[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-API] [PATCH] CA-38974: improve parameter reporting during obj.destroy in auditlog



# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1268753781 0
# Node ID bda8cf8aa3e40ee4591f71c435361b9ec94a70de
# Parent  708d1cf38f4f700368235b2f6d250f978ccb7a43
CA-38974: improve parameter reporting during obj.destroy in auditlog

Obj.destroy has the nasty side-effect of removing the object name from the 
database.
Therefore, for .destroy actions, no obj name is shown in the audit record 
parameters.

This patch caches the object name before Obj.destroy is called, working around 
this
side-effect.

Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>

diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac.ml
--- a/ocaml/idl/ocaml_backend/rbac.ml   Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac.ml   Tue Mar 16 15:36:21 2010 +0000
@@ -220,16 +220,19 @@
        if (is_access_allowed ~__context ~session_id ~permission)
        then (* allow access to action *)
        begin
+               let sexpr_of_args =
+                       Rbac_audit.allowed_pre_fn ~action ?args ()
+               in
                try
                        let result = (fn ()) (* call rbac-protected function *)
                        in
-                       Rbac_audit.allowed_ok ~__context ~session_id ~action
-                                       ~permission ?args ~result ();
+                       Rbac_audit.allowed_post_fn_ok ~__context ~session_id 
~action
+                                       ~permission ?sexpr_of_args ?args 
~result ();
                        result
                with error-> (* catch all exceptions *)
                        begin
-                               Rbac_audit.allowed_error ~__context ~session_id 
~action 
-                                       ~permission ?args ~error ();
+                               Rbac_audit.allowed_post_fn_error ~__context 
~session_id ~action 
+                                       ~permission ?sexpr_of_args ?args ~error 
();
                                raise error
                        end
        end
diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml     Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml     Tue Mar 16 15:36:21 2010 +0000
@@ -314,7 +314,7 @@
        with e -> (* never bubble up the error here *) 
                D.debug "ignoring %s" (ExnHelper.string_of_exn e)
 
-let sexpr_of __context session_id allowed_denied ok_error result_error ?args 
action permission =
+let sexpr_of __context session_id allowed_denied ok_error result_error ?args 
?sexpr_of_args action permission =
   let result_error = 
                if result_error = "" then result_error else ":"^result_error
        in
@@ -328,7 +328,11 @@
     SExpr.String (call_type_of action)::
                (*SExpr.String (Helper_hostname.get_hostname ())::*)
     SExpr.String action::
-    (SExpr.Node (sexpr_of_parameters action args))::
+    (SExpr.Node (
+                       match sexpr_of_args with
+                       | None -> (sexpr_of_parameters action args)
+                       | Some sexpr_of_args -> sexpr_of_args
+                ))::
                []
        )
 
@@ -336,11 +340,11 @@
 
 let fn_append_to_master_audit_log = ref None
 
-let audit_line_of __context session_id allowed_denied ok_error result_error 
action permission ?args =
+let audit_line_of __context session_id allowed_denied ok_error result_error 
action permission ?args ?sexpr_of_args () =
        let _line = 
                (SExpr.string_of 
                         (sexpr_of __context session_id allowed_denied 
-                                       ok_error result_error ?args action 
permission
+                                       ok_error result_error ?args 
?sexpr_of_args action permission
                         )
                )
        in
@@ -353,13 +357,24 @@
                | None -> () 
                | Some fn -> fn __context action audit_line
 
-let allowed_ok ~__context ~session_id ~action ~permission ?args ?result () =
+let allowed_pre_fn ~action ?args () =
+       try
+               if (has_to_audit action)
+                       (* for now, we only cache arg results for destroy 
actions *)
+                       && (Stringext.String.has_substr action ".destroy")
+               then Some(sexpr_of_parameters action args)
+               else None
+       with e -> 
+               D.debug "ignoring %s" (ExnHelper.string_of_exn e);
+               None
+
+let allowed_post_fn_ok ~__context ~session_id ~action ~permission 
?sexpr_of_args ?args ?result () =
        wrap (fun () ->
                if has_to_audit action then 
-                       audit_line_of __context session_id "ALLOWED" "OK" "" 
action permission ?args
+                       audit_line_of __context session_id "ALLOWED" "OK" "" 
action permission ?sexpr_of_args ?args ()
        )
 
-let allowed_error ~__context ~session_id ~action ~permission ?args ?error () =
+let allowed_post_fn_error ~__context ~session_id ~action ~permission 
?sexpr_of_args ?args ?error () =
        wrap (fun () ->
                if has_to_audit action then
                        let error_str = 
@@ -367,13 +382,13 @@
                                | None -> ""
                                | Some error -> (ExnHelper.string_of_exn error)
                        in
-                       audit_line_of __context session_id "ALLOWED" "ERROR" 
error_str action permission ?args
+                       audit_line_of __context session_id "ALLOWED" "ERROR" 
error_str action permission ?sexpr_of_args  ?args ()
        )
        
 let denied ~__context ~session_id ~action ~permission ?args () =
        wrap (fun () ->
                if has_to_audit action then
-                       audit_line_of __context session_id "DENIED" "" "" 
action permission ?args
+                       audit_line_of __context session_id "DENIED" "" "" 
action permission ?args ()
        )
 
 let session_destroy ~__context ~session_id =
2 files changed, 31 insertions(+), 13 deletions(-)
ocaml/idl/ocaml_backend/rbac.ml       |   11 +++++++----
ocaml/idl/ocaml_backend/rbac_audit.ml |   33 ++++++++++++++++++++++++---------


Attachment: xen-api.hg.patch
Description: Text Data

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.