Moti Asayag has uploaded a new change for review. Change subject: engine: Require Permissions on Network ......................................................................
engine: Require Permissions on Network Actions that using Networks will require specific permissions for the subjected network: Network's usage actions reqiore users to have an action group CONFIGURE_VM_NETWORK for using the network. In order to configure PORT_MIRRORING the user must have PORT_MIRRORING action group on the network. The patch assumes the network name might be empty for creating a vNic which isn't connected to any network (as part of the Network Wiring feature). Change-Id: Ife019f6195b8a8c09e7dba989f37f150700dbaea Signed-off-by: Moti Asayag <[email protected]> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateInterfaceCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmInterfaceCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmTemplateInterfaceCommand.java 4 files changed, 120 insertions(+), 12 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/44/9544/1
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java
index 1a0269d..a3e172f 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java
@@ -179,7 +179,7 @@
 Network interfaceNetwork = LinqUtils.firstOrNull(networks, new Predicate<Network>() {
 @Override
 public boolean eval(Network network) {
- return network.getname().equals(getParameters().getInterface().getNetworkName());
+ return network.getname().equals(getNetworkName());
 }
 });
@@ -258,14 +258,26 @@
 @Override
 public List<PermissionSubject> getPermissionCheckSubjects() {
 List<PermissionSubject> permissionList = super.getPermissionCheckSubjects();
- if (getParameters().getInterface() != null && getVm() != null && getParameters().getInterface().isPortMirroring()) {
- permissionList.add(new PermissionSubject(getVm().getstorage_pool_id(),
- VdcObjectType.StoragePool,
- ActionGroup.PORT_MIRRORING));
+ if (getParameters().getInterface() != null && StringUtils.isNotEmpty(getNetworkName()) && getVm() != null) {
+
+ Network network = getNetworkDAO().getByNameAndCluster(getNetworkName(), getVm().getvds_group_id());
+ permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ ActionGroup.CONFIGURE_VM_NETWORK));
+
+ if (getParameters().getInterface().isPortMirroring()) {
+ permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ ActionGroup.PORT_MIRRORING));
+ }
 }
 return permissionList;
 }
+ private String getNetworkName() {
+ return getParameters().getInterface().getNetworkName();
+ }
+
 private void propagateFailure(VdcReturnValueBase internalReturnValue) {
 getReturnValue().getExecuteFailedMessages().addAll(internalReturnValue.getExecuteFailedMessages());
 getReturnValue().setFault(internalReturnValue.getFault());
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateInterfaceCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateInterfaceCommand.java
index 60ddca7..39ed8e8 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateInterfaceCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateInterfaceCommand.java
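Review bot: Both subjects added in this hunk get a null object id when `getNetworkDAO().getByNameAndCluster(...)` finds no network in the VM's cluster (`network == null ? null : network.getId()`), so whether an unknown network name is refused or passes the permission stage depends on how the permission checker treats a null id, which the hunk neither documents nor guards; the same pattern appears in the AddVmTemplateInterfaceCommand, UpdateVmInterfaceCommand and UpdateVmTemplateInterfaceCommand hunks. If the intent is that canDoAction rejects the missing network afterwards, a comment saying so belongs above the first `permissionList.add(...)`, e.g. `// network may be null here; canDoAction reports NETWORK_NOT_EXISTS_IN_CURRENT_CLUSTER`, and the repeated ternary can be hoisted into one local such as `Guid networkId = network == null ? null : network.getId();` if Guid is in scope in this file. Separately, this command hard-codes `ActionGroup.CONFIGURE_VM_NETWORK` while AddVmTemplateInterfaceCommand uses `getActionType().getActionGroup()` for the same Network-typed subject; if that difference is deliberate it should be stated in a comment.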
@@ -3,14 +3,18 @@
 import java.util.ArrayList;
 import java.util.List;
+import org.apache.commons.lang.StringUtils;
+import org.ovirt.engine.core.bll.utils.PermissionSubject;
 import org.ovirt.engine.core.bll.utils.VmDeviceUtils;
 import org.ovirt.engine.core.common.AuditLogType;
+import org.ovirt.engine.core.common.VdcObjectType;
 import org.ovirt.engine.core.common.action.AddVmTemplateInterfaceParameters;
+import org.ovirt.engine.core.common.businessentities.ActionGroup;
 import org.ovirt.engine.core.common.businessentities.DiskImageBase;
+import org.ovirt.engine.core.common.businessentities.Network;
 import org.ovirt.engine.core.common.businessentities.VmDeviceId;
 import org.ovirt.engine.core.common.businessentities.VmInterfaceType;
 import org.ovirt.engine.core.common.businessentities.VmNetworkInterface;
-import org.ovirt.engine.core.common.businessentities.Network;
 import org.ovirt.engine.core.common.validation.group.CreateEntity;
 import org.ovirt.engine.core.compat.Guid;
 import org.ovirt.engine.core.dal.VdcBllMessages;
@@ -85,7 +89,7 @@
 if (null == LinqUtils.firstOrNull(networks, new Predicate<Network>() {
 @Override
 public boolean eval(Network network) {
- return network.getname().equals(getParameters().getInterface().getNetworkName());
+ return network.getname().equals(getNetworkName());
 }
 })) {
 addCanDoActionMessage(VdcBllMessages.NETWORK_NOT_EXISTS_IN_CURRENT_CLUSTER);
@@ -116,4 +120,30 @@
 return getSucceeded() ? AuditLogType.NETWORK_ADD_TEMPLATE_INTERFACE : AuditLogType.NETWORK_ADD_TEMPLATE_INTERFACE_FAILED;
 }
+
+ @Override
+ public List<PermissionSubject> getPermissionCheckSubjects() {
+ List<PermissionSubject> subjects = super.getPermissionCheckSubjects();
+
+ if (getParameters().getInterface() != null && StringUtils.isNotEmpty(getNetworkName())
+ && getVmTemplate() != null) {
+
+ Network network = getNetworkDAO().getByNameAndCluster(getNetworkName(), getVmTemplate().getvds_group_id());
+ subjects.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ getActionType().getActionGroup()));
+
+ if (getParameters().getInterface().isPortMirroring()) {
+ subjects.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ ActionGroup.PORT_MIRRORING));
+ }
+ }
+
+ return subjects;
+ }
+
+ private String getNetworkName() {
+ return getParameters().getInterface().getNetworkName();
+ }
 }
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmInterfaceCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmInterfaceCommand.java
index 9c486ac..c6a705a 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmInterfaceCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmInterfaceCommand.java
@@ -3,8 +3,8 @@
 import java.util.List;
 import org.apache.commons.lang.StringUtils;
-import org.ovirt.engine.core.common.AuditLogType;
 import org.ovirt.engine.core.bll.utils.PermissionSubject;
+import org.ovirt.engine.core.common.AuditLogType;
 import org.ovirt.engine.core.common.VdcObjectType;
 import org.ovirt.engine.core.common.action.AddVmInterfaceParameters;
 import org.ovirt.engine.core.common.businessentities.ActionGroup;
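Review bot: The network subject in the new override uses `getActionType().getActionGroup()` while the equivalent line in AddVmInterfaceCommand uses the network-scoped `ActionGroup.CONFIGURE_VM_NETWORK`; if the template action type's group is a template-scoped one, a `VdcObjectType.Network` subject would be checked against a group that is never granted on a network, so the mapping should be confirmed and, either way, named in a comment above the first `subjects.add(...)`. The override also has no Javadoc; suggest `/** Requires permission on the vNic's target network, plus PORT_MIRRORING when requested; an empty network name (unwired vNic) adds no network subject. */`.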
@@ -205,11 +205,33 @@
 @Override
 public List<PermissionSubject> getPermissionCheckSubjects() {
 List<PermissionSubject> permissionList = super.getPermissionCheckSubjects();
- if (getParameters().getInterface() != null && getVm() != null && getParameters().getInterface().isPortMirroring()) {
- permissionList.add(new PermissionSubject(getVm().getstorage_pool_id(),
- VdcObjectType.StoragePool,
- ActionGroup.PORT_MIRRORING));
+
+ if (getParameters().getInterface() != null && StringUtils.isNotEmpty(getNetworkName()) && getVm() != null) {
+
+ VmNetworkInterface iface =
+ getDbFacade().getVmNetworkInterfaceDao().get(getParameters().getInterface().getId());
+ if (iface != null) {
+ Network network = getNetworkDAO().getByNameAndCluster(getNetworkName(), getVm().getvds_group_id());
+
+ // If the vNic's network is changed, the user should have permission for using the new network
+ if (isNetworkChanged(iface)) {
+ permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ ActionGroup.CONFIGURE_VM_NETWORK));
+ }
+
+ if (getParameters().getInterface().isPortMirroring()
+ && (isNetworkChanged(iface) || !iface.isPortMirroring())) {
+ permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ ActionGroup.PORT_MIRRORING));
+ }
+ }
 }
 return permissionList;
 }
+
+ private boolean isNetworkChanged(VmNetworkInterface iface) {
+ return !getNetworkName().equals(iface.getNetworkName());
+ }
 }
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmTemplateInterfaceCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmTemplateInterfaceCommand.java
index 79689c0..71e603b 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmTemplateInterfaceCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmTemplateInterfaceCommand.java
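Review bot: When `getDbFacade().getVmNetworkInterfaceDao().get(...)` returns null the hunk adds no network subject at all, so an update naming an interface id the DAO cannot load is checked only against the subjects from `super`; unless canDoAction is guaranteed to reject that case before execute, the check should fail closed by treating a missing row as a changed network, which also lets `isNetworkChanged(iface)` be evaluated once instead of twice. The same structure is in the UpdateVmTemplateInterfaceCommand hunk. The rewritten inner block follows; the outer `if (getParameters().getInterface() != null && ...)` guard and the `isNetworkChanged` helper are unchanged.
```java
            VmNetworkInterface iface =
                    getDbFacade().getVmNetworkInterfaceDao().get(getParameters().getInterface().getId());
            Network network = getNetworkDAO().getByNameAndCluster(getNetworkName(), getVm().getvds_group_id());
            // A vNic that cannot be loaded is treated as changed so the permission check fails closed
            boolean networkChanged = iface == null || isNetworkChanged(iface);

            if (networkChanged) {
                permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
                        VdcObjectType.Network,
                        ActionGroup.CONFIGURE_VM_NETWORK));
            }

            if (getParameters().getInterface().isPortMirroring()
                    && (networkChanged || !iface.isPortMirroring())) {
                // … unchanged: PORT_MIRRORING subject …
            }
```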
@@ -2,8 +2,13 @@
 import java.util.List;
+import org.apache.commons.lang.StringUtils;
+import org.ovirt.engine.core.bll.utils.PermissionSubject;
 import org.ovirt.engine.core.common.AuditLogType;
+import org.ovirt.engine.core.common.VdcObjectType;
 import org.ovirt.engine.core.common.action.AddVmTemplateInterfaceParameters;
+import org.ovirt.engine.core.common.businessentities.ActionGroup;
+import org.ovirt.engine.core.common.businessentities.Network;
 import org.ovirt.engine.core.common.businessentities.VmInterfaceType;
 import org.ovirt.engine.core.common.businessentities.VmNetworkInterface;
 import org.ovirt.engine.core.common.validation.group.UpdateEntity;
@@ -90,4 +95,43 @@
 return getSucceeded() ? AuditLogType.NETWORK_UPDATE_TEMPLATE_INTERFACE : AuditLogType.NETWORK_UPDATE_TEMPLATE_INTERFACE_FAILED;
 }
+
+ @Override
+ public List<PermissionSubject> getPermissionCheckSubjects() {
+ List<PermissionSubject> permissionList = super.getPermissionCheckSubjects();
+
+ if (getParameters().getInterface() != null && StringUtils.isNotEmpty(getNetworkName())
+ && getVmTemplate() != null) {
+
+ VmNetworkInterface iface =
+ getDbFacade().getVmNetworkInterfaceDao().get(getParameters().getInterface().getId());
+ if (iface != null) {
+ Network network =
+ getNetworkDAO().getByNameAndCluster(getNetworkName(), getVmTemplate().getvds_group_id());
+
+ // If the vNic's network is changed, the user should have permission for using the new network
+ if (isNetworkChanged(iface)) {
+ permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ getActionType().getActionGroup()));
+ }
+
+ if (getParameters().getInterface().isPortMirroring()
+ && (isNetworkChanged(iface) || !iface.isPortMirroring())) {
+ permissionList.add(new PermissionSubject(network == null ? null : network.getId(),
+ VdcObjectType.Network,
+ ActionGroup.PORT_MIRRORING));
+ }
+ }
+ }
+ return permissionList;
+ }
+
+ private boolean isNetworkChanged(VmNetworkInterface iface) {
+ return !getNetworkName().equals(iface.getNetworkName());
+ }
+
+ private String getNetworkName() {
+ return getParameters().getInterface().getNetworkName();
+ }
 }
--
To view, visit http://gerrit.ovirt.org/9544
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ife019f6195b8a8c09e7dba989f37f150700dbaea
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Moti Asayag <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
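Review bot: This override is a line-for-line copy of the one in UpdateVmInterfaceCommand apart from `getVmTemplate()` and `getActionType().getActionGroup()`, and `getNetworkName()` is now duplicated across four commands; if the four commands share a base class, a helper there taking the cluster id and the action group would keep the permission checks from drifting apart. `isNetworkChanged(iface)` is also called twice in the same block and could be stored in a local. The override has no Javadoc; suggest `/** Requires permission on the target network when the vNic's network changes, and PORT_MIRRORING when it is newly requested or the network changes; an empty network name (unwired vNic) adds no network subject. */`.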
