osaf/libs/common/immsv/include/immsv_api.h | 2 + osaf/services/saf/immsv/immloadd/imm_loader.cc | 23 ++++++++- osaf/services/saf/immsv/immnd/ImmModel.cc | 65 ++++++++++++++++++++++++++ osaf/services/saf/immsv/immnd/ImmModel.hh | 2 + osaf/services/saf/immsv/immnd/immnd_cb.h | 1 - osaf/services/saf/immsv/immnd/immnd_evt.c | 34 ++++++++----- osaf/services/saf/immsv/immnd/immnd_init.h | 2 + osaf/services/saf/immsv/immnd/immnd_main.c | 2 - samples/immsv/OpensafImm_Upgrade_4.5.xml | 13 +++++ 9 files changed, 125 insertions(+), 19 deletions(-)
A new boolean attribute accessControlEnabled is added to the OpensafImm class. Its default value is OFF meaning no access control. This is to be backwards compatible for upgrade of existing systems. Access control is in runtime enabled with: immcfg -a accessControlEnabled=1 opensafImm=opensafImm,safApp=safImmService And disabled with: immcfg -a accessControlEnabled=0 opensafImm=opensafImm,safApp=safImmService An additional UNIX group that allows IMM access can be configured with the adminGroupName attribute in the OpensafImm class. For example: immcfg -a adminGroupName=osafimmadm opensafImm=opensafImm,safApp=safImmService diff --git a/osaf/libs/common/immsv/include/immsv_api.h b/osaf/libs/common/immsv/include/immsv_api.h --- a/osaf/libs/common/immsv/include/immsv_api.h +++ b/osaf/libs/common/immsv/include/immsv_api.h @@ -59,6 +59,8 @@ extern "C" { #define IMMSV_MAX_OBJS_IN_SYNCBATCH (IMMSV_DEFAULT_MAX_SYNC_BATCH_SIZE / 10) #define OPENSAF_IMM_LONG_DNS_ALLOWED "longDnsAllowed" +#define OPENSAF_IMM_ACCESS_CONTROL_ENABLED "accessControlEnabled" +#define OPENSAF_IMM_ADMIN_GROUP_NAME "adminGroupName" /*Max # of outstanding fevs messages towards director.*/ /*Note max-max is 255. cb->fevs_replies_pending is an uint8_t*/ diff --git a/osaf/services/saf/immsv/immloadd/imm_loader.cc b/osaf/services/saf/immsv/immloadd/imm_loader.cc --- a/osaf/services/saf/immsv/immloadd/imm_loader.cc +++ b/osaf/services/saf/immsv/immloadd/imm_loader.cc @@ -31,10 +31,17 @@ #include <sys/stat.h> #include <errno.h> #include <ncsgl_defs.h> +#include <config.h> #include "saAis.h" #include "osaf_extended_name.h" +// Default value of accessControlEnabled attribute in the OpensafImm class +// Can be changed at build time using configure +#ifndef IMM_ACCESS_CONTROL +#define IMM_ACCESS_CONTROL 0 +#endif + #define MAX_DEPTH 10 #define MAX_CHAR_BUFFER_SIZE 8192 //8k @@ -286,10 +293,11 @@ void opensafClassCreate(SaImmHandleT imm { SaAisErrorT err = SA_AIS_OK; int retries=0; - SaImmAttrDefinitionT_2 d1, d2, d3, d4, d5, d6; + SaImmAttrDefinitionT_2 d1, d2, d3, d4, d5, d6, d7, d8; SaUint32T nost_flags_default = 0; SaUint32T batch_size_default = IMMSV_DEFAULT_MAX_SYNC_BATCH_SIZE; SaUint32T extended_names_enabled_default = 0; + SaUint32T access_control_enabled_default = IMM_ACCESS_CONTROL; d1.attrName = (char *) OPENSAF_IMM_ATTR_RDN; d1.attrValueType = SA_IMM_ATTR_SANAMET; @@ -322,7 +330,18 @@ void opensafClassCreate(SaImmHandleT imm d6.attrFlags = SA_IMM_ATTR_CONFIG | SA_IMM_ATTR_WRITABLE; d6.attrDefaultValue = &extended_names_enabled_default; - const SaImmAttrDefinitionT_2* attrDefs[7] = {&d1, &d2, &d3, &d4, &d5, &d6, 0}; + d7.attrName = (char *) OPENSAF_IMM_ACCESS_CONTROL_ENABLED; + d7.attrValueType = SA_IMM_ATTR_SAUINT32T; + d7.attrFlags = SA_IMM_ATTR_CONFIG | SA_IMM_ATTR_WRITABLE; + d7.attrDefaultValue = &access_control_enabled_default; + + d8.attrName = (char *) OPENSAF_IMM_ADMIN_GROUP_NAME; + d8.attrValueType = SA_IMM_ATTR_SASTRINGT; + d8.attrFlags = SA_IMM_ATTR_CONFIG | SA_IMM_ATTR_WRITABLE; + d8.attrDefaultValue = NULL; + + const SaImmAttrDefinitionT_2* attrDefs[] = + {&d1, &d2, &d3, &d4, &d5, &d6, &d7, &d8, 0}; do {/* Create the class */ diff --git a/osaf/services/saf/immsv/immnd/ImmModel.cc b/osaf/services/saf/immsv/immnd/ImmModel.cc --- a/osaf/services/saf/immsv/immnd/ImmModel.cc +++ b/osaf/services/saf/immsv/immnd/ImmModel.cc @@ -443,6 +443,8 @@ static const std::string immAttrNostFlag static const std::string immSyncBatchSize(OPENSAF_IMM_SYNC_BATCH_SIZE); static const std::string immPbeBSlaveName(OPENSAF_IMM_2PBE_APPL_NAME); static const std::string immLongDnsAllowed(OPENSAF_IMM_LONG_DNS_ALLOWED); +static const std::string immAccessControlEnabled(OPENSAF_IMM_ACCESS_CONTROL_ENABLED); +static const std::string immAdminGroupName(OPENSAF_IMM_ADMIN_GROUP_NAME); static const std::string immMngtClass("SaImmMngt"); static const std::string immManagementDn("safRdn=immManagement,safApp=safImmService"); @@ -899,6 +901,18 @@ immModel_protocol45Allowed(IMMND_CB *cb) SA_TRUE : SA_FALSE; } +SaBoolT +immModel_accessControlEnabled(IMMND_CB *cb) +{ + return (ImmModel::instance(&cb->immModel)->accessControlEnabled()) ? + SA_TRUE : SA_FALSE; +} + +const char* +immModel_adminGroupName(IMMND_CB *cb) +{ + return ImmModel::instance(&cb->immModel)->adminGroupName(); +} SaBoolT immModel_purgeSyncRequest(IMMND_CB *cb, SaUint32T clientId) @@ -2454,6 +2468,13 @@ ImmModel::setLoader(int pid) LOG_NO("RepositoryInitModeT is SA_IMM_INIT_FROM_FILE"); immInitMode = SA_IMM_INIT_FROM_FILE; /* Ensure valid value*/ } + + if (accessControlEnabled() == 0) { + LOG_WA("IMM Access Control is OFF!"); + } else { + LOG_NO("IMM Access Control is ON"); + } + } else { TRACE_5("Loading starts, pid:%u", pid); } @@ -3438,6 +3459,50 @@ ImmModel::schemaChangeAllowed() return noStdFlags & OPENSAF_IMM_FLAG_SCHCH_ALLOW; } +bool +ImmModel::accessControlEnabled() +{ + TRACE_ENTER(); + ObjectMap::iterator oi = sObjectMap.find(immObjectDn); + if(oi == sObjectMap.end()) { + TRACE_LEAVE(); + return false; + } + + ObjectInfo* immObject = oi->second; + ImmAttrValueMap::iterator avi = + immObject->mAttrValueMap.find(immAccessControlEnabled); + osafassert(avi != immObject->mAttrValueMap.end()); + osafassert(!(avi->second->isMultiValued())); + ImmAttrValue* valuep = avi->second; + unsigned int accessControlEnabled = valuep->getValue_int(); + + TRACE_LEAVE2("%u", accessControlEnabled); + return accessControlEnabled; +} + +const char* +ImmModel::adminGroupName() +{ + TRACE_ENTER(); + ObjectMap::iterator oi = sObjectMap.find(immObjectDn); + if(oi == sObjectMap.end()) { + TRACE_LEAVE(); + return false; + } + + ObjectInfo* immObject = oi->second; + ImmAttrValueMap::iterator avi = + immObject->mAttrValueMap.find(immAdminGroupName); + osafassert(avi != immObject->mAttrValueMap.end()); + osafassert(!(avi->second->isMultiValued())); + ImmAttrValue* valuep = avi->second; + const char *adminGroupName = valuep->getValueC_str(); + + TRACE_LEAVE(); + return adminGroupName; +} + /** * Verify that a class create with same name as an existing class is a legal * schema upgrade. diff --git a/osaf/services/saf/immsv/immnd/ImmModel.hh b/osaf/services/saf/immsv/immnd/ImmModel.hh --- a/osaf/services/saf/immsv/immnd/ImmModel.hh +++ b/osaf/services/saf/immsv/immnd/ImmModel.hh @@ -102,6 +102,8 @@ public: bool nocaseCompare(const std::string& s1, const std::string& s2) const; + const char* adminGroupName(); + bool accessControlEnabled(); bool schemaChangeAllowed(); bool protocol41Allowed(); bool protocol43Allowed(); diff --git a/osaf/services/saf/immsv/immnd/immnd_cb.h b/osaf/services/saf/immsv/immnd/immnd_cb.h --- a/osaf/services/saf/immsv/immnd/immnd_cb.h +++ b/osaf/services/saf/immsv/immnd/immnd_cb.h @@ -170,7 +170,6 @@ typedef struct immnd_cb_tag { NCS_SEL_OBJ usr1_sel_obj; /* Selection object for USR1 signal events */ SaSelectionObjectT amf_sel_obj; /* Selection Object for AMF events */ int nid_started; /* true if started by NID */ - const char *admin_group_name; // linux group name for admins } IMMND_CB; /* CB prototypes */ diff --git a/osaf/services/saf/immsv/immnd/immnd_evt.c b/osaf/services/saf/immsv/immnd/immnd_evt.c --- a/osaf/services/saf/immsv/immnd/immnd_evt.c +++ b/osaf/services/saf/immsv/immnd/immnd_evt.c @@ -736,20 +736,26 @@ static uint32_t immnd_evt_proc_imm_init( goto agent_rsp; } - /* allow access using white list approach */ - if (sinfo->uid == 0) { - TRACE("superuser"); - } else if (getgid() == sinfo->gid) { - TRACE("same group"); - } else if ((immnd_cb->admin_group_name != NULL) && - (osaf_user_is_member_of_group(sinfo->uid, immnd_cb->admin_group_name) == true)) { - TRACE("configured group"); - } else { - syslog(LOG_AUTH, "access denied, uid:%d, pid:%d", sinfo->uid, sinfo->pid); - TRACE_2("access denied, uid:%d, pid:%d, group_name:%s", sinfo->uid, sinfo->pid, - immnd_cb->admin_group_name); - error = SA_AIS_ERR_ACCESS_DENIED; - goto agent_rsp; + if (immModel_accessControlEnabled(immnd_cb)) { + /* allow access using white list approach */ + if (sinfo->uid == 0) { + TRACE("superuser"); + } else if (getgid() == sinfo->gid) { + TRACE("same group"); + } else { + const char *admin_group_name = immModel_adminGroupName(immnd_cb); + if ((admin_group_name != NULL) && + (osaf_user_is_member_of_group(sinfo->uid, admin_group_name) == true)) { + TRACE("configured group"); + } else { + syslog(LOG_AUTH, "access denied, uid:%d, pid:%d", + sinfo->uid, sinfo->pid); + TRACE_2("access denied, uid:%d, pid:%d, group_name:%s", + sinfo->uid, sinfo->pid, admin_group_name); + error = SA_AIS_ERR_ACCESS_DENIED; + goto agent_rsp; + } + } } cl_node = calloc(1, sizeof(IMMND_IMM_CLIENT_NODE)); diff --git a/osaf/services/saf/immsv/immnd/immnd_init.h b/osaf/services/saf/immsv/immnd/immnd_init.h --- a/osaf/services/saf/immsv/immnd/immnd_init.h +++ b/osaf/services/saf/immsv/immnd/immnd_init.h @@ -296,6 +296,8 @@ extern "C" { SaBoolT immModel_protocol43Allowed(IMMND_CB *cb); SaBoolT immModel_protocol45Allowed(IMMND_CB *cb); SaBoolT immModel_oneSafe2PBEAllowed(IMMND_CB *cb); + SaBoolT immModel_accessControlEnabled(IMMND_CB *cb); + const char *immModel_adminGroupName(IMMND_CB *cb); SaBoolT immModel_purgeSyncRequest(IMMND_CB *cb, SaUint32T clientId); diff --git a/osaf/services/saf/immsv/immnd/immnd_main.c b/osaf/services/saf/immsv/immnd/immnd_main.c --- a/osaf/services/saf/immsv/immnd/immnd_main.c +++ b/osaf/services/saf/immsv/immnd/immnd_main.c @@ -127,8 +127,6 @@ static uint32_t immnd_initialize(char *p /* unset so that forked processes (e.g. loader) does not create MDS server */ unsetenv("MDS_SOCK_SERVER_CREATE"); - immnd_cb->admin_group_name = getenv("IMM_ADMIN_GROUP_NAME"); - /* Initialize immnd control block */ immnd_cb->ha_state = SA_AMF_HA_ACTIVE; immnd_cb->cli_id_gen = 1; diff --git a/samples/immsv/OpensafImm_Upgrade_4.5.xml b/samples/immsv/OpensafImm_Upgrade_4.5.xml --- a/samples/immsv/OpensafImm_Upgrade_4.5.xml +++ b/samples/immsv/OpensafImm_Upgrade_4.5.xml @@ -9,6 +9,19 @@ <flag>SA_INITIALIZED</flag> </rdn> <attr> + <name>accessControlEnabled</name> + <type>SA_UINT32_T</type> + <category>SA_CONFIG</category> + <flag>SA_WRITABLE</flag> + <default-value>0</default-value> + </attr> + <attr> + <name>adminGroupName</name> + <type>SA_STRING_T</type> + <category>SA_CONFIG</category> + <flag>SA_WRITABLE</flag> + </attr> + <attr> <name>longDnsAllowed</name> <type>SA_UINT32_T</type> <category>SA_CONFIG</category> ------------------------------------------------------------------------------ _______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel