The message now includes which roles *do* have the required permission.

Signed-off-by: Rok Strnisa <[email protected]>


 ocaml/idl/ocaml_backend/OMakefile |   2 ++
 ocaml/idl/ocaml_backend/rbac.ml   |  27 ++++++++++++++++++++-------
 ocaml/xapi/OMakefile              |   2 --
 3 files changed, 22 insertions(+), 9 deletions(-)


# HG changeset patch
# User Rok Strnisa <[email protected]>
# Date 1282839530 -3600
# Node ID deea41560521ebeb1c5cc8822ea6a4ec5235824a
# Parent  2743e64a67a66216bd3d4fdfed6c5d0c31fb901c
Provides the user with a friendlier message when they are denied access.

The message now includes which roles *do* have the required permission.

Signed-off-by: Rok Strnisa <[email protected]>

diff --git a/ocaml/idl/ocaml_backend/OMakefile b/ocaml/idl/ocaml_backend/OMakefile
--- a/ocaml/idl/ocaml_backend/OMakefile
+++ b/ocaml/idl/ocaml_backend/OMakefile
@@ -98,6 +98,8 @@ SERVER_OBJS = ../../database/escaping lo
 	../../xapi/xapi_inventory \
 	../../xapi/hashtbl_xml \
 	../../xapi/localdb \
+	../../xapi/xapi_role \
+	../../xapi/db \
 	rbac \
 	rbac_audit \
 	../../autogen/rbac_static \
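Review bot: Adding `../../xapi/xapi_role` and `../../xapi/db` to SERVER_OBJS makes the generated-server layer in ocaml/idl/ocaml_backend depend on modules that live under ocaml/xapi, which (judging from the removals in ocaml/xapi/OMakefile later in this patch) previously sat above it; if rbac.ml only needs the permission-to-role lookup, a narrower option is to pass that lookup in as a function value from xapi rather than linking xapi_role and the db layer here. This is inferred from the object lists alone, so worth confirming against the actual module graph before merging.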
diff --git a/ocaml/idl/ocaml_backend/rbac.ml b/ocaml/idl/ocaml_backend/rbac.ml
--- a/ocaml/idl/ocaml_backend/rbac.ml
+++ b/ocaml/idl/ocaml_backend/rbac.ml
@@ -11,6 +11,9 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Lesser General Public License for more details.
  *)
+
+open Listext
+
 module D = Debug.Debugger(struct let name="rbac" end)
 open D
 
@@ -216,7 +219,7 @@ let nofn = fun () -> ()
 let check ?(extra_dmsg="") ?(extra_msg="") ?args ?(keys=[]) ~__context ~fn session_id action =
 
 	let permission = permission_of_action action ?args ~keys in
-	
+
 	if (is_access_allowed ~__context ~session_id ~permission)
 	then (* allow access to action *)
 	begin
@@ -231,18 +234,28 @@ let check ?(extra_dmsg="") ?(extra_msg="
 			result
 		with error-> (* catch all exceptions *)
 			begin
-				Rbac_audit.allowed_post_fn_error ~__context ~session_id ~action 
+				Rbac_audit.allowed_post_fn_error ~__context ~session_id ~action
 					~permission ?sexpr_of_args ?args ~error ();
 				raise error
 			end
 	end
-	else (* deny access to action *)
-	begin
-		let msg=(Printf.sprintf "No permission in user session%s" extra_msg) in
+	else begin (* deny access to action *)
+		let allowed_roles_string =
+			try
+				let allowed_roles = Xapi_role.get_by_permission_name_label ~__context ~label:permission in
+				List.fold_left
+					(fun acc allowed_role -> acc ^ (if acc = "" then "" else ", ") ^
+						 (Xapi_role.get_name_label ~__context ~self:allowed_role))
+					"" allowed_roles
+			with e -> debug "Could not obtain allowed roles for %s (%s)" permission (ExnHelper.string_of_exn e);
+				"<Could not obtain the list.>"
+		in
+		let msg = (Printf.sprintf "No permission in user session. (Roles with this permission: %s)%s"
+								 allowed_roles_string extra_msg) in
 		debug "%s[%s]: %s %s %s" action permission msg (trackid session_id) extra_dmsg;
-		Rbac_audit.denied ~__context ~session_id ~action ~permission 
+		Rbac_audit.denied ~__context ~session_id ~action ~permission
 			?args ();
-		raise (Api_errors.Server_error 
+		raise (Api_errors.Server_error
 			(Api_errors.rbac_permission_denied,[permission;msg]))
 	end
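Review bot: The fold that builds `allowed_roles_string` is a hand-rolled string join with `^` and an `if acc = ""` separator check; the same result is the two-liner `let allowed_roles = Xapi_role.get_by_permission_name_label ~__context ~label:permission in` followed by `String.concat ", " (List.map (fun self -> Xapi_role.get_name_label ~__context ~self) allowed_roles)`, which also avoids the quadratic concatenation. When no role holds the permission the message currently reads "Roles with this permission: )", so consider substituting a marker such as `"<none>"` for the empty string so the caller is not left guessing. The surrounding `with e ->` catch-all is acceptable as a best-effort fallback since it logs and returns a placeholder rather than masking the denial, but note it also hides failures of the database layer itself. On the disclosure side, the permission name was already returned in `rbac_permission_denied` and the role-to-permission mapping comes from the static `rbac_static` table, so listing role names to an authenticated but denied caller does not appear to reveal anything beyond the documented role model; the `Rbac_audit.denied` record is unchanged, which is the right place for the full detail. The enclosing `check` function starts in the previous hunk.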
 
diff --git a/ocaml/xapi/OMakefile b/ocaml/xapi/OMakefile
--- a/ocaml/xapi/OMakefile
+++ b/ocaml/xapi/OMakefile
@@ -38,7 +38,6 @@ OCamlProgram(show_bat, show_bat)
 COMMON = \
 	xapi_templates \
 	../idl/api_lowlevel \
-	db \
 	nm \
 	xapi_mgmt_iface \
 	smint \
@@ -108,7 +107,6 @@ XAPI_MODULES = $(COMMON) \
 	../auth/extauth_plugin_ADlikewise \
 	../auth/parse_likewise \
 	xapi_subject \
-	xapi_role \
 	audit_log \
 	xapi_vmpp \
 	xapi_vm_lifecycle \