Made cluster_vm_qs from cluster_vm_qs_for_admins
1 # Copyright (C) 2012 Oregon State University et al.
3 # This program is free software; you can redistribute it and/or
4 # modify it under the terms of the GNU General Public License
5 # as published by the Free Software Foundation; either version 2
6 # of the License, or (at your option) any later version.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # You should have received a copy of the GNU General Public License
14 # along with this program; if not, write to the Free Software
15 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
16 # USA.
18 from django.db.models import Q
20 from object_permissions import get_users_any, get_groups_any
22 from ganeti_web.models import Cluster, ClusterUser, VirtualMachine
def cluster_qs_for_user(user, groups=True, readonly=True, **kwargs):
    """
    Return the clusters a user has access to.

    Superusers get every cluster and anonymous users get none. Any other
    user gets the clusters on which they hold the 'admin' or 'create_vm'
    permission; ``groups`` and any extra keyword arguments are forwarded to
    ``user.get_objects_any_perms()`` for that case only.

    With ``readonly=False`` the read-only clusters (empty username or no
    mtime) are dropped from the result, whatever kind of user asked.
    """
    if user.is_superuser:
        clusters = Cluster.objects.all()
    elif user.is_anonymous():
        # Fail closed: an unauthenticated user never sees a cluster.
        clusters = Cluster.objects.none()
    else:
        granting_perms = ['admin', 'create_vm']
        clusters = user.get_objects_any_perms(Cluster, granting_perms,
                                              groups=groups, **kwargs)

    if readonly:
        return clusters

    # Exclude all read-only clusters.
    is_read_only = Q(username='') | Q(mtime__isnull=True)
    return clusters.exclude(is_read_only)
def admin_qs_for_cluster(cluster):
    """
    Return the ClusterUsers that have admin permission on a cluster.

    The result covers users holding the permission directly or through one
    of their groups, the groups holding it, and every superuser.

    Note: this no longer serves many purposes; owner_qs has mostly replaced
    its functionality.
    """
    # get_users_any() can't deal with None, and nobody can own a null cluster.
    if not cluster:
        return ClusterUser.objects.none()

    # Superusers are always part of the answer.
    superusers = ClusterUser.objects.filter(profile__user__is_superuser=True)

    # Users with 'admin' on the cluster, including those whose groups hold it.
    admin_users = get_users_any(cluster, ["admin"], groups=True)
    # The groups that hold 'admin' on the cluster.
    admin_groups = get_groups_any(cluster, ["admin"])

    via_user = Q(profile__user__in=admin_users)
    via_group = Q(organization__group__in=admin_groups)
    admins = ClusterUser.objects.filter(via_user | via_group)

    return (admins | superusers).distinct()
def owner_qs(cluster, user):
    """
    Return the candidate owner ClusterUsers for a cluster, as seen by a user.

    The result is used to assign an owner, and the owner is what quotas are
    attached to. Note that the permission check below accepts 'create_vm' as
    well as 'admin', so it is wider than "admin permission only".

    A falsy cluster yields an empty queryset; a superuser gets every
    ClusterUser. All non-empty results are ordered by name.
    """
    if not cluster:
        return ClusterUser.objects.none()

    if user.is_superuser:
        return owner_qs_for_superuser(cluster)

    # Only the user's own permissions count here (groups=False); permissions
    # held through groups are resolved separately by admin_group_qs().
    # NOTE(review): there is no is_anonymous() guard here, unlike
    # cluster_qs_for_user; presumably callers require login -- confirm.
    holds_perm_directly = user.has_any_perms(
        cluster, ['admin', 'create_vm'], groups=False
    )

    # Select ClusterUsers whose Organization's Group is one of the user's
    # groups with permission on the cluster.
    eligible_groups = admin_group_qs(cluster, user)
    selector = Q(organization__group__in=eligible_groups)
    if holds_perm_directly:
        # The user holds the permission personally, so include them too.
        selector = Q(profile__user=user) | selector

    return ClusterUser.objects.filter(selector).order_by('name')
def admin_group_qs(cluster, user):
    """
    Return the groups the user belongs to that have permission on a cluster.

    Despite the name, a group qualifies with either the 'admin' or the
    'create_vm' permission on ``cluster``.
    """
    # Every group the user is a member of.
    memberships = user.profile.user.groups.all().distinct()
    # Every group holding 'admin' or 'create_vm' on this cluster.
    privileged = get_groups_any(cluster, ["admin", 'create_vm'])
    # Intersection: groups that are both the user's and privileged.
    return memberships & privileged
def owner_qs_for_superuser(cluster):
    """
    Return every ClusterUser, ordered by name.

    ``cluster`` is accepted but not used: a superuser is not restricted to
    the owners of one cluster.
    """
    everyone = ClusterUser.objects.all()
    return everyone.order_by('name')
def vm_qs_for_admins(user):
    """
    Return the virtual machines for which the user is an administrator.

    Superusers get every VM and anonymous users get none. Any other user
    gets the VMs on which they hold 'admin' (directly or through a group),
    plus the VMs on clusters where they hold 'admin'.
    """
    if user.is_superuser:
        return VirtualMachine.objects.all()

    if user.is_anonymous():
        # Fail closed: an unauthenticated user administers nothing.
        return VirtualMachine.objects.none()

    administered = user.get_objects_any_perms(VirtualMachine, groups=True,
                                              perms=["admin"])
    # Admin on a cluster implies admin on the VMs it hosts.
    return administered | cluster_vm_qs(user, ['admin'])
def vm_qs_for_users(user, clusters=True):
    """
    Return the virtual machines on which the user has any permission.

    Superusers get every VM and anonymous users get none. Any other user
    gets the VMs on which they hold at least one permission; with
    ``clusters`` true, the VMs on clusters where they hold 'admin' are added.
    The result is always made distinct.
    """
    if user.is_superuser:
        return VirtualMachine.objects.all().distinct()

    if user.is_anonymous():
        # Fail closed: an unauthenticated user sees no VM.
        return VirtualMachine.objects.none().distinct()

    # If no permissions are provided, then *any* permission will cause a VM
    # to be added to the query.
    visible = user.get_objects_any_perms(VirtualMachine, groups=True)

    # NOTE(review): the listing this was read from had lost its indentation;
    # the cluster union is taken to apply to ordinary users only -- confirm
    # against the repository.
    if clusters:
        # Union of VMs the user has any permission on and VMs the user
        # administers through cluster permissions.
        visible = visible | cluster_vm_qs(user, ['admin'])

    return visible.distinct()
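def cluster_vm_qs(user, perms=None, groups=True):
    """
    Return the VMs a user can reach through cluster permissions.

    A VM is included when it lives on a cluster on which the user holds any
    of ``perms``. ``groups`` is passed on to ``user.get_objects_any_perms()``.

    ``perms`` defaults to an empty list. NOTE(review): an empty list
    presumably means "any permission" to get_objects_any_perms(), which
    would expose every VM on every cluster the user has some permission on;
    callers should pass the permissions they mean -- confirm.

    There is no superuser or anonymous handling here; the callers in this
    module deal with those cases before calling.
    """
    # A None default avoids sharing one mutable list between calls.
    if perms is None:
        perms = []

    # First get the IDs of the clusters the user has the permissions on.
    cluster_ids = user.get_objects_any_perms(
        Cluster, perms, groups
    ).values_list('pk', flat=True)

    # Then select the VMs hosted on those clusters.
    return VirtualMachine.objects.filter(
        cluster__pk__in=cluster_ids
    ).distinct()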