def map_tenant(self, tenant):
"""
Map a DockerVolumeTenant instance returned by auth_api to VMODL vim.vcs.Tenant instance
"""
if tenant == None:
return None
result = vim.vcs.Tenant()
# Populate basic tenant info
result.id = tenant.id
result.name = tenant.name
result.description = tenant.description
# Populate default datastore
if tenant.default_datastore_url:
result.default_datastore = vmdk_utils.get_datastore_name(
tenant.default_datastore_url)
if result.default_datastore is None:
return None
# Populate associated VMs
if tenant.vms:
for vm_id in tenant.vms:
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_id)
result.vms.append(vm_name)
# Populate associated privileges
if tenant.privileges:
for privilege in tenant.privileges:
result.privileges.append(self.map_privilege(privilege))
return result
def map_tenant(self, tenant):
"""
Map a DockerVolumeTenant instance returned by auth_api to VMODL vim.vcs.Tenant instance
"""
if tenant == None:
return None
result = vim.vcs.Tenant()
# Populate basic tenant info
result.id = tenant.id
result.name = tenant.name
result.description = tenant.description
# Populate default datastore
if tenant.default_datastore_url:
result.default_datastore = vmdk_utils.get_datastore_name(tenant.default_datastore_url)
if result.default_datastore is None:
return None
# Populate associated VMs
if tenant.vms:
for vm_id in tenant.vms:
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_id)
result.vms.append(vm_name)
# Populate associated privileges
if tenant.privileges:
for privilege in tenant.privileges:
result.privileges.append(self.map_privilege(privilege))
return result
def authorize(vm_uuid, datastore_url, cmd, opts):
""" Check whether the command can be run on this VM.
Return value: result, tenant_uuid, tenant_name
- result: return None if the command can be run on this VM, otherwise, return
corresponding error message
- tenant_uuid: If the VM belongs to a tenant, return tenant_uuid, otherwise, return
None
- tenant_name: If the VM belongs to a tenant, return tenant_name, otherwise, return
None
"""
logging.debug("Authorize: vm_uuid=%s", vm_uuid)
logging.debug("Authorize: datastore_url=%s", datastore_url)
logging.debug("Authorize: cmd=%s", cmd)
logging.debug("Authorize: opt=%s", opts)
try:
get_auth_mgr()
except (auth_data.DbConnectionError, auth_data.DbAccessError) as e:
error_msg = str(e)
return error_msg, None, None
# If table "tenants", "vms", "privileges" or "volumes" does not exist
# don't need auth check
if not tables_exist():
logging.error("Required tables in auth db do not exist")
error_msg = "Required tables in aut db do not exist"
return error_msg, None, None
error_msg, tenant_uuid, tenant_name = get_tenant(vm_uuid)
if error_msg:
return error_msg, None, None
if not tenant_uuid:
# This VM does not associate any tenant(including DEFAULT tenant),
# need reject the request
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid)
err_code = error_code.ErrorCode.VM_NOT_BELONG_TO_TENANT
err_msg = error_code.error_code_to_message[err_code].format(vm_name)
logging.debug(err_msg)
return err_msg, None, None
else:
error_msg, privileges = get_privileges(tenant_uuid, datastore_url)
if error_msg:
return error_msg, None, None
logging.debug(
"authorize: tenant_uuid=%s, datastore_url=%s, privileges=%s",
tenant_uuid, datastore_url, privileges)
result = check_privileges_for_command(cmd, opts, tenant_uuid,
datastore_url, privileges)
if not result:
logging.info(
"cmd %s with opts %s on tenant_uuid %s datastore_url %s is allowed to execute",
cmd, opts, tenant_uuid, datastore_url)
return result, tenant_uuid, tenant_name
def authorize(vm_uuid, datastore_url, cmd, opts):
""" Check whether the command can be run on this VM.
Return value: result, tenant_uuid, tenant_name
- result: return None if the command can be run on this VM, otherwise, return
corresponding error message
- tenant_uuid: If the VM belongs to a tenant, return tenant_uuid, otherwise, return
None
- tenant_name: If the VM belongs to a tenant, return tenant_name, otherwise, return
None
"""
logging.debug("Authorize: cmd=%s opts=`%s' vm_uuid=%s, datastore_url=%s",
cmd, opts, vm_uuid, datastore_url)
# The possible value of "datastore_url" can be url of real datastore or "_VM_DS://"
error_msg, _auth_mgr = get_auth_mgr()
if error_msg:
return error_msg, None, None
if _auth_mgr.allow_all_access():
return None, auth_data_const.DEFAULT_TENANT_UUID, auth_data_const.DEFAULT_TENANT
# If table "tenants", "vms", "privileges" or "volumes" does not exist
# don't need auth check
if not tables_exist():
error_msg = "Required tables do not exist in auth db"
logging.error(error_msg)
return error_msg, None, None
error_msg, tenant_uuid, tenant_name = get_tenant(vm_uuid)
if error_msg:
return error_msg, None, None
if not tenant_uuid:
# This VM does not associate any tenant(including DEFAULT tenant),
# need reject the request
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid)
err_msg = error_code_to_message[
ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_name)
logging.debug(err_msg)
return err_msg, None, None
else:
error_msg, privileges = get_privileges(tenant_uuid, datastore_url)
if error_msg:
return error_msg, None, None
result = check_privileges_for_command(cmd, opts, tenant_uuid,
datastore_url, privileges)
logging.debug(
"authorize: vmgroup_name=%s, datastore_url=%s, privileges=%s, result=%s",
tenant_name, datastore_url, privileges, result)
if result is None:
logging.info(
"db_mode='%s' cmd=%s opts=%s vmgroup=%s datastore_url=%s is allowed to execute",
_auth_mgr.mode, cmd, opts, tenant_name, datastore_url)
return result, tenant_uuid, tenant_name
def get_tenant(vm_uuid):
"""
Get tenant which owns this VM by querying the auth DB.
Return value:
-- error_msg: return None on success or error info on failure
-- tenant_uuid: return tenant uuid which the VM with given vm_uuid is associated to,
return None if the VM is not associated to any tenant
-- tenant_name: return tenant name which the VM with given vm_uuid is associated to,
return None if the VM is not associated to any tenant
"""
err_msg, _auth_mgr = get_auth_mgr()
if err_msg:
return err_msg, None, None
try:
cur = _auth_mgr.conn.execute(
"SELECT tenant_id FROM vms WHERE vm_id = ?", (vm_uuid, ))
result = cur.fetchone()
except sqlite3.Error as e:
logging.error("Error %s when querying from vms table for vm_id %s", e,
vm_uuid)
return str(e), None, None
if result:
logging.debug("get tenant vm_uuid=%s tenant_id=%s", vm_uuid, result[0])
tenant_uuid = None
tenant_name = None
if result:
tenant_uuid = result[0]
try:
cur = _auth_mgr.conn.execute(
"SELECT name FROM tenants WHERE id = ?", (tenant_uuid, ))
result = cur.fetchone()
except sqlite3.Error as e:
logging.error(
"Error %s when querying from tenants table for tenant_id %s",
e, tenant_uuid)
return str(e), None, None
if result:
tenant_name = result[0]
logging.debug("Found tenant_uuid %s, tenant_name %s", tenant_uuid,
tenant_name)
return None, tenant_uuid, tenant_name
else:
error_msg, tenant_uuid, tenant_name = get_default_tenant()
if error_msg:
return error_msg, None, None
if not tenant_uuid:
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid)
err_code = error_code.ErrorCode.VM_NOT_BELONG_TO_TENANT
err_msg = error_code.error_code_to_message[err_code].format(
vm_name)
logging.debug(err_msg)
return err_msg, None, None
return None, tenant_uuid, tenant_name
def generate_tenant_vm_ls_rows(vms):
""" Generate output for tenant vm ls command """
rows = []
for vm in vms:
# vm has the format like this (vm_uuid)
uuid = vm
name = vmdk_utils.get_vm_name_by_uuid(uuid)
rows.append([uuid, name])
return rows
def generate_vm_list(vms_uuid):
""" Generate vm names with given list of vm uuid"""
# vms_uuid is a list of vm_uuid
# example: vms_uuid=["vm1_uuid", "vm2_uuid"]
# the return value is a string like this vm1,vm2
res = ""
for vm_uuid in vms_uuid:
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid)
# If the VM name cannot be resolved then its possible
# the VM has been deleted or migrated off the host,
# skip the VM in that case.
if vm_name:
res = res + vm_name
res = res + ","
if res:
res = res[:-1]
return res
def get_tenant(vm_uuid):
"""
Get tenant which owns this VM by querying the auth DB.
Return: error_msg, tenant_uuid, tenant_name
-- error_msg: return None on success or error info on failure
-- tenant_uuid: return tenant uuid which the VM with given vm_uuid is associated to,
return None if the VM is not associated to any tenant
-- tenant_name: return tenant name which the VM with given vm_uuid is associated to,
return None if the VM is not associated to any tenant
"""
err_msg, _auth_mgr = get_auth_mgr()
if err_msg:
return err_msg, None, None
logging.debug("auth.get_tenant: allow_all: %s, uuid: %s", _auth_mgr.allow_all_access(), vm_uuid)
if _auth_mgr.allow_all_access():
logging.debug("returning default info")
return None, auth_data_const.DEFAULT_TENANT_UUID, auth_data_const.DEFAULT_TENANT
try:
cur = _auth_mgr.conn.execute(
"SELECT tenant_id FROM vms WHERE vm_id = ?",
(vm_uuid, )
)
result = cur.fetchone()
except sqlite3.Error as e:
logging.error("Error %s when querying from vms table for vm_id %s", e, vm_uuid)
return str(e), None, None
if result:
logging.debug("get tenant vm_uuid=%s tenant_id=%s", vm_uuid, result[0])
tenant_uuid = None
tenant_name = None
if result:
tenant_uuid = result[0]
try:
cur = _auth_mgr.conn.execute(
"SELECT name FROM tenants WHERE id = ?",
(tenant_uuid, )
)
result = cur.fetchone()
except sqlite3.Error as e:
logging.error("Error %s when querying from tenants table for tenant_id %s",
e, tenant_uuid)
return str(e), None, None
if result:
tenant_name = result[0]
logging.debug("Found tenant_uuid %s, tenant_name %s", tenant_uuid, tenant_name)
return None, tenant_uuid, tenant_name
else:
error_msg, tenant_uuid, tenant_name = get_default_tenant()
if error_msg:
return error_msg, None, None
if not tenant_uuid:
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid)
if vm_name:
err_msg = error_code_to_message[ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_name)
else:
err_msg = error_code_to_message[ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_uuid)
logging.debug(err_msg)
return err_msg, None, None
return None, tenant_uuid, tenant_name
def authorize(vm_uuid, datastore_url, cmd, opts, privilege_ds_url, vm_datastore_url=None):
""" Check whether the command can be run on this VM on given datastore.
Return value: result, tenant_uuid, tenant_name
- result: return None if the command can be run on this VM, otherwise, return
corresponding error message
- tenant_uuid: If the VM belongs to a tenant, return tenant_uuid, otherwise, return
None
- tenant_name: If the VM belongs to a tenant, return tenant_name, otherwise, return
None
"""
# "datastore_url" is the url of datastore which the volume to be created on
# The possible value of "datastore_url" can be url of a real datastore or "_VM_DS"
# "privilege_ds_url" is the url of datastore which we need to get the privilege of
# The possible value of "privilege_ds_url" can be url of a real datastore, "_VM_DS" or "_ALL_DS"
# Caller need to pass the url of real datastore name where VM lives as param "vm_datastore_url" if
# param "datastore_url" is the url of datastore "_VM_DS"
logging.debug("Authorize: cmd=%s opts=`%s' vm_uuid=%s, datastore_url=%s, privilege_ds_url=%s, "
"vm_datastore_url=%s",
cmd, opts, vm_uuid, datastore_url, privilege_ds_url, vm_datastore_url)
error_msg, _auth_mgr = get_auth_mgr()
if error_msg:
return error_msg, None, None
if _auth_mgr.allow_all_access():
return None, auth_data_const.DEFAULT_TENANT_UUID, auth_data_const.DEFAULT_TENANT
# If table "tenants", "vms", "privileges" or "volumes" does not exist
# don't need auth check
if not tables_exist():
error_msg = "Required tables do not exist in auth db"
logging.error(error_msg)
return error_msg, None, None
error_msg, tenant_uuid, tenant_name = get_tenant(vm_uuid)
if error_msg:
return error_msg, None, None
if not tenant_uuid:
# This VM does not associate any tenant(including DEFAULT tenant),
# need reject the request
vm_name = vmdk_utils.get_vm_name_by_uuid(vm_uuid)
err_msg = error_code_to_message[ErrorCode.VM_NOT_BELONG_TO_TENANT].format(vm_name)
logging.debug(err_msg)
return err_msg, None, None
else:
error_msg, privileges = get_privileges(tenant_uuid, privilege_ds_url)
if error_msg:
return error_msg, None, None
result = check_privileges_for_command(cmd, opts, tenant_uuid, datastore_url, privileges, vm_datastore_url)
logging.debug("authorize: vmgroup_name=%s, datastore_url=%s, vm_datastore_url=%s, privileges=%s, result=%s",
tenant_name, datastore_url, vm_datastore_url, privileges, result)
if result is None:
logging.info("db_mode='%s' cmd=%s opts=%s vmgroup=%s datastore_url=%s is allowed to execute",
_auth_mgr.mode, cmd, opts, tenant_name, datastore_url)
return result, tenant_uuid, tenant_name