[Kimchi-devel] [PATCH 1/9] authorization: Filter resources by users and groups

Wed Jul 23 20:39:12 UTC 2014

From: Aline Manera <alinefm at linux.vnet.ibm.com>

Currently, every user with 'admin' role can perform any operation on any virtual
machine.

In order to add more security, Kimchi will only allow users listed in
the VM metadata - along with those with 'admin' role - to be able to
perform actions on it. A VM may contain a list of system users and groups
associated with it. If a user is not listed to access a VM, they will
not be able to see it or to perform any operation on it.

Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
Signed-off-by: Crístian Viana <vianac at linux.vnet.ibm.com>
---
 src/kimchi/control/base.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index f8a5210..572f980 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -22,6 +22,7 @@
 
 
 import kimchi.template
+from kimchi.auth import USER_GROUPS, USER_NAME, USER_ROLES
 from kimchi.control.utils import get_class_name, internal_redirect, model_fn
 from kimchi.control.utils import parse_request, validate_method
 from kimchi.control.utils import validate_params
@@ -53,6 +54,8 @@ def __init__(self, model, ident=None):
         self.ident = ident
         self.model_args = (ident,)
         self.update_params = []
+        self.role_key = None
+        self.admin_methods = []
 
     def _redirect(self, ident, code=303):
         if ident is not None and ident != self.ident:
@@ -134,6 +137,22 @@ def index(self):
         except KimchiException, e:
             raise cherrypy.HTTPError(500, e.message)
 
+    def is_authorized(self):
+        user_name = cherrypy.session.get(USER_NAME, '')
+        user_groups = cherrypy.session.get(USER_GROUPS, [])
+        user_role = cherrypy.session.get(USER_ROLES, {}).get(self.role_key)
+
+        users = self.data.get("users", None)
+        groups = self.data.get("groups", None)
+
+        if (users is not None or groups is not None) and \
+            user_role and user_role != 'admin' and \
+            (user_name not in users or \
+            (groups and list(set(user_groups) & set(groups)) == [])):
+            return False
+
+        return True
+
     def update(self):
         try:
             update = getattr(self.model, model_fn(self, 'update'))
@@ -195,6 +214,8 @@ def __init__(self, model):
         self.resource = Resource
         self.resource_args = []
         self.model_args = []
+        self.role_key = None
+        self.admin_methods = []
 
     def create(self, params, *args):
         try:
@@ -239,6 +260,9 @@ def _cp_dispatch(self, vpath):
     def filter_data(self, resources, fields_filter):
         data = []
         for res in resources:
+            if not res.is_authorized():
+                continue
+
             if all(key in res.data and res.data[key] == val
                    for key, val in fields_filter.iteritems()):
                 data.append(res.data)
-- 
1.9.3


