<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
Hi Archana,<br>
<br>
After some tests, I verified this patch set broke the guest
authorization feature.<br>
<br>
The guest authorization feature allows user to specify which users
and groups can access a specific resource.<br>
<br>
For example, in my system:<br>
<br>
GET /plugins/kimchi/vms/fedora22<br>
{<br>
<b>"users":[</b><b><br>
</b><b> "guest"</b><b><br>
</b><b> ],</b><br>
"screenshot":null,<br>
"cpus":2,<br>
"persistent":true,<br>
<b>"groups":[],</b><br>
"graphics":{<br>
"passwd":null,<br>
"passwdValidTo":null,<br>
"type":"vnc",<br>
"port":null,<br>
"listen":"127.0.0.1"<br>
},<br>
"icon":null,<br>
"stats":{<br>
"cpu_utilization":0,<br>
"io_throughput":0,<br>
"io_throughput_peak":100,<br>
"net_throughput":0,<br>
"mem_utilization":0,<br>
"net_throughput_peak":100<br>
},<br>
"name":"fedora22",<br>
"uuid":"7a07310c-6fd9-47e4-b8e1-ac5a7bd82c79",<br>
"access":"full",<br>
"state":"shutoff",<br>
"memory":4096.0<br>
}<br>
<br>
That means, in addition to sysadmin the user 'guest' can also have
access to the virtual machine "fedora22"<br>
<br>
After applying this patch, any user can has access to any virtual
machine, ie, the guest authorization configuration is being ignored.<br>
See below:<br>
<br>
GET /plugins/kimchi/vms/ubuntu15.04<br>
{<br>
<b> "users":[],</b><br>
"screenshot":null,<br>
"cpus":1,<br>
"persistent":true,<br>
<b> "groups":[],</b><br>
"graphics":{<br>
"passwd":null,<br>
"passwdValidTo":null,<br>
"type":"vnc",<br>
"port":null,<br>
"listen":"127.0.0.1"<br>
},<br>
"icon":null,<br>
"stats":{<br>
"cpu_utilization":0,<br>
"io_throughput":0,<br>
"io_throughput_peak":100,<br>
"net_throughput":0,<br>
"mem_utilization":0,<br>
"net_throughput_peak":100<br>
},<br>
"name":"ubuntu15.04",<br>
"uuid":"aafc4eb0-9f8e-4f8e-b001-390b180c3675",<br>
"access":"full",<br>
"state":"shutoff",<br>
"memory":4096.0<br>
}<br>
<br>
If I log into Kimchi as 'guest' user, I can also perform operation
on 'ubuntu15.04' virtual machine but as you can see, only the
sysadmin should be able to do that.<br>
<br>
<div class="moz-cite-prefix">On 03/11/2015 16:54,
<a class="moz-txt-link-abbreviated" href="mailto:archus@linux.vnet.ibm.com">archus@linux.vnet.ibm.com</a> wrote:<br>
</div>
<blockquote
cite="mid:1446576873-15511-1-git-send-email-archus@linux.vnet.ibm.com"
type="cite">
<pre wrap="">From: Archana Singh <a class="moz-txt-link-rfc2396E" href="mailto:archus@linux.vnet.ibm.com"><archus@linux.vnet.ibm.com></a>
Incase of GET lookup was called twice.
Once lookup() before is_authorized() and then in self.get().
This added overhead to system when lookup() is called
for each value in list from get_list() of Collection.
So to avoid this overhead, lookup() should not be called
before self.get().
1) Added lookup() call from Resource's update(), delete().
2) Removed lookup() call from Resource's index().
2) As is_authorized() calls self.data which calls self.info.
Added check to make sure that self.data only get called
if self.info is not None. And intialized self.info as None
in __init__. As its value is getting assigned in lookup().
3) In _generate_action_handler_base(), lookup() was getting
called before is_authorized(), move its call after is_authorized().
Archana Singh (1):
Issue #737: Fix to remove twice calls of resource lookup on GET
OPERATION
src/wok/control/base.py | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
</pre>
</blockquote>
<br>
</body>
</html>