|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-API] [PATCH] print AD username in audit.log records even when logged through AD group in subject-list
# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
# Date 1278584383 -3600
# Node ID 9af1bf033e695ff49442baa228da630fbf91e079
# Parent b7483deae7a5fc299005f77920b29e89f77a1425
CA-40427: print AD username in audit.log records even when logged through AD
group in subject-list
Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/idl/datamodel.ml Thu Jul 08 11:19:43 2010 +0100
@@ -2851,6 +2851,7 @@
field ~in_product_since:rel_george ~qualifier:DynamicRO
~default_value:(Some (VRef (Ref.string_of Ref.null))) ~ty:(Ref _subject)
"subject" "references the subject instance that created the session. If a
session instance has is_local_superuser set, then the value of this field is
undefined.";
field ~in_product_since:rel_george ~qualifier:DynamicRO
~default_value:(Some(VDateTime(Date.of_float 0.))) ~ty:DateTime
"validation_time" "time when session was last validated";
field ~in_product_since:rel_george ~qualifier:DynamicRO
~default_value:(Some(VString(""))) ~ty:String "auth_user_sid" "the subject
identifier of the user that was externally authenticated. If a session instance
has is_local_superuser set, then the value of this field is undefined.";
+ field ~in_product_since:rel_midnight_ride
~qualifier:DynamicRO ~default_value:(Some(VString(""))) ~ty:String
"auth_user_name" "the subject name of the user that was externally
authenticated. If a session instance has is_local_superuser set, then the value
of this field is undefined.";
field ~in_product_since:rel_midnight_ride ~qualifier:StaticRO
~default_value:(Some(VSet [])) ~ty:(Set(String)) "rbac_permissions" "list with
all RBAC permissions for this session";
]
()
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml Thu Jul 08 11:19:43 2010 +0100
@@ -84,6 +84,8 @@
~fn_if_local_session:(fun()->"")
~fn_if_local_superuser:(fun()->"")
~fn_if_subject:(fun()->
+ DB_Action.Session.get_auth_user_name ~__context
~self:session_id
+ (*
let sid =
DB_Action.Session.get_auth_user_sid ~__context
~self:session_id
in
@@ -98,6 +100,7 @@
List.assoc
"subject-name"
(*Auth_signature.subject_information_field_subject_name*)
subj.API.subject_other_config
+ *)
)
(*given a ref-value, return a human-friendly value associated with that ref*)
@@ -399,10 +402,19 @@
*)
()
-let session_create ~__context ~session_id =
-(*
- (* this is currently only creating spam in the audit log *)
- let action="session.create" in
- allowed_ok ~__context ~session_id ~action ~permission:action ()
-*)
- ()
+let session_create ~__context ~session_id ~uname =
+ wrap (fun () ->
+ let session_rec = DB_Action.Session.get_record ~__context
~self:session_id in
+ let s_is_intrapool = session_rec.API.session_pool in
+ let s_is_lsu = session_rec.API.session_is_local_superuser in
+ (* filters out intra-pool logins to avoid spamming the audit log *)
+ if (not s_is_intrapool) && (not s_is_lsu) then (
+ let action="session.create" in
+ let sexpr_of_args =
+ (get_sexpr_arg "uname" (match uname with None->""|Some
u->u) "" "")::
+ []
+ in
+ allowed_post_fn_ok ~__context ~session_id ~action
~sexpr_of_args ~permission:action ()
+ )
+ )
+
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/xapi/message_forwarding.ml
--- a/ocaml/xapi/message_forwarding.ml Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/xapi/message_forwarding.ml Thu Jul 08 11:19:43 2010 +0100
@@ -191,7 +191,7 @@
~port:!Xapi_globs.https_port ~path:"/" xml
let call_slave_with_session remote_rpc_fn __context host (task_opt:
API.ref_task option) f =
- let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
~rbac_permissions:[] in
+ let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
~auth_user_name:"" ~rbac_permissions:[] in
let hostname = Db.Host.get_address ~__context ~self:host in
Pervasiveext.finally
(fun ()->f session_id (remote_rpc_fn __context hostname task_opt))
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/xapi/sm_exec.ml
--- a/ocaml/xapi/sm_exec.ml Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/xapi/sm_exec.ml Thu Jul 08 11:19:43 2010 +0100
@@ -143,7 +143,7 @@
Server_helpers.exec_with_new_task "sm_exec" (fun __context ->
let create_session () =
let host = !Xapi_globs.localhost_ref in
- let session=Xapi_session.login_no_password ~__context ~uname:None ~host
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
~rbac_permissions:[] in
+ let session=Xapi_session.login_no_password ~__context ~uname:None ~host
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
~auth_user_name:"" ~rbac_permissions:[] in
(* Give this session access to this particular SR *)
maybe (fun sr ->
Db.Session.add_to_other_config ~__context ~self:session
diff -r b7483deae7a5 -r 9af1bf033e69 ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml Thu Jul 08 11:19:16 2010 +0100
+++ b/ocaml/xapi/xapi_session.ml Thu Jul 08 11:19:43 2010 +0100
@@ -99,6 +99,11 @@
end
)
in
+ let subject_name =
+ if List.mem_assoc
Auth_signature.subject_information_field_subject_name info
+ then List.assoc
Auth_signature.subject_information_field_subject_name info
+ else ""
+ in
let get_suspension_value name info =
if List.mem_assoc name info (* is the required field present? *)
then ((List.assoc name info)<>"false") (* no suspension
only if value is explicitly false *)
@@ -119,7 +124,7 @@
if (is_suspended) then begin
debug "Subject identifier %s is suspended"
subject_identifier
end;
- is_suspended
+ (is_suspended,subject_name)
end
let destroy_db_session ~__context ~self =
@@ -171,7 +176,8 @@
(* 2a. revalidate external authentication *)
(* CP-827: if the user was suspended
(disabled,expired,locked-out), then we must destroy the session *)
- if is_subject_suspended authenticated_user_sid
+ let (suspended,_)=is_subject_suspended
authenticated_user_sid in
+ if suspended
then begin
debug "Subject (identifier %s) has been
suspended, destroying session %s" authenticated_user_sid (trackid session);
(* we must destroy the session in this case *)
@@ -261,7 +267,7 @@
(* XXX: only used internally by the code which grants the guest access to the
API.
Needs to be protected by a proper access control system *)
-let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser
~subject ~auth_user_sid ~rbac_permissions =
+let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser
~subject ~auth_user_sid ~auth_user_name ~rbac_permissions =
let session_id = Ref.make () in
let uuid = Uuid.to_string (Uuid.make_uuid ()) in
let user = Ref.null in (* always return a null reference to the
deprecated user object *)
@@ -281,8 +287,8 @@
~last_active:(Date.of_float (Unix.time ()))
~other_config:[]
~subject:subject
~is_local_superuser:is_local_superuser
~auth_user_sid ~validation_time:(Date.of_float
(Unix.time ()))
- ~rbac_permissions;
- Rbac_audit.session_create ~__context ~session_id;
+ ~auth_user_name ~rbac_permissions;
+ Rbac_audit.session_create ~__context ~session_id ~uname;
(* At this point, the session is created, but with an incorrect time *)
(* Force the time to be updated by calling an API function with this
session *)
let rpc = Helpers.make_rpc ~__context in
@@ -318,7 +324,7 @@
slave_login_common ~__context ~host_str:(Ref.string_of host) ~psecret;
login_no_password ~__context ~uname:None ~host:host ~pool:true
~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
- ~rbac_permissions:[]
+ ~auth_user_name:"" ~rbac_permissions:[]
(* Emergency mode login, uses local storage *)
let slave_local_login ~__context ~psecret =
@@ -354,7 +360,7 @@
(* we trust requests from local unix filename sockets, so no
need to authenticate them before login *)
login_no_password ~__context ~uname:(Some uname)
~host:(Helpers.get_localhost ~__context)
~pool:false ~is_local_superuser:true
~subject:(Ref.null)(*~subject should be undefined here or not??? *)
- ~auth_user_sid:"" ~rbac_permissions:[]
+ ~auth_user_sid:"" ~auth_user_name:""
~rbac_permissions:[]
end
else
let login_as_local_superuser auth_type =
@@ -365,7 +371,7 @@
do_local_auth uname pwd;
debug "Successful local authentication user %s from %s"
uname (Context.get_origin __context);
login_no_password ~__context ~uname:(Some uname)
~host:(Helpers.get_localhost ~__context)
- ~pool:false ~is_local_superuser:true
~subject:(Ref.null) ~auth_user_sid:""
+ ~pool:false ~is_local_superuser:true
~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:""
~rbac_permissions:[]
end
in
@@ -428,7 +434,7 @@
(* Otherwise, there might be cases
where the initial authentication/login succeeds, but *)
(* then a few minutes later the
revalidation finds that the user is 'suspended' (due to *)
(* subject info caching problems in
likewise) and closes the user's session *)
- let subject_suspended = (try
+ let (subject_suspended,subject_name) =
(try
is_subject_suspended
subject_identifier
with (Auth_signature.Auth_service_error
(errtag,msg)) ->
begin
@@ -523,7 +529,7 @@
end
) in
login_no_password ~__context
~uname:(Some uname) ~host:(Helpers.get_localhost ~__context)
- ~pool:false
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier
+ ~pool:false
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier
~auth_user_name:subject_name
~rbac_permissions
end
(* we only reach this point if for some reason
a function above forgot to catch a possible exception in the Auth_signature
module*)
ocaml/idl/datamodel.ml | 1 +
ocaml/idl/ocaml_backend/rbac_audit.ml | 26 +++++++++++++++++++-------
ocaml/xapi/message_forwarding.ml | 2 +-
ocaml/xapi/sm_exec.ml | 2 +-
ocaml/xapi/xapi_session.ml | 26 ++++++++++++++++----------
5 files changed, 38 insertions(+), 19 deletions(-)
Attachment:
xen-api.hg.patch _______________________________________________ xen-api mailing list xen-api@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/mailman/listinfo/xen-api
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |