<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 05/11/2015 10:14, Aline Manera
wrote:<br>
</div>
<blockquote cite="mid:563B483C.1090203@linux.vnet.ibm.com"
type="cite">
<br>
Hi Archana,<br>
<br>
After some tests, I verified this patch set broke the guest
authorization feature.<br>
<br>
The guest authorization feature allows the user to specify which users
and groups can access a specific resource.<br>
<br>
For example, in my system:<br>
<br>
GET /plugins/kimchi/vms/fedora22<br>
{<br>
<b>"users":[</b><b><br>
</b><b> "guest"</b><b><br>
</b><b> ],</b><br>
"screenshot":null,<br>
"cpus":2,<br>
"persistent":true,<br>
<b>"groups":[],</b><br>
"graphics":{<br>
"passwd":null,<br>
"passwdValidTo":null,<br>
"type":"vnc",<br>
"port":null,<br>
"listen":"127.0.0.1"<br>
},<br>
"icon":null,<br>
"stats":{<br>
"cpu_utilization":0,<br>
"io_throughput":0,<br>
"io_throughput_peak":100,<br>
"net_throughput":0,<br>
"mem_utilization":0,<br>
"net_throughput_peak":100<br>
},<br>
"name":"fedora22",<br>
"uuid":"7a07310c-6fd9-47e4-b8e1-ac5a7bd82c79",<br>
"access":"full",<br>
"state":"shutoff",<br>
"memory":4096.0<br>
}<br>
<br>
That means, in addition to sysadmin, the user 'guest' can also have
access to the virtual machine "fedora22".<br>
<br>
After applying this patch, any user can have access to any virtual
machine, i.e., the guest authorization configuration is being
ignored.<br>
See below:<br>
<br>
GET /plugins/kimchi/vms/ubuntu15.04<br>
{<br>
<b> "users":[],</b><br>
"screenshot":null,<br>
"cpus":1,<br>
"persistent":true,<br>
<b> "groups":[],</b><br>
"graphics":{<br>
"passwd":null,<br>
"passwdValidTo":null,<br>
"type":"vnc",<br>
"port":null,<br>
"listen":"127.0.0.1"<br>
},<br>
"icon":null,<br>
"stats":{<br>
"cpu_utilization":0,<br>
"io_throughput":0,<br>
"io_throughput_peak":100,<br>
"net_throughput":0,<br>
"mem_utilization":0,<br>
"net_throughput_peak":100<br>
},<br>
"name":"ubuntu15.04",<br>
"uuid":"aafc4eb0-9f8e-4f8e-b001-390b180c3675",<br>
"access":"full",<br>
"state":"shutoff",<br>
"memory":4096.0<br>
}<br>
<br>
If I log into Kimchi as the 'guest' user, I can also perform operations
on the 'ubuntu15.04' virtual machine, but as you can see, only the
sysadmin should be able to do that.<br>
<br>
</blockquote>
<br>
Just one more piece of information. Without your patch, while trying to
access the 'ubuntu15.04' virtual machine as the 'guest' user, I get the
following:<br>
<br>
&lt;!DOCTYPE html PUBLIC<br>
"-//W3C//DTD XHTML 1.0 Transitional//EN"<br>
<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"</a>&gt;<br>
&lt;html&gt;<br>
&lt;head&gt;<br>
&lt;meta http-equiv="Content-Type" content="text/html;
charset=utf-8"&gt;&lt;/meta&gt;<br>
&lt;title&gt;403 Forbidden&lt;/title&gt;<br>
&lt;style type="text/css"&gt;<br>
#powered_by {<br>
margin-top: 20px;<br>
border-top: 2px solid black;<br>
font-style: italic;<br>
}<br>
<br>
#traceback {<br>
color: red;<br>
}<br>
&lt;/style&gt;<br>
&lt;/head&gt;<br>
&lt;body&gt;<br>
&lt;h2&gt;403 Forbidden&lt;/h2&gt;<br>
&lt;p&gt;WOKAPI0009E: WOKAPI0009E&lt;/p&gt;<br>
&lt;pre id="traceback"&gt;Traceback (most recent call last):<br>
File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py",
line 670, in respond<br>
response.body = self.handler()<br>
File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py",
line 217, in __call__<br>
self.body = self.oldhandler(*args, **kwargs)<br>
File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py",
line 61, in __call__<br>
return self.callable(*self.args, **self.kwargs)<br>
File "/home/alinefm/kimchi/src/wok/control/base.py", line 178, in
index<br>
raise cherrypy.HTTPError(403, e.message)<br>
HTTPError: (403, u'WOKAPI0009E: WOKAPI0009E')<br>
&lt;/pre&gt;<br>
&lt;div id="powered_by"&gt;<br>
&lt;span&gt;<br>
Powered by &lt;a href=<a class="moz-txt-link-rfc2396E" href="http://www.cherrypy.org">"http://www.cherrypy.org"</a>&gt;CherryPy
3.5.0&lt;/a&gt;<br>
&lt;/span&gt;<br>
&lt;/div&gt;<br>
&lt;/body&gt;<br>
&lt;/html&gt;<br>
<br>
<blockquote cite="mid:563B483C.1090203@linux.vnet.ibm.com"
type="cite">
<div class="moz-cite-prefix">On 03/11/2015 16:54, <a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:archus@linux.vnet.ibm.com">archus@linux.vnet.ibm.com</a>
wrote:<br>
</div>
<blockquote
cite="mid:1446576873-15511-1-git-send-email-archus@linux.vnet.ibm.com"
type="cite">
<pre wrap="">From: Archana Singh <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:archus@linux.vnet.ibm.com">&lt;archus@linux.vnet.ibm.com&gt;</a>
In case of GET lookup was called twice.
Once lookup() before is_authorized() and then in self.get().
This added overhead to system when lookup() is called
for each value in list from get_list() of Collection.
So to avoid this overhead, lookup() should not be called
before self.get().
1) Added lookup() call from Resource's update(), delete().
2) Removed lookup() call from Resource's index().
2) As is_authorized() calls self.data which calls self.info.
Added check to make sure that self.data only gets called
if self.info is not None. And initialized self.info as None
in __init__. As its value is getting assigned in lookup().
3) In _generate_action_handler_base(), lookup() was getting
called before is_authorized(), move its call after is_authorized().
Archana Singh (1):
Issue #737: Fix to remove twice calls of resource lookup on GET
OPERATION
src/wok/control/base.py | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
</pre>
</blockquote>
<br>
<pre wrap="">_______________________________________________
Kimchi-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Kimchi-devel@ovirt.org">Kimchi-devel@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/kimchi-devel">http://lists.ovirt.org/mailman/listinfo/kimchi-devel</a>
</pre>
</blockquote>
<br>
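An added illustration, not part of the thread and not wok's code: a minimal Python model of how running the authorization check before lookup() can fail open for the two VMs quoted above, next to an ordering that looks up once and then checks. The Resource class, the VMS data, the handler names and the rule that a missing ACL grants access are assumptions made for the example.

```python
class Forbidden(Exception):
    """Stands in for the HTTP 403 response."""

# Constructed sample data mirroring the ACL fields of the two VMs in the thread.
VMS = {
    "fedora22": {"users": ["guest"], "groups": []},
    "ubuntu15.04": {"users": [], "groups": []},
}

class Resource:  # hypothetical stand-in, not wok.control.base.Resource
    def __init__(self, ident):
        self.ident = ident
        self.info = None  # only lookup() fills this in

    def lookup(self):
        self.info = VMS[self.ident]

    def acl(self):
        # Guard on info: an unpopulated resource looks like "no ACL configured".
        if self.info is None:
            return None, None
        return self.info["users"], self.info["groups"]

    def is_authorized(self, user, user_groups, role):
        users, groups = self.acl()
        # Assumed rule: admins and resources without any ACL are always allowed.
        if role == "admin" or (users is None and groups is None):
            return True
        return user in users or bool(set(user_groups) & set(groups))

def get_check_before_lookup(ident, user, user_groups=(), role="user"):
    """Fail-open ordering: the check runs while info is still None."""
    res = Resource(ident)
    if not res.is_authorized(user, user_groups, role):
        raise Forbidden(ident)
    res.lookup()
    return res.info

def get_lookup_once(ident, user, user_groups=(), role="user"):
    """One lookup, then the check on real data; unpopulated state denies."""
    res = Resource(ident)
    res.lookup()
    if res.info is None or not res.is_authorized(user, user_groups, role):
        raise Forbidden(ident)
    return res.info  # reused by the handler, so no second lookup is needed

def allowed(handler, ident, user, **kw):
    try:
        handler(ident, user, **kw)
        return True
    except Forbidden:
        return False
```

A regression test for this class of change is a request from a non-admin user against a resource whose users and groups lists are both empty, asserting that the response is 403.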
</body>
</html>