def map_tenant(self, tenant): """ Map a DockerVolumeTenant instance returned by auth_api to VMODL vim.vcs.Tenant instance """ if tenant == None: return None result = vim.vcs.Tenant() # Populate basic tenant info result.id = tenant.id result.name = tenant.name result.description = tenant.description # Populate default datastore if tenant.default_datastore_url: result.default_datastore = vmdk_utils.get_datastore_name( tenant.default_datastore_url) if result.default_datastore is None: return None # Populate associated VMs if tenant.vms: for vm_id in tenant.vms: vm_name = vmdk_utils.get_vm_name_by_uuid(vm_id) result.vms.append(vm_name) # Populate associated privileges if tenant.privileges: for privilege in tenant.privileges: result.privileges.append(self.map_privilege(privilege)) return result
def map_tenant(self, tenant): """ Map a DockerVolumeTenant instance returned by auth_api to VMODL vim.vcs.Tenant instance """ if tenant == None: return None result = vim.vcs.Tenant() # Populate basic tenant info result.id = tenant.id result.name = tenant.name result.description = tenant.description # Populate default datastore if tenant.default_datastore_url: result.default_datastore = vmdk_utils.get_datastore_name(tenant.default_datastore_url) if result.default_datastore is None: return None # Populate associated VMs if tenant.vms: for vm_id in tenant.vms: vm_name = vmdk_utils.get_vm_name_by_uuid(vm_id) result.vms.append(vm_name) # Populate associated privileges if tenant.privileges: for privilege in tenant.privileges: result.privileges.append(self.map_privilege(privilege)) return result
def authorize(vm_uuid, datastore_url, cmd, opts): """ Check whether the command can be run on this VM. Return value: result, tenant_uuid, tenant_name - result: return None if the command can be run on this VM, otherwise, return corresponding error message - tenant_uuid: If the VM belongs to a tenant, return tenant_uuid, otherwise, return None - tenant_name: If the VM belongs to a tenant, return tenant_name, otherwise, return None """ logging.debug("Authorize: vm_uuid=%s", vm_uuid) logging.debug("Authorize: datastore_url=%s", datastore_url) logging.debug("Authorize: cmd=%s", cmd) logging.debug("Authorize: opt=%s", opts) try: get_auth_mgr() except (auth_data.DbConnectionError, auth_data.DbAccessError) as e: error_msg = str(e) return error_msg, None, None # If table "tenants", "vms", "privileges" or "volumes" does not exist # don't need auth check if not tables_exist(): logging.error("Required tables in auth db do not exist") error_msg = "Required tables in aut db do not exist" return error_msg, None, None error_msg, tenant_uuid, tenant_name = get_tenant(vm_uuid) if error_msg: return error_msg, None, None if not tenant_uuid: # This VM does not associate any tenant(including DEFAULT tenant), # need reject the request vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid) err_code = error_code.ErrorCode.VM_NOT_BELONG_TO_TENANT err_msg = error_code.error_code_to_message[err_code].format(vm_name) logging.debug(err_msg) return err_msg, None, None else: error_msg, privileges = get_privileges(tenant_uuid, datastore_url) if error_msg: return error_msg, None, None logging.debug( "authorize: tenant_uuid=%s, datastore_url=%s, privileges=%s", tenant_uuid, datastore_url, privileges) result = check_privileges_for_command(cmd, opts, tenant_uuid, datastore_url, privileges) if not result: logging.info( "cmd %s with opts %s on tenant_uuid %s datastore_url %s is allowed to execute", cmd, opts, tenant_uuid, datastore_url) return result, tenant_uuid, tenant_name
def authorize(vm_uuid, datastore_url, cmd, opts): """ Check whether the command can be run on this VM. Return value: result, tenant_uuid, tenant_name - result: return None if the command can be run on this VM, otherwise, return corresponding error message - tenant_uuid: If the VM belongs to a tenant, return tenant_uuid, otherwise, return None - tenant_name: If the VM belongs to a tenant, return tenant_name, otherwise, return None """ logging.debug("Authorize: cmd=%s opts=`%s' vm_uuid=%s, datastore_url=%s", cmd, opts, vm_uuid, datastore_url) # The possible value of "datastore_url" can be url of real datastore or "_VM_DS://" error_msg, _auth_mgr = get_auth_mgr() if error_msg: return error_msg, None, None if _auth_mgr.allow_all_access(): return None, auth_data_const.DEFAULT_TENANT_UUID, auth_data_const.DEFAULT_TENANT # If table "tenants", "vms", "privileges" or "volumes" does not exist # don't need auth check if not tables_exist(): error_msg = "Required tables do not exist in auth db" logging.error(error_msg) return error_msg, None, None error_msg, tenant_uuid, tenant_name = get_tenant(vm_uuid) if error_msg: return error_msg, None, None if not tenant_uuid: # This VM does not associate any tenant(including DEFAULT tenant), # need reject the request vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid) err_msg = error_code_to_message[ ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_name) logging.debug(err_msg) return err_msg, None, None else: error_msg, privileges = get_privileges(tenant_uuid, datastore_url) if error_msg: return error_msg, None, None result = check_privileges_for_command(cmd, opts, tenant_uuid, datastore_url, privileges) logging.debug( "authorize: vmgroup_name=%s, datastore_url=%s, privileges=%s, result=%s", tenant_name, datastore_url, privileges, result) if result is None: logging.info( "db_mode='%s' cmd=%s opts=%s vmgroup=%s datastore_url=%s is allowed to execute", _auth_mgr.mode, cmd, opts, tenant_name, datastore_url) return result, tenant_uuid, tenant_name
def get_tenant(vm_uuid): """ Get tenant which owns this VM by querying the auth DB. Return value: -- error_msg: return None on success or error info on failure -- tenant_uuid: return tenant uuid which the VM with given vm_uuid is associated to, return None if the VM is not associated to any tenant -- tenant_name: return tenant name which the VM with given vm_uuid is associated to, return None if the VM is not associated to any tenant """ err_msg, _auth_mgr = get_auth_mgr() if err_msg: return err_msg, None, None try: cur = _auth_mgr.conn.execute( "SELECT tenant_id FROM vms WHERE vm_id = ?", (vm_uuid, )) result = cur.fetchone() except sqlite3.Error as e: logging.error("Error %s when querying from vms table for vm_id %s", e, vm_uuid) return str(e), None, None if result: logging.debug("get tenant vm_uuid=%s tenant_id=%s", vm_uuid, result[0]) tenant_uuid = None tenant_name = None if result: tenant_uuid = result[0] try: cur = _auth_mgr.conn.execute( "SELECT name FROM tenants WHERE id = ?", (tenant_uuid, )) result = cur.fetchone() except sqlite3.Error as e: logging.error( "Error %s when querying from tenants table for tenant_id %s", e, tenant_uuid) return str(e), None, None if result: tenant_name = result[0] logging.debug("Found tenant_uuid %s, tenant_name %s", tenant_uuid, tenant_name) return None, tenant_uuid, tenant_name else: error_msg, tenant_uuid, tenant_name = get_default_tenant() if error_msg: return error_msg, None, None if not tenant_uuid: vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid) err_code = error_code.ErrorCode.VM_NOT_BELONG_TO_TENANT err_msg = error_code.error_code_to_message[err_code].format( vm_name) logging.debug(err_msg) return err_msg, None, None return None, tenant_uuid, tenant_name
def generate_tenant_vm_ls_rows(vms): """ Generate output for tenant vm ls command """ rows = [] for vm in vms: # vm has the format like this (vm_uuid) uuid = vm name = vmdk_utils.get_vm_name_by_uuid(uuid) rows.append([uuid, name]) return rows
def generate_vm_list(vms_uuid): """ Generate vm names with given list of vm uuid""" # vms_uuid is a list of vm_uuid # example: vms_uuid=["vm1_uuid", "vm2_uuid"] # the return value is a string like this vm1,vm2 res = "" for vm_uuid in vms_uuid: vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid) # If the VM name cannot be resolved then its possible # the VM has been deleted or migrated off the host, # skip the VM in that case. if vm_name: res = res + vm_name res = res + "," if res: res = res[:-1] return res
def get_tenant(vm_uuid): """ Get tenant which owns this VM by querying the auth DB. Return: error_msg, tenant_uuid, tenant_name -- error_msg: return None on success or error info on failure -- tenant_uuid: return tenant uuid which the VM with given vm_uuid is associated to, return None if the VM is not associated to any tenant -- tenant_name: return tenant name which the VM with given vm_uuid is associated to, return None if the VM is not associated to any tenant """ err_msg, _auth_mgr = get_auth_mgr() if err_msg: return err_msg, None, None logging.debug("auth.get_tenant: allow_all: %s, uuid: %s", _auth_mgr.allow_all_access(), vm_uuid) if _auth_mgr.allow_all_access(): logging.debug("returning default info") return None, auth_data_const.DEFAULT_TENANT_UUID, auth_data_const.DEFAULT_TENANT try: cur = _auth_mgr.conn.execute( "SELECT tenant_id FROM vms WHERE vm_id = ?", (vm_uuid, ) ) result = cur.fetchone() except sqlite3.Error as e: logging.error("Error %s when querying from vms table for vm_id %s", e, vm_uuid) return str(e), None, None if result: logging.debug("get tenant vm_uuid=%s tenant_id=%s", vm_uuid, result[0]) tenant_uuid = None tenant_name = None if result: tenant_uuid = result[0] try: cur = _auth_mgr.conn.execute( "SELECT name FROM tenants WHERE id = ?", (tenant_uuid, ) ) result = cur.fetchone() except sqlite3.Error as e: logging.error("Error %s when querying from tenants table for tenant_id %s", e, tenant_uuid) return str(e), None, None if result: tenant_name = result[0] logging.debug("Found tenant_uuid %s, tenant_name %s", tenant_uuid, tenant_name) return None, tenant_uuid, tenant_name else: error_msg, tenant_uuid, tenant_name = get_default_tenant() if error_msg: return error_msg, None, None if not tenant_uuid: vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid) if vm_name: err_msg = error_code_to_message[ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_name) else: err_msg = error_code_to_message[ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_uuid) logging.debug(err_msg) return err_msg, None, None return None, tenant_uuid, tenant_name
def authorize(vm_uuid, datastore_url, cmd, opts, privilege_ds_url, vm_datastore_url=None): """ Check whether the command can be run on this VM on given datastore. Return value: result, tenant_uuid, tenant_name - result: return None if the command can be run on this VM, otherwise, return corresponding error message - tenant_uuid: If the VM belongs to a tenant, return tenant_uuid, otherwise, return None - tenant_name: If the VM belongs to a tenant, return tenant_name, otherwise, return None """ # "datastore_url" is the url of datastore which the volume to be created on # The possible value of "datastore_url" can be url of a real datastore or "_VM_DS" # "privilege_ds_url" is the url of datastore which we need to get the privilege of # The possible value of "privilege_ds_url" can be url of a real datastore, "_VM_DS" or "_ALL_DS" # Caller need to pass the url of real datastore name where VM lives as param "vm_datastore_url" if # param "datastore_url" is the url of datastore "_VM_DS" logging.debug("Authorize: cmd=%s opts=`%s' vm_uuid=%s, datastore_url=%s, privilege_ds_url=%s, " "vm_datastore_url=%s", cmd, opts, vm_uuid, datastore_url, privilege_ds_url, vm_datastore_url) error_msg, _auth_mgr = get_auth_mgr() if error_msg: return error_msg, None, None if _auth_mgr.allow_all_access(): return None, auth_data_const.DEFAULT_TENANT_UUID, auth_data_const.DEFAULT_TENANT # If table "tenants", "vms", "privileges" or "volumes" does not exist # don't need auth check if not tables_exist(): error_msg = "Required tables do not exist in auth db" logging.error(error_msg) return error_msg, None, None error_msg, tenant_uuid, tenant_name = get_tenant(vm_uuid) if error_msg: return error_msg, None, None if not tenant_uuid: # This VM does not associate any tenant(including DEFAULT tenant), # need reject the request vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid) err_msg = error_code_to_message[ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_name) logging.debug(err_msg) return err_msg, None, None else: error_msg, privileges = get_privileges(tenant_uuid, privilege_ds_url) if error_msg: return error_msg, None, None result = check_privileges_for_command(cmd, opts, tenant_uuid, datastore_url, privileges, vm_datastore_url) logging.debug("authorize: vmgroup_name=%s, datastore_url=%s, vm_datastore_url=%s, privileges=%s, result=%s", tenant_name, datastore_url, vm_datastore_url, privileges, result) if result is None: logging.info("db_mode='%s' cmd=%s opts=%s vmgroup=%s datastore_url=%s is allowed to execute", _auth_mgr.mode, cmd, opts, tenant_name, datastore_url) return result, tenant_uuid, tenant_name