source: trunk/packages/invirt-web/code/cache_acls.py @ 2563

Last change on this file since 2563 was 2557, checked in by broder, 15 years ago

Re-arrange the authz configuration.

In particular, even if we allow for mixing of multiple authz
mechanisms at some point, you won't have multiple instances of the
locker authz type, so the "type" shouldn't be a property of each of
the cells we specify how to authenticate against.

  • Property svn:executable set to *
File size: 2.6 KB
RevLine 
[249]1#!/usr/bin/python
[863]2from invirt.database import *
[879]3from invirt.config import structs as config
[249]4import sys
5import getafsgroups
6import subprocess
7
8def expandLocker(name):
[1155]9    try:
10        groups = getafsgroups.getLockerAcl(name)
11    except getafsgroups.AfsProcessError, e:
12        if e.message.startswith("fs: You don't have the required access rights on"):
[1986]13            return []
14        elif e.message.endswith("doesn't exist\n"):
15            # presumably deactivated
16            return []
[1958]17        else:
18            raise
[249]19    cell = getafsgroups.getCell(name)
20    ans = set()
21    for group in groups:
22        if ':' in group:
23            ans.update(getafsgroups.getAfsGroupMembers(group, cell))
24        else:
25            ans.add(group)
26    return ans
27
28def isUser(name):
29    p = subprocess.Popen(['vos', 'examine', 'user.'+name],
30                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
31    if p.wait():
32        return False
33    return True
34   
35
36def expandName(name):
37    if ':' not in name:
38        if isUser(name):
39            return [name]
[434]40        return []
[413]41    try:
[2557]42        return getafsgroups.getAfsGroupMembers(name, config.authz.cells[0].cell)
[413]43    except getafsgroups.AfsProcessError:
44        return []
[249]45
[410]46def accessList(m):
[263]47    people = set()
48    people.update(expandLocker(m.owner))
[1709]49    if m.administrator is not None:
50        people.update(expandName(m.administrator))
[410]51    return people
52
53def refreshMachine(m):
54    people = accessList(m)
[263]55    old_people = set(a.user for a in m.acl)
56    for removed in old_people - people:
57        ma = [x for x in m.acl if x.user == removed][0]
[1013]58        session.delete(ma)
[263]59    for p in people - old_people:
[589]60        ma = MachineAccess(user=p)
61        m.acl.append(ma)
[1013]62        session.save_or_update(ma)
[263]63   
[262]64def refreshCache():
[1013]65    session.begin()
[257]66
67    try:
[1095]68        machines = Machine.query().all()
[257]69        for m in machines:
[263]70            refreshMachine(m)
[1013]71        session.flush()
[257]72           
[2223]73        # Update the admin ACL as well
74        admin_acl = set(expandName(config.adminacl))
75        old_admin_acl = set(a.user for a in Admin.query())
76        for removed in old_admin_acl - admin_acl:
[2226]77            old = Admin.query.filter_by(user=removed).first()
78            session.delete(old)
[2223]79        for added in admin_acl - old_admin_acl:
80            a = Admin(user=added)
81            session.save_or_update(a)
82        session.flush()
83   
[257]84        # Atomically execute our changes
[1013]85        session.commit()
[257]86    except:
87        # Failed! Rollback all the changes.
[1013]88        session.rollback()
[257]89        raise
[262]90
91if __name__ == '__main__':
[863]92    connect()
[262]93    refreshCache()
Note: See TracBrowser for help on using the repository browser.