# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1268753781 0
# Node ID bda8cf8aa3e40ee4591f71c435361b9ec94a70de
# Parent 708d1cf38f4f700368235b2f6d250f978ccb7a43
CA-38974: improve parameter reporting during obj.destroy in auditlog
Obj.destroy has the nasty side-effect of removing the object name from the
database.
Therefore, for .destroy actions, no obj name is shown in the audit record
parameters.
This patch caches the object name before Obj.destroy is called, working around
this
side-effect.
Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac.ml
--- a/ocaml/idl/ocaml_backend/rbac.ml Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac.ml Tue Mar 16 15:36:21 2010 +0000
@@ -220,16 +220,19 @@
if (is_access_allowed ~__context ~session_id ~permission)
then (* allow access to action *)
begin
+ let sexpr_of_args =
+ Rbac_audit.allowed_pre_fn ~action ?args ()
+ in
try
let result = (fn ()) (* call rbac-protected function *)
in
- Rbac_audit.allowed_ok ~__context ~session_id ~action
- ~permission ?args ~result ();
+ Rbac_audit.allowed_post_fn_ok ~__context ~session_id
~action
+ ~permission ?sexpr_of_args ?args
~result ();
result
with error-> (* catch all exceptions *)
begin
- Rbac_audit.allowed_error ~__context ~session_id
~action
- ~permission ?args ~error ();
+ Rbac_audit.allowed_post_fn_error ~__context
~session_id ~action
+ ~permission ?sexpr_of_args ?args ~error
();
raise error
end
end
diff -r 708d1cf38f4f -r bda8cf8aa3e4 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml Tue Mar 16 15:36:21 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml Tue Mar 16 15:36:21 2010 +0000
@@ -314,7 +314,7 @@
with e -> (* never bubble up the error here *)
D.debug "ignoring %s" (ExnHelper.string_of_exn e)
-let sexpr_of __context session_id allowed_denied ok_error result_error ?args
action permission =
+let sexpr_of __context session_id allowed_denied ok_error result_error ?args
?sexpr_of_args action permission =
let result_error =
if result_error = "" then result_error else ":"^result_error
in
@@ -328,7 +328,11 @@
SExpr.String (call_type_of action)::
(*SExpr.String (Helper_hostname.get_hostname ())::*)
SExpr.String action::
- (SExpr.Node (sexpr_of_parameters action args))::
+ (SExpr.Node (
+ match sexpr_of_args with
+ | None -> (sexpr_of_parameters action args)
+ | Some sexpr_of_args -> sexpr_of_args
+ ))::
[]
)
@@ -336,11 +340,11 @@
let fn_append_to_master_audit_log = ref None
-let audit_line_of __context session_id allowed_denied ok_error result_error
action permission ?args =
+let audit_line_of __context session_id allowed_denied ok_error result_error
action permission ?args ?sexpr_of_args () =
let _line =
(SExpr.string_of
(sexpr_of __context session_id allowed_denied
- ok_error result_error ?args action
permission
+ ok_error result_error ?args
?sexpr_of_args action permission
)
)
in
@@ -353,13 +357,24 @@
| None -> ()
| Some fn -> fn __context action audit_line
-let allowed_ok ~__context ~session_id ~action ~permission ?args ?result () =
+let allowed_pre_fn ~action ?args () =
+ try
+ if (has_to_audit action)
+ (* for now, we only cache arg results for destroy
actions *)
+ && (Stringext.String.has_substr action ".destroy")
+ then Some(sexpr_of_parameters action args)
+ else None
+ with e ->
+ D.debug "ignoring %s" (ExnHelper.string_of_exn e);
+ None
+
+let allowed_post_fn_ok ~__context ~session_id ~action ~permission
?sexpr_of_args ?args ?result () =
wrap (fun () ->
if has_to_audit action then
- audit_line_of __context session_id "ALLOWED" "OK" ""
action permission ?args
+ audit_line_of __context session_id "ALLOWED" "OK" ""
action permission ?sexpr_of_args ?args ()
)
-let allowed_error ~__context ~session_id ~action ~permission ?args ?error () =
+let allowed_post_fn_error ~__context ~session_id ~action ~permission
?sexpr_of_args ?args ?error () =
wrap (fun () ->
if has_to_audit action then
let error_str =
@@ -367,13 +382,13 @@
| None -> ""
| Some error -> (ExnHelper.string_of_exn error)
in
- audit_line_of __context session_id "ALLOWED" "ERROR"
error_str action permission ?args
+ audit_line_of __context session_id "ALLOWED" "ERROR"
error_str action permission ?sexpr_of_args ?args ()
)
let denied ~__context ~session_id ~action ~permission ?args () =
wrap (fun () ->
if has_to_audit action then
- audit_line_of __context session_id "DENIED" "" ""
action permission ?args
+ audit_line_of __context session_id "DENIED" "" ""
action permission ?args ()
)
let session_destroy ~__context ~session_id =
2 files changed, 31 insertions(+), 13 deletions(-)
ocaml/idl/ocaml_backend/rbac.ml | 11 +++++++----
ocaml/idl/ocaml_backend/rbac_audit.ml | 33 ++++++++++++++++++++++++---------
xen-api.hg.patch
Description: Text Data
_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
|
Home