source: trunk/packages/invirt-web/code/cache_acls.py @ 2596

Last change on this file since 2596 was 2590, checked in by broder, 15 years ago

Store AFS cell configuration at authz.afs.cells instead of just
authz.cells, to be more clear about purpose.

  • Property svn:executable set to *
File size: 2.6 KB
RevLine 
[249]1#!/usr/bin/python
[863]2from invirt.database import *
[879]3from invirt.config import structs as config
[249]4import sys
5import getafsgroups
6import subprocess
7
8def expandLocker(name):
[1155]9    try:
10        groups = getafsgroups.getLockerAcl(name)
11    except getafsgroups.AfsProcessError, e:
12        if e.message.startswith("fs: You don't have the required access rights on"):
[1986]13            return []
14        elif e.message.endswith("doesn't exist\n"):
15            # presumably deactivated
16            return []
[1958]17        else:
18            raise
[249]19    cell = getafsgroups.getCell(name)
20    ans = set()
21    for group in groups:
22        if ':' in group:
23            ans.update(getafsgroups.getAfsGroupMembers(group, cell))
24        else:
25            ans.add(group)
26    return ans
27
28def isUser(name):
29    p = subprocess.Popen(['vos', 'examine', 'user.'+name],
30                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
31    if p.wait():
32        return False
33    return True
34   
35
36def expandName(name):
37    if ':' not in name:
38        if isUser(name):
39            return [name]
[434]40        return []
[413]41    try:
[2590]42        return getafsgroups.getAfsGroupMembers(name, config.authz.afs.cells[0].cell)
[413]43    except getafsgroups.AfsProcessError:
44        return []
[249]45
[410]46def accessList(m):
[263]47    people = set()
48    people.update(expandLocker(m.owner))
[1709]49    if m.administrator is not None:
50        people.update(expandName(m.administrator))
[410]51    return people
52
53def refreshMachine(m):
54    people = accessList(m)
[263]55    old_people = set(a.user for a in m.acl)
56    for removed in old_people - people:
57        ma = [x for x in m.acl if x.user == removed][0]
[1013]58        session.delete(ma)
[263]59    for p in people - old_people:
[589]60        ma = MachineAccess(user=p)
61        m.acl.append(ma)
[1013]62        session.save_or_update(ma)
[263]63   
[262]64def refreshCache():
[1013]65    session.begin()
[257]66
67    try:
[1095]68        machines = Machine.query().all()
[257]69        for m in machines:
[263]70            refreshMachine(m)
[1013]71        session.flush()
[257]72           
[2223]73        # Update the admin ACL as well
74        admin_acl = set(expandName(config.adminacl))
75        old_admin_acl = set(a.user for a in Admin.query())
76        for removed in old_admin_acl - admin_acl:
[2226]77            old = Admin.query.filter_by(user=removed).first()
78            session.delete(old)
[2223]79        for added in admin_acl - old_admin_acl:
80            a = Admin(user=added)
81            session.save_or_update(a)
82        session.flush()
83   
[257]84        # Atomically execute our changes
[1013]85        session.commit()
[257]86    except:
87        # Failed! Rollback all the changes.
[1013]88        session.rollback()
[257]89        raise
[262]90
91if __name__ == '__main__':
[863]92    connect()
[262]93    refreshCache()
Note: See TracBrowser for help on using the repository browser.