On 11/18/2014 12:26 PM, lvroyce0210(a)gmail.com wrote:
From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
Add an authorization type to the VM tag, and update set/retrieve of the
access tag accordingly, so that we can switch between different types of
authentication.
Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
---
src/kimchi/model/vms.py | 42 ++++++++++++++++++++++++++++++++++--------
1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index eb8c831..b375f8b 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -31,7 +31,7 @@ import libvirt
from cherrypy.process.plugins import BackgroundTask
from kimchi import model, vnc
-from kimchi.config import READONLY_POOL_TYPE
+from kimchi.config import READONLY_POOL_TYPE, config
from kimchi.exception import InvalidOperation, InvalidParameter
from kimchi.exception import NotFoundError, OperationFailed
from kimchi.model.config import CapabilitiesModel
@@ -46,6 +46,7 @@ from kimchi.utils import add_task, get_next_clone_name, import_class
from kimchi.utils import kimchi_log, run_setfacl_set_attr
from kimchi.utils import template_name_from_uri
from kimchi.xmlutils.utils import xpath_get_text, xml_item_update
+from kimchi.xmlutils.utils import dictize
DOM_STATE_MAP = {0: 'nostate',
@@ -568,17 +569,21 @@ class VMModel(object):
'err': e.message})
def _build_access_elem(self, users, groups):
- access = E.access()
+ auth = config.get("authentication", "method")
+ auth_elem = E.auth(type=auth)
for user in users:
- access.append(E.user(user))
+ auth_elem.append(E.user(user))
for group in groups:
- access.append(E.group(group))
+ auth_elem.append(E.group(group))
+ access = E.access()
+ access.append(auth_elem)
return access
def _vm_update_access_metadata(self, dom, params):
users = groups = None
+ old_users = old_groups = list()
if "users" in params:
users = params["users"]
for user in users:
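Review bot: `_build_access_elem` now emits a single `<auth type=...>` child for the currently configured method, so entries stored under any other auth type are not carried over when the access element is rebuilt. If the caller replaces the whole `access` metadata node (that code is outside this hunk), the first users/groups update after `authentication.method` is changed would discard the other method's ACL; consider copying existing `auth` elements of other types into the new `access` element. Separately, `old_users = old_groups = list()` binds both names to one list object, as does `users = groups = list()` in the last hunk; `old_users, old_groups = [], []` avoids accidental sharing if either is later mutated. The body of `_vm_update_access_metadata` continues outside the hunk.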
@@ -598,8 +603,19 @@ class VMModel(object):
access_xml = (get_metadata_node(dom, "access",
self.caps.metadata_support) or
"""<access></access>""")
- old_users = xpath_get_text(access_xml,
"/access/user")
- old_groups = xpath_get_text(access_xml, "/access/group")
+ auth = config.get("authentication", "method")
+ access_info = dictize(access_xml)
+ auth = config.get("authentication", "method")
+ if ('auth' in access_info['access'] and
+ ('type' in access_info['access']['auth'] or
+ len(access_info['access']['auth']) > 1)):
+ old_users = xpath_get_text(access_xml,
"/access/auth[@type='%s']/user" % auth)
+ old_groups = xpath_get_text(access_xml,
"/access/auth[@type='%s']/group" % auth)
+ elif auth == 'pam':
+ # Compatible to old permission tagging
+ old_users = xpath_get_text(access_xml, "/access/user")
+ old_groups = xpath_get_text(access_xml, "/access/group")
+
users = old_users if users is None else users
groups = old_groups if groups is None else groups
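Review bot: The XPath strings are built with `% auth` from the raw config value, and `auth = config.get("authentication", "method")` is assigned twice in a row before the `if`. A method value containing a quote would yield a malformed or differently scoped expression, so `auth` should be checked against the set of supported methods once before it is interpolated, and the duplicate assignment dropped. The condition also indexes `access_info['access']` directly; whether `dictize` returns a mapping there for the empty `<access></access>` default is not visible in this hunk and should be confirmed. The same interpolation and indexing appear again in the hunk at -739,8.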
@@ -739,8 +755,18 @@ class VMModel(object):
access_xml = (get_metadata_node(dom, "access",
self.caps.metadata_support) or
"""<access></access>""")
- users = xpath_get_text(access_xml, "/access/user")
- groups = xpath_get_text(access_xml, "/access/group")
+ access_info = dictize(access_xml)
+ auth = config.get("authentication", "method")
+ users = groups = list()
+ if ('auth' in access_info['access'] and
+ ('type' in access_info['access']['auth'] or
+ len(access_info['access']['auth']) > 1)):
+ users = xpath_get_text(access_xml,
"/access/auth[@type='%s']/user" % auth)
+ groups = xpath_get_text(access_xml,
"/access/auth[@type='%s']/group" % auth)
+ elif auth == 'pam':
+ # Compatible to old permission tagging
+ users = xpath_get_text(access_xml, "/access/user")
+ groups = xpath_get_text(access_xml, "/access/group")
Those two blocks of code are the same, right? Maybe a function would be
better, to have a single point of maintenance.
return {'name': name,
'state': state,
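Review bot: When the stored `<auth>` element's type does not match the configured method, or the method is not `pam` and the VM only carries legacy untyped entries, `users` and `groups` stay empty and the lookup gives no indication that an ACL for another method exists. How consumers treat an empty list is not visible here; it is worth confirming that it means "no additional users are granted access" rather than "unrestricted". A comment at the fall-through such as `# no entries for the configured auth method: report an empty ACL`, or a log line there, would make the intended behaviour explicit.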