Hello Ravi Nori,
I'd like you to do a code review. Please visit
http://gerrit.ovirt.org/35733
to review the following change.
Change subject: engine : [mla] query execution failed due to insufficient
permissions
......................................................................
engine : [mla] query execution failed due to insufficient permissions
GetTasksStatusesByTasksIDsQuery throws
insufficient permissions when querying for
task ids
Change-Id: I2d036f6a03a5f46342945452340133bd8150ce45
Bug-Url: https://bugzilla.redhat.com/1153043
Signed-off-by: Ravi Nori <[email protected]>
---
M
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetTasksStatusesByTasksIDsQuery.java
M
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/AsyncTaskManager.java
M
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/CommandCoordinatorUtil.java
3 files changed, 31 insertions(+), 4 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/33/35733/1
diff --git
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetTasksStatusesByTasksIDsQuery.java
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetTasksStatusesByTasksIDsQuery.java
index 9937105..8cbf97e 100644
---
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetTasksStatusesByTasksIDsQuery.java
+++
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetTasksStatusesByTasksIDsQuery.java
@@ -2,7 +2,9 @@
import org.ovirt.engine.core.bll.tasks.CommandCoordinatorUtil;
import
org.ovirt.engine.core.common.queries.GetTasksStatusesByTasksIDsParameters;
-import org.ovirt.engine.core.dal.dbbroker.DbFacade;
+import org.ovirt.engine.core.compat.Guid;
+
+import java.util.Collection;
public class GetTasksStatusesByTasksIDsQuery<P extends
GetTasksStatusesByTasksIDsParameters>
extends QueriesCommandBase<P> {
@@ -12,9 +14,16 @@
@Override
protected void executeQueryCommand() {
- if (getUser().isAdmin() ||
-
DbFacade.getInstance().getAsyncTaskDao().getVdsmTaskIdsByUser(getUserID()).
- containsAll(getParameters().getTasksIDs())) {
+ boolean userAuthorizedToRunQuery = getUser().isAdmin();
+
+ if (!userAuthorizedToRunQuery) {
+ Collection<Guid> userIds =
CommandCoordinatorUtil.getUserIdsForVdsmTaskIds(getParameters().getTasksIDs());
+ boolean tasksOwnedByUser = userIds.size() == 1 &&
userIds.contains(getUserID());
+ // if user ids is empty the tasks have completed
+ userAuthorizedToRunQuery = userIds.isEmpty() || tasksOwnedByUser;
+ }
+
+ if (userAuthorizedToRunQuery) {
getQueryReturnValue().setReturnValue(CommandCoordinatorUtil.pollTasks(getParameters().getTasksIDs()));
} else {
String errMessage = "Query execution failed due to insufficient
permissions. Users can only query tasks started by them.";
@@ -22,4 +31,5 @@
getQueryReturnValue().setExceptionString(errMessage);
}
}
+
}
diff --git
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/AsyncTaskManager.java
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/AsyncTaskManager.java
index 28a699c..52a9603 100644
---
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/AsyncTaskManager.java
+++
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/AsyncTaskManager.java
@@ -1,12 +1,14 @@
package org.ovirt.engine.core.bll.tasks;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
+import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
@@ -788,4 +790,14 @@
return false;
}
+ public Collection<Guid> getUserIdsForVdsmTaskIds(List<Guid> vdsmTaskIds) {
+ Set<Guid> users = new TreeSet<>();
+ for (Guid id : vdsmTaskIds) {
+ if (_tasks.containsKey(id)) {
+
users.add(_tasks.get(id).getParameters().getDbAsyncTask().getUserId());
+ }
+ }
+ return users;
+ }
+
}
diff --git
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/CommandCoordinatorUtil.java
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/CommandCoordinatorUtil.java
index f23a173..c928eba 100644
---
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/CommandCoordinatorUtil.java
+++
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/tasks/CommandCoordinatorUtil.java
@@ -1,6 +1,7 @@
package org.ovirt.engine.core.bll.tasks;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Future;
@@ -111,6 +112,10 @@
getAsyncTaskManager().logAndFailTaskOfCommandWithEmptyVdsmId(task,
message);
}
+ public static Collection<Guid> getUserIdsForVdsmTaskIds(ArrayList<Guid>
tasksIDs) {
+ return getAsyncTaskManager().getUserIdsForVdsmTaskIds(tasksIDs);
+ }
+
public static void removeTaskFromDbByTaskId(Guid taskId) {
AsyncTaskManager.removeTaskFromDbByTaskId(taskId);
}
--
To view, visit http://gerrit.ovirt.org/35733
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2d036f6a03a5f46342945452340133bd8150ce45
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Oved Ourfali <[email protected]>
Gerrit-Reviewer: Ravi Nori <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
