ocaml/idl/datamodel.ml                |   1 +
 ocaml/idl/ocaml_backend/rbac_audit.ml |  26 +++++++++++++++++++-------
 ocaml/xapi/message_forwarding.ml      |   2 +-
 ocaml/xapi/sm_exec.ml                 |   2 +-
 ocaml/xapi/xapi_session.ml            |  26 ++++++++++++++++----------
 5 files changed, 38 insertions(+), 19 deletions(-)


# HG changeset patch
# User Marcus Granado <[email protected]>
# Date 1271346240 -3600
# Node ID 49faab8d415a8764709af25e589f1207d9b76b0f
# Parent  1513daffb85c6e0dd085db2295f6c53fdf22cef8
CA-40427: print AD username in audit.log records even when logged through AD 
group in subject-list

Signed-off-by: Marcus Granado <[email protected]>

diff -r 1513daffb85c -r 49faab8d415a ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml    Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/idl/datamodel.ml    Thu Apr 15 16:44:00 2010 +0100
@@ -2853,6 +2853,7 @@
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some (VRef (Ref.string_of Ref.null))) ~ty:(Ref _subject) 
"subject" "references the subject instance that created the session. If a 
session instance has is_local_superuser set, then the value of this field is 
undefined.";
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some(VDateTime(Date.of_float 0.))) ~ty:DateTime 
"validation_time" "time when session was last validated";
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some(VString(""))) ~ty:String "auth_user_sid" "the subject 
identifier of the user that was externally authenticated. If a session instance 
has is_local_superuser set, then the value of this field is undefined.";
+                 field ~in_product_since:rel_midnight_ride 
~qualifier:DynamicRO ~default_value:(Some(VString(""))) ~ty:String 
"auth_user_name" "the subject name of the user that was externally 
authenticated. If a session instance has is_local_superuser set, then the value 
of this field is undefined.";
                  field ~in_product_since:rel_midnight_ride ~qualifier:StaticRO 
~default_value:(Some(VSet [])) ~ty:(Set(String)) "rbac_permissions" "list with 
all RBAC permissions for this session";
                ]
        ()
diff -r 1513daffb85c -r 49faab8d415a ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml     Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml     Thu Apr 15 16:44:00 2010 +0100
@@ -84,6 +84,8 @@
                ~fn_if_local_session:(fun()->"")
                ~fn_if_local_superuser:(fun()->"")
                ~fn_if_subject:(fun()->
+                               DB_Action.Session.get_auth_user_name ~__context 
~self:session_id
+                       (*
                        let sid =
                                DB_Action.Session.get_auth_user_sid ~__context 
~self:session_id
                        in
@@ -98,6 +100,7 @@
                        List.assoc
                                "subject-name" 
(*Auth_signature.subject_information_field_subject_name*)
                                subj.API.subject_other_config
+                       *)
                )
 
 (*given a ref-value, return a human-friendly value associated with that ref*)
@@ -473,10 +476,19 @@
 *)
        ()
 
-let session_create ~__context ~session_id =
-(*
-       (* this is currently only creating spam in the audit log *)
-       let action="session.create" in
-       allowed_ok ~__context ~session_id ~action ~permission:action ()
-*)
-       ()
+let session_create ~__context ~session_id ~uname =
+  wrap (fun () ->
+       let session_rec = DB_Action.Session.get_record ~__context 
~self:session_id in
+       let s_is_intrapool = session_rec.API.session_pool in
+       let s_is_lsu = session_rec.API.session_is_local_superuser in
+       (* filters out intra-pool logins to avoid spamming the audit log *)
+       if (not s_is_intrapool) && (not s_is_lsu) then (
+               let action="session.create" in
+               let sexpr_of_args = 
+                       (get_sexpr_arg "uname" (match uname with None->""|Some 
u->u) "" "")::
+                       []
+               in
+               allowed_post_fn_ok ~__context ~session_id ~action 
~sexpr_of_args ~permission:action ()
+       )
+       )
+
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/message_forwarding.ml
--- a/ocaml/xapi/message_forwarding.ml  Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/message_forwarding.ml  Thu Apr 15 16:44:00 2010 +0100
@@ -191,7 +191,7 @@
     ~port:!Xapi_globs.https_port ~path:"/" xml
 
 let call_slave_with_session remote_rpc_fn __context host (task_opt: 
API.ref_task option) f =
-  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~rbac_permissions:[] in
+  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~auth_user_name:"" ~rbac_permissions:[] in
   let hostname = Db.Host.get_address ~__context ~self:host in
   Pervasiveext.finally
     (fun ()->f session_id (remote_rpc_fn __context hostname task_opt))
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/sm_exec.ml
--- a/ocaml/xapi/sm_exec.ml     Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/sm_exec.ml     Thu Apr 15 16:44:00 2010 +0100
@@ -143,7 +143,7 @@
   Server_helpers.exec_with_new_task "sm_exec" (fun __context ->
   let create_session () =
     let host = !Xapi_globs.localhost_ref in
-    let session=Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~rbac_permissions:[] in
+    let session=Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~auth_user_name:"" ~rbac_permissions:[] in
     (* Give this session access to this particular SR *)
     maybe (fun sr ->
             Db.Session.add_to_other_config ~__context ~self:session 
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml        Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/xapi_session.ml        Thu Apr 15 16:44:00 2010 +0100
@@ -99,6 +99,11 @@
                end
        )
        in
+       let subject_name = 
+               if List.mem_assoc 
Auth_signature.subject_information_field_subject_name info
+               then List.assoc 
Auth_signature.subject_information_field_subject_name info
+               else ""
+       in
        let get_suspension_value name info = 
                if List.mem_assoc name info (* is the required field present? *)
                        then ((List.assoc name info)<>"false") (* no suspension 
only if value is explicitly false *)
@@ -119,7 +124,7 @@
                if (is_suspended) then begin
                        debug "Subject identifier %s is suspended" 
subject_identifier
                end;
-               is_suspended
+               (is_suspended,subject_name)
        end
 
 let destroy_db_session ~__context ~self = 
@@ -171,7 +176,8 @@
                        (* 2a. revalidate external authentication *)
 
                        (* CP-827: if the user was suspended 
(disabled,expired,locked-out), then we must destroy the session *)
-                       if is_subject_suspended authenticated_user_sid
+                       let (suspended,_)=is_subject_suspended 
authenticated_user_sid in
+                       if suspended
                        then begin 
                                debug "Subject (identifier %s) has been 
suspended, destroying session %s" authenticated_user_sid (trackid session);
                                (* we must destroy the session in this case *)
@@ -261,7 +267,7 @@
 
 (* XXX: only used internally by the code which grants the guest access to the 
API.
    Needs to be protected by a proper access control system *)
-let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser 
~subject ~auth_user_sid ~rbac_permissions =
+let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser 
~subject ~auth_user_sid ~auth_user_name ~rbac_permissions =
        let session_id = Ref.make () in
        let uuid = Uuid.to_string (Uuid.make_uuid ()) in
        let user = Ref.null in (* always return a null reference to the 
deprecated user object *)
@@ -281,8 +287,8 @@
                          ~last_active:(Date.of_float (Unix.time ())) 
~other_config:[] 
                          ~subject:subject 
~is_local_superuser:is_local_superuser
                          ~auth_user_sid ~validation_time:(Date.of_float 
(Unix.time ()))
-                         ~rbac_permissions;
-       Rbac_audit.session_create ~__context ~session_id;
+                         ~auth_user_name ~rbac_permissions;
+       Rbac_audit.session_create ~__context ~session_id ~uname;
        (* At this point, the session is created, but with an incorrect time *)
        (* Force the time to be updated by calling an API function with this 
session *)
        let rpc = Helpers.make_rpc ~__context in
@@ -318,7 +324,7 @@
   slave_login_common ~__context ~host_str:(Ref.string_of host) ~psecret;
   login_no_password ~__context ~uname:None ~host:host ~pool:true 
       ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
-      ~rbac_permissions:[]
+      ~auth_user_name:"" ~rbac_permissions:[]
 
 (* Emergency mode login, uses local storage *)
 let slave_local_login ~__context ~psecret = 
@@ -354,7 +360,7 @@
                (* we trust requests from local unix filename sockets, so no 
need to authenticate them before login *)
                login_no_password ~__context ~uname:(Some uname) 
~host:(Helpers.get_localhost ~__context) 
                        ~pool:false ~is_local_superuser:true 
~subject:(Ref.null)(*~subject should be undefined here or not??? *)
-                       ~auth_user_sid:"" ~rbac_permissions:[]
+                       ~auth_user_sid:"" ~auth_user_name:"" 
~rbac_permissions:[]
        end 
        else
        let login_as_local_superuser auth_type = 
@@ -365,7 +371,7 @@
                        do_local_auth uname pwd;
                        debug "Successful local authentication user %s from %s" 
uname (Context.get_origin __context);
                        login_no_password ~__context ~uname:(Some uname) 
~host:(Helpers.get_localhost ~__context) 
-                               ~pool:false ~is_local_superuser:true 
~subject:(Ref.null) ~auth_user_sid:""
+                               ~pool:false ~is_local_superuser:true 
~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:""
                                ~rbac_permissions:[]
                end
        in      
@@ -428,7 +434,7 @@
                                        (* Otherwise, there might be cases 
where the initial authentication/login succeeds, but *)
                                        (* then a few minutes later the 
revalidation finds that the user is 'suspended' (due to *)
                                        (* subject info caching problems in 
likewise) and closes the user's session *)
-                                       let subject_suspended = (try
+                                       let (subject_suspended,subject_name) = 
(try
                                                is_subject_suspended 
subject_identifier
                                        with (Auth_signature.Auth_service_error 
(errtag,msg)) ->
                                                begin
@@ -523,7 +529,7 @@
                                                                end
                                                ) in 
                                                login_no_password ~__context 
~uname:(Some uname) ~host:(Helpers.get_localhost ~__context) 
-                                                       ~pool:false 
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier
+                                                       ~pool:false 
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier 
~auth_user_name:subject_name
                                                        ~rbac_permissions
                                        end
                                (* we only reach this point if for some reason 
a function above forgot to catch a possible exception in the Auth_signature 
module*)
# HG changeset patch
# User Marcus Granado <[email protected]>
# Date 1271346240 -3600
# Node ID 49faab8d415a8764709af25e589f1207d9b76b0f
# Parent  1513daffb85c6e0dd085db2295f6c53fdf22cef8
CA-40427: print AD username in audit.log records even when logged through AD group in subject-list

Signed-off-by: Marcus Granado <[email protected]>

diff -r 1513daffb85c -r 49faab8d415a ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml	Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/idl/datamodel.ml	Thu Apr 15 16:44:00 2010 +0100
@@ -2853,6 +2853,7 @@
 		  field ~in_product_since:rel_george ~qualifier:DynamicRO ~default_value:(Some (VRef (Ref.string_of Ref.null))) ~ty:(Ref _subject) "subject" "references the subject instance that created the session. If a session instance has is_local_superuser set, then the value of this field is undefined.";
 		  field ~in_product_since:rel_george ~qualifier:DynamicRO ~default_value:(Some(VDateTime(Date.of_float 0.))) ~ty:DateTime "validation_time" "time when session was last validated";
 		  field ~in_product_since:rel_george ~qualifier:DynamicRO ~default_value:(Some(VString(""))) ~ty:String "auth_user_sid" "the subject identifier of the user that was externally authenticated. If a session instance has is_local_superuser set, then the value of this field is undefined.";
+		  field ~in_product_since:rel_midnight_ride ~qualifier:DynamicRO ~default_value:(Some(VString(""))) ~ty:String "auth_user_name" "the subject name of the user that was externally authenticated. If a session instance has is_local_superuser set, then the value of this field is undefined.";
 		  field ~in_product_since:rel_midnight_ride ~qualifier:StaticRO ~default_value:(Some(VSet [])) ~ty:(Set(String)) "rbac_permissions" "list with all RBAC permissions for this session";
 		]
 	()
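Review bot: The description of the new `auth_user_name` field should say that it is a human-readable name for audit and display, not an identifier, since the sibling `auth_user_sid` line is the one callers must use for identity and the value here is copied from whatever subject-name the external auth plugin returns (the lookup in xapi_session.ml in this patch defaults it to an empty string). Suggest `"auth_user_name" "the subject name of the user that was externally authenticated, for display and audit purposes only (use auth_user_sid to identify the user; may be empty). If a session instance has is_local_superuser set, then the value of this field is undefined."`. The field list and the enclosing session object definition continue outside this hunk.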
diff -r 1513daffb85c -r 49faab8d415a ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml	Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml	Thu Apr 15 16:44:00 2010 +0100
@@ -84,6 +84,8 @@
 		~fn_if_local_session:(fun()->"")
 		~fn_if_local_superuser:(fun()->"")
 		~fn_if_subject:(fun()->
+				DB_Action.Session.get_auth_user_name ~__context ~self:session_id
+			(*
 			let sid =
 				DB_Action.Session.get_auth_user_sid ~__context ~self:session_id
 			in
@@ -98,6 +100,7 @@
 			List.assoc
 				"subject-name" (*Auth_signature.subject_information_field_subject_name*)
 				subj.API.subject_other_config
+			*)
 		)
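Review bot: The old subject-record lookup is kept as a commented-out block beneath the new `DB_Action.Session.get_auth_user_name` call instead of being deleted; revision history already preserves it, and a stale path that still mentions `subject_other_config` will suggest to the next reader that the subject record is consulted when it no longer is. Remove the lines from `(*` through `*)` so that `~fn_if_subject` is the single expression `DB_Action.Session.get_auth_user_name ~__context ~self:session_id`. The enclosing function starts before this hunk.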
 
 (*given a ref-value, return a human-friendly value associated with that ref*)
@@ -473,10 +476,19 @@
 *)
 	()
 
-let session_create ~__context ~session_id =
-(*
-	(* this is currently only creating spam in the audit log *)
-	let action="session.create" in
-	allowed_ok ~__context ~session_id ~action ~permission:action ()
-*)
-	()
+let session_create ~__context ~session_id ~uname =
+  wrap (fun () ->
+	let session_rec = DB_Action.Session.get_record ~__context ~self:session_id in
+	let s_is_intrapool = session_rec.API.session_pool in
+	let s_is_lsu = session_rec.API.session_is_local_superuser in
+	(* filters out intra-pool logins to avoid spamming the audit log *)
+	if (not s_is_intrapool) && (not s_is_lsu) then (
+		let action="session.create" in
+		let sexpr_of_args = 
+			(get_sexpr_arg "uname" (match uname with None->""|Some u->u) "" "")::
+			[]
+		in
+		allowed_post_fn_ok ~__context ~session_id ~action ~sexpr_of_args ~permission:action ()
+	)
+	)
+
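Review bot: The guard `if (not s_is_intrapool) && (not s_is_lsu)` drops every local-superuser session, which in this patch includes the interactive root login in `login_as_local_superuser` and the unix-socket login in xapi_session.ml, not only the internal sessions the comment calls "intra-pool"; as written a successful root password login never produces a session.create audit record. Within this patch the internal sessions (message_forwarding, sm_exec, slave_login) are the ones passing `~uname:None`, so keying on the login name keeps them out while still recording root: `if (not s_is_intrapool) && uname <> None then (`. Callers of login_no_password outside this patch may pass a uname for internal sessions, so check them before relying on that, and reword the comment to state exactly which sessions are excluded and why.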
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/message_forwarding.ml
--- a/ocaml/xapi/message_forwarding.ml	Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/message_forwarding.ml	Thu Apr 15 16:44:00 2010 +0100
@@ -191,7 +191,7 @@
     ~port:!Xapi_globs.https_port ~path:"/" xml
 
 let call_slave_with_session remote_rpc_fn __context host (task_opt: API.ref_task option) f =
-  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host ~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" ~rbac_permissions:[] in
+  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host ~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:"" ~rbac_permissions:[] in
   let hostname = Db.Host.get_address ~__context ~self:host in
   Pervasiveext.finally
     (fun ()->f session_id (remote_rpc_fn __context hostname task_opt))
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/sm_exec.ml
--- a/ocaml/xapi/sm_exec.ml	Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/sm_exec.ml	Thu Apr 15 16:44:00 2010 +0100
@@ -143,7 +143,7 @@
   Server_helpers.exec_with_new_task "sm_exec" (fun __context ->
   let create_session () =
     let host = !Xapi_globs.localhost_ref in
-    let session=Xapi_session.login_no_password ~__context ~uname:None ~host ~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" ~rbac_permissions:[] in
+    let session=Xapi_session.login_no_password ~__context ~uname:None ~host ~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:"" ~rbac_permissions:[] in
     (* Give this session access to this particular SR *)
     maybe (fun sr ->
 	     Db.Session.add_to_other_config ~__context ~self:session 
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml	Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/xapi_session.ml	Thu Apr 15 16:44:00 2010 +0100
@@ -99,6 +99,11 @@
 		end
 	)
 	in
+	let subject_name = 
+		if List.mem_assoc Auth_signature.subject_information_field_subject_name info
+		then List.assoc Auth_signature.subject_information_field_subject_name info
+		else ""
+	in
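Review bot: The `subject_name` binding does a `List.mem_assoc` followed by `List.assoc` on the same key; the single-lookup form is `let subject_name = try List.assoc Auth_signature.subject_information_field_subject_name info with Not_found -> "" in`. A short comment should also record what the empty default means, since it ends up in the session's auth_user_name and in every audit line for that session: `(* "" when the external auth plugin supplied no subject-name; not an identifier *)`. The enclosing function starts before this hunk.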
 	let get_suspension_value name info = 
 		if List.mem_assoc name info (* is the required field present? *)
 			then ((List.assoc name info)<>"false") (* no suspension only if value is explicitly false *)
@@ -119,7 +124,7 @@
 		if (is_suspended) then begin
 			debug "Subject identifier %s is suspended" subject_identifier
 		end;
-		is_suspended
+		(is_suspended,subject_name)
 	end
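Review bot: After this hunk `is_subject_suspended` returns a `(bool * string)` pair, so its name no longer describes its result and the revalidation caller elsewhere in this patch has to destructure and discard the second component. Either rename it (e.g. `subject_status`) or add a doc comment above its definition such as `(* returns (suspended, subject_name); subject_name is "" when the auth plugin gave none *)`. The definition starts before this hunk, so the comment would go with its `let`.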
 
 let destroy_db_session ~__context ~self = 
@@ -171,7 +176,8 @@
 			(* 2a. revalidate external authentication *)
 
 			(* CP-827: if the user was suspended (disabled,expired,locked-out), then we must destroy the session *)
-			if is_subject_suspended authenticated_user_sid
+			let (suspended,_)=is_subject_suspended authenticated_user_sid in
+			if suspended
 			then begin 
 				debug "Subject (identifier %s) has been suspended, destroying session %s" authenticated_user_sid (trackid session);
 				(* we must destroy the session in this case *)
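Review bot: The revalidation path now gets the current subject name back from `is_subject_suspended` but discards it with `let (suspended,_)=...`, so a session's stored `auth_user_name` is fixed at login and will not follow a rename in the directory even though validation_time is refreshed. If an internal setter for the field exists (it is DynamicRO, so presumably writable from xapi), consider binding the name and updating the session record on the not-suspended branch when it differs. This is a minor audit-accuracy point; the enclosing function continues outside the hunk.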
@@ -261,7 +267,7 @@
 
 (* XXX: only used internally by the code which grants the guest access to the API.
    Needs to be protected by a proper access control system *)
-let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser ~subject ~auth_user_sid ~rbac_permissions =
+let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser ~subject ~auth_user_sid ~auth_user_name ~rbac_permissions =
 	let session_id = Ref.make () in
 	let uuid = Uuid.to_string (Uuid.make_uuid ()) in
 	let user = Ref.null in (* always return a null reference to the deprecated user object *)
@@ -281,8 +287,8 @@
 	                  ~last_active:(Date.of_float (Unix.time ())) ~other_config:[] 
 	                  ~subject:subject ~is_local_superuser:is_local_superuser
 	                  ~auth_user_sid ~validation_time:(Date.of_float (Unix.time ()))
-	                  ~rbac_permissions;
-	Rbac_audit.session_create ~__context ~session_id;
+	                  ~auth_user_name ~rbac_permissions;
+	Rbac_audit.session_create ~__context ~session_id ~uname;
 	(* At this point, the session is created, but with an incorrect time *)
 	(* Force the time to be updated by calling an API function with this session *)
 	let rpc = Helpers.make_rpc ~__context in
@@ -318,7 +324,7 @@
   slave_login_common ~__context ~host_str:(Ref.string_of host) ~psecret;
   login_no_password ~__context ~uname:None ~host:host ~pool:true 
       ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
-      ~rbac_permissions:[]
+      ~auth_user_name:"" ~rbac_permissions:[]
 
 (* Emergency mode login, uses local storage *)
 let slave_local_login ~__context ~psecret = 
@@ -354,7 +360,7 @@
 		(* we trust requests from local unix filename sockets, so no need to authenticate them before login *)
 		login_no_password ~__context ~uname:(Some uname) ~host:(Helpers.get_localhost ~__context) 
 			~pool:false ~is_local_superuser:true ~subject:(Ref.null)(*~subject should be undefined here or not??? *)
-			~auth_user_sid:"" ~rbac_permissions:[]
+			~auth_user_sid:"" ~auth_user_name:"" ~rbac_permissions:[]
 	end 
 	else
 	let login_as_local_superuser auth_type = 
@@ -365,7 +371,7 @@
 			do_local_auth uname pwd;
 			debug "Successful local authentication user %s from %s" uname (Context.get_origin __context);
 			login_no_password ~__context ~uname:(Some uname) ~host:(Helpers.get_localhost ~__context) 
-				~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
+				~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:""
 				~rbac_permissions:[]
 		end
 	in	
@@ -428,7 +434,7 @@
 					(* Otherwise, there might be cases where the initial authentication/login succeeds, but *)
 					(* then a few minutes later the revalidation finds that the user is 'suspended' (due to *)
 					(* subject info caching problems in likewise) and closes the user's session *)
-					let subject_suspended = (try
+					let (subject_suspended,subject_name) = (try
 						is_subject_suspended subject_identifier
 					with (Auth_signature.Auth_service_error (errtag,msg)) ->
 						begin
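Review bot: The `try` now binds a `(subject_suspended,subject_name)` pair, so the `with Auth_signature.Auth_service_error` handler that opens at the end of this hunk must also evaluate to a pair or raise, yet the diff shows no change to it; presumably it only raises, but that is worth confirming since the handler body is outside the hunk. If it does produce a default status on an auth-service error, the name component should be `""` rather than the user-typed name so the fallback is visible in the audit record. The enclosing login function continues outside the hunk.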
@@ -523,7 +529,7 @@
 								end
 						) in 
 						login_no_password ~__context ~uname:(Some uname) ~host:(Helpers.get_localhost ~__context) 
-							~pool:false ~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier
+							~pool:false ~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier ~auth_user_name:subject_name
 							~rbac_permissions
 					end
 				(* we only reach this point if for some reason a function above forgot to catch a possible exception in the Auth_signature module*)
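Review bot: `~auth_user_name:subject_name` stores an empty string whenever the auth plugin omitted the subject-name field (the lookup added earlier in this patch defaults to `""`), and every audit record for that session then prints a blank user while the group-subject name the old code fell back to is gone. Fall back to the login name so the record still identifies a principal: `~auth_user_name:(if subject_name = "" then uname else subject_name)`. `uname` is the string the caller supplied at login and has presumably been validated by the external auth plugin before this point, so the fallback should be noted as such in a comment. The enclosing login branch continues outside the hunk.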