def register_system(client, minion):
"""
Adds a spacewalk registration for a minion.
"""
# ask for the minion data to get its id that tell us
# if it is registered, and data to register it
ret = client.cmd_iter(minion, GRAINS_ITEMS_CMD)
for grains in ret:
logger.info("Registering new minion: %s", minion)
if minion in grains:
values = grains[minion]['ret']
logger.debug("%s grains:\n%s", minion, pp.pformat(values))
username = client.cmd(minion, PILLAR_GET_CMD,
[ADMIN_USER_PILLAR_KEY])
if not username[minion]:
logger.error("Can't get admin user from pillar key '%s'",
ADMIN_USER_PILLAR_KEY)
continue
user = rhnUser.search(username[minion])
rhnSQL.clear_log_id()
newserv = rhnServer.Server(user, values['osarch'])
token = client.cmd(minion, PILLAR_GET_CMD,
[ACTIVATION_KEY_PILLAR_KEY])
if not token[minion]:
tokens_obj = rhnServer.search_org_token(user.contact["org_id"])
rhnFlags.set("universal_registration_token", tokens_obj)
else:
tokens_obj = rhnServer.search_token(token[minion])
rhnFlags.set("registration_token", tokens_obj)
# reserve the id
newserv.getid()
# overrite the digital id
# FIXME: None of these values appear in the systems properties
newserv.server['digital_server_id'] = 'SALT-ID-%s' % minion
newserv.server['release'] = values['osrelease']
newserv.server['os'] = values['osfullname']
newserv.server['name'] = minion
newserv.server['running_kernel'] = values['kernelrelease']
newserv.virt_uuid = None
newserv.save()
rhnSQL.commit()
logger.info("%s registered as %s", minion, newserv.getid())
else:
logger.error("Registration failed: Can't get grains for %s",
minion)
def search(server_id, username = None):
log_debug(3, server_id, username)
s = Server(None)
if not s.reload(server_id) == 0:
log_error("Reloading server id %d failed" % server_id)
# we can't say that the server is not really found
raise rhnFault(20)
# now that it is reloaded, fix up the s.user field
if username:
s.user = rhnUser.search(username)
return s
def login(self, username, password):
""" This function that takes in the username
and password and returns a session string if they are correct. It raises a
rhnFault if the user/pass combo is not acceptable.
"""
log_debug(5, username)
user = rhnUser.search(username)
if not user or not user.check_password(password):
raise rhnFault(2)
session = user.create_session()
return session.get_session()
def login(self, dict):
log_debug(1)
username = dict.get('username')
password = dict.get('password')
self.user = rhnUser.search(username)
if not self.user or not (self.user.check_password(password)):
raise rhnFault(2)
# Good to go
session = self.user.create_session()
return session.get_session()
def login(self, dict):
log_debug(1)
username = dict.get('username')
password = dict.get('password')
self.user = rhnUser.search(username)
if not self.user or not (self.user.check_password(password)):
raise rhnFault(2)
# Good to go
session = self.user.create_session()
return session.get_session()
def search(server_id, username=None):
""" search for a server in the database and return the Server object """
log_debug(3, server_id, username)
s = Server(None)
if not s.reload(server_id) == 0:
log_error("Reloading server id %d failed" % server_id)
# we can't say that the server is not really found
raise rhnFault(20)
# now that it is reloaded, fix up the s.user field
if username:
s.user = rhnUser.search(username)
return s
def available_eus_channels(self, username, password, arch,
version, release, other=None):
'''
Given a server arch, redhat-release version, and redhat-release release
returns the eligible channels for that system based on the entitlements
in the org specified by username/password
Returns a dict of the available channels in the format:
{'default_channel' : 'channel_label',
'receiving_updates' : ['channel_label1', 'channel_label2'],
'channels' : {'channel_label1' : 'channel_name1',
'channel_lable2' : 'channel_name2'}
}
'''
user = rhnUser.search(username)
if user is None:
log_error("invalid username", username)
raise rhnFault(2)
if not user.check_password(password):
log_error("User password check failed", username)
raise rhnFault(2)
server_arch = normalize_server_arch(arch)
user_id = user.getid()
org_id = user.contact['org_id']
channels = rhnChannel.base_eus_channel_for_ver_rel_arch(
version, release, server_arch,
org_id, user_id)
log_debug(4, "EUS Channels are: %s" % str(channels))
default_channel = ''
eus_channels = {}
receiving_updates = []
if channels is not None:
eus_channels = {}
for channel in channels:
eus_channels[channel['label']] = channel['name']
if channel['is_default'] == 'Y':
default_channel = channel['label']
if channel['receiving_updates'] == 'Y':
receiving_updates.append(channel['label'])
return {'default_channel' : default_channel,
'receiving_updates' : receiving_updates,
'channels' : eus_channels}
def available_eus_channels(self, username, password, arch,
version, release, other=None):
'''
Given a server arch, redhat-release version, and redhat-release release
returns the eligible channels for that system based on the entitlements
in the org specified by username/password
Returns a dict of the available channels in the format:
{'default_channel' : 'channel_label',
'receiving_updates' : ['channel_label1', 'channel_label2'],
'channels' : {'channel_label1' : 'channel_name1',
'channel_lable2' : 'channel_name2'}
}
'''
user = rhnUser.search(username)
if user is None:
log_error("invalid username", username)
raise rhnFault(2)
if not user.check_password(password):
log_error("User password check failed", username)
raise rhnFault(2)
server_arch = normalize_server_arch(arch)
user_id = user.getid()
org_id = user.contact['org_id']
channels = rhnChannel.base_eus_channel_for_ver_rel_arch(
version, release, server_arch,
org_id, user_id)
log_debug(4, "EUS Channels are: %s" % str(channels))
default_channel = ''
eus_channels = {}
receiving_updates = []
if channels is not None:
eus_channels = {}
for channel in channels:
eus_channels[channel['label']] = channel['name']
if channel['is_default'] == 'Y':
default_channel = channel['label']
if channel['receiving_updates'] == 'Y':
receiving_updates.append(channel['label'])
return {'default_channel' : default_channel,
'receiving_updates' : receiving_updates,
'channels' : eus_channels}
def register_system(client, minion):
"""
Adds a spacewalk registration for a minion.
"""
# ask for the minion data to get its id that tell us
# if it is registered, and data to register it
ret = client.cmd_iter(minion, GRAINS_ITEMS_CMD)
for grains in ret:
logger.info("Registering new minion: %s", minion)
if minion in grains:
values = grains[minion]['ret']
logger.debug("%s grains:\n%s", minion, pp.pformat(values))
username = client.cmd(minion, PILLAR_GET_CMD, [ADMIN_USER_PILLAR_KEY])
if not username[minion]:
logger.error("Can't get admin user from pillar key '%s'", ADMIN_USER_PILLAR_KEY)
continue
user = rhnUser.search(username[minion])
rhnSQL.clear_log_id()
newserv = rhnServer.Server(user, values['osarch'])
token = client.cmd(minion, PILLAR_GET_CMD, [ACTIVATION_KEY_PILLAR_KEY])
if not token[minion]:
tokens_obj = rhnServer.search_org_token(user.contact["org_id"])
rhnFlags.set("universal_registration_token", tokens_obj)
else:
tokens_obj = rhnServer.search_token(token[minion])
rhnFlags.set("registration_token", tokens_obj)
# reserve the id
newserv.getid()
# overrite the digital id
# FIXME: None of these values appear in the systems properties
newserv.server['digital_server_id'] = 'SALT-ID-%s' % minion
newserv.server['release'] = values['osrelease']
newserv.server['os'] = values['osfullname']
newserv.server['name'] = minion
newserv.server['running_kernel'] = values['kernelrelease']
newserv.virt_uuid = None
newserv.save()
rhnSQL.commit()
logger.info("%s registered as %s", minion, newserv.getid())
else:
logger.error("Registration failed: Can't get grains for %s",
minion)
def test_server_search(use_key=0):
if use_key:
user = None
else:
user = '******'
u = rhnUser.search(user)
s = rhnServer.Server(u, arch="athlon")
s.server["release"] = "2.1AS"
s.server["name"] = "test 1"
if use_key:
rhnFlags.set("registration_token", 'a02487cf77e72f86338f44212d23140d')
s.save()
print s.server["id"]
def test_disabled_users_are_listed(self):
"Create a user, disable it and check if it is listed"
u = misc_functions.create_new_user()
self._verify_new_user(u)
username = u.contact['login']
uid = u.getid()
h = rhnSQL.prepare("""
INSERT INTO rhnwebcontactchangelog
(id, web_contact_id, change_state_id)
VALUES
(5555, :user_id, 2)
""")
h.execute(user_id=uid)
self.assertNotEqual(rhnUser.search(username), None)
def update_contact_info(self, username, password, info={}):
""" this API call is no longer used """
log_debug(5, username, info)
username, password = str(username), str(password)
user = rhnUser.search(username)
if user is None:
log_error("invalid username", username)
raise rhnFault(2)
if not user.check_password(password):
log_error("User password check failed", username)
raise rhnFault(2)
return 0
def test_disabled_users_are_listed(self):
"Create a user, disable it and check if it is listed"
u = misc_functions.create_new_user()
self._verify_new_user(u)
username = u.contact['login']
uid = u.getid()
h = rhnSQL.prepare("""
INSERT INTO rhnwebcontactchangelog
(id, web_contact_id, change_state_id)
VALUES
(5555, :user_id, 2)
""")
h.execute(user_id=uid)
self.assertNotEqual(rhnUser.search(username), None)
def update_contact_info(self, username, password, info={}):
""" this API call is no longer used """
log_debug(5, username, info)
username, password = str(username), str(password)
user = rhnUser.search(username)
if user is None:
log_error("invalid username", username)
raise rhnFault(2)
if not user.check_password(password):
log_error("User password check failed", username)
raise rhnFault(2)
return 0
def _lookup_org_id(self, org_id):
if isinstance(org_id, types.StringType):
# Is it a user?
u = rhnUser.search(org_id)
if not u:
raise InvalidUserError(org_id)
return u.contact['org_id']
t = rhnSQL.Table('web_customer', 'id')
row = t[org_id]
if not row:
raise InvalidOrgError(org_id)
return row['id']
def _lookup_org_id(self, org_id):
if isinstance(org_id, types.StringType):
# Is it a user?
u = rhnUser.search(org_id)
if not u:
raise InvalidUserError(org_id)
return u.contact['org_id']
t = rhnSQL.Table('web_customer', 'id')
row = t[org_id]
if not row:
raise InvalidOrgError(org_id)
return row['id']
def login(self, dict):
log_debug(1)
username = dict.get('username')
password = dict.get('password')
self.user = rhnUser.search(username)
if not self.user or not (self.user.check_password(password)):
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
# Good to go
session = self.user.create_session()
return session.get_session()
def login(self, dict):
log_debug(1)
username = dict.get('username')
password = dict.get('password')
self.user = rhnUser.search(username)
if not self.user or not (self.user.check_password(password)):
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
# Good to go
session = self.user.create_session()
return session.get_session()
def lookup_org_id(org_id):
"Look up the org id by user name"
if isinstance(org_id, types.StringType):
# Is it a user?
u = rhnUser.search(org_id)
if not u:
raise rhnServerGroup.InvalidUserError(org_id)
return u.contact['org_id']
t = rhnSQL.Table('web_customer', 'id')
row = t[org_id]
if not row:
raise rhnServerGroup.InvalidOrgError(org_id)
return row['id']
def lookup_org_id(org_id):
"Look up the org id by user name"
if isinstance(org_id, types.StringType):
# Is it a user?
u = rhnUser.search(org_id)
if not u:
raise rhnServerGroup.InvalidUserError(org_id)
return u.contact['org_id']
t = rhnSQL.Table('web_customer', 'id')
row = t[org_id]
if not row:
raise rhnServerGroup.InvalidOrgError(org_id)
return row['id']
def getUserGroups(login, password):
# Authenticates a user and returns the list of groups it belongs
# to, and the org id
add_to_seclist(password)
log_debug(4, login)
user = rhnUser.search(login)
if not user:
log_debug("rhnUser.search failed")
raise rhnFault(2)
# Check the user's password
if not user.check_password(password):
log_debug("user.check_password failed")
raise rhnFault(2)
return getUserGroupsFromUserInstance(user)
def login(self, username, password):
""" This function that takes in the username
and password and returns a session string if they are correct. It raises a
rhnFault if the user/pass combo is not acceptable.
"""
log_debug(5, username)
user = rhnUser.search(username)
if not user or not user.check_password(password):
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
if rhnUser.is_user_read_only(user.username):
raise rhnFault(702)
session = user.create_session()
return session.get_session()
def login(self, username, password):
""" This function that takes in the username
and password and returns a session string if they are correct. It raises a
rhnFault if the user/pass combo is not acceptable.
"""
log_debug(5, username)
user = rhnUser.search(username)
if not user or not user.check_password(password):
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
if rhnUser.is_user_read_only(user.username):
raise rhnFault(702)
session = user.create_session()
return session.get_session()
def loadcert(self, cert, load_user=1):
log_debug(4, cert)
# certificate is presumed to be already verified
if not isinstance(cert, Certificate):
return -1
# reload the whole thing based on the cert data
server = cert["system_id"]
row = server_lib.getServerID(server)
if row is None:
return -1
sid = row["id"]
# standard reload based on an ID
ret = self.reload(sid)
if not ret == 0:
return ret
# the reload() will never be able to fill in the username. It
# would require from the database standpoint insuring that for
# a given server we can have only one owner at any given time.
# cert includes it and it's valid because it has been verified
# through checksuming before we got here
self.user = None
# Load the user if at all possible. If it's not possible,
# self.user will be None, which should be a handled case wherever
# self.user is used.
if load_user:
# Load up the username associated with this profile
self.user = rhnUser.search(cert["username"])
# 4/27/05 wregglej - Commented out this block because it was causing problems
# with rhn_check/up2date when the user that registered the system was deleted.
# if not self.user:
# log_error("Invalid username for server id",
# cert["username"], server, cert["profile_name"])
# raise rhnFault(9, "Invalid username '%s' for server id %s" %(
# cert["username"], server))
# XXX: make sure that the database thinks that the server
# registrnt is the same as this certificate thinks. The
# certificate passed checksum checks, but it never hurts to be
# too careful now with satellites and all.
return 0
def loadcert(self, cert, load_user=1):
log_debug(4, cert)
# certificate is presumed to be already verified
if not isinstance(cert, Certificate):
return -1
# reload the whole thing based on the cert data
server = cert["system_id"]
row = server_lib.getServerID(server)
if row is None:
return -1
sid = row["id"]
# standard reload based on an ID
ret = self.reload(sid)
if not ret == 0:
return ret
# the reload() will never be able to fill in the username. It
# would require from the database standpoint insuring that for
# a given server we can have only one owner at any given time.
# cert includes it and it's valid because it has been verified
# through checksuming before we got here
self.user = None
# Load the user if at all possible. If it's not possible,
# self.user will be None, which should be a handled case wherever
# self.user is used.
if load_user:
# Load up the username associated with this profile
self.user = rhnUser.search(cert["username"])
# 4/27/05 wregglej - Commented out this block because it was causing problems
# with rhn_check/up2date when the user that registered the system was deleted.
# if not self.user:
# log_error("Invalid username for server id",
# cert["username"], server, cert["profile_name"])
# raise rhnFault(9, "Invalid username '%s' for server id %s" %(
# cert["username"], server))
# XXX: make sure that the database thinks that the server
# registrnt is the same as this certificate thinks. The
# certificate passed checksum checks, but it never hurts to be
# too careful now with satellites and all.
return 0
def system_id(self):
log_debug(3, self.server, self.cert)
if self.cert is None:
# need to instantiate it
cert = Certificate()
cert["system_id"] = self.server["digital_server_id"]
cert["os_release"] = self.server["release"]
cert["operating_system"] = self.server["os"]
cert["architecture"] = self.archname
cert["profile_name"] = self.server["name"]
cert["description"] = self.server["description"]
if not self.user:
log_debug(1, "The username is not available. Taking an active " \
"administrator from the same organization")
self.user = rhnUser.search(self._get_active_org_admins(
self.server["org_id"])[0]["login"])
cert["username"] = self.user.contact["login"]
cert["type"] = self.type
cert.set_secret(self.server["secret"])
self.cert = cert
return self.cert.certificate()
def validate_system_user(self, username, password):
username, password = rhnUser.check_user_password(username,
password)
user = rhnUser.search(username)
if user is None:
log_error("Can't register server to non-existent user")
raise rhnFault(2, _("Attempt to register a system to an invalid username"))
# This check validates username and password
if not user.check_password(password):
log_error("User password check failed", username)
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
return user
def validate_system_user(self, username, password):
username, password = rhnUser.check_user_password(username,
password)
user = rhnUser.search(username)
if user is None:
log_error("Can't register server to non-existent user")
raise rhnFault(2, _("Attempt to register a system to an invalid username"))
# This check validates username and password
if not user.check_password(password):
log_error("User password check failed", username)
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
return user
def system_id(self):
log_debug(3, self.server, self.cert)
if self.cert is None:
# need to instantiate it
cert = Certificate()
cert["system_id"] = self.server["digital_server_id"]
cert["os_release"] = self.server["release"]
cert["operating_system"] = self.server["os"]
cert["architecture"] = self.archname
cert["profile_name"] = self.server["name"]
cert["description"] = self.server["description"]
if not self.user:
log_debug(1, "The username is not available. Taking an active " \
"administrator from the same organization")
self.user = rhnUser.search(self._get_active_org_admins(
self.server["org_id"])[0]["login"])
cert["username"] = self.user.contact["login"]
cert["type"] = self.type
cert.set_secret(self.server["secret"])
self.cert = cert
return self.cert.certificate()
def getUserGroups(login, password):
# Authenticates a user and returns the list of groups it belongs
# to, and the org id
add_to_seclist(password)
log_debug(4, login)
user = rhnUser.search(login)
if not user:
log_debug("rhnUser.search failed")
raise rhnFault(2)
# Check the user's password
if not user.check_password(password):
log_debug("user.check_password failed")
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
return getUserGroupsFromUserInstance(user)
def getUserGroups(login, password):
# Authenticates a user and returns the list of groups it belongs
# to, and the org id
add_to_seclist(password)
log_debug(4, login)
user = rhnUser.search(login)
if not user:
log_debug("rhnUser.search failed")
raise rhnFault(2)
# Check the user's password
if not user.check_password(password):
log_debug("user.check_password failed")
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
return getUserGroupsFromUserInstance(user)
# Copyright (c) 2008--2013 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#
from spacewalk.common.rhnConfig import initCFG
from spacewalk.server import rhnSQL, rhnUser
rhnSQL.initDB("rhnuser/rhnuser@webdev")
initCFG('server.xmlrpc')
u = rhnUser.search("mibanescu-channel-admin")
session = u.create_session()
s = session.get_session()
print("Checking with session", s)
u = rhnUser.session_reload(s)
print(u)
print(u.username)
def create_new_user(org_id=None,
username=None,
password=None,
roles=None,
encrypt_password=False):
"Create a new user"
if org_id is None:
org_id = create_new_org()
else:
org_id = lookup_org_id(org_id)
if username is None:
username = "******" % time.time()
if password is None:
password = "******" % time.time()
if encrypt_password:
password = rhnUser.encrypt_password(password)
if roles is None:
roles = []
login = username
oracle_contact_id = None
prefix = "Mr."
first_names = "First Name %3.f" % time.time()
last_name = "Last Name %3.f" % time.time()
genqual = None
parent_company = None
company = "ACME"
title = ""
phone = ""
fax = ""
email = "*****@*****.**" % username
pin = 0
first_names_ol = " "
last_name_ol = " "
address1 = " "
address2 = " "
address3 = " "
city = " "
state = " "
zip_code = " "
country = " "
alt_first_names = None
alt_last_name = None
contact_call = "N"
contact_mail = "N"
contact_email = "N"
contact_fax = "N"
f = rhnSQL.Function('create_new_user', rhnSQL.types.NUMBER())
ret = f(org_id, login, password, oracle_contact_id, prefix, first_names,
last_name, genqual, parent_company, company, title, phone, fax,
email, pin, first_names_ol, last_name_ol, address1, address2,
address3, city, state, zip_code, country, alt_first_names,
alt_last_name, contact_call, contact_mail, contact_email,
contact_fax)
u = rhnUser.search(username)
if u is None:
raise Exception("Couldn't create the new user - user not found")
# Set roles
h = rhnSQL.prepare("""
select ug.id
from rhnUserGroupType ugt, rhnUserGroup ug
where ug.org_id = :org_id
and ug.group_type = ugt.id
and ugt.label = :role
""")
create_ugm = rhnSQL.Procedure("rhn_user.add_to_usergroup")
for role in roles:
h.execute(org_id=org_id, role=role)
row = h.fetchone_dict()
if not row:
raise InvalidRoleError(org_id, role)
user_group_id = row['id']
create_ugm(u.getid(), user_group_id)
return u
def create_new_user(org_id=None, username=None, password=None, roles=None, encrypt_password = False):
"Create a new user"
if org_id is None:
org_id = create_new_org()
else:
org_id = lookup_org_id(org_id)
if username is None:
username = "******" % time.time()
if password is None:
password = "******" % time.time()
if encrypt_password:
password = rhnUser.encrypt_password(password)
if roles is None:
roles = []
login = username
oracle_contact_id = None
prefix = "Mr."
first_names = "First Name %3.f" % time.time()
last_name = "Last Name %3.f" % time.time()
genqual = None
parent_company = None
company = "ACME"
title = ""
phone = ""
fax = ""
email = "*****@*****.**" % username
pin = 0
first_names_ol = " "
last_name_ol = " "
address1 = " "
address2 = " "
address3 = " "
city = " "
state = " "
zip_code = " "
country = " "
alt_first_names = None
alt_last_name = None
contact_call = "N"
contact_mail = "N"
contact_email = "N"
contact_fax = "N"
f = rhnSQL.Function('create_new_user', rhnSQL.types.NUMBER())
ret = f(
org_id,
login,
password,
oracle_contact_id,
prefix,
first_names,
last_name,
genqual,
parent_company,
company,
title,
phone,
fax,
email,
pin,
first_names_ol,
last_name_ol,
address1,
address2,
address3,
city,
state,
zip_code,
country,
alt_first_names,
alt_last_name,
contact_call,
contact_mail,
contact_email,
contact_fax
)
u = rhnUser.search(username)
if u is None:
raise Exception("Couldn't create the new user - user not found")
# Set roles
h = rhnSQL.prepare("""
select ug.id
from rhnUserGroupType ugt, rhnUserGroup ug
where ug.org_id = :org_id
and ug.group_type = ugt.id
and ugt.label = :role
""")
create_ugm = rhnSQL.Procedure("rhn_user.add_to_usergroup")
for role in roles:
h.execute(org_id=org_id, role=role)
row = h.fetchone_dict()
if not row:
raise InvalidRoleError(org_id, role)
user_group_id = row['id']
create_ugm(u.getid(), user_group_id)
return u
