source: package_branches/invirt-web/cherrypy/code/cache_acls.py @ 2558

Last change on this file since 2558 was 2558, checked in by broder, 14 years ago

"Cherry-pick" r2557 (Re-arrange the authz configuration.) to the
cherrypy branch.

(It's somewhat tenuous to claim this is a cherry-pick, given that all
of the changes would have conflicted had I actually tried to
cherry-pick the change. Oh well)
  • Property svn:executable set to *
File size: 2.6 KB
Line 
1#!/usr/bin/python
2from invirt.database import *
3from invirt.config import structs as config
4import sys
5import getafsgroups
6import subprocess
7
8def expandLocker(name):
9    try:
10        groups = getafsgroups.getLockerAcl(name)
11    except getafsgroups.AfsProcessError, e:
12        if e.message.startswith("fs: You don't have the required access rights on"):
13            return []
14        elif e.message.endswith("doesn't exist\n"):
15            # presumably deactivated
16            return []
17        else:
18            raise
19    cell = getafsgroups.getCell(name)
20    ans = set()
21    for group in groups:
22        if ':' in group:
23            ans.update(getafsgroups.getAfsGroupMembers(group, cell))
24        else:
25            ans.add(group)
26    return ans
27
28def isUser(name):
29    p = subprocess.Popen(['vos', 'examine', 'user.'+name],
30                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
31    if p.wait():
32        return False
33    return True
34   
35
36def expandName(name):
37    if ':' not in name:
38        if isUser(name):
39            return [name]
40        return []
41    try:
42        return getafsgroups.getAfsGroupMembers(name, config.authz.cells[0].cell)
43    except getafsgroups.AfsProcessError:
44        return []
45
46def accessList(m):
47    people = set()
48    people.update(expandLocker(m.owner))
49    if m.administrator is not None:
50        people.update(expandName(m.administrator))
51    return people
52
53def refreshMachine(m):
54    people = accessList(m)
55    old_people = set(a.user for a in m.acl)
56    for removed in old_people - people:
57        ma = [x for x in m.acl if x.user == removed][0]
58        session.delete(ma)
59    for p in people - old_people:
60        ma = MachineAccess(user=p)
61        m.acl.append(ma)
62        session.save_or_update(ma)
63   
64def refreshCache():
65    session.begin()
66
67    try:
68        machines = Machine.query().all()
69        for m in machines:
70            refreshMachine(m)
71        session.flush()
72           
73        # Update the admin ACL as well
74        admin_acl = set(expandName(config.adminacl))
75        old_admin_acl = set(a.user for a in Admin.query())
76        for removed in old_admin_acl - admin_acl:
77            old = Admin.query.filter_by(user=removed).first()
78            session.delete(old)
79        for added in admin_acl - old_admin_acl:
80            a = Admin(user=added)
81            session.save_or_update(a)
82        session.flush()
83   
84        # Atomically execute our changes
85        session.commit()
86    except:
87        # Failed! Rollback all the changes.
88        session.rollback()
89        raise
90
91if __name__ == '__main__':
92    connect()
93    refreshCache()
Note: See TracBrowser for help on using the repository browser.