
From: Aline Manera <alinefm@linux.vnet.ibm.com> Currently, every user with 'admin' role can perform any operation on any virtual machine. In order to add more security, Kimchi will only allow users listed in the VM metadata - along with those with 'admin' role - to be able to perform actions on it. A VM may contain a list of system users and groups associated with it. If a user is not listed to access a VM, they will not be able to see it or to perform any operation on it. Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> Signed-off-by: Crístian Viana <vianac@linux.vnet.ibm.com>
---
 src/kimchi/control/base.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index f8a5210..572f980 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -22,6 +22,7 @@
 import kimchi.template
+from kimchi.auth import USER_GROUPS, USER_NAME, USER_ROLES
 from kimchi.control.utils import get_class_name, internal_redirect, model_fn
 from kimchi.control.utils import parse_request, validate_method
 from kimchi.control.utils import validate_params
@@ -53,6 +54,8 @@ def __init__(self, model, ident=None):
 self.ident = ident
 self.model_args = (ident,)
 self.update_params = []
+ self.role_key = None
+ self.admin_methods = []
 def _redirect(self, ident, code=303):
 if ident is not None and ident != self.ident:
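Review bot: `role_key` and `admin_methods` are added in `__init__` here, and again in the collection `__init__` at `@@ -195,6 +214,8 @@`, with no comment on what they hold, and the `None` default has a security consequence. `is_authorized()` looks the role up with `.get(self.role_key)`, normally gets None back, and then returns True for every caller regardless of the resource's `users`/`groups` lists. I would add a comment such as `# key into the session's USER_ROLES; while None, is_authorized() allows every caller` so that a subclass guarding per-user data knows it must set it. `admin_methods` is not read anywhere in this patch, so its meaning presumably comes from a later patch in the series and should be stated here too.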
@@ -134,6 +137,22 @@ def index(self):
 except KimchiException, e:
 raise cherrypy.HTTPError(500, e.message)
+ def is_authorized(self):
+ user_name = cherrypy.session.get(USER_NAME, '')
+ user_groups = cherrypy.session.get(USER_GROUPS, [])
+ user_role = cherrypy.session.get(USER_ROLES, {}).get(self.role_key)
+
+ users = self.data.get("users", None)
+ groups = self.data.get("groups", None)
+
+ if (users is not None or groups is not None) and \
+ user_role and user_role != 'admin' and \
+ (user_name not in users or \
+ (groups and list(set(user_groups) & set(groups)) == [])):
+ return False
+
+ return True
+
 def update(self):
 try:
 update = getattr(self.model, model_fn(self, 'update'))
@@ -195,6 +214,8 @@ def __init__(self, model):
 self.resource = Resource
 self.resource_args = []
 self.model_args = []
+ self.role_key = None
+ self.admin_methods = []
 def create(self, params, *args):
 try:
@@ -239,6 +260,9 @@ def _cp_dispatch(self, vpath):
 def filter_data(self, resources, fields_filter):
 data = []
 for res in resources:
+ if not res.is_authorized():
+ continue
+
 if all(key in res.data and res.data[key] == val for key, val in fields_filter.iteritems()):
 data.append(res.data)
--
1.9.3
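Review bot: `user_name not in users` in `is_authorized` raises TypeError when the metadata carries `groups` but no `users`, because the outer test passes as soon as either one is not None. The same sub-expression denies a user who belongs to an allowed group but is not named in `users`, and a named user whose groups miss a non-empty `groups` list, which reads stricter than the commit message describes. If either list is meant to grant access, the guard clauses below express that and tolerate a missing list. A session with no role for `role_key` still passes, as in the original; whether that case should be a denial is worth confirming.

```python
        # … unchanged: session lookups and the users/groups reads …

        if users is None and groups is None:
            return True
        if not user_role or user_role == 'admin':
            return True

        return (user_name in (users or []) or
                bool(set(user_groups) & set(groups or [])))
```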
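Review bot: The `is_authorized()` check in `filter_data` only hides unauthorized resources from the collection listing. Nothing in this patch calls it on the single-resource handlers (`index` and `update` are visible in the earlier hunks), so a VM left out of the list would still appear to be served when requested by its ident, unless another patch in the series adds that check. If it is not added elsewhere, those handlers need an early `if not self.is_authorized(): raise cherrypy.HTTPError(403)`. `filter_data` continues past the end of the hunk.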