[Kimchi-devel] [PATCH V2] Issue #737: Fix to remove twice calls of resource lookup on GET OPERATION
Aline Manera
alinefm at linux.vnet.ibm.com
Thu Nov 5 12:14:52 UTC 2015
Hi Archana,
After some tests, I verified this patch set broke the guest
authorization feature.
The guest authorization feature allows user to specify which users and
groups can access a specific resource.
For example, in my system:
GET /plugins/kimchi/vms/fedora22
{
*"users":[**
** "guest"**
** ],*
"screenshot":null,
"cpus":2,
"persistent":true,
*"groups":[],*
"graphics":{
"passwd":null,
"passwdValidTo":null,
"type":"vnc",
"port":null,
"listen":"127.0.0.1"
},
"icon":null,
"stats":{
"cpu_utilization":0,
"io_throughput":0,
"io_throughput_peak":100,
"net_throughput":0,
"mem_utilization":0,
"net_throughput_peak":100
},
"name":"fedora22",
"uuid":"7a07310c-6fd9-47e4-b8e1-ac5a7bd82c79",
"access":"full",
"state":"shutoff",
"memory":4096.0
}
That means, in addition to sysadmin the user 'guest' can also have
access to the virtual machine "fedora22"
After applying this patch, any user can has access to any virtual
machine, ie, the guest authorization configuration is being ignored.
See below:
GET /plugins/kimchi/vms/ubuntu15.04
{
* "users":[],*
"screenshot":null,
"cpus":1,
"persistent":true,
* "groups":[],*
"graphics":{
"passwd":null,
"passwdValidTo":null,
"type":"vnc",
"port":null,
"listen":"127.0.0.1"
},
"icon":null,
"stats":{
"cpu_utilization":0,
"io_throughput":0,
"io_throughput_peak":100,
"net_throughput":0,
"mem_utilization":0,
"net_throughput_peak":100
},
"name":"ubuntu15.04",
"uuid":"aafc4eb0-9f8e-4f8e-b001-390b180c3675",
"access":"full",
"state":"shutoff",
"memory":4096.0
}
If I log into Kimchi as 'guest' user, I can also perform operation on
'ubuntu15.04' virtual machine but as you can see, only the sysadmin
should be able to do that.
On 03/11/2015 16:54, archus at linux.vnet.ibm.com wrote:
> From: Archana Singh <archus at linux.vnet.ibm.com>
>
> Incase of GET lookup was called twice.
> Once lookup() before is_authorized() and then in self.get().
> This added overhead to system when lookup() is called
> for each value in list from get_list() of Collection.
> So to avoid this overhead, lookup() should not be called
> before self.get().
>
> 1) Added lookup() call from Resource's update(), delete().
> 2) Removed lookup() call from Resource's index().
> 2) As is_authorized() calls self.data which calls self.info.
> Added check to make sure that self.data only get called
> if self.info is not None. And intialized self.info as None
> in __init__. As its value is getting assigned in lookup().
> 3) In _generate_action_handler_base(), lookup() was getting
> called before is_authorized(), move its call after is_authorized().
>
> Archana Singh (1):
> Issue #737: Fix to remove twice calls of resource lookup on GET
> OPERATION
>
> src/wok/control/base.py | 16 ++++++++++------
> 1 file changed, 10 insertions(+), 6 deletions(-)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/kimchi-devel/attachments/20151105/5214ec2e/attachment.html>
More information about the Kimchi-devel
mailing list