| [249] | 1 | #!/usr/bin/python |
|---|
| [863] | 2 | from invirt.database import * |
|---|
| [879] | 3 | from invirt.config import structs as config |
|---|
| [249] | 4 | import sys |
|---|
| 5 | import getafsgroups |
|---|
| 6 | import subprocess |
|---|
| 7 | |
|---|
| 8 | def expandLocker(name): |
|---|
| [1155] | 9 | try: |
|---|
| 10 | groups = getafsgroups.getLockerAcl(name) |
|---|
| 11 | except getafsgroups.AfsProcessError, e: |
|---|
| 12 | if e.message.startswith("fs: You don't have the required access rights on"): |
|---|
| [1986] | 13 | return [] |
|---|
| 14 | elif e.message.endswith("doesn't exist\n"): |
|---|
| 15 | # presumably deactivated |
|---|
| 16 | return [] |
|---|
| [1958] | 17 | else: |
|---|
| 18 | raise |
|---|
| [249] | 19 | cell = getafsgroups.getCell(name) |
|---|
| 20 | ans = set() |
|---|
| 21 | for group in groups: |
|---|
| 22 | if ':' in group: |
|---|
| 23 | ans.update(getafsgroups.getAfsGroupMembers(group, cell)) |
|---|
| 24 | else: |
|---|
| 25 | ans.add(group) |
|---|
| 26 | return ans |
|---|
| 27 | |
|---|
| 28 | def isUser(name): |
|---|
| 29 | p = subprocess.Popen(['vos', 'examine', 'user.'+name], |
|---|
| 30 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|---|
| 31 | if p.wait(): |
|---|
| 32 | return False |
|---|
| 33 | return True |
|---|
| 34 | |
|---|
| 35 | |
|---|
| 36 | def expandName(name): |
|---|
| 37 | if ':' not in name: |
|---|
| 38 | if isUser(name): |
|---|
| 39 | return [name] |
|---|
| [434] | 40 | return [] |
|---|
| [413] | 41 | try: |
|---|
| [2590] | 42 | return getafsgroups.getAfsGroupMembers(name, config.authz.afs.cells[0].cell) |
|---|
| [413] | 43 | except getafsgroups.AfsProcessError: |
|---|
| 44 | return [] |
|---|
| [249] | 45 | |
|---|
| [410] | 46 | def accessList(m): |
|---|
| [263] | 47 | people = set() |
|---|
| 48 | people.update(expandLocker(m.owner)) |
|---|
| [1709] | 49 | if m.administrator is not None: |
|---|
| 50 | people.update(expandName(m.administrator)) |
|---|
| [410] | 51 | return people |
|---|
| 52 | |
|---|
| 53 | def refreshMachine(m): |
|---|
| 54 | people = accessList(m) |
|---|
| [263] | 55 | old_people = set(a.user for a in m.acl) |
|---|
| 56 | for removed in old_people - people: |
|---|
| 57 | ma = [x for x in m.acl if x.user == removed][0] |
|---|
| [1013] | 58 | session.delete(ma) |
|---|
| [263] | 59 | for p in people - old_people: |
|---|
| [589] | 60 | ma = MachineAccess(user=p) |
|---|
| 61 | m.acl.append(ma) |
|---|
| [1013] | 62 | session.save_or_update(ma) |
|---|
| [263] | 63 | |
|---|
| [262] | 64 | def refreshCache(): |
|---|
| [1013] | 65 | session.begin() |
|---|
| [257] | 66 | |
|---|
| 67 | try: |
|---|
| [1095] | 68 | machines = Machine.query().all() |
|---|
| [257] | 69 | for m in machines: |
|---|
| [263] | 70 | refreshMachine(m) |
|---|
| [1013] | 71 | session.flush() |
|---|
| [257] | 72 | |
|---|
| [2223] | 73 | # Update the admin ACL as well |
|---|
| 74 | admin_acl = set(expandName(config.adminacl)) |
|---|
| 75 | old_admin_acl = set(a.user for a in Admin.query()) |
|---|
| 76 | for removed in old_admin_acl - admin_acl: |
|---|
| [2226] | 77 | old = Admin.query.filter_by(user=removed).first() |
|---|
| 78 | session.delete(old) |
|---|
| [2223] | 79 | for added in admin_acl - old_admin_acl: |
|---|
| 80 | a = Admin(user=added) |
|---|
| 81 | session.save_or_update(a) |
|---|
| 82 | session.flush() |
|---|
| 83 | |
|---|
| [257] | 84 | # Atomically execute our changes |
|---|
| [1013] | 85 | session.commit() |
|---|
| [257] | 86 | except: |
|---|
| 87 | # Failed! Rollback all the changes. |
|---|
| [1013] | 88 | session.rollback() |
|---|
| [257] | 89 | raise |
|---|
| [262] | 90 | |
|---|
| 91 | if __name__ == '__main__': |
|---|
| [863] | 92 | connect() |
|---|
| [262] | 93 | refreshCache() |
|---|
