Ravi Nori has uploaded a new change for review. Change subject: engine : User can see events which don't belong to him ......................................................................
engine : User can see events which don't belong to him User can see events which are not related to objects he has permissions on. This patch introduces a new view user_object_permissions_view which has the object on which the user has been granted permissions on and uses it for retrieving the events. Change-Id: I7b7a6691f6cfa2ca1c0d0d90294ecd93781fce38 Bug-Url: https://bugzilla.redhat.com/921274 Signed-off-by: Ravi Nori <[email protected]> --- M backend/manager/dbscripts/audit_log_sp.sql M backend/manager/dbscripts/create_views.sql 2 files changed, 30 insertions(+), 18 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/73/13373/1 diff --git a/backend/manager/dbscripts/audit_log_sp.sql b/backend/manager/dbscripts/audit_log_sp.sql index a093b02..41eb1f4 100644 --- a/backend/manager/dbscripts/audit_log_sp.sql +++ b/backend/manager/dbscripts/audit_log_sp.sql @@ -115,30 +115,35 @@ END; $procedure$ LANGUAGE plpgsql; +-- Returns the events for which the user has direct permissions on +-- If the user has permissions only on a VM, the user will see only events for this VM +-- If the user has permissions on a cluster, he will see events from the cluster, the hosts and the VMS in the cluster +-- because each event has the cluster id of the entity that generates the event and we check to see if the user has +-- permissions on the cluster using the column vds_group_id. Same holds true for data center Create or replace FUNCTION GetAllFromAuditLog(v_user_id UUID, v_is_filtered BOOLEAN) RETURNS SETOF audit_log AS $procedure$ BEGIN RETURN QUERY SELECT * - FROM audit_log + FROM audit_log a WHERE NOT deleted AND (NOT v_is_filtered OR EXISTS (SELECT 1 - FROM user_vm_permissions_view - WHERE user_id = v_user_id AND entity_id = vm_id) - OR EXISTS (SELECT 1 - FROM user_vm_template_permissions_view - WHERE user_id = v_user_id AND entity_id = vm_template_id) - OR EXISTS (SELECT 1 - FROM user_vds_permissions_view - WHERE user_id = v_user_id AND entity_id = vds_id) - OR EXISTS (SELECT 1 - FROM user_storage_pool_permissions_view - WHERE user_id = v_user_id AND entity_id = storage_pool_id) - OR EXISTS (SELECT 1 - FROM user_storage_domain_permissions_view - WHERE user_id = v_user_id AND entity_id = storage_domain_id) - OR EXISTS (SELECT 1 - FROM user_vds_groups_permissions_view - WHERE user_id = v_user_id AND entity_id = vds_group_id) + FROM user_vm_permissions_view pv, user_object_permissions_view dpv + WHERE pv.user_id = v_user_id AND pv.entity_id = a.vm_id AND pv.entity_id = dpv.entity_id) + OR EXISTS (SELECT 1 + FROM user_vm_template_permissions_view pv, user_object_permissions_view dpv + WHERE pv.user_id = v_user_id AND pv.entity_id = a.vm_template_id AND pv.entity_id = dpv.entity_id) + OR EXISTS (SELECT 1 + FROM user_vds_permissions_view pv, user_object_permissions_view dpv + WHERE pv.user_id = v_user_id AND pv.entity_id = a.vds_id AND pv.entity_id = dpv.entity_id) + OR EXISTS (SELECT 1 + FROM user_storage_pool_permissions_view pv, user_object_permissions_view dpv + WHERE pv.user_id = v_user_id AND pv.entity_id = a.storage_pool_id AND pv.entity_id = dpv.entity_id) + OR EXISTS (SELECT 1 + FROM user_storage_domain_permissions_view pv, user_object_permissions_view dpv + WHERE pv.user_id = v_user_id AND pv.entity_id = a.storage_domain_id AND pv.entity_id = dpv.entity_id) + OR EXISTS (SELECT 1 + FROM user_vds_groups_permissions_view pv, user_object_permissions_view dpv + WHERE pv.user_id = v_user_id AND pv.entity_id = a.vds_group_id AND pv.entity_id = dpv.entity_id) ); END; $procedure$ LANGUAGE plpgsql; diff --git a/backend/manager/dbscripts/create_views.sql b/backend/manager/dbscripts/create_views.sql index c01f4b3..704f3d2 100644 --- a/backend/manager/dbscripts/create_views.sql +++ b/backend/manager/dbscripts/create_views.sql @@ -1415,6 +1415,13 @@ FROM internal_permissions_view JOIN user_flat_groups ON granted_id = ad_element_id; +-- Direct permissions assigned to user +CREATE OR REPLACE VIEW user_object_permissions_view AS + SELECT DISTINCT permissions.object_id AS entity_id, user_flat_groups.user_id + FROM permissions + JOIN roles ON permissions.role_id = roles.id + JOIN user_flat_groups ON user_flat_groups.granted_id = permissions.ad_element_id + WHERE permissions.ad_element_id != getGlobalIds('everyone'); CREATE OR REPLACE VIEW vm_device_view AS -- To view, visit http://gerrit.ovirt.org/13373 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7b7a6691f6cfa2ca1c0d0d90294ecd93781fce38 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: engine_3.2 Gerrit-Owner: Ravi Nori <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
