
[Xen-API] [PATCH] print AD username in audit.log records even when logged through AD group in subject-list



# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
# Date 1278584383 -3600
# Node ID 9af1bf033e695ff49442baa228da630fbf91e079
# Parent  b7483deae7a5fc299005f77920b29e89f77a1425
CA-40427: print the AD username in audit.log records even when the user logged in through an AD
group in the subject-list

Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>

diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml    Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/idl/datamodel.ml    Thu Jul 08 11:19:43 2010 +0100
@@ -2851,6 +2851,7 @@
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some (VRef (Ref.string_of Ref.null))) ~ty:(Ref _subject) 
"subject" "references the subject instance that created the session. If a 
session instance has is_local_superuser set, then the value of this field is 
undefined.";
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some(VDateTime(Date.of_float 0.))) ~ty:DateTime 
"validation_time" "time when session was last validated";
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some(VString(""))) ~ty:String "auth_user_sid" "the subject 
identifier of the user that was externally authenticated. If a session instance 
has is_local_superuser set, then the value of this field is undefined.";
+                 field ~in_product_since:rel_midnight_ride 
~qualifier:DynamicRO ~default_value:(Some(VString(""))) ~ty:String 
"auth_user_name" "the subject name of the user that was externally 
authenticated. If a session instance has is_local_superuser set, then the value 
of this field is undefined.";
                  field ~in_product_since:rel_midnight_ride ~qualifier:StaticRO 
~default_value:(Some(VSet [])) ~ty:(Set(String)) "rbac_permissions" "list with 
all RBAC permissions for this session";
                ]
        ()
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml     Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml     Thu Jul 08 11:19:43 2010 +0100
@@ -84,6 +84,8 @@
                ~fn_if_local_session:(fun()->"")
                ~fn_if_local_superuser:(fun()->"")
                ~fn_if_subject:(fun()->
+                               DB_Action.Session.get_auth_user_name ~__context 
~self:session_id
+                       (*
                        let sid =
                                DB_Action.Session.get_auth_user_sid ~__context 
~self:session_id
                        in
@@ -98,6 +100,7 @@
                        List.assoc
                                "subject-name" 
(*Auth_signature.subject_information_field_subject_name*)
                                subj.API.subject_other_config
+                       *)
                )
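Review bot: The new `fn_if_subject` returns `auth_user_name` straight from the session record, and the companion change in xapi_session.ml stores `""` there when the auth plugin omits `subject_information_field_subject_name`, so such audit records would now name nobody where the old code at least looked the name up from the subject. I would fall back to the SID, which is the one identifier that is always set for an externally authenticated session: `let name = DB_Action.Session.get_auth_user_name ~__context ~self:session_id in` / `if name = "" then DB_Action.Session.get_auth_user_sid ~__context ~self:session_id else name`. The superseded lookup code is kept as a block comment rather than deleted; the repository history already preserves it, so I would drop the `(* ... *)` block. The enclosing function starts before this hunk.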
 
 (*given a ref-value, return a human-friendly value associated with that ref*)
@@ -399,10 +402,19 @@
 *)
        ()
 
-let session_create ~__context ~session_id =
-(*
-       (* this is currently only creating spam in the audit log *)
-       let action="session.create" in
-       allowed_ok ~__context ~session_id ~action ~permission:action ()
-*)
-       ()
+let session_create ~__context ~session_id ~uname =
+  wrap (fun () ->
+       let session_rec = DB_Action.Session.get_record ~__context 
~self:session_id in
+       let s_is_intrapool = session_rec.API.session_pool in
+       let s_is_lsu = session_rec.API.session_is_local_superuser in
+       (* filters out intra-pool logins to avoid spamming the audit log *)
+       if (not s_is_intrapool) && (not s_is_lsu) then (
+               let action="session.create" in
+               let sexpr_of_args = 
+                       (get_sexpr_arg "uname" (match uname with None->""|Some 
u->u) "" "")::
+                       []
+               in
+               allowed_post_fn_ok ~__context ~session_id ~action 
~sexpr_of_args ~permission:action ()
+       )
+       )
+
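Review bot: The `(not s_is_lsu)` condition drops the `session.create` audit record for every local-superuser session, not just the intra-pool ones the comment justifies; in this same patch the password login path in xapi_session.ml (the `login_as_local_superuser` branch) creates sessions with `~is_local_superuser:true`, so root logins over the API, the most privileged interactive logins, would leave no audit trail. The intra-pool spam is already excluded by `s_is_intrapool`, so I would restrict the filter to that: `if not s_is_intrapool then (` and reword the comment to `(* filter out intra-pool logins to avoid spamming the audit log; local superuser logins are still recorded *)`. `uname` is caller-supplied text that ends up in the log line; I assume `get_sexpr_arg` quotes it so a crafted username cannot forge or split records, but that is worth confirming since it is not visible here. Also worth noting that `wrap` presumably swallows exceptions from the audit path, so a failure here would silently lose the record.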
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/xapi/message_forwarding.ml
--- a/ocaml/xapi/message_forwarding.ml  Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/xapi/message_forwarding.ml  Thu Jul 08 11:19:43 2010 +0100
@@ -191,7 +191,7 @@
     ~port:!Xapi_globs.https_port ~path:"/" xml
 
 let call_slave_with_session remote_rpc_fn __context host (task_opt: 
API.ref_task option) f =
-  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~rbac_permissions:[] in
+  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~auth_user_name:"" ~rbac_permissions:[] in
   let hostname = Db.Host.get_address ~__context ~self:host in
   Pervasiveext.finally
     (fun ()->f session_id (remote_rpc_fn __context hostname task_opt))
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/xapi/sm_exec.ml
--- a/ocaml/xapi/sm_exec.ml     Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/xapi/sm_exec.ml     Thu Jul 08 11:19:43 2010 +0100
@@ -143,7 +143,7 @@
   Server_helpers.exec_with_new_task "sm_exec" (fun __context ->
   let create_session () =
     let host = !Xapi_globs.localhost_ref in
-    let session=Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~rbac_permissions:[] in
+    let session=Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~auth_user_name:"" ~rbac_permissions:[] in
     (* Give this session access to this particular SR *)
     maybe (fun sr ->
             Db.Session.add_to_other_config ~__context ~self:session 
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml        Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/xapi/xapi_session.ml        Thu Jul 08 11:19:43 2010 +0100
@@ -99,6 +99,11 @@
                end
        )
        in
+       let subject_name = 
+               if List.mem_assoc 
Auth_signature.subject_information_field_subject_name info
+               then List.assoc 
Auth_signature.subject_information_field_subject_name info
+               else ""
+       in
        let get_suspension_value name info = 
                if List.mem_assoc name info (* is the required field present? *)
                        then ((List.assoc name info)<>"false") (* no suspension 
only if value is explicitly false *)
@@ -119,7 +124,7 @@
                if (is_suspended) then begin
                        debug "Subject identifier %s is suspended" 
subject_identifier
                end;
-               is_suspended
+               (is_suspended,subject_name)
        end
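Review bot: `is_subject_suspended` now returns a `(bool * string)` pair while its name still reads as a predicate, and nothing in the hunk says what the second component is or when it is empty. I would add a comment above the binding, e.g. `(* returns (is_suspended, subject_name); subject_name is "" when the plugin's subject info lacks subject_information_field_subject_name *)`, or rename the function (e.g. `check_subject`) so callers do not expect a bare bool. The function's header lies before this hunk.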
 
 let destroy_db_session ~__context ~self = 
@@ -171,7 +176,8 @@
                        (* 2a. revalidate external authentication *)
 
                        (* CP-827: if the user was suspended 
(disabled,expired,locked-out), then we must destroy the session *)
-                       if is_subject_suspended authenticated_user_sid
+                       let (suspended,_)=is_subject_suspended 
authenticated_user_sid in
+                       if suspended
                        then begin 
                                debug "Subject (identifier %s) has been 
suspended, destroying session %s" authenticated_user_sid (trackid session);
                                (* we must destroy the session in this case *)
@@ -261,7 +267,7 @@
 
 (* XXX: only used internally by the code which grants the guest access to the 
API.
    Needs to be protected by a proper access control system *)
-let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser 
~subject ~auth_user_sid ~rbac_permissions =
+let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser 
~subject ~auth_user_sid ~auth_user_name ~rbac_permissions =
        let session_id = Ref.make () in
        let uuid = Uuid.to_string (Uuid.make_uuid ()) in
        let user = Ref.null in (* always return a null reference to the 
deprecated user object *)
@@ -281,8 +287,8 @@
                          ~last_active:(Date.of_float (Unix.time ())) 
~other_config:[] 
                          ~subject:subject 
~is_local_superuser:is_local_superuser
                          ~auth_user_sid ~validation_time:(Date.of_float 
(Unix.time ()))
-                         ~rbac_permissions;
-       Rbac_audit.session_create ~__context ~session_id;
+                         ~auth_user_name ~rbac_permissions;
+       Rbac_audit.session_create ~__context ~session_id ~uname;
        (* At this point, the session is created, but with an incorrect time *)
        (* Force the time to be updated by calling an API function with this 
session *)
        let rpc = Helpers.make_rpc ~__context in
@@ -318,7 +324,7 @@
   slave_login_common ~__context ~host_str:(Ref.string_of host) ~psecret;
   login_no_password ~__context ~uname:None ~host:host ~pool:true 
       ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
-      ~rbac_permissions:[]
+      ~auth_user_name:"" ~rbac_permissions:[]
 
 (* Emergency mode login, uses local storage *)
 let slave_local_login ~__context ~psecret = 
@@ -354,7 +360,7 @@
                (* we trust requests from local unix filename sockets, so no 
need to authenticate them before login *)
                login_no_password ~__context ~uname:(Some uname) 
~host:(Helpers.get_localhost ~__context) 
                        ~pool:false ~is_local_superuser:true 
~subject:(Ref.null)(*~subject should be undefined here or not??? *)
-                       ~auth_user_sid:"" ~rbac_permissions:[]
+                       ~auth_user_sid:"" ~auth_user_name:"" 
~rbac_permissions:[]
        end 
        else
        let login_as_local_superuser auth_type = 
@@ -365,7 +371,7 @@
                        do_local_auth uname pwd;
                        debug "Successful local authentication user %s from %s" 
uname (Context.get_origin __context);
                        login_no_password ~__context ~uname:(Some uname) 
~host:(Helpers.get_localhost ~__context) 
-                               ~pool:false ~is_local_superuser:true 
~subject:(Ref.null) ~auth_user_sid:""
+                               ~pool:false ~is_local_superuser:true 
~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:""
                                ~rbac_permissions:[]
                end
        in      
@@ -428,7 +434,7 @@
                                        (* Otherwise, there might be cases 
where the initial authentication/login succeeds, but *)
                                        (* then a few minutes later the 
revalidation finds that the user is 'suspended' (due to *)
                                        (* subject info caching problems in 
likewise) and closes the user's session *)
-                                       let subject_suspended = (try
+                                       let (subject_suspended,subject_name) = 
(try
                                                is_subject_suspended 
subject_identifier
                                        with (Auth_signature.Auth_service_error 
(errtag,msg)) ->
                                                begin
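Review bot: The `with (Auth_signature.Auth_service_error (errtag,msg))` handler that closes this `try` must now evaluate to the same `(bool * string)` pair that `is_subject_suspended` returns, otherwise the binding on the first changed line will not type-check; the handler body is outside the hunk so I cannot confirm it was updated. If it still yields a bare bool, pair it with an empty name, e.g. `(..., "")`, and consider logging that the subject name was unavailable so the audit record's empty username is explainable. The enclosing function starts and ends outside this hunk.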
@@ -523,7 +529,7 @@
                                                                end
                                                ) in 
                                                login_no_password ~__context 
~uname:(Some uname) ~host:(Helpers.get_localhost ~__context) 
-                                                       ~pool:false 
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier
+                                                       ~pool:false 
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier 
~auth_user_name:subject_name
                                                        ~rbac_permissions
                                        end
                                (* we only reach this point if for some reason 
a function above forgot to catch a possible exception in the Auth_signature 
module*)
 ocaml/idl/datamodel.ml                |   1 +
 ocaml/idl/ocaml_backend/rbac_audit.ml |  26 +++++++++++++++++++-------
 ocaml/xapi/message_forwarding.ml      |   2 +-
 ocaml/xapi/sm_exec.ml                 |   2 +-
 ocaml/xapi/xapi_session.ml            |  26 ++++++++++++++++----------
 5 files changed, 38 insertions(+), 19 deletions(-)


Attachment: xen-api.hg.patch
Description: Text Data


 

