;
67

  
68
    int user_id() const
69
    {
70
        return user;
71
    };
72

  
73
    long long user_code() const
74
    {
75
        return user & 0xFFFFFFFF00000000LL;
76
    };
77

  
78
    int resource_id() const
79
    {
80
        return resource;
81
    };
82

  
83
    long long resource_code() const
84
    {
85
        return resource & 0xFFFFFFFF00000000LL;
86
    };
87

  
88
private:
89

  
90
    friend class AclManager;
91

  
92
    /**
93
     *
94
     */
95
    long long user;
96

  
97
    /**
98
     *
99
     */
100
    long long resource;
101

  
102
    /**
103
     *
104
     */
105
    long long rights;
106
};
107

  
108
#endif /*ACL_RULE_H*/
109

  
include/AuthManager.h
276 276
     */
277 277
    enum Operation
278 278
    {
279
        CREATE,     /** Authorization to create an object   */
280
        DELETE,     /** Authorization to delete an object   */
281
        USE,        /** Authorization to use an object      */
282
        MANAGE,     /** Authorization to manage an object   */
283
        INFO,       /** Authorization to view an object     */
284
        INFO_POOL,  /** Authorization to view any object in the pool */
285
        INFO_POOL_MINE, /** Authorization to view user and/or group objects */ 
286
        INSTANTIATE, /** Authorization to instantiate a VM from a TEMPLATE  */
287
        CHOWN /** Authorization to change ownership of an object */
279
        CREATE        = 0x1LL,  /**< Auth. to create an object                */
280
        DELETE        = 0x2LL,  /**< Auth. to delete an object                */
281
        USE           = 0x4LL,  /**< Auth. to use an object                   */
282
        MANAGE        = 0x8LL,  /**< Auth. to manage an object                */
283
        INFO          = 0x10LL, /**< Auth. to view an object                  */
284
        INFO_POOL     = 0x20LL, /**< Auth. to view any object in the pool     */
285
        INFO_POOL_MINE= 0x40LL, /**< Auth. to view user and/or group objects  */
286
        INSTANTIATE   = 0x80LL, /**< Auth. to instantiate a VM from a TEMPLATE*/
287
        CHOWN         = 0x100LL /**< Auth. to change ownership of an object   */
288
    };
289

  
290
    static string Operation_to_str(Operation op)
291
    {
292
        switch (op)
293
        {
294
            case CREATE:            return "CREATE";
295
            case DELETE:            return "DELETE";
296
            case USE:               return "USE";
297
            case MANAGE:            return "MANAGE";
298
            case INFO:              return "INFO";
299
            case INFO_POOL:         return "INFO_POOL";
300
            case INFO_POOL_MINE:    return "INFO_POOL_MINE";
301
            case INSTANTIATE:       return "INSTANTIATE";
302
            case CHOWN:             return "CHOWN";
303
            default:                return "";
304
        }
288 305
    };
289 306

  
290 307
    /**
......
292 309
     */
293 310
    enum Object
294 311
    {
295
        VM,
296
        HOST,
297
        NET,
298
        IMAGE,
299
        USER,
300
        TEMPLATE,
301
        GROUP
312
        VM         = 0x1000000000LL,
313
        HOST       = 0x2000000000LL,
314
        NET        = 0x4000000000LL,
315
        IMAGE      = 0x8000000000LL,
316
        USER       = 0x10000000000LL,
317
        TEMPLATE   = 0x20000000000LL,
318
        GROUP      = 0x40000000000LL,
319
        ACL        = 0x80000000000LL
320
    };
321

  
322
    static string Object_to_str(Object ob)
323
    {
324
        switch (ob)
325
        {
326
            case VM:       return "VM" ; break;
327
            case HOST:     return "HOST" ; break;
328
            case NET:      return "NET" ; break;
329
            case IMAGE:    return "IMAGE" ; break;
330
            case USER:     return "USER" ; break;
331
            case TEMPLATE: return "TEMPLATE" ; break;
332
            case GROUP:    return "GROUP" ; break;
333
            default:       return "";
334
        }
302 335
    };
303 336

  
304 337
    /**
include/Nebula.h
36 36
#include "RequestManager.h"
37 37
#include "HookManager.h"
38 38
#include "AuthManager.h"
39
#include "AclManager.h"
39 40
#include "ImageManager.h"
40 41

  
41 42
#include "Callbackable.h"
......
134 135
        return imagem;
135 136
    };
136 137

  
138
    AclManager * get_aclm()
139
    {
140
        return aclm;
141
    };
142

  
137 143
    // --------------------------------------------------------------
138 144
    // Environment & Configuration
139 145
    // --------------------------------------------------------------
......
249 255

  
250 256
    Nebula():nebula_configuration(0),db(0),vmpool(0),hpool(0),vnpool(0),
251 257
        upool(0),ipool(0),gpool(0),tpool(0),lcm(0),vmm(0),im(0),tm(0),
252
        dm(0),rm(0),hm(0),authm(0),imagem(0)
258
        dm(0),rm(0),hm(0),authm(0),aclm(0),imagem(0)
253 259
    {
254 260
        const char * nl = getenv("ONE_LOCATION");
255 261

  
......
359 365
            delete authm;
360 366
        }
361 367

  
368
        if ( aclm != 0)
369
        {
370
            delete aclm;
371
        }
372

  
362 373
        if ( imagem != 0)
363 374
        {
364 375
            delete imagem;
......
425 436
    RequestManager *        rm;
426 437
    HookManager *           hm;
427 438
    AuthManager *           authm;
439
    AclManager *            aclm;
428 440
    ImageManager *          imagem;
429 441

  
430 442
    // ---------------------------------------------------------------
include/Request.h
88 88
    /* -------------------------------------------------------------------- */
89 89

  
90 90
    /**
91
     *  Performs a basic autorization for this request using the uid/gid
91
     *  Performs a basic authorization for this request using the uid/gid
92 92
     *  from the request. The function gets the object from the pool to get 
93 93
     *  the public attribute and its owner. The authorization is based on 
94 94
     *  object and type of operation for the request.
include/RequestManagerAcl.h
1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

  
17
#ifndef REQUEST_MANAGER_ACL_H
18
#define REQUEST_MANAGER_ACL_H
19

  
20
#include "Request.h"
21
#include "Nebula.h"
22

  
23
using namespace std;
24

  
25
/* ------------------------------------------------------------------------- */
26
/* ------------------------------------------------------------------------- */
27
/* ------------------------------------------------------------------------- */
28

  
29
class RequestManagerAcl: public Request
30
{
31
protected:
32
    RequestManagerAcl( const string& method_name,
33
                       const string& help,
34
                       const string& params)
35
        :Request(method_name,params,help)
36
    {
37
        auth_object = AuthRequest::ACL;
38
    };
39

  
40
    ~RequestManagerAcl(){};
41

  
42
    /* -------------------------------------------------------------------- */
43

  
44
    virtual void request_execute(xmlrpc_c::paramList const& _paramList);
45

  
46
    /* -------------------------------------------------------------------- */
47

  
48
    virtual int perform_operation(string& error_msg)
49
    {
50
        return 0;
51
    };
52

  
53
    /* -------------------------------------------------------------------- */
54

  
55
    long long user;
56
    long long resource;
57
    long long rights;
58

  
59
    AclManager * aclm;
60
};
61

  
62
/* ------------------------------------------------------------------------- */
63
/* ------------------------------------------------------------------------- */
64

  
65
class AclAddRule : public RequestManagerAcl
66
{
67
public:
68
    AclAddRule():
69
        RequestManagerAcl("AclAddRule",
70
                            "Adds a new ACL rule",
71
                            "A:ssss")
72
    {
73
        // TODO: auth_op ?
74
    };
75

  
76
    ~AclAddRule(){};
77

  
78
    int perform_operation(string& error_msg);
79
};
80

  
81
/* ------------------------------------------------------------------------- */
82
/* ------------------------------------------------------------------------- */
83

  
84
class AclDelRule : public RequestManagerAcl
85
{
86
public:
87
    AclDelRule():
88
        RequestManagerAcl("AclDelRule",
89
                            "Deletes an existing ACL rule",
90
                            "A:ssss")
91
    {
92
        // TODO: auth_op ?
93
    };
94

  
95
    ~AclDelRule(){};
96

  
97
    int perform_operation(string& error_msg);
98
};
99

  
100
/* ------------------------------------------------------------------------- */
101
/* ------------------------------------------------------------------------- */
102

  
103
class AclInfo: public RequestManagerAcl
104
{
105
public:
106
    AclInfo():
107
        RequestManagerAcl("AclInfo",
108
                            "Returns the ACL rule set",
109
                            "A:s")
110
    {
111
        // TODO: auth_op ?
112
    };
113

  
114
    ~AclInfo(){};
115

  
116
    void request_execute(xmlrpc_c::paramList const& _paramList);
117
};
118

  
119
/* -------------------------------------------------------------------------- */
120
/* -------------------------------------------------------------------------- */
121
/* -------------------------------------------------------------------------- */
122

  
123
#endif
install.sh
371 371
           src/cli/oneimage \
372 372
           src/cli/onegroup \
373 373
           src/cli/onetemplate \
374
           src/cli/oneacl \
374 375
           src/onedb/onedb \
375 376
           share/scripts/one \
376 377
           src/authm_mad/oneauth"
......
653 654
                           src/oca/ruby/OpenNebula/TemplatePool.rb \
654 655
                           src/oca/ruby/OpenNebula/Group.rb \
655 656
                           src/oca/ruby/OpenNebula/GroupPool.rb \
657
                           src/oca/ruby/OpenNebula/Acl.rb \
656 658
                           src/oca/ruby/OpenNebula/XMLUtils.rb"
657 659

  
658 660
#-------------------------------------------------------------------------------
......
756 758
               src/cli/oneuser \
757 759
               src/cli/oneimage \
758 760
               src/cli/onetemplate \
759
               src/cli/onegroup"
761
               src/cli/onegroup \
762
               src/cli/oneacl"
760 763

  
761 764
CLI_CONF_FILES="src/cli/etc/onegroup.yaml \
762 765
                src/cli/etc/onehost.yaml \
src/authm/AclManager.cc
1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

  
17
#include "AclManager.h"
18
#include "NebulaLog.h"
19

  
20
/* -------------------------------------------------------------------------- */
21
/* -------------------------------------------------------------------------- */
22

  
23
bool AclManager::authorize(int uid, const set<int> &user_groups,
24
        AuthRequest::Object obj_type, int obj_id, int obj_gid,
25
        AuthRequest::Operation op)
26
{
27
    ostringstream oss;
28

  
29
    bool auth = false;
30

  
31
    // Build masks for request
32
    long long user_req          = AclRule::INDIVIDUAL_ID + uid;
33
    long long resource_oid_req  = obj_type + AclRule::INDIVIDUAL_ID + obj_id;
34
    long long resource_gid_req  = obj_type + AclRule::INDIVIDUAL_ID + obj_gid;
35
    long long rights_req        = op;
36

  
37
    long long individual_obj_type =
38
            ( obj_type | AclRule::INDIVIDUAL_ID | 0xFFFFFFFF );
39

  
40
    long long group_obj_type =
41
            ( obj_type | AclRule::GROUP_ID | 0xFFFFFFFF );
42

  
43
    AclRule request_rule(user_req, resource_oid_req, rights_req);
44
    oss << "Request " << request_rule.to_str();
45
    NebulaLog::log("ACL",Log::DEBUG,oss);
46

  
47

  
48
    set<AclRule>::iterator rule;
49

  
50
    for ( rule = acl_set.begin() ; rule != acl_set.end(); rule++ )
51
    {
52
        oss.str("");
53
        oss << "> Rule  " << rule->to_str();
54
        NebulaLog::log("ACL",Log::DEBUG,oss);
55

  
56
        // TODO: This only works for individual uid
57

  
58
        auth =
59
            // This rule applies to this individual user ID
60
            ( rule->user == user_req )
61
            &&
62
            (
63
                // Rule's object type and individual object ID match
64
                ( ( rule->resource & individual_obj_type ) == resource_oid_req )
65
                ||
66
                // Or rule's object type and group object ID match
67
                ( ( rule->resource & group_obj_type ) == resource_gid_req )
68
            )
69
            &&
70
            ( ( rule->rights & rights_req ) == rights_req );
71

  
72
        if ( auth == true )
73
        {
74
            oss.str("Permission granted");
75
            NebulaLog::log("ACL",Log::DEBUG,oss);
76

  
77
            return true;
78
        }
79
    }
80

  
81
    oss.str("No more rules, permission not granted ");
82
    NebulaLog::log("ACL",Log::DEBUG,oss);
83

  
84
    return false;
85
}
86

  
87
/* -------------------------------------------------------------------------- */
88
/* -------------------------------------------------------------------------- */
89

  
90
int AclManager::dump(ostringstream& oss)
91
{
92
    set<AclRule>::iterator rule;
93
    string xml;
94

  
95
    oss << "<ACL>";
96

  
97
    for ( rule = acl_set.begin() ; rule != acl_set.end(); rule++ )
98
    {
99
        oss << rule->to_xml(xml);
100
    }
101

  
102
    oss << "</ACL>";
103

  
104
    return 0;
105
}
106

  
107
/* -------------------------------------------------------------------------- */
108
/* -------------------------------------------------------------------------- */
src/authm/AclRule.cc
1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

  
17
#include "AclRule.h"
18
#include "AuthManager.h"
19
#include "NebulaLog.h"
20

  
21
/* -------------------------------------------------------------------------- */
22
/* -------------------------------------------------------------------------- */
23

  
24
const long long AclRule::INDIVIDUAL_ID  = 0x100000000LL;
25
const long long AclRule::GROUP_ID       = 0x200000000LL;
26
const long long AclRule::ALL_ID         = 0x400000000LL;
27

  
28
/* -------------------------------------------------------------------------- */
29
/* -------------------------------------------------------------------------- */
30

  
31
string AclRule::to_str() const
32
{
33
    ostringstream oss;
34

  
35
    oss << "USER:";
36
    if ( (user & GROUP_ID) != 0 )
37
    {
38
        oss << "@" << user_id();
39
    }
40
    else if ( (user & INDIVIDUAL_ID) != 0 )
41
    {
42
        oss << "#" << user_id();
43
    }
44
    else
45
    {
46
        oss << "*";
47
    }
48

  
49
    oss << " RESOURCE:";
50

  
51
    AuthRequest::Object objects[] = {
52
            AuthRequest::VM,
53
            AuthRequest::HOST,
54
            AuthRequest::NET,
55
            AuthRequest::IMAGE,
56
            AuthRequest::USER,
57
            AuthRequest::TEMPLATE,
58
            AuthRequest::GROUP,
59
            AuthRequest::ACL
60
    };
61

  
62
    bool prefix = false;
63

  
64
    for ( int i = 0; i < 8; i++ )
65
    {
66
        if ( (resource & objects[i]) != 0 )
67
        {
68
            if ( prefix )
69
            {
70
                oss << "+";
71
            }
72

  
73
            oss << AuthRequest::Object_to_str( objects[i] );
74
            prefix = true;
75
        }
76
    }
77

  
78
    oss << "/";
79

  
80
    if ( (resource & GROUP_ID) != 0 )
81
    {
82
        oss << "@" << resource_id();
83
    }
84
    else if ( (resource & INDIVIDUAL_ID) != 0 )
85
    {
86
        oss << "#" << resource_id();
87
    }
88
    else
89
    {
90
        oss << "*";
91
    }
92

  
93
    oss << " OPERATION:";
94

  
95

  
96
    AuthRequest::Operation operations[] = {
97
            AuthRequest::CREATE,
98
            AuthRequest::DELETE,
99
            AuthRequest::USE,
100
            AuthRequest::MANAGE,
101
            AuthRequest::INFO,
102
            AuthRequest::INFO_POOL,
103
            AuthRequest::INFO_POOL_MINE,
104
            AuthRequest::INSTANTIATE,
105
            AuthRequest::CHOWN
106
    };
107

  
108
    prefix = false;
109

  
110
    for ( int i = 0; i < 10; i++ )
111
    {
112
        if ( (rights & operations[i]) != 0 )
113
        {
114
            if ( prefix )
115
            {
116
                oss << "+";
117
            }
118

  
119
            oss << AuthRequest::Operation_to_str( operations[i] );
120
            prefix = true;
121
        }
122
    }
123

  
124
    return oss.str();
125
}
126

  
127
/* -------------------------------------------------------------------------- */
128
/* -------------------------------------------------------------------------- */
129

  
130
string& AclRule::to_xml(string& xml) const
131
{
132
    ostringstream   oss;
133

  
134
    oss <<
135
    "<RULE>"
136
       "<USER>"     << hex << user      << "</USER>"        <<
137
       "<RESOURCE>" << hex << resource  << "</RESOURCE>"    <<
138
       "<RIGHTS>"   << hex << rights    << "</RIGHTS>"      <<
139

  
140
       // TODO: Element DEBUG contains a human friendly string
141
       "<DEBUG>"    << to_str()         << "</DEBUG>"       <<
142

  
143
       "</RULE>";
144

  
145
    xml = oss.str();
146

  
147
    return xml;
148
}
149

  
150
/* -------------------------------------------------------------------------- */
151
/* -------------------------------------------------------------------------- */
src/authm/AuthManager.cc
39 39
    ostringstream oss;
40 40
    bool          auth;
41 41

  
42
    switch (ob)
43
    {
44
        case VM:       oss << "VM:" ; break;
45
        case HOST:     oss << "HOST:" ; break;
46
        case NET:      oss << "NET:" ; break;
47
        case IMAGE:    oss << "IMAGE:" ; break;
48
        case USER:     oss << "USER:" ; break;
49
        case TEMPLATE: oss << "TEMPLATE:" ; break;
50
        case GROUP:    oss << "GROUP:" ; break;
51
    }
42
    oss << Object_to_str(ob) << ":";
52 43

  
53 44
    if (op == CREATE || op == INSTANTIATE) //encode the ob_id, it is a template
54 45
    {
......
69 60
        oss << ob_id << ":";
70 61
    }
71 62

  
72
    switch (op)
73
    {
74
        case CREATE:
75
            oss << "CREATE:" ;
76
            break;
77

  
78
        case DELETE:
79
            oss << "DELETE:" ;
80
            break;
81

  
82
        case USE:
83
            oss << "USE:" ;
84
            break;
85

  
86
        case MANAGE:
87
            oss << "MANAGE:" ;
88
            break;
89
            
90
        case INFO:
91
            oss << "INFO:" ;
92
            break;
93

  
94
        case INFO_POOL:
95
            oss << "INFO_POOL:" ;
96
            break;
97

  
98
        case INFO_POOL_MINE:
99
            oss << "INFO_POOL_MINE:" ;
100
            break;
101

  
102
        case INSTANTIATE:
103
            oss << "INSTANTIATE:" ;
104
            break;
105

  
106
        case CHOWN:
107
            oss << "CHOWN:" ;
108
            break;
109
    }
63
    oss << Operation_to_str(op) << ":";
110 64

  
111 65
    oss << owner << ":" << pub;
112 66

  
......
120 74
    }
121 75
    else
122 76
    {
123
        auth = false;
77
        // TODO, the set of object ids is needed
78
        set<int> emtpy_set;
124 79

  
125
        switch (op)
126
        {
127
            case CREATE:
128
                if ( ob == VM || ob == NET || ob == IMAGE || ob == TEMPLATE )
129
                {
130
                    auth = true;
131
                }
132
                break;
133

  
134
            case INSTANTIATE:
135
                if ( ob == VM )
136
                {
137
                    auth = true;
138
                }
139
                break;
140

  
141
            case DELETE:
142
                auth = owner == uid;
143
                break;
144

  
145
            case USE:
146
                if (ob == NET || ob == IMAGE || ob == TEMPLATE)
147
                {
148
                    auth = (owner == uid) || pub;
149
                }
150
                else if (ob == HOST)
151
                {
152
                    auth = true;
153
                }
154
                break;
155

  
156
            case MANAGE:
157
                auth = owner == uid;
158
                break;
159
                
160
            case INFO: 
161
                if ( ob != USER ) // User info only for root or owner
162
                {
163
                    auth = true;
164
                }
165
                else 
166
                {
167
                    istringstream iss(ob_id);
168
                    int ob_id_int;
169

  
170
                    iss >> ob_id_int;
171

  
172
                    if (ob_id_int == uid)
173
                    {
174
                        auth = true;
175
                    }
176
                }
177
                break;
178

  
179
            case INFO_POOL:
180
                if ( ob != USER ) // User pool only for oneadmin
181
                {
182
                    auth = true;
183
                }
184
                break;
185

  
186
            case INFO_POOL_MINE:
187
                auth = true;
188
                break;
189
            case CHOWN: //true only for oneadmin
190
                break;
191
        }
80
        int         ob_gid = 0;
81

  
82
        istringstream iss(ob_id);
83
        int ob_id_int;
84

  
85
        iss >> ob_id_int;
86

  
87
        Nebula&     nd   = Nebula::instance();
88
        AclManager* aclm = nd.get_aclm();
89

  
90
        auth = aclm->authorize(uid, emtpy_set, ob, ob_id_int, ob_gid, op);
192 91
    }
193 92

  
194 93
    self_authorize = self_authorize && auth;
src/authm/SConstruct
23 23
# Sources to generate the library
24 24
source_files=[
25 25
    'AuthManager.cc',
26
    'AuthManagerDriver.cc'
26
    'AuthManagerDriver.cc',
27
    'AclManager.cc',
28
    'AclRule.cc'
27 29
]
28 30

  
29 31
# Build library
src/cli/oneacl
1
#!/usr/bin/env ruby
2

  
3
# -------------------------------------------------------------------------- #
4
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
5
#                                                                            #
6
# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
7
# not use this file except in compliance with the License. You may obtain    #
8
# a copy of the License at                                                   #
9
#                                                                            #
10
# http://www.apache.org/licenses/LICENSE-2.0                                 #
11
#                                                                            #
12
# Unless required by applicable law or agreed to in writing, software        #
13
# distributed under the License is distributed on an "AS IS" BASIS,          #
14
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
15
# See the License for the specific language governing permissions and        #
16
# limitations under the License.                                             #
17
#--------------------------------------------------------------------------- #
18

  
19
ONE_LOCATION=ENV["ONE_LOCATION"]
20

  
21
if !ONE_LOCATION
22
    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
23
else
24
    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
25
end
26

  
27
$: << RUBY_LIB_LOCATION
28
$: << RUBY_LIB_LOCATION+"/cli"
29

  
30
require 'command_parser'
31
require 'one_helper'
32

  
33
cmd = CommandParser::CmdParser.new(ARGV) do
34
    usage "oneacl COMMAND [args..] [options..]"
35
    version OpenNebulaHelper::ONE_VERSION
36

  
37
    ########################################################################
38
    # Global Options
39
    ########################################################################
40
    set :option, CommandParser::OPTIONS
41

  
42
    ########################################################################
43
    # Formatters for arguments
44
    ########################################################################
45
    # TODO
46

  
47
    ########################################################################
48
    # Commands
49
    ########################################################################
50

  
51
    addrule_desc = <<-EOT.unindent
52
        Adds a new ACL rule
53
    EOT
54

  
55
    command :addrule, addrule_desc, :user, :resource, :rights do
56
        acl = OpenNebula::Acl.new( OpenNebula::Client.new() )
57

  
58
        rc = acl.addrule( args[0], args[1], args[2] )
59

  
60
        if OpenNebula.is_error?(rc)
61
            [-1, rc.message]
62
        else
63
            puts "Rule added" if options[:verbose]
64
            0
65
        end
66
    end
67

  
68
    delrule_desc = <<-EOT.unindent
69
        Deletes an existing ACL rule
70
    EOT
71

  
72
    command :delrule, delrule_desc, :user, :resource, :rights do
73
        acl = OpenNebula::Acl.new( OpenNebula::Client.new() )
74

  
75
        rc = acl.delrule( args[0], args[1], args[2] )
76

  
77
        if OpenNebula.is_error?(rc)
78
            [-1, rc.message]
79
        else
80
            puts "Rule deleted" if options[:verbose]
81
            0
82
        end
83

  
84
    end
85

  
86
    list_desc = <<-EOT.unindent
87
        Lists the ACL rule set
88
    EOT
89

  
90
    command :list, list_desc,:options=>OpenNebulaHelper::XML do
91
        acl = OpenNebula::Acl.new( OpenNebula::Client.new() )
92

  
93
        rc = acl.info()
94

  
95
        if OpenNebula.is_error?(rc)
96
            [-1, rc.message]
97
        else
98
            puts acl.to_xml
99
            0
100
        end
101
    end
102
end
src/nebula/Nebula.cc
515 515
        }
516 516
    }
517 517

  
518
    // ---- ACL Manager ----
519
    aclm = new AclManager();
520

  
518 521
    // ---- Image Manager ----
519 522
    try
520 523
    {
src/oca/ruby/OpenNebula.rb
39 39
require 'OpenNebula/TemplatePool'
40 40
require 'OpenNebula/Group'
41 41
require 'OpenNebula/GroupPool'
42
require 'OpenNebula/Acl'
42 43

  
43 44
module OpenNebula
44 45

  
src/oca/ruby/OpenNebula/Acl.rb
1
# -------------------------------------------------------------------------- #
2
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
3
#                                                                            #
4
# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
5
# not use this file except in compliance with the License. You may obtain    #
6
# a copy of the License at                                                   #
7
#                                                                            #
8
# http://www.apache.org/licenses/LICENSE-2.0                                 #
9
#                                                                            #
10
# Unless required by applicable law or agreed to in writing, software        #
11
# distributed under the License is distributed on an "AS IS" BASIS,          #
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
13
# See the License for the specific language governing permissions and        #
14
# limitations under the License.                                             #
15
#--------------------------------------------------------------------------- #
16

  
17
require 'OpenNebula/Pool'
18

  
19
module OpenNebula
20
    class Acl < XMLElement
21

  
22
        #######################################################################
23
        # Constants and Class Methods
24
        #######################################################################
25
        ACL_METHODS = {
26
            :info       => "acl.info",
27
            :addrule    => "acl.addrule",
28
            :delrule    => "acl.delrule"
29
        }
30

  
31
        #######################################################################
32
        # Class constructor
33
        #######################################################################
34
        def initialize(client)
35
            @client = client
36
        end
37

  
38
        #######################################################################
39
        # XML-RPC Methods
40
        #######################################################################
41

  
42
        # Retrieves the ACL rule set
43
        def info()
44
            rc = @client.call( ACL_METHODS[:info] )
45

  
46
            if !OpenNebula.is_error?(rc)
47
                initialize_xml(rc, 'ACL')
48
                rc = nil
49
            end
50

  
51
            return rc
52
        end
53

  
54
        # Adds a new ACL rule.
55
        #
56
        # +user+ A hex number, e.g. 0x100000001
57
        # +resource+ A hex number, e.g. 0x2100000001
58
        # +rights+ A hex number, e.g. 0x10
59
        def addrule(user, resource, rights)
60
            rc = @client.call( ACL_METHODS[:addrule], user, resource, rights )
61

  
62
            rc = nil if !OpenNebula.is_error?(rc)
63

  
64
            return rc
65
        end
66

  
67
        # Deletes an existing ACL rule.
68
        #
69
        # +user+ A hex number, e.g. 0x100000001
70
        # +resource+ A hex number, e.g. 0x2100000001
71
        # +rights+ A hex number, e.g. 0x10
72
        def delrule(user, resource, rights)
73
            rc = @client.call( ACL_METHODS[:delrule], user, resource, rights )
74

  
75
            rc = nil if !OpenNebula.is_error?(rc)
76

  
77
            return rc
78
        end
79

  
80
        #######################################################################
81
        # Helpers
82
        #######################################################################
83

  
84
    private
85

  
86
    end
87
end
src/rm/RequestManager.cc
33 33
#include "RequestManagerHost.h"
34 34
#include "RequestManagerImage.h"
35 35
#include "RequestManagerUser.h"
36
#include "RequestManagerAcl.h"
36 37

  
37 38
#include <sys/signal.h>
38 39
#include <sys/socket.h>
......
310 311
    xmlrpc_c::methodPtr image_chown(new ImageChown());
311 312
    xmlrpc_c::methodPtr user_chown(new UserChown());
312 313

  
314
    // ACL Methods
315
    xmlrpc_c::methodPtr acl_addrule(new AclAddRule());
316
    xmlrpc_c::methodPtr acl_delrule(new AclDelRule());
317
    xmlrpc_c::methodPtr acl_info(new AclInfo());
318

  
313 319
    /* VM related methods  */    
314 320
    RequestManagerRegistry.addMethod("one.vm.deploy", vm_deploy);
315 321
    RequestManagerRegistry.addMethod("one.vm.action", vm_action);
......
383 389
    RequestManagerRegistry.addMethod("one.image.chown", image_chown);
384 390

  
385 391
    RequestManagerRegistry.addMethod("one.imagepool.info", imagepool_info);
392

  
393
    /* ACL related methods */
394
    RequestManagerRegistry.addMethod("one.acl.addrule", acl_addrule);
395
    RequestManagerRegistry.addMethod("one.acl.delrule", acl_delrule);
396
    RequestManagerRegistry.addMethod("one.acl.info",    acl_info);
386 397
};
387 398

  
388 399
/* -------------------------------------------------------------------------- */
src/rm/RequestManagerAcl.cc
1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

  
17
#include "RequestManagerAcl.h"
18

  
19
using namespace std;
20

  
21
/* ------------------------------------------------------------------------- */
22
/* ------------------------------------------------------------------------- */
23

  
24
void RequestManagerAcl::request_execute(xmlrpc_c::paramList const& paramList)
25
{
26
/*
27
    xmlrpc-c version 1.07 can manage 64 bit numbers, but not all distros. ship
28
    the latest version.
29

  
30
    user      = xmlrpc_c::value_i8(paramList.getI8(1));
31
    resource  = xmlrpc_c::value_i8(paramList.getI8(2));
32
    rights    = xmlrpc_c::value_i8(paramList.getI8(3));
33
*/
34

  
35
    istringstream iss;
36

  
37
    iss.str( xmlrpc_c::value_string(paramList.getString(1)) );
38
    iss >> hex >> user;
39

  
40
    iss.clear();
41
    iss.str( xmlrpc_c::value_string(paramList.getString(2)) );
42
    iss >> hex >> resource;
43

  
44
    iss.clear();
45
    iss.str( xmlrpc_c::value_string(paramList.getString(3)) );
46
    iss >> hex >> rights;
47

  
48

  
49

  
50
    // TODO, debug
51
/*
52
    int iu, id, it;
53

  
54
    iss.clear();
55
    iss.str( xmlrpc_c::value_string(paramList.getString(1)) );
56
    iss >> iu;
57

  
58
    iss.clear();
59
    iss.str( xmlrpc_c::value_string(paramList.getString(2)) );
60
    iss >> id;
61

  
62
    iss.clear();
63
    iss.str( xmlrpc_c::value_string(paramList.getString(3)) );
64
    iss >> it;
65

  
66

  
67

  
68
    ostringstream oss;
69
    string u = xmlrpc_c::value_string(paramList.getString(1));
70
    string d = xmlrpc_c::value_string(paramList.getString(2));
71
    string t = xmlrpc_c::value_string(paramList.getString(3));
72

  
73
    oss << "\n";
74
    oss << "User :     " << u << ", " << iu << ", dec: " << dec  << user     << "\n";
75
    oss << "Resource : " << d << ", " << id << ", dec: "  << dec << resource << "\n";
76
    oss << "Rights :   " << t << ", " << it << ", dec: "  << dec << rights   << "\n";
77
    NebulaLog::log("ACL-RM",Log::DEBUG,oss);
78
*/
79

  
80
    Nebula& nd  = Nebula::instance();
81
    aclm        = nd.get_aclm();
82

  
83
    string error_msg;
84

  
85
    // TODO: Only oneadmin can manage ACL
86
    if ( uid != 0 )
87
    {
88
        failure_response(AUTHORIZATION,
89
                authorization_error("Only oneadmin can manage ACL rules"));
90
        return;
91
    }
92

  
93
    int rc = perform_operation(error_msg);
94

  
95
    if ( rc != 0 )
96
    {
97
        failure_response(INTERNAL, request_error(error_msg, ""));
98
        return;
99
    }
100

  
101
    success_response("");
102

  
103
    return;
104
}
105

  
106
/* ------------------------------------------------------------------------- */
107

  
108
int AclAddRule::perform_operation(string& error_msg)
109
{
110
    return aclm->add_rule(user, resource, rights);
111
}
112

  
113
/* ------------------------------------------------------------------------- */
114

  
115
int AclDelRule::perform_operation(string& error_msg)
116
{
117
    return aclm->del_rule(user, resource, rights);
118
}
119

  
120
/* ------------------------------------------------------------------------- */
121
/* ------------------------------------------------------------------------- */
122

  
123
void AclInfo::request_execute(xmlrpc_c::paramList const& paramList)
124
{
125
    Nebula& nd  = Nebula::instance();
126
    aclm        = nd.get_aclm();
127

  
128
    ostringstream oss;
129
    int rc;
130

  
131
    // TODO: Only oneadmin can manage ACL
132
    if ( uid != 0 )
133
    {
134
        failure_response(AUTHORIZATION,
135
                authorization_error("Only oneadmin can manage ACL rules"));
136
        return;
137
    }
138

  
139
    rc = aclm->dump(oss);
140

  
141
    if ( rc != 0 )
142
    {
143
        failure_response(INTERNAL, request_error("Internal Error",""));
144
        return;
145
    }
146

  
147
    success_response( oss.str() );
148

  
149
    return;
150
}
151

  
152
/* ------------------------------------------------------------------------- */
src/rm/SConstruct
38 38
    'RequestManagerHost.cc',
39 39
    'RequestManagerImage.cc',
40 40
    'RequestManagerChown.cc',
41

  
42
#    'RequestManagerAction.cc',
43
#    'RequestManagerAllocate.cc',
44
#    'RequestManagerDeploy.cc',
45
#    'RequestManagerMigrate.cc',
46
#    'RequestManagerSaveDisk.cc',
47
#    'RequestManagerHostAllocate.cc',
48
#    'RequestManagerHostEnable.cc',
49
#    'RequestManagerImageAllocate.cc',
50
#    'RequestManagerImageUpdate.cc',
51
#    'RequestManagerImageRemoveAttribute.cc',
52
#    'RequestManagerImagePublish.cc',
53
#    'RequestManagerImagePersistent.cc',
54
#    'RequestManagerImageEnable.cc',
55
#    'RequestManagerClusterAdd.cc',
56
#    'RequestManagerClusterAllocate.cc',
57
#    'RequestManagerClusterRemove.cc',
58
#    'RequestManagerGroupAllocate.cc',
59
#    'RequestManagerVirtualNetworkAllocate.cc',
60
#    'RequestManagerVirtualNetworkInfo.cc',
61
#    'RequestManagerVirtualNetworkPublish.cc',
62
#    'RequestManagerVirtualNetworkAddLeases.cc',
63
#    'RequestManagerVirtualNetworkRemoveLeases.cc',
64
#    'RequestManagerUserAllocate.cc',
65
#    'RequestManagerUserChangePassword.cc',
66
#    'RequestManagerTemplateAllocate.cc',
67
#    'RequestManagerTemplateUpdate.cc',
68
#    'RequestManagerTemplateRemoveAttribute.cc',
69
#    'RequestManagerTemplatePublish.cc',
70
#    'RequestManagerChown.cc',
41
    'RequestManagerAcl.cc',
71 42
]
72 43

  
73 44
# Build library

Also available in: Unified diff