# HG changeset patch
# User Marcus Granado <[email protected]>
# Date 1268753781 0
# Node ID bda8cf8aa3e40ee4591f71c435361b9ec94a70de
# Parent  708d1cf38f4f700368235b2f6d250f978ccb7a43
CA-38974: improve parameter reporting during obj.destroy in auditlog

Obj.destroy has the nasty side-effect of removing the object name from the 
database.
Therefore, for .destroy actions, no obj name is shown in the audit record 
parameters.

This patch caches the object name before Obj.destroy is called, working around 
this
side-effect.

Signed-off-by: Marcus Granado <[email protected]>

diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac.ml
--- a/ocaml/idl/ocaml_backend/rbac.ml   Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac.ml   Tue Mar 16 15:36:21 2010 +0000
@@ -220,16 +220,19 @@
        if (is_access_allowed ~__context ~session_id ~permission)
        then (* allow access to action *)
        begin
+               let sexpr_of_args =
+                       Rbac_audit.allowed_pre_fn ~action ?args ()
+               in
                try
                        let result = (fn ()) (* call rbac-protected function *)
                        in
-                       Rbac_audit.allowed_ok ~__context ~session_id ~action
-                                       ~permission ?args ~result ();
+                       Rbac_audit.allowed_post_fn_ok ~__context ~session_id 
~action
+                                       ~permission ?sexpr_of_args ?args 
~result ();
                        result
                with error-> (* catch all exceptions *)
                        begin
-                               Rbac_audit.allowed_error ~__context ~session_id 
~action 
-                                       ~permission ?args ~error ();
+                               Rbac_audit.allowed_post_fn_error ~__context 
~session_id ~action 
+                                       ~permission ?sexpr_of_args ?args ~error 
();
                                raise error
                        end
        end
diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml     Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml     Tue Mar 16 15:36:21 2010 +0000
@@ -314,7 +314,7 @@
        with e -> (* never bubble up the error here *) 
                D.debug "ignoring %s" (ExnHelper.string_of_exn e)
 
-let sexpr_of __context session_id allowed_denied ok_error result_error ?args 
action permission =
+let sexpr_of __context session_id allowed_denied ok_error result_error ?args 
?sexpr_of_args action permission =
   let result_error = 
                if result_error = "" then result_error else ":"^result_error
        in
@@ -328,7 +328,11 @@
     SExpr.String (call_type_of action)::
                (*SExpr.String (Helper_hostname.get_hostname ())::*)
     SExpr.String action::
-    (SExpr.Node (sexpr_of_parameters action args))::
+    (SExpr.Node (
+                       match sexpr_of_args with
+                       | None -> (sexpr_of_parameters action args)
+                       | Some sexpr_of_args -> sexpr_of_args
+                ))::
                []
        )
 
@@ -336,11 +340,11 @@
 
 let fn_append_to_master_audit_log = ref None
 
-let audit_line_of __context session_id allowed_denied ok_error result_error 
action permission ?args =
+let audit_line_of __context session_id allowed_denied ok_error result_error 
action permission ?args ?sexpr_of_args () =
        let _line = 
                (SExpr.string_of 
                         (sexpr_of __context session_id allowed_denied 
-                                       ok_error result_error ?args action 
permission
+                                       ok_error result_error ?args 
?sexpr_of_args action permission
                         )
                )
        in
@@ -353,13 +357,24 @@
                | None -> () 
                | Some fn -> fn __context action audit_line
 
-let allowed_ok ~__context ~session_id ~action ~permission ?args ?result () =
+let allowed_pre_fn ~action ?args () =
+       try
+               if (has_to_audit action)
+                       (* for now, we only cache arg results for destroy 
actions *)
+                       && (Stringext.String.has_substr action ".destroy")
+               then Some(sexpr_of_parameters action args)
+               else None
+       with e -> 
+               D.debug "ignoring %s" (ExnHelper.string_of_exn e);
+               None
+
+let allowed_post_fn_ok ~__context ~session_id ~action ~permission 
?sexpr_of_args ?args ?result () =
        wrap (fun () ->
                if has_to_audit action then 
-                       audit_line_of __context session_id "ALLOWED" "OK" "" 
action permission ?args
+                       audit_line_of __context session_id "ALLOWED" "OK" "" 
action permission ?sexpr_of_args ?args ()
        )
 
-let allowed_error ~__context ~session_id ~action ~permission ?args ?error () =
+let allowed_post_fn_error ~__context ~session_id ~action ~permission 
?sexpr_of_args ?args ?error () =
        wrap (fun () ->
                if has_to_audit action then
                        let error_str = 
@@ -367,13 +382,13 @@
                                | None -> ""
                                | Some error -> (ExnHelper.string_of_exn error)
                        in
-                       audit_line_of __context session_id "ALLOWED" "ERROR" 
error_str action permission ?args
+                       audit_line_of __context session_id "ALLOWED" "ERROR" 
error_str action permission ?sexpr_of_args  ?args ()
        )
        
 let denied ~__context ~session_id ~action ~permission ?args () =
        wrap (fun () ->
                if has_to_audit action then
-                       audit_line_of __context session_id "DENIED" "" "" 
action permission ?args
+                       audit_line_of __context session_id "DENIED" "" "" 
action permission ?args ()
        )
 
 let session_destroy ~__context ~session_id =
2 files changed, 31 insertions(+), 13 deletions(-)
ocaml/idl/ocaml_backend/rbac.ml       |   11 +++++++----
ocaml/idl/ocaml_backend/rbac_audit.ml |   33 ++++++++++++++++++++++++---------


# HG changeset patch
# User Marcus Granado <[email protected]>
# Date 1268753781 0
# Node ID bda8cf8aa3e40ee4591f71c435361b9ec94a70de
# Parent  708d1cf38f4f700368235b2f6d250f978ccb7a43
CA-38974: improve parameter reporting during obj.destroy in auditlog

Obj.destroy has the nasty side-effect of removing the object name from the database.
Therefore, for .destroy actions, no obj name is shown in the audit record parameters.

This patch caches the object name before Obj.destroy is called, working around this
side-effect.

Signed-off-by: Marcus Granado <[email protected]>

diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac.ml
--- a/ocaml/idl/ocaml_backend/rbac.ml	Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac.ml	Tue Mar 16 15:36:21 2010 +0000
@@ -220,16 +220,19 @@
 	if (is_access_allowed ~__context ~session_id ~permission)
 	then (* allow access to action *)
 	begin
+		let sexpr_of_args =
+			Rbac_audit.allowed_pre_fn ~action ?args ()
+		in
 		try
 			let result = (fn ()) (* call rbac-protected function *)
 			in
-			Rbac_audit.allowed_ok ~__context ~session_id ~action
-					~permission ?args ~result ();
+			Rbac_audit.allowed_post_fn_ok ~__context ~session_id ~action
+					~permission ?sexpr_of_args ?args ~result ();
 			result
 		with error-> (* catch all exceptions *)
 			begin
-				Rbac_audit.allowed_error ~__context ~session_id ~action 
-					~permission ?args ~error ();
+				Rbac_audit.allowed_post_fn_error ~__context ~session_id ~action 
+					~permission ?sexpr_of_args ?args ~error ();
 				raise error
 			end
 	end
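Review bot: The new `let sexpr_of_args = Rbac_audit.allowed_pre_fn ~action ?args () in` binding has no comment saying that its position before `fn ()` is what keeps the audit record complete, so a later refactor could move it inside the `try` or after the call without noticing the loss. I would add above it `(* snapshot the audit parameters before fn () runs: a .destroy removes the object name from the database *)`. The same snapshot is used on both the OK and the ERROR path, so a failed destroy is also logged with the pre-call names; that looks intended but is worth stating in the comment. The enclosing function starts and ends outside this hunk.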
diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml	Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml	Tue Mar 16 15:36:21 2010 +0000
@@ -314,7 +314,7 @@
 	with e -> (* never bubble up the error here *) 
 		D.debug "ignoring %s" (ExnHelper.string_of_exn e)
 
-let sexpr_of __context session_id allowed_denied ok_error result_error ?args action permission =
+let sexpr_of __context session_id allowed_denied ok_error result_error ?args ?sexpr_of_args action permission =
   let result_error = 
 		if result_error = "" then result_error else ":"^result_error
 	in
@@ -328,7 +328,11 @@
     SExpr.String (call_type_of action)::
 		(*SExpr.String (Helper_hostname.get_hostname ())::*)
     SExpr.String action::
-    (SExpr.Node (sexpr_of_parameters action args))::
+    (SExpr.Node (
+			match sexpr_of_args with
+			| None -> (sexpr_of_parameters action args)
+			| Some sexpr_of_args -> sexpr_of_args
+		 ))::
 		[]
 	)
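Review bot: In the new `match sexpr_of_args with`, the `Some sexpr_of_args -> sexpr_of_args` arm shadows the optional argument with its own contents and silently ignores `args` whenever a cached value is supplied. Binding the value under a different name, e.g. `| Some cached -> cached`, and adding `(* prefer parameters captured before the call; fall back to a fresh lookup *)` would make the precedence explicit for whoever reads the audit path next. The body of `sexpr_of` starts outside this hunk.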
 
@@ -336,11 +340,11 @@
 
 let fn_append_to_master_audit_log = ref None
 
-let audit_line_of __context session_id allowed_denied ok_error result_error action permission ?args =
+let audit_line_of __context session_id allowed_denied ok_error result_error action permission ?args ?sexpr_of_args () =
 	let _line = 
 		(SExpr.string_of 
 			 (sexpr_of __context session_id allowed_denied 
-					ok_error result_error ?args action permission
+					ok_error result_error ?args ?sexpr_of_args action permission
 			 )
 		)
 	in
@@ -353,13 +357,24 @@
 		| None -> () 
 		| Some fn -> fn __context action audit_line
 
-let allowed_ok ~__context ~session_id ~action ~permission ?args ?result () =
+let allowed_pre_fn ~action ?args () =
+	try
+		if (has_to_audit action)
+			(* for now, we only cache arg results for destroy actions *)
+			&& (Stringext.String.has_substr action ".destroy")
+		then Some(sexpr_of_parameters action args)
+		else None
+	with e -> 
+		D.debug "ignoring %s" (ExnHelper.string_of_exn e);
+		None
+
+let allowed_post_fn_ok ~__context ~session_id ~action ~permission ?sexpr_of_args ?args ?result () =
 	wrap (fun () ->
 		if has_to_audit action then 
-			audit_line_of __context session_id "ALLOWED" "OK" "" action permission ?args
+			audit_line_of __context session_id "ALLOWED" "OK" "" action permission ?sexpr_of_args ?args ()
 	)
 
-let allowed_error ~__context ~session_id ~action ~permission ?args ?error () =
+let allowed_post_fn_error ~__context ~session_id ~action ~permission ?sexpr_of_args ?args ?error () =
 	wrap (fun () ->
 		if has_to_audit action then
 			let error_str = 
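Review bot: `allowed_pre_fn` swallows every exception at debug level and returns `None`, after which `sexpr_of` falls back to the post-call lookup, so a failed snapshot yields a destroy audit record with the object name missing and nothing in the record to show why. For an audit trail I would log that failure above debug level (for example `D.warn` in place of `D.debug`, assuming the `D` module exposes it) so the degraded record can be correlated with its cause. Separately, `Stringext.String.has_substr action ".destroy"` matches the substring anywhere in the action name rather than as its final component; if only `<class>.destroy` calls are meant, a suffix test would say so, and otherwise the comment should mention the broader match. `allowed_pre_fn` also deserves a doc comment stating that it must be called before the protected function runs. The body of `allowed_post_fn_error` continues outside the hunk.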
@@ -367,13 +382,13 @@
 				| None -> ""
 				| Some error -> (ExnHelper.string_of_exn error)
 			in
-			audit_line_of __context session_id "ALLOWED" "ERROR" error_str action permission ?args
+			audit_line_of __context session_id "ALLOWED" "ERROR" error_str action permission ?sexpr_of_args  ?args ()
 	)
 	
 let denied ~__context ~session_id ~action ~permission ?args () =
 	wrap (fun () ->
 		if has_to_audit action then
-			audit_line_of __context session_id "DENIED" "" "" action permission ?args
+			audit_line_of __context session_id "DENIED" "" "" action permission ?args ()
 	)
 
 let session_destroy ~__context ~session_id =