
[Xen-API] [PATCH] CA-40427: print AD username in audit.log records even

To: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-API] [PATCH] CA-40427: print AD username in audit.log records even when logged through AD group in subject-list
From: Marcus Granado <marcus.granado@xxxxxxxxxx>
Date: Thu, 15 Apr 2010 16:50:25 +0100
Delivery-date: Thu, 15 Apr 2010 08:50:57 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mercurial-patchbomb/1.4.3
 ocaml/idl/datamodel.ml                |   1 +
 ocaml/idl/ocaml_backend/rbac_audit.ml |  26 +++++++++++++++++++-------
 ocaml/xapi/message_forwarding.ml      |   2 +-
 ocaml/xapi/sm_exec.ml                 |   2 +-
 ocaml/xapi/xapi_session.ml            |  26 ++++++++++++++++----------
 5 files changed, 38 insertions(+), 19 deletions(-)


# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1271346240 -3600
# Node ID 49faab8d415a8764709af25e589f1207d9b76b0f
# Parent  1513daffb85c6e0dd085db2295f6c53fdf22cef8
CA-40427: print AD username in audit.log records even when logged in through an AD
group in the subject-list

Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>

diff -r 1513daffb85c -r 49faab8d415a ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml    Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/idl/datamodel.ml    Thu Apr 15 16:44:00 2010 +0100
@@ -2853,6 +2853,7 @@
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some (VRef (Ref.string_of Ref.null))) ~ty:(Ref _subject) 
"subject" "references the subject instance that created the session. If a 
session instance has is_local_superuser set, then the value of this field is 
undefined.";
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some(VDateTime(Date.of_float 0.))) ~ty:DateTime 
"validation_time" "time when session was last validated";
                  field ~in_product_since:rel_george ~qualifier:DynamicRO 
~default_value:(Some(VString(""))) ~ty:String "auth_user_sid" "the subject 
identifier of the user that was externally authenticated. If a session instance 
has is_local_superuser set, then the value of this field is undefined.";
+                 field ~in_product_since:rel_midnight_ride 
~qualifier:DynamicRO ~default_value:(Some(VString(""))) ~ty:String 
"auth_user_name" "the subject name of the user that was externally 
authenticated. If a session instance has is_local_superuser set, then the value 
of this field is undefined.";
                  field ~in_product_since:rel_midnight_ride ~qualifier:StaticRO 
~default_value:(Some(VSet [])) ~ty:(Set(String)) "rbac_permissions" "list with 
all RBAC permissions for this session";
                ]
        ()
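Review bot: The description string of the new `auth_user_name` field does not say that the value may be the empty string, yet the `subject_name` binding added in xapi_session.ml falls back to `""` whenever the provider's subject information lacks the subject-name field, and that value is stored unchanged via `~auth_user_name:subject_name`. Consumers of this field, the audit log included, should not assume it is populated for every externally authenticated session. Suggest extending the description to `"the subject name of the user that was externally authenticated, or the empty string if the authentication provider did not return one. If a session instance has is_local_superuser set, then the value of this field is undefined."`.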
diff -r 1513daffb85c -r 49faab8d415a ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml     Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml     Thu Apr 15 16:44:00 2010 +0100
@@ -84,6 +84,8 @@
                ~fn_if_local_session:(fun()->"")
                ~fn_if_local_superuser:(fun()->"")
                ~fn_if_subject:(fun()->
+                               DB_Action.Session.get_auth_user_name ~__context 
~self:session_id
+                       (*
                        let sid =
                                DB_Action.Session.get_auth_user_sid ~__context 
~self:session_id
                        in
@@ -98,6 +100,7 @@
                        List.assoc
                                "subject-name" 
(*Auth_signature.subject_information_field_subject_name*)
                                subj.API.subject_other_config
+                       *)
                )
 
 (*given a ref-value, return a human-friendly value associated with that ref*)
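Review bot: The old subject-list lookup is kept as a commented-out block (the `(*` opened right after the new `get_auth_user_name` call and closed just before the `)` at the end of the hunk) instead of being deleted; the repository history already preserves it, and code inside a comment only bitrots, so drop it. The new one-line body would benefit from a comment stating why the lookup was replaced, which the commit title only implies, e.g. `(* use the name recorded in the session at login: a user admitted via an AD group in the subject-list has no Subject record of their own, so resolving the sid through the subject-list cannot yield their name *)`. The `~fn_if_subject` callback belongs to a function whose definition starts before this hunk.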
@@ -473,10 +476,19 @@
 *)
        ()
 
-let session_create ~__context ~session_id =
-(*
-       (* this is currently only creating spam in the audit log *)
-       let action="session.create" in
-       allowed_ok ~__context ~session_id ~action ~permission:action ()
-*)
-       ()
+let session_create ~__context ~session_id ~uname =
+  wrap (fun () ->
+       let session_rec = DB_Action.Session.get_record ~__context 
~self:session_id in
+       let s_is_intrapool = session_rec.API.session_pool in
+       let s_is_lsu = session_rec.API.session_is_local_superuser in
+       (* filters out intra-pool logins to avoid spamming the audit log *)
+       if (not s_is_intrapool) && (not s_is_lsu) then (
+               let action="session.create" in
+               let sexpr_of_args = 
+                       (get_sexpr_arg "uname" (match uname with None->""|Some 
u->u) "" "")::
+                       []
+               in
+               allowed_post_fn_ok ~__context ~session_id ~action 
~sexpr_of_args ~permission:action ()
+       )
+       )
+
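Review bot: The guard `(not s_is_intrapool) && (not s_is_lsu)` drops every local-superuser session from the audit log, while the comment above it only claims to filter intra-pool logins; in xapi_session.ml the password-authenticated root path (`login_as_local_superuser`, hunk `@@ -365,7 +371,7 @@`) also calls `login_no_password` with `~is_local_superuser:true`, so successful root logins would never produce a `session.create` record. If that is intentional, the comment should say so; otherwise the internal sessions that the filter is meant to suppress (message_forwarding.ml, sm_exec.ml, the slave login) all pass `~uname:None`, so `if (not s_is_intrapool) && ((not s_is_lsu) || uname <> None) then (` would keep them out while still auditing interactive superuser logins (the unix-socket login, which also passes `Some uname`, would then be audited too, which seems the right side to err on). The two trailing `""` arguments to `get_sexpr_arg "uname" ...` are opaque at the call site; a short comment naming what they are would help. The patch also adds a blank line at the end of the file.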
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/message_forwarding.ml
--- a/ocaml/xapi/message_forwarding.ml  Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/message_forwarding.ml  Thu Apr 15 16:44:00 2010 +0100
@@ -191,7 +191,7 @@
     ~port:!Xapi_globs.https_port ~path:"/" xml
 
 let call_slave_with_session remote_rpc_fn __context host (task_opt: 
API.ref_task option) f =
-  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~rbac_permissions:[] in
+  let session_id = Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:true ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~auth_user_name:"" ~rbac_permissions:[] in
   let hostname = Db.Host.get_address ~__context ~self:host in
   Pervasiveext.finally
     (fun ()->f session_id (remote_rpc_fn __context hostname task_opt))
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/sm_exec.ml
--- a/ocaml/xapi/sm_exec.ml     Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/sm_exec.ml     Thu Apr 15 16:44:00 2010 +0100
@@ -143,7 +143,7 @@
   Server_helpers.exec_with_new_task "sm_exec" (fun __context ->
   let create_session () =
     let host = !Xapi_globs.localhost_ref in
-    let session=Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~rbac_permissions:[] in
+    let session=Xapi_session.login_no_password ~__context ~uname:None ~host 
~pool:false ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:"" 
~auth_user_name:"" ~rbac_permissions:[] in
     (* Give this session access to this particular SR *)
     maybe (fun sr ->
             Db.Session.add_to_other_config ~__context ~self:session 
diff -r 1513daffb85c -r 49faab8d415a ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml        Wed Apr 14 23:47:40 2010 +0100
+++ b/ocaml/xapi/xapi_session.ml        Thu Apr 15 16:44:00 2010 +0100
@@ -99,6 +99,11 @@
                end
        )
        in
+       let subject_name = 
+               if List.mem_assoc 
Auth_signature.subject_information_field_subject_name info
+               then List.assoc 
Auth_signature.subject_information_field_subject_name info
+               else ""
+       in
        let get_suspension_value name info = 
                if List.mem_assoc name info (* is the required field present? *)
                        then ((List.assoc name info)<>"false") (* no suspension 
only if value is explicitly false *)
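Review bot: The new `subject_name` binding walks `info` twice with `List.mem_assoc` followed by `List.assoc` and repeats the long key name; a single lookup reads better: `try List.assoc Auth_signature.subject_information_field_subject_name info with Not_found -> ""`. The same mem_assoc/assoc shape appears in `get_suspension_value` just below, so a small shared lookup-with-default helper may be worth it. A comment on the fallback would also help the reader, e.g. `(* providers may omit the subject name; the caller stores "" in Session.auth_user_name in that case *)`. The enclosing function (apparently `is_subject_suspended`, judging by the later call sites) starts before this hunk.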
@@ -119,7 +124,7 @@
                if (is_suspended) then begin
                        debug "Subject identifier %s is suspended" 
subject_identifier
                end;
-               is_suspended
+               (is_suspended,subject_name)
        end
 
 let destroy_db_session ~__context ~self = 
@@ -171,7 +176,8 @@
                        (* 2a. revalidate external authentication *)
 
                        (* CP-827: if the user was suspended 
(disabled,expired,locked-out), then we must destroy the session *)
-                       if is_subject_suspended authenticated_user_sid
+                       let (suspended,_)=is_subject_suspended 
authenticated_user_sid in
+                       if suspended
                        then begin 
                                debug "Subject (identifier %s) has been 
suspended, destroying session %s" authenticated_user_sid (trackid session);
                                (* we must destroy the session in this case *)
@@ -261,7 +267,7 @@
 
 (* XXX: only used internally by the code which grants the guest access to the 
API.
    Needs to be protected by a proper access control system *)
-let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser 
~subject ~auth_user_sid ~rbac_permissions =
+let login_no_password ~__context ~uname ~host ~pool ~is_local_superuser 
~subject ~auth_user_sid ~auth_user_name ~rbac_permissions =
        let session_id = Ref.make () in
        let uuid = Uuid.to_string (Uuid.make_uuid ()) in
        let user = Ref.null in (* always return a null reference to the 
deprecated user object *)
@@ -281,8 +287,8 @@
                          ~last_active:(Date.of_float (Unix.time ())) 
~other_config:[] 
                          ~subject:subject 
~is_local_superuser:is_local_superuser
                          ~auth_user_sid ~validation_time:(Date.of_float 
(Unix.time ()))
-                         ~rbac_permissions;
-       Rbac_audit.session_create ~__context ~session_id;
+                         ~auth_user_name ~rbac_permissions;
+       Rbac_audit.session_create ~__context ~session_id ~uname;
        (* At this point, the session is created, but with an incorrect time *)
        (* Force the time to be updated by calling an API function with this 
session *)
        let rpc = Helpers.make_rpc ~__context in
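Review bot: `Rbac_audit.session_create` is handed only `~uname`, the name as supplied by the caller, while `~auth_user_name`, the provider-resolved name this commit exists to surface, is in scope on the line above and is not passed. For external-auth logins the two are presumably not always identical (the typed name may carry a domain prefix or differ in case from the canonical subject name), in which case the `session.create` record would show one spelling and later records for the same session, which now read `Session.get_auth_user_name`, another. Either pass the resolved name as well, with a matching parameter added in rbac_audit.ml, or document the choice at the call: `(* audit the name as supplied at login; the provider-resolved name lives in Session.auth_user_name *)`.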
@@ -318,7 +324,7 @@
   slave_login_common ~__context ~host_str:(Ref.string_of host) ~psecret;
   login_no_password ~__context ~uname:None ~host:host ~pool:true 
       ~is_local_superuser:true ~subject:(Ref.null) ~auth_user_sid:""
-      ~rbac_permissions:[]
+      ~auth_user_name:"" ~rbac_permissions:[]
 
 (* Emergency mode login, uses local storage *)
 let slave_local_login ~__context ~psecret = 
@@ -354,7 +360,7 @@
                (* we trust requests from local unix filename sockets, so no 
need to authenticate them before login *)
                login_no_password ~__context ~uname:(Some uname) 
~host:(Helpers.get_localhost ~__context) 
                        ~pool:false ~is_local_superuser:true 
~subject:(Ref.null)(*~subject should be undefined here or not??? *)
-                       ~auth_user_sid:"" ~rbac_permissions:[]
+                       ~auth_user_sid:"" ~auth_user_name:"" 
~rbac_permissions:[]
        end 
        else
        let login_as_local_superuser auth_type = 
@@ -365,7 +371,7 @@
                        do_local_auth uname pwd;
                        debug "Successful local authentication user %s from %s" 
uname (Context.get_origin __context);
                        login_no_password ~__context ~uname:(Some uname) 
~host:(Helpers.get_localhost ~__context) 
-                               ~pool:false ~is_local_superuser:true 
~subject:(Ref.null) ~auth_user_sid:""
+                               ~pool:false ~is_local_superuser:true 
~subject:(Ref.null) ~auth_user_sid:"" ~auth_user_name:""
                                ~rbac_permissions:[]
                end
        in      
@@ -428,7 +434,7 @@
                                        (* Otherwise, there might be cases 
where the initial authentication/login succeeds, but *)
                                        (* then a few minutes later the 
revalidation finds that the user is 'suspended' (due to *)
                                        (* subject info caching problems in 
likewise) and closes the user's session *)
-                                       let subject_suspended = (try
+                                       let (subject_suspended,subject_name) = 
(try
                                                is_subject_suspended 
subject_identifier
                                        with (Auth_signature.Auth_service_error 
(errtag,msg)) ->
                                                begin
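Review bot: The `try` expression now has to produce a `(bool * string)` pair on both sides, but the `with (Auth_signature.Auth_service_error (errtag,msg))` handler continues past the hunk (only its opening `begin` is visible), so please confirm it returns a pair such as `(false,"")` rather than a bare bool. Whatever string the handler yields is later stored in the session via `~auth_user_name:subject_name` (hunk `@@ -523,7 +529,7 @@`), so a comment at the binding would help: `(* subject_name is "" when the provider returned no name or when the lookup fell through to the handler below *)`. The enclosing login function starts before and ends after this hunk.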
@@ -523,7 +529,7 @@
                                                                end
                                                ) in 
                                                login_no_password ~__context 
~uname:(Some uname) ~host:(Helpers.get_localhost ~__context) 
-                                                       ~pool:false 
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier
+                                                       ~pool:false 
~is_local_superuser:false ~subject:subject ~auth_user_sid:subject_identifier 
~auth_user_name:subject_name
                                                        ~rbac_permissions
                                        end
                                (* we only reach this point if for some reason 
a function above forgot to catch a possible exception in the Auth_signature 
module*)

Attachment: xen-api.hg.patch
Description: Text Data
