Moti Asayag has uploaded a new change for review. Change subject: engine: Restrict viewable networks by the User ......................................................................
engine: Restrict viewable networks by the User The patch restricts the viewable network by the user for: 1. Networks the user has permissions on 2. Data Center which contains the network and the user has permission on. 3. The Network is attached to the VM's nic or Template's nic. 4. Data-Center or Cluster that contains the VM/Template Change-Id: I542e687da8f51dd83e66d813c769275736abc114 Signed-off-by: Moti Asayag <[email protected]> --- M backend/manager/dbscripts/create_views.sql M backend/manager/dbscripts/network_sp.sql M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java M backend/manager/modules/dal/src/test/resources/fixtures.xml 5 files changed, 131 insertions(+), 7 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/45/9545/1 diff --git a/backend/manager/dbscripts/create_views.sql b/backend/manager/dbscripts/create_views.sql index d6dd745..0c9bed8 100644 --- a/backend/manager/dbscripts/create_views.sql +++ b/backend/manager/dbscripts/create_views.sql 
@@ -1396,3 +1396,101 @@ SELECT device_id, vm_id, type, device, address, boot_order, spec_params, is_managed, is_plugged, is_readonly, alias FROM vm_device; + +CREATE OR REPLACE VIEW vm_interface_ext_view +AS +SELECT vm_interface_view.*, + network.id as network_id, + network_cluster.cluster_id as cluster_id, + network.storage_pool_id as data_center_id +FROM vm_interface_view +INNER JOIN vm_static +ON vm_static.vm_guid = vm_interface_view.vm_guid +INNER JOIN network_cluster +ON network_cluster.cluster_id = vm_static.vds_group_id +INNER JOIN network +ON network.id = network_cluster.network_id +AND network.name = vm_interface_view.network_name; + +CREATE OR REPLACE VIEW vm_template_interface_view +AS +SELECT vm_interface_view.*, + network.id as network_id, + network_cluster.cluster_id as cluster_id, + network.storage_pool_id as data_center_id +FROM vm_interface_view +INNER JOIN vm_templates_view +ON vm_templates_view.vmt_guid = vm_interface_view.vmt_guid +INNER JOIN network_cluster +ON network_cluster.cluster_id = vm_templates_view.vds_group_id +INNER JOIN network +ON network.id = network_cluster.network_id +AND network.name = vm_interface_view.network_name; + +-- Permissions on Networks +-- The user has permissions on the Network directly +CREATE OR REPLACE VIEW user_network_permissions_view_base (entity_id, granted_id) +AS +SELECT object_id, ad_element_id +FROM permissions_view +WHERE object_type_id = 20 AND role_type = 2 +-- Or the user has permissions on the Network's Data-Center directly +UNION ALL +SELECT network.id, ad_element_id +FROM network +INNER JOIN permissions_view ON object_id = storage_pool_id +WHERE object_type_id = 14 AND role_type = 2 +-- Or the user has permissions on the Cluster the networks are assigned to +UNION ALL +SELECT network_id, ad_element_id +FROM network_cluster +INNER JOIN permissions_view ON object_id = network_cluster.cluster_id +WHERE object_type_id = 9 AND role_type = 2 +-- Or the user has permissions on the VM with the network 
attached +UNION ALL +SELECT network_id, ad_element_id +FROM vm_interface_ext_view +INNER JOIN permissions_view ON object_id = cluster_id +AND object_type_id = 2 AND allows_viewing_children AND role_type = 2 +-- Or the user has permissions on the Cluster containing the VM with the network attached +UNION ALL +SELECT network_id, ad_element_id +FROM vm_interface_ext_view +INNER JOIN permissions_view ON object_id = cluster_id +AND object_type_id = 9 AND allows_viewing_children AND role_type = 2 +-- Or the user has permissions on the Data Center containing the VM with the network attached +UNION ALL +SELECT network_id, ad_element_id +FROM vm_interface_ext_view +INNER JOIN permissions_view ON object_id = cluster_id +AND object_type_id = 14 AND allows_viewing_children AND role_type = 2 +-- Or the user has permissions on the Template with the network attached +UNION ALL +SELECT network_id, ad_element_id +FROM vm_interface_ext_view +INNER JOIN permissions_view ON object_id = cluster_id +AND object_type_id = 4 AND allows_viewing_children AND role_type = 2 +-- Or the user has permissions on the Cluster containing the Template with the network attached +UNION ALL +SELECT network_id, ad_element_id +FROM vm_template_interface_view +INNER JOIN permissions_view ON object_id = cluster_id +AND object_type_id = 9 AND allows_viewing_children AND role_type = 2 +-- Or the user has permissions on the Data Center containing the Template with the network attached +UNION ALL +SELECT network_id, ad_element_id +FROM vm_template_interface_view +INNER JOIN permissions_view ON object_id = cluster_id +AND object_type_id = 14 AND allows_viewing_children AND role_type = 2 +-- Or the user has permissions on system +UNION ALL +SELECT network_id, ad_element_id +FROM permissions_view +CROSS JOIN vm_interface_ext_view +WHERE object_type_id = 1 AND allows_viewing_children AND role_type = 2; + +CREATE OR REPLACE VIEW user_network_permissions_view (entity_id, user_id) +AS +SELECT DISTINCT entity_id, 
user_id +FROM user_network_permissions_view_base +NATURAL JOIN user_flat_groups; diff --git a/backend/manager/dbscripts/network_sp.sql b/backend/manager/dbscripts/network_sp.sql index 2723bb3..c54eaa9 100644 --- a/backend/manager/dbscripts/network_sp.sql +++ b/backend/manager/dbscripts/network_sp.sql @@ -196,10 +196,10 @@ FROM network INNER JOIN network_cluster ON network.id = network_cluster.network_id - where network_cluster.cluster_id = v_id - AND (NOT v_is_filtered OR EXISTS (SELECT 1 - FROM user_vds_groups_permissions_view - WHERE user_id = v_user_id AND entity_id = v_id)); + WHERE network_cluster.cluster_id = v_id + AND (NOT v_is_filtered OR EXISTS (SELECT 1 + FROM user_network_permissions_view + WHERE user_id = v_user_id AND entity_id = network.id)); diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java index eeb4e56..8cff0de 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java @@ -97,7 +97,7 @@ DELETE_DISK(1104, RoleType.USER, VdcObjectType.Disk, true, ApplicationMode.VirtOnly), // Network - PORT_MIRRORING(1200, RoleType.ADMIN, VdcObjectType.Network, false), + PORT_MIRRORING(1200, RoleType.ADMIN, VdcObjectType.Network, true), // Login action group LOGIN(1300, RoleType.USER, VdcObjectType.Bottom, false); diff --git a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java index 04bde5b..d0687c6 100644 --- a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java +++ b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java 
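Review bot: The VM, Template and both Data-Center branches of user_network_permissions_view_base join permissions_view on `object_id = cluster_id`, so the object id is compared against the wrong entity type: by the convention the earlier branches follow (`object_id = storage_pool_id` for object_type_id 14, `object_id = network_cluster.cluster_id` for 9) a permission row for a VM (2), a Template (4) or a Data Center (14) carries that entity's own id, so those four branches never match unless ids collide, and the `data_center_id` column both ext views compute is never read anywhere in the hunk. The Template branch additionally reads vm_interface_ext_view instead of vm_template_interface_view. Presumably the intended keys are `vm_guid`, `vmt_guid` and `data_center_id`, all exposed through the two ext views; the rewritten branches are below, the direct, cluster and system branches being unchanged. Separately, `NATURAL JOIN user_flat_groups` in user_network_permissions_view silently changes its join key if either side gains a column; spell the key out, e.g. `INNER JOIN user_flat_groups USING (granted_id)` if granted_id is the column the two sides share.
```sql
-- … unchanged: direct Network, Data-Center and Cluster branches …
-- Or the user has permissions on the VM with the network attached
UNION ALL
SELECT network_id, ad_element_id
FROM vm_interface_ext_view
INNER JOIN permissions_view ON object_id = vm_guid
AND object_type_id = 2 AND allows_viewing_children AND role_type = 2
-- … unchanged: Cluster containing the VM branch …
-- Or the user has permissions on the Data Center containing the VM with the network attached
UNION ALL
SELECT network_id, ad_element_id
FROM vm_interface_ext_view
INNER JOIN permissions_view ON object_id = data_center_id
AND object_type_id = 14 AND allows_viewing_children AND role_type = 2
-- Or the user has permissions on the Template with the network attached
UNION ALL
SELECT network_id, ad_element_id
FROM vm_template_interface_view
INNER JOIN permissions_view ON object_id = vmt_guid
AND object_type_id = 4 AND allows_viewing_children AND role_type = 2
-- … unchanged: Cluster containing the Template branch …
-- Or the user has permissions on the Data Center containing the Template with the network attached
UNION ALL
SELECT network_id, ad_element_id
FROM vm_template_interface_view
INNER JOIN permissions_view ON object_id = data_center_id
AND object_type_id = 14 AND allows_viewing_children AND role_type = 2
-- … unchanged: system branch and user_network_permissions_view …
```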
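Review bot: The flip of PORT_MIRRORING's last constructor argument from false to true is not mentioned in the commit description, and because the argument is an unnamed boolean a reader cannot tell from this line what the change widens; it appears to correspond to the `allows_viewing_children` column that the new SQL views filter on, but that is inferred. Add a trailing comment on the changed line, e.g. `// allowsViewingChildren: presumably required so Network-level permissions are honoured by user_network_permissions_view — confirm`, or state the reason in the commit message. If the flag does extend a Network permission to objects beneath it, that is an authorization widening and deserves an explicit sentence in the description.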
@@ -9,14 +9,14 @@ import java.util.List; import org.junit.Test; -import org.ovirt.engine.core.common.businessentities.RoleType; import org.ovirt.engine.core.common.businessentities.Role; +import org.ovirt.engine.core.common.businessentities.RoleType; import org.ovirt.engine.core.compat.Guid; public class RoleDAOTest extends BaseDAOTestCase { private static final String GROUP_IDS = "26df4393-659b-4b8a-b0f6-3ee94d32e82f,08963ba9-b1c8-498d-989f-75cf8142eab7"; private static final Guid USER_ID = new Guid("9bf7c640-b620-456f-a550-0348f366544b"); - private static final int ROLE_COUNT = 3; + private static final int ROLE_COUNT = 4; private RoleDAO dao; private Role existingRole; diff --git a/backend/manager/modules/dal/src/test/resources/fixtures.xml b/backend/manager/modules/dal/src/test/resources/fixtures.xml index 37c3347..571300f 100644 --- a/backend/manager/modules/dal/src/test/resources/fixtures.xml +++ b/backend/manager/modules/dal/src/test/resources/fixtures.xml @@ -2321,6 +2321,14 @@ <value>1</value> <value>true</value> </row> + <row> + <value>f5972bfa-7102-4d33-ad22-9dd421bfba70</value> + <value>jUnitTestRole</value> + <value>role for tests</value> + <value>0</value> + <value>2</value> + <value>true</value> + </row> </table> <table name="roles_groups"> @@ -2329,6 +2337,10 @@ <row> <value>119caae6-5c1b-4a82-9858-dd9e5d2e1401</value> <value>10</value> + </row> + <row> + <value>f5972bfa-7102-4d33-ad22-9dd421bfba70</value> + <value>9</value> </row> </table> 
@@ -2346,6 +2358,20 @@ <value>2</value> </row> <row> + <value>2d2f2522-afd2-4964-a3b1-001cca295e8f</value> + <value>f5972bfa-7102-4d33-ad22-9dd421bfba70</value> + <value>9bf7c640-b620-456f-a550-0348f366544b</value> + <value>58d5c1c6-cb15-4832-b2a4-023770607188</value> + <value>20</value> + </row> + <row> + <value>2d2f2522-afd2-4964-a3b1-001cca295b8f</value> + <value>f5972bfa-7102-4d33-ad22-9dd421bfba70</value> + <value>9bf7c640-b620-456f-a550-0348f366544b</value> + <value>b399944a-81ab-4ec5-8266-e19ba7c3c9d1</value> + <value>9</value> + </row> + <row> <value>2d2f2522-afd2-4964-a3b1-001cca295e8e</value> <value>119caae6-5c1b-4a82-9858-dd9e5d2e1401</value> <value>9bf7c640-b620-456f-a550-0348f366544b</value> -- To view, visit http://gerrit.ovirt.org/9545 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I542e687da8f51dd83e66d813c769275736abc114 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Moti Asayag <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
