3:39 p.m.
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
Currently, every user with 'admin' role can perform any operation on any virtual
machine.
In order to add more security, Kimchi will only allow users listed in
the VM metadata - along with those with 'admin' role - to be able to
perform actions on it. A VM may contain a list of system users and groups
associated with it. If a user is not listed to access a VM, they will
not be able to see it or to perform any operation on it.
Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
Signed-off-by: Crístian Viana <vianac(a)linux.vnet.ibm.com>
---
src/kimchi/control/base.py | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index f8a5210..572f980 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -22,6 +22,7 @@
import kimchi.template
+from kimchi.auth import USER_GROUPS, USER_NAME, USER_ROLES
from kimchi.control.utils import get_class_name, internal_redirect, model_fn
from kimchi.control.utils import parse_request, validate_method
from kimchi.control.utils import validate_params
@@ -53,6 +54,8 @@ def __init__(self, model, ident=None):
self.ident = ident
self.model_args = (ident,)
self.update_params = []
+ self.role_key = None
+ self.admin_methods = []
def _redirect(self, ident, code=303):
if ident is not None and ident != self.ident:
@@ -134,6 +137,22 @@ def index(self):
except KimchiException, e:
raise cherrypy.HTTPError(500, e.message)
+ def is_authorized(self):
+ user_name = cherrypy.session.get(USER_NAME, '')
+ user_groups = cherrypy.session.get(USER_GROUPS, [])
+ user_role = cherrypy.session.get(USER_ROLES, {}).get(self.role_key)
+
+ users = self.data.get("users", None)
+ groups = self.data.get("groups", None)
+
+ if (users is not None or groups is not None) and \
+ user_role and user_role != 'admin' and \
+ (user_name not in users or \
+ (groups and list(set(user_groups) & set(groups)) == [])):
+ return False
+
+ return True
+
def update(self):
try:
update = getattr(self.model, model_fn(self, 'update'))
@@ -195,6 +214,8 @@ def __init__(self, model):
self.resource = Resource
self.resource_args = []
self.model_args = []
+ self.role_key = None
+ self.admin_methods = []
def create(self, params, *args):
try:
@@ -239,6 +260,9 @@ def _cp_dispatch(self, vpath):
def filter_data(self, resources, fields_filter):
data = []
for res in resources:
+ if not res.is_authorized():
+ continue
+
if all(key in res.data and res.data[key] == val
for key, val in fields_filter.iteritems()):
data.append(res.data)
--
1.9.3