Hello Alon Bar-Lev,
I'd like you to do a code review. Please visit
http://gerrit.ovirt.org/26441
to review the following change.
Change subject: aaa: Introducing attach_user_to_su_role
......................................................................
aaa: Introducing attach_user_to_su_role
1. Introduced a function to attach a role to a user on the system object
2. Removed attach_user_to_su_role
3. Moved generation of permission id to DB (changed manage domains code)
4. Introduced ovirt-engine-role.sh script to add role to authz user.
Change-Id: I7c6e25aa5f187ae06bd105f5493acacda355730a
Signed-off-by: Yair Zaslavsky <[email protected]>
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M
backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/tools/ManageDomainsDAOImpl.java
M ovirt-engine.spec.in
A packaging/bin/ovirt-engine-role.sh
M packaging/dbscripts/common_sp.sql
4 files changed, 128 insertions(+), 28 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/41/26441/1
diff --git
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/tools/ManageDomainsDAOImpl.java
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/tools/ManageDomainsDAOImpl.java
index 5c5039a..595ec4a 100644
---
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/tools/ManageDomainsDAOImpl.java
+++
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/tools/ManageDomainsDAOImpl.java
@@ -4,8 +4,6 @@
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
-import java.sql.Types;
-import java.util.UUID;
import javax.sql.DataSource;
@@ -15,8 +13,9 @@
public class ManageDomainsDAOImpl implements ManageDomainsDAO {
+ private static final String SUPER_USER = "SuperUser";
private DataSource ds;
- private String actionQuery = "select attach_user_to_su_role(?,?,?,?)";
+ private String actionQuery = "select attach_user_to_role(?,?,?,?)";
private String selectQuery = "select get_user_permissions_for_domain(?,?)";
private final static Logger log =
Logger.getLogger(ManageDomainsDAOImpl.class);
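Review bot: `SUPER_USER` is added as a `private static final` constant while `actionQuery` and `selectQuery` immediately below it stay mutable instance fields holding the same kind of fixed SQL text; the three should follow one convention, e.g. `private static final String ACTION_QUERY = "select attach_user_to_role(?,?,?,?)";`. The class body continues beyond this hunk, so any other reader of `actionQuery` is not visible here.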
@@ -33,11 +32,10 @@
log.info("uuid: " + userId + " username: " + userName + " domain:
" + domain);
connection = ds.getConnection();
prepareStatement = connection.prepareStatement(actionQuery);
- String permissionId = UUID.randomUUID().toString();
- prepareStatement.setObject(1, permissionId, Types.OTHER);
- prepareStatement.setString(2, userId);
- prepareStatement.setString(3, userName);
- prepareStatement.setString(4, domain);
+ prepareStatement.setString(1, userId);
+ prepareStatement.setString(2, userName);
+ prepareStatement.setString(3, domain);
+ prepareStatement.setString(4, SUPER_USER);
result = prepareStatement.execute();
} finally {
DbUtils.closeQuietly(prepareStatement, connection);
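Review bot: The four positional parameters now map to `attach_user_to_role(v_domain_entry_id, v_user_name, v_domain, v_role_name)` in packaging/dbscripts/common_sp.sql, and nothing in this class records that order; a comment above the `setString` calls such as `// order must match attach_user_to_role(domain_entry_id, user_name, domain, role_name) in common_sp.sql` would prevent a silent swap of userId and userName, which share a type. The value bound at position 1 is now stored verbatim on the server, whereas the removed server-side body decoded it into bytes; if rows written before this change hold the decoded form, the not-exists lookup in the database function will presumably not match them and a second user row may be created — worth confirming against existing data. The enclosing method starts outside this hunk.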
diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in
index bf4e089..fe07409 100644
--- a/ovirt-engine.spec.in
+++ b/ovirt-engine.spec.in
@@ -1009,6 +1009,7 @@
%{engine_data}/bin/engine-config.sh
%{engine_data}/bin/engine-manage-domains.sh
%{engine_data}/bin/engine-prolog.sh
+%{engine_data}/bin/ovirt-engine-role.sh
%{engine_data}/conf/jaas.conf
%{engine_data}/services/ovirt-engine-notifier
%{engine_etc}/engine-config/engine-config.*properties
diff --git a/packaging/bin/ovirt-engine-role.sh
b/packaging/bin/ovirt-engine-role.sh
new file mode 100755
index 0000000..41e16ab
--- /dev/null
+++ b/packaging/bin/ovirt-engine-role.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+. "$(dirname "$(readlink -f "$0")")"/engine-prolog.sh
+
+generatePgPass() {
+ local password="${ENGINE_DB_PASSWORD}"
+
+ #
+ # we need client side psql library
+ # version as at least in rhel for 8.4
+ # the password within pgpassfile is
+ # not escaped.
+ # the simplest way is to checkout psql
+ # utility version.
+ #
+ if ! psql -V | grep -q ' 8\.'; then
+ password="$(echo "${password}" | sed -e 's/\\/\\\\/g' -e
's/:/\\:/g')"
+ fi
+
+ export PGPASSFILE="${MYTEMP}/.pgpass"
+ touch "${PGPASSFILE}" || die "Can't create ${PGPASSFILE}"
+ chmod 0600 "${PGPASSFILE}" || die "Can't chmod ${PGPASSFILE}"
+
+ cat > "${PGPASSFILE}" << __EOF__
+${ENGINE_DB_HOST}:${ENGINE_DB_PORT}:${ENGINE_DB_DATABASE}:${ENGINE_DB_USER}:${password}
+__EOF__
+}
+
+usage() {
+ cat << __EOF__
+Usage: $0 [OPTIONS]
+Manage user roles.
+
+ --command=command Command.
+ add Add role.
+ --user-name User name.
+ --provider=name Name of authorization provider instace.
+ --provider-id=id Unique user id within provider.
+ --role=role Role name.
+
+Interesting roles:
+
+ SuperUser
+ Role of administrator.
+__EOF__
+}
+
+cleanup() {
+ [ -n "${MYTEMP}" ] && rm -fr "${MYTEMP}" ]
+}
+trap cleanup 0
+
+COMMAND=
+USER_NAME=
+PROVIDER=
+PROVIDER_ID=
+ROLE=
+
+while [ -n "$1" ]; do
+ x="$1"
+ v="${x#*=}"
+ shift
+ case "${x}" in
+ --command=*)
+ COMMAND="${v}"
+ case "${COMMAND}" in
+ add) ;;
+ *) die "Invalid command '${COMMAND}'" ;;
+ esac
+ ;;
+ --user-name=*)
+ USER_NAME="${v}"
+ ;;
+ --provider=*)
+ PROVIDER="${v}"
+ ;;
+ --provider-id=*)
+ PROVIDER_ID="${v}"
+ ;;
+ --role=*)
+ ROLE="${v}"
+ ;;
+ --help)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+[ -n "${COMMAND}" ] || die "Please specify command"
+[ -n "${USER_NAME}" ] || die "Please specify user name"
+[ -n "${PROVIDER}" ] || die "Please specify provider"
+[ -n "${PROVIDER_ID}" ] || die "Please specify provider id"
+[ -n "${ROLE}" ] || die "Please specify role"
+
+MYTEMP="$(mktemp -d)"
+generatePgPass
+psql -h "${ENGINE_DB_HOST}" -p "${ENGINE_DB_PORT}" -U "${ENGINE_DB_USER}" -c "
+ select attach_user_to_role(
+ '${PROVIDER_ID}',
+ '${USER_NAME}',
+ '${PROVIDER}',
+ '${ROLE}'
+ );
+" > /dev/null
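Review bot: The four command-line values are interpolated unescaped into the SQL text given to `psql -c`, so a value containing a single quote (a user name like O'Brien, or a mistyped role) breaks the statement or alters it; since the script already accommodates psql 8.4, quote each value by doubling embedded single quotes before interpolation rather than relying on `:'var'` substitution. The psql exit status is discarded, so a failed call (unknown role, connection error) still exits 0 — add `-v ON_ERROR_STOP=1` and `|| die`. `cleanup` has a stray trailing `]` that is passed to `rm` as a file name; it should read `[ -n "${MYTEMP}" ] && rm -fr "${MYTEMP}"`. The connection names no database; unless engine-prolog.sh exports PGDATABASE (not visible here), a `-d "${ENGINE_DB_DATABASE}"` matching the .pgpass line is needed. `instace` in the usage text is a typo for `instance`.
```shell
# … unchanged: generatePgPass, usage, option parsing and argument checks …

# Render a value as a SQL string literal: double embedded single quotes
# so the argument can never terminate the literal it is placed in.
sqlLiteral() {
	printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

MYTEMP="$(mktemp -d)" || die "Cannot create temporary directory"
generatePgPass
psql -h "${ENGINE_DB_HOST}" -p "${ENGINE_DB_PORT}" -U "${ENGINE_DB_USER}" \
	-v ON_ERROR_STOP=1 -c "
	select attach_user_to_role(
		$(sqlLiteral "${PROVIDER_ID}"),
		$(sqlLiteral "${USER_NAME}"),
		$(sqlLiteral "${PROVIDER}"),
		$(sqlLiteral "${ROLE}")
	);
" > /dev/null || die "Cannot attach role '${ROLE}' to user '${USER_NAME}'"
```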
diff --git a/packaging/dbscripts/common_sp.sql
b/packaging/dbscripts/common_sp.sql
index 0e5a04c..aa14456 100644
--- a/packaging/dbscripts/common_sp.sql
+++ b/packaging/dbscripts/common_sp.sql
@@ -257,34 +257,26 @@
END; $procedure$
LANGUAGE plpgsql;
-
-
-CREATE OR REPLACE FUNCTION attach_user_to_su_role(
- v_permission_id uuid,
- v_user_id VARCHAR(255),
- v_name VARCHAR(255),
- v_domain VARCHAR(255)
+CREATE OR REPLACE FUNCTION attach_user_to_role (
+ v_domain_entry_id text,
+ v_user_name VARCHAR(255),
+ v_domain VARCHAR(255),
+ v_role_name VARCHAR(255)
)
RETURNS void AS
$BODY$
- DECLARE
- v_document VARCHAR(64);
- input_uuid uuid;
- v_external_id BYTEA;
+DECLARE
+ gen_user_id uuid;
+ input_role_id uuid;
BEGIN
- input_uuid = CAST( v_user_id AS uuid );
-
+ select uuid_generate_v1() into gen_user_id;
+ select roles.id into input_role_id from roles where roles.name =
v_role_name;
-- The external identifier is the user identifier converted to an array of
-- bytes:
- v_external_id := decode(replace(v_user_id::text, '-', ''), 'hex');
-
-insert into
users(user_id,external_id,name,domain,username,groups,active,last_admin_check_status)
select input_uuid, v_external_id, v_name, v_domain, v_name,'',true,true where
not exists (select user_id,name,domain,username,groups,active from users where
user_id = input_uuid);
-
-insert into permissions(id,role_id,ad_element_id,object_id,object_type_id)
select v_permission_id, '00000000-0000-0000-0000-000000000001', input_uuid,
getGlobalIds('system'), 1 where not exists(select
role_id,ad_element_id,object_id,object_type_id from permissions where role_id =
'00000000-0000-0000-0000-000000000001' and ad_element_id = input_uuid and
object_id= getGlobalIds('system') and object_type_id = 1);
+ insert into
users(user_id,external_id,name,domain,username,groups,active,last_admin_check_status)
select gen_user_id, v_domain_entry_id, v_user_name, v_domain,
v_user_name,'',true,true where not exists (select
gen_user_id,name,domain,username,groups,active from users where external_id =
v_domain_entry_id);
+ insert into permissions(id,role_id,ad_element_id,object_id,object_type_id)
select uuid_generate_v1(), input_role_id, gen_user_id, getGlobalIds('system'),
1 where not exists(select role_id,ad_element_id,object_id,object_type_id from
permissions where role_id = input_role_id and ad_element_id = gen_user_id and
object_id= getGlobalIds('system') and object_type_id = 1);
END; $BODY$
-
LANGUAGE plpgsql;
-
-- a method for adding an action group to a role if doesn't exist
CREATE OR REPLACE FUNCTION fn_db_add_action_group_to_role(v_role_id UUID,
v_action_group_id INTEGER)
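Review bot: `gen_user_id` is always a fresh `uuid_generate_v1()` value, but the users insert is skipped when a row with this `external_id` already exists, so for an existing user the permissions insert references an `ad_element_id` that matches no user row and its not-exists guard (keyed on the new uuid) never fires — repeated calls produce dangling or duplicate permissions instead of attaching the role to the existing user. Look up the existing `user_id` by `external_id` first and generate a new one only when none is found. `input_role_id` is likewise left NULL when no role named `v_role_name` exists and the permissions insert proceeds with it; raise an exception instead so both callers (the Java DAO and ovirt-engine-role.sh) observe the failure. The removed body decoded the id into bytes for `external_id`; if that column is still bytea, storing `v_domain_entry_id` as text will presumably fail or not match earlier rows — confirm the column type. The lookup also does not include `v_domain`, which matters if the same external id can occur under two providers.
```sql
DECLARE
    gen_user_id uuid;
    input_role_id uuid;
BEGIN
    select roles.id into input_role_id from roles where roles.name = v_role_name;
    if input_role_id is null then
        raise exception 'Role % does not exist', v_role_name;
    end if;

    -- reuse the existing user row for this external id, create one only if absent
    select user_id into gen_user_id from users where external_id = v_domain_entry_id;
    if gen_user_id is null then
        gen_user_id := uuid_generate_v1();
        insert into users(user_id,external_id,name,domain,username,groups,active,last_admin_check_status)
        values (gen_user_id, v_domain_entry_id, v_user_name, v_domain, v_user_name, '', true, true);
    end if;

    -- … unchanged: insert into permissions guarded by not exists …
END; $BODY$
```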
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7c6e25aa5f187ae06bd105f5493acacda355730a
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>