osaf/services/saf/immsv/immnd/ImmModel.cc |  67 ++++++++++++++++++++++--------
 1 files changed, 48 insertions(+), 19 deletions(-)


When the attribute 'longDnsAllowed' is changed from non-zero to zero,
this implies that the imm is transitioning from allowing long DNs to
not allowing long DNs. Such a configuration change must be validated
by checking that the imm-db currently has no long DNs. Only if that
check passes will the CCB modify operation assigning zero to
'longDnsAllowed' be allowed.

The validation is done locally in the modify operation. This is sufficent
because the IMM service itself is the "OI" for the object:

 opensafImm=opensafImm,safApp=safImmService

The imm service will bar any other CCB from modifying that object untill
a current ccb that is modifying it has either comitted or aborted.

Prior to this patch, the only check done was that no object *exists*
currently with a long DN.

This patch adds a check also for reference attributes. Specifically the
attributes checked are the ones that:

 a) Are defined on the type SA_IMM_ATTR_SANAMET.
    Because currently references are only recognized as references when
    they have this attribute type.

 b) Do not have the attribute flag SA_IMM_ATTR_NO_DANGLING set.
    Because if that flag is set the reference can only point to an existing
    object, thus covered by the pre-existing check.

 c) Do not have the attribute flag SA_IMM_ATTR_RDN set.
    Because the RDN attribute is simply a copy of the RDN part of
    the objects DN, thus coverd by the pre-existing check.

diff --git a/osaf/services/saf/immsv/immnd/ImmModel.cc 
b/osaf/services/saf/immsv/immnd/ImmModel.cc
--- a/osaf/services/saf/immsv/immnd/ImmModel.cc
+++ b/osaf/services/saf/immsv/immnd/ImmModel.cc
@@ -452,7 +452,7 @@ static const std::string saImmOiTimeout(
 
 static SaImmRepositoryInitModeT immInitMode = SA_IMM_INIT_FROM_FILE;
 
-static SaUint32T ccbIdLongDnGuard  = 0; /* Disallow long DN creates if 
longDnsAllowed is being changed in ccb*/
+static SaUint32T ccbIdLongDnGuard  = 0; /* Disallow long DN additions if 
longDnsAllowed is being changed in ccb*/
 static bool      sIsLongDnLoaded   = false; /* track long DNs before 
opensafImm=opensafImm,safApp=safImmService is created */
 
 struct AttrFlagIncludes
@@ -2470,11 +2470,11 @@ ImmModel::setLoader(int pid)
         }
 
         if (accessControlMode() == ACCESS_CONTROL_DISABLED) {
-               LOG_WA("IMM Access Control mode is DISABLED!");
+            LOG_WA("IMM Access Control mode is DISABLED!");
         } else if (accessControlMode() == ACCESS_CONTROL_PERMISSIVE) {
-               LOG_WA("IMM Access Control mode is PERMISSIVE");
-        } else {
-               LOG_NO("IMM Access Control mode is ENFORCING");
+            LOG_WA("IMM Access Control mode is PERMISSIVE");
+        } else {
+            LOG_NO("IMM Access Control mode is ENFORCING");
         }
 
     } else {
@@ -3475,11 +3475,11 @@ ImmModel::accessControlMode()
     ImmAttrValueMap::iterator avi =
         immObject->mAttrValueMap.find(immAccessControlMode);
     if (avi == immObject->mAttrValueMap.end())
-       return ACCESS_CONTROL_DISABLED;
+        return ACCESS_CONTROL_DISABLED;
     osafassert(!(avi->second->isMultiValued()));
     ImmAttrValue* valuep = avi->second;
     OsafImmAccessControlModeT accessControlMode =
-       static_cast<OsafImmAccessControlModeT>(valuep->getValue_int());
+        static_cast<OsafImmAccessControlModeT>(valuep->getValue_int());
 
     TRACE_LEAVE2("%u", accessControlMode);
     return accessControlMode;
@@ -3498,8 +3498,9 @@ ImmModel::authorizedGroup()
     ObjectInfo* immObject =  oi->second;
     ImmAttrValueMap::iterator avi =
         immObject->mAttrValueMap.find(immAuthorizedGroup);
-    if (avi == immObject->mAttrValueMap.end())
-       return NULL;
+    if (avi == immObject->mAttrValueMap.end()) {
+        return NULL;
+    }
     osafassert(!(avi->second->isMultiValued()));
     ImmAttrValue* valuep = avi->second;
     const char *adminGroupName = valuep->getValueC_str();
@@ -3859,10 +3860,9 @@ ImmModel::notCompatibleAtt(const std::st
                         }
                     }
 
-                    if(av->isMultiValued())
+                    if(av->isMultiValued()) {
                         av = ((ImmAttrMultiValue *)av)->getNextAttrValue();
-                    else
-                        break;
+                    } else {break;}
                 }
             }
         }
@@ -7838,9 +7838,8 @@ ImmModel::ccbObjectModify(const ImmsvOmC
             (size_t) p->attrValue.attrName.size);
         std::string attrName((const char *) p->attrValue.attrName.buf, sz);
         bool modifiedRim = modifiedImmMngt && (attrName == 
saImmRepositoryInit);
-        bool modifiedOiTimeout = modifiedImmMngt && (attrName == 
saImmOiTimeout);
-
-        if(modifiedOiTimeout) {
+        
+        if(modifiedImmMngt && (attrName == saImmOiTimeout)) {
             /* Currently the IMM does not support this attribute. */
             TRACE_7("ERR_BAD_OPERATION: attr '%s' in IMM object %s is not 
supported",
                 attrName.c_str(), objectName.c_str());
@@ -8300,18 +8299,48 @@ ImmModel::ccbObjectModify(const ImmsvOmC
                     err = SA_AIS_ERR_BUSY;
                 } else {
                     if(!longDnsAllowedAfter) {
-                        /* Check that NO LONG DNS EXIST! */
+                        TRACE("longDnsAllowed assigned 0 => Check that no long 
DNs exist in IMM-db");
                         ObjectMap::iterator omi = sObjectMap.begin();
                         while(omi != sObjectMap.end()) {
-                            if(omi->first.length() > 255) {
+                            if(omi->first.length() >= 
SA_MAX_UNEXTENDED_NAME_LENGTH) {
                                 LOG_WA("Setting attr %s to 0 in %s not allowed 
when long DN exists: '%s'",
-                                    
immLongDnsAllowed.c_str(),immObjectDn.c_str(), omi->first.c_str());
+                                    immLongDnsAllowed.c_str(), 
immObjectDn.c_str(), omi->first.c_str());
                                 err = SA_AIS_ERR_BAD_OPERATION;
                                 goto bypass_impl;
                             }
+                            /* Check any attributes of type SaNameT that could 
be dangling, i.e. does NOT
+                               have the SA_IMM_ATTR_NO_DANGLING flag set. Skip 
checking the RDN atribute
+                               because it is covered by the DN check above. 
Implementation below is not the
+                               most optimal as it iterates over the attribute 
definitions of the class for
+                               each object. But THIS CASE, of turning OFF 
longDnsAllowed, must be extreemely
+                               rare. The implication is that the turning ON of 
longDnsAllowed was a mistake.
+                            */
+                            for(i4 = omi->second->mClassInfo->mAttrMap.begin();
+                                i4 != omi->second->mClassInfo->mAttrMap.end(); 
++i4) {
+                                if((i4->second->mValueType == 
SA_IMM_ATTR_SANAMET) && 
+                                    !(i4->second->mFlags & SA_IMM_ATTR_RDN) &&
+                                    !(i4->second->mFlags & 
SA_IMM_ATTR_NO_DANGLING))
+                                {
+                                    oavi = 
omi->second->mAttrValueMap.find(i4->first);
+                                    osafassert(oavi !=  
omi->second->mAttrValueMap.end());
+                                    ImmAttrValue *av = oavi->second;
+                                    do {
+                                        const char* dn = av->getValueC_str();
+                                        if((dn && strlen(dn) >= 
SA_MAX_UNEXTENDED_NAME_LENGTH)) {
+                                            LOG_WA("Setting attr %s to 0 in %s 
not allowed when long DN exists "
+                                                "inside object: %s", 
immLongDnsAllowed.c_str(), 
+                                                immObjectDn.c_str(), 
omi->first.c_str());
+                                            err = SA_AIS_ERR_BAD_OPERATION;
+                                            goto bypass_impl;
+                                        }
+                                        av = (av->isMultiValued()) ?
+                                            ((ImmAttrMultiValue 
*)av)->getNextAttrValue() : NULL;
+                                    } while (av);
+                                }
+                            }
                             ++omi;
                         }
-                    }
+                    } /* End of LONG DN check */
 
                     ccbIdLongDnGuard = ccbId;
                 }
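Review bot: The new reference-attribute scan runs only at the time of this modify, and the only change to `ccbIdLongDnGuard` in the patch is its comment ("creates" to "additions"); no visible hunk makes the guard reject a long value written into an SA_IMM_ATTR_SANAMET attribute while this CCB is still open. If the guard is enforced only on object create, another CCB or a runtime-attribute update could store a long DN reference between this check and the commit, so confirm that those write paths test the guard as well. The `osafassert(oavi != omi->second->mAttrValueMap.end())` turns a missing attribute value into a process abort inside a validation path; failing the operation with an error would be safer if that invariant can ever be broken. The warning also names only the object, so adding the attribute name, `i4->first.c_str()`, would let an operator locate the offending value. ccbObjectModify starts and ends outside the hunk.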
