Summary: IMM access control configurability
Review request for Trac Ticket(s): 938
Peer Reviewer(s): IMM devels
Pull request to: <<LIST THE PERSON WITH PUSH ACCESS HERE>>
Affected branch(es): 4.5/default
Development branch: <<IF ANY GIVE THE REPO URL>>

--------------------------------
Impacted area       Impact y/n
--------------------------------
 Docs                    n
 Build system            n
 RPM/packaging           n
 Configuration files     n
 Startup scripts         n
 SAF services            y
 OpenSAF services        n
 Core libraries          n
 Samples                 n
 Tests                   n
 Other                   n

Comments (indicate scope for each "y" above):
---------------------------------------------

changeset 2cae24150a872a6f0aed8beb00b6e33f217771cf
Author: Hans Feldt <hans.fe...@ericsson.com>
Date:   Fri, 15 Aug 2014 11:53:39 +0200

    immsv: add configurability of access control [#938]

    A new boolean attribute accessControlEnabled is added to the OpensafImm
    class. Its default value is OFF meaning no access control. This is to be
    backwards compatible for upgrade of existing systems.

    Access control is in runtime enabled with:
    immcfg -a accessControlEnabled=1 opensafImm=opensafImm,safApp=safImmService

    And disabled with:
    immcfg -a accessControlEnabled=0 opensafImm=opensafImm,safApp=safImmService

    An additional UNIX group that allows IMM access can be configured with the
    adminGroupName attribute in the OpensafImm class.
    For example:
    immcfg -a adminGroupName=osafimmadm opensafImm=opensafImm,safApp=safImmService

Complete diffstat:
------------------
 osaf/libs/common/immsv/include/immsv_api.h     |   2 ++
 osaf/services/saf/immsv/immloadd/imm_loader.cc |  23 +++++++++++++++++++++--
 osaf/services/saf/immsv/immnd/ImmModel.cc      |  65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 osaf/services/saf/immsv/immnd/ImmModel.hh      |   2 ++
 osaf/services/saf/immsv/immnd/immnd_cb.h       |   1 -
 osaf/services/saf/immsv/immnd/immnd_evt.c      |  34 ++++++++++++++++++++--------------
 osaf/services/saf/immsv/immnd/immnd_init.h     |   2 ++
 osaf/services/saf/immsv/immnd/immnd_main.c     |   2 --
 samples/immsv/OpensafImm_Upgrade_4.5.xml       |  13 +++++++++++++
 9 files changed, 125 insertions(+), 19 deletions(-)

Testing Commands:
-----------------
Build and start a default opensaf build (as non root)
Run the following script:

# test script for IMM access control and configurability
# works on Ubuntu 14.04 where user has sudo access without password

dn="opensafImm=opensafImm,safApp=safImmService"

# by default access is allowed
immlist $dn >& /dev/null || exit 1

# reconfigure to a group the user is not a member of
id | grep whoopsie && exit 1
immcfg -a adminGroupName=whoopsie $dn || exit 1
immcfg -a accessControlEnabled=1 $dn || exit 1

# expect failure now
immcfg -a accessControlEnabled=0 $dn && exit 1

# access as root is possible
sudo immlist $dn >& /dev/null || exit 1

# configure access for group adm
id | grep adm >& /dev/null || exit 1
sudo immcfg -a adminGroupName=adm $dn || exit 1

# check access for username opensaf
sudo su -c immfind opensaf >& /dev/null || exit 1

# check access as member of group
immcfg -a accessControlEnabled=0 $dn || exit 1

Testing, Expected Results:
--------------------------
Opensaf starts, test script works

Conditions of Submission:
-------------------------
Ack from maintainers

Arch      Built     Started    Linux distro
-------------------------------------------
mips        n          n
mips64      n          n
x86         n          n
x86_64      y          y       Ubuntu 14.04
powerpc     n          n
powerpc64   n          n

Reviewer Checklist:
-------------------
[Submitters: make sure that your review doesn't trigger any checkmarks!]

Your checkin has not passed review because (see checked entries):

___ Your RR template is generally incomplete; it has too many blank entries
    that need proper data filled in.

___ You have failed to nominate the proper persons for review and push.

___ Your patches do not have proper short+long header

___ You have grammar/spelling in your header that is unacceptable.

___ You have exceeded a sensible line length in your headers/comments/text.

___ You have failed to put in a proper Trac Ticket # into your commits.

___ You have incorrectly put/left internal data in your comments/files
    (i.e. internal bug tracking tool IDs, product names etc)

___ You have not given any evidence of testing beyond basic build tests.
    Demonstrate some level of runtime or other sanity testing.

___ You have ^M present in some of your files. These have to be removed.

___ You have needlessly changed whitespace or added whitespace crimes
    like trailing spaces, or spaces before tabs.

___ You have mixed real technical changes with whitespace and other
    cosmetic code cleanup changes. These have to be separate commits.

___ You need to refactor your submission into logical chunks; there is
    too much content into a single commit.

___ You have extraneous garbage in your review (merge commits etc)

___ You have giant attachments which should never have been sent;
    Instead you should place your content in a public tree to be pulled.

___ You have too many commits attached to an e-mail; resend as threaded
    commits, or place in a public tree for a pull.

___ You have resent this content multiple times without a clear indication
    of what has changed between each re-send.

___ You have failed to adequately and individually address all of the
    comments and change requests that were proposed in the initial review.

___ You have a misconfigured ~/.hgrc file (i.e. username, email etc)

___ Your computer has a badly configured date and time; confusing the
    threaded patch review.

___ Your changes affect IPC mechanism, and you don't present any results
    for in-service upgradability test.

___ Your changes affect user manual and documentation, your patch series
    do not contain the patch that updates the Doxygen manual.
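
Added example (not part of the original review request or of the OpenSAF code): a pre-flight check to run before setting accessControlEnabled=1, so that the account making the change is not locked out the way the "expect failure now" step of the test script is. The access model used here (root, the user opensaf, and members of adminGroupName keep access) is an assumption inferred from that test script, and the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check before: immcfg -a accessControlEnabled=1 <dn>
# Assumed access model (inferred from the test script in this mail, not
# taken from the immnd source): root, the user "opensaf", and members of
# the group named in adminGroupName keep IMM access once it is enabled.

# imm_access_retained UID USER ADMIN_GROUP GROUP...
# Pure decision function: returns 0 if the described account would keep
# access, 1 if it would be locked out.
imm_access_retained() {
    uid=$1; user=$2; admin_group=$3
    shift 3
    [ "$uid" -eq 0 ] && return 0
    [ "$user" = "opensaf" ] && return 0
    # An empty adminGroupName grants nothing beyond root and opensaf.
    [ -n "$admin_group" ] || return 1
    for g in "$@"; do
        [ "$g" = "$admin_group" ] && return 0
    done
    return 1
}

# preflight ADMIN_GROUP [USER]
# Looks the account up with id(1) and applies the decision above.
# Returns 2 if the user does not exist.
preflight() {
    admin_group=$1
    user=${2:-$(id -un)}
    uid=$(id -u "$user") || return 2
    # id -Gn prints space-separated group names; split on purpose.
    # shellcheck disable=SC2046
    imm_access_retained "$uid" "$user" "$admin_group" $(id -Gn "$user")
}
```

Run `preflight whoopsie` as the account that will issue the immcfg command; a non-zero status means that account would need sudo to turn access control off again.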