Exemple #1
0
def run_role_delete(argv):
    if len(argv) < 1:
        usage.acl(["role delete"])
        sys.exit(1)

    role_id = argv.pop(0)
    dom = utils.get_cib_dom()
    found = False
    for elem in dom.getElementsByTagName("acl_role"):
        if elem.getAttribute("id") == role_id:
            found = True
            elem.parentNode.removeChild(elem)
            break
    if not found:
        utils.err("unable to find acl role: %s" % role_id)

    # Remove any references to this role in acl_target or acl_group
    for elem in dom.getElementsByTagName("role"):
        if elem.getAttribute("id") == role_id:
            user_group = elem.parentNode
            user_group.removeChild(elem)
            if "--autodelete" in utils.pcs_options:
                if not user_group.getElementsByTagName("role"):
                    user_group.parentNode.removeChild(user_group)

    utils.replace_cib_configuration(dom)
Exemple #2
0
def acl_cmd(lib, argv, modifiers):
    if len(argv) < 1:
        sub_cmd, argv_next = "show", []
    else:
        sub_cmd, argv_next = argv[0], argv[1:]

    try:
        if sub_cmd == "help":
            usage.acl(argv_next)
        elif sub_cmd == "show":
            show_acl_config(lib, argv_next, modifiers)
        elif sub_cmd == "enable":
            acl_enable(argv_next)
        elif sub_cmd == "disable":
            acl_disable(argv_next)
        elif sub_cmd == "role":
            acl_role(lib, argv_next, modifiers)
        elif sub_cmd in ["target", "user"]:
            acl_user(lib, argv_next, modifiers)
        elif sub_cmd == "group":
            acl_group(lib, argv_next, modifiers)
        elif sub_cmd == "permission":
            acl_permission(lib, argv_next, modifiers)
        else:
            raise CmdLineInputError()
    except LibraryError as e:
        utils.process_library_reports(e.args)
    except CmdLineInputError as e:
        utils.exit_on_cmdline_input_errror(e, "acl", sub_cmd)
Exemple #3
0
def acl_cmd(argv):
    if len(argv) == 0:
        argv = ["show"]

    sub_cmd = argv.pop(0)

    # If we're using help or show we don't upgrade, otherwise upgrade if necessary
    if sub_cmd not in ["help","show"]:
        utils.checkAndUpgradeCIB(2,0,0)

    if (sub_cmd == "help"):
        usage.acl(argv)
    elif (sub_cmd == "show"):
        acl_show(argv)
    elif (sub_cmd == "enable"):
        acl_enable(argv)
    elif (sub_cmd == "disable"):
        acl_disable(argv)
    elif (sub_cmd == "role"):
        acl_role(argv)
    elif (sub_cmd == "target" or sub_cmd == "user"):
        acl_target(argv)
    elif sub_cmd == "group":
        acl_target(argv, True)
    elif sub_cmd == "permission":
        acl_permission(argv)
    else:
        usage.acl()
        sys.exit(1)
Exemple #4
0
def acl_cmd(lib, argv, modifiers):
    if len(argv) < 1:
        sub_cmd, argv_next = "show", []
    else:
        sub_cmd, argv_next = argv[0], argv[1:]

    try:
        if sub_cmd == "help":
            usage.acl(argv_next)
        elif sub_cmd == "show":
            show_acl_config(lib, argv_next, modifiers)
        elif sub_cmd == "enable":
            acl_enable(argv_next)
        elif sub_cmd == "disable":
            acl_disable(argv_next)
        elif sub_cmd == "role":
            acl_role(lib, argv_next, modifiers)
        elif sub_cmd in ["target", "user"]:
            acl_user(lib, argv_next, modifiers)
        elif sub_cmd == "group":
            acl_group(lib, argv_next, modifiers)
        elif sub_cmd == "permission":
            acl_permission(lib, argv_next, modifiers)
        else:
            raise CmdLineInputError()
    except LibraryError as e:
        utils.process_library_reports(e.args)
    except CmdLineInputError as e:
        utils.exit_on_cmdline_input_errror(e, "acl", sub_cmd)
Exemple #5
0
def run_permission_delete(argv):
    dom = utils.get_cib_dom()
    if len(argv) < 1:
        usage.acl(["permission delete"])
        sys.exit(1)

    perm_id = argv.pop(0)
    found = False
    for elem in dom.getElementsByTagName("acl_permission"):
        if elem.getAttribute("id") == perm_id:
            elem.parentNode.removeChild(elem)
            found = True
    if not found:
        utils.err("Unable to find permission with id: %s" % perm_id)

    utils.replace_cib_configuration(dom)
Exemple #6
0
def run_role_assign(argv):
    if len(argv) < 2:
        usage.acl(["role assign"])
        sys.exit(1)

    if len(argv) == 2:
        role_id = argv[0]
        ug_id = argv[1]
    elif len(argv) > 2 and argv[1] == "to":
        role_id = argv[0]
        ug_id = argv[2]
    else:
        usage.acl(["role assign"])
        sys.exit(1)

    dom = utils.get_cib_dom()
    found = False
    for role in dom.getElementsByTagName("acl_role"):
        if role.getAttribute("id") == role_id:
            found = True
            break

    if not found:
        utils.err("cannot find role: %s" % role_id)

    found = False
    for ug in dom.getElementsByTagName("acl_target") + dom.getElementsByTagName("acl_group"):
        if ug.getAttribute("id") == ug_id:
            found = True
            break

    if not found:
        utils.err("cannot find user or group: %s" % ug_id)

    for current_role in ug.getElementsByTagName("role"):
        if current_role.getAttribute("id") == role_id:
            utils.err(role_id + " is already assigned to " + ug_id)

    new_role = dom.createElement("role")
    new_role.setAttribute("id", role_id)
    ug.appendChild(new_role)
    utils.replace_cib_configuration(dom)
Exemple #7
0
def acl_permission(argv):
    if len(argv) < 1:
        usage.acl(["permission"])
        sys.exit(1)

    command = argv.pop(0)
    if command == "add":
        try:
            run_permission_add(argv)
        except utils.CmdLineInputError as e:
            exit_on_cmdline_input_errror('permission add')
        except LibraryError as e:
            utils.process_library_reports(e.args)

    elif command == "delete":
        run_permission_delete(argv)

    else:
        usage.acl(["permission"])
        sys.exit(1)
Exemple #8
0
def acl_role(argv):
    if len(argv) < 2:
        usage.acl(["role"])
        sys.exit(1)

    command = argv.pop(0)
    if command == "create":
        try:
            run_create_role(argv)
        except utils.CmdLineInputError as e:
            exit_on_cmdline_input_errror('role create')
        except LibraryError as e:
            utils.process_library_reports(e.args)


    elif command == "delete":
        run_role_delete(argv)
    elif command == "assign":
        run_role_assign(argv)
    elif command == "unassign":
        run_role_unassign(argv)
    else:
        usage.acl(["role"])
        sys.exit(1)
Exemple #9
0
def run_role_unassign(argv):
    if len(argv) < 2:
        usage.acl(["role unassign"])
        sys.exit(1)

    role_id = argv.pop(0)
    if len(argv) > 1 and argv[0] == "from":
        ug_id = argv[1]
    else:
        ug_id = argv[0]

    dom = utils.get_cib_dom()
    found = False
    for ug in dom.getElementsByTagName("acl_target") + dom.getElementsByTagName("acl_group"):
        if ug.getAttribute("id") == ug_id:
            found = True
            break

    if not found:
        utils.err("cannot find user or group: %s" % ug_id)

    found = False
    for current_role in ug.getElementsByTagName("role"):
        if current_role.getAttribute("id") == role_id:
            found = True
            current_role.parentNode.removeChild(current_role)
            break

    if not found:
        utils.err("cannot find role: %s, assigned to user/group: %s" % (role_id, ug_id))

    if "--autodelete" in utils.pcs_options:
        if not ug.getElementsByTagName("role"):
            ug.parentNode.removeChild(ug)

    utils.replace_cib_configuration(dom)
Exemple #10
0
from pcs import (
    acl,
    usage,
)
from pcs.cli.common.routing import create_router

acl_cmd = create_router(
    {
        "help":
        lambda lib, argv, modifiers: usage.acl(argv),
        "show":
        acl.show_acl_config,
        "enable":
        acl.acl_enable,
        "disable":
        acl.acl_disable,
        "role":
        create_router(
            {
                "create": acl.role_create,
                "delete": acl.role_delete,
                "remove": acl.role_delete,
                "assign": acl.role_assign,
                "unassign": acl.role_unassign,
            },
            ["acl", "role"],
        ),
        "user":
        create_router(
            {
                "create": acl.user_create,
Exemple #11
0
from pcs import (
    acl,
    usage,
)
from pcs.cli.common.routing import create_router


acl_cmd = create_router(
    {
        "help": lambda lib, argv, modifiers: usage.acl(argv),
        "show": acl.show_acl_config,
        "enable": acl.acl_enable,
        "disable": acl.acl_disable,
        "role": create_router(
            {
                "create": acl.role_create,
                "delete": acl.role_delete,
                "remove": acl.role_delete,
                "assign": acl.role_assign,
                "unassign": acl.role_unassign,
            },
            ["acl", "role"],
        ),
        "user": create_router(
            {
                "create": acl.user_create,
                "delete": acl.user_delete,
                "remove": acl.user_delete,
            },
            ["acl", "user"]
        ),
Exemple #12
0
def exit_on_cmdline_input_errror(usage_name):
    usage.acl([usage_name])
    sys.exit(1)
Exemple #13
0
def acl_target(argv,group=False):
    if len(argv) < 2:
        if group:
            usage.acl(["group"])
            sys.exit(1)
        else:
            usage.acl(["user"])
            sys.exit(1)

    dom = utils.get_cib_dom()
    acls = utils.get_acls(dom)

    command = argv.pop(0)
    tug_id = argv.pop(0)
    if command == "create":
        # pcsd parses the error message in order to determine whether the id is
        # assigned to user/group or some other cib element
        if group and utils.dom_get_element_with_id(dom, "acl_group", tug_id):
            utils.err("group %s already exists" % tug_id)
        if not group and utils.dom_get_element_with_id(dom, "acl_target", tug_id):
            utils.err("user %s already exists" % tug_id)
        if utils.does_id_exist(dom,tug_id):
            utils.err(tug_id + " already exists")

        if group:
            element = dom.createElement("acl_group")
        else:
            element = dom.createElement("acl_target")
        element.setAttribute("id", tug_id)

        acls.appendChild(element)
        for role in argv:
            if not utils.dom_get_element_with_id(acls, "acl_role", role):
                utils.err("cannot find acl role: %s" % role)
            r = dom.createElement("role")
            r.setAttribute("id", role)
            element.appendChild(r)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        found = False
        if group:
            elist = dom.getElementsByTagName("acl_group")
        else:
            elist = dom.getElementsByTagName("acl_target")

        for elem in elist:
            if elem.getAttribute("id") == tug_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            if group:
                utils.err("unable to find acl group: %s" % tug_id)
            else:
                utils.err("unable to find acl target/user: %s" % tug_id)
        utils.replace_cib_configuration(dom)
    else:
        if group:
            usage.acl(["group"])
        else:
            usage.acl(["user"])
        sys.exit(1)
Exemple #14
0
from pcs import (
    acl,
    usage,
)
from pcs.cli.common.routing import create_router

acl_cmd = create_router(
    {
        "help":
        lambda lib, argv, modifiers: print(usage.acl(argv)),
        # TODO remove, deprecated command
        # replaced with 'config'
        "show":
        acl.show_acl_config,
        "config":
        acl.acl_config,
        "enable":
        acl.acl_enable,
        "disable":
        acl.acl_disable,
        "role":
        create_router(
            {
                "create": acl.role_create,
                "delete": acl.role_delete,
                "remove": acl.role_delete,
                "assign": acl.role_assign,
                "unassign": acl.role_unassign,
            },
            ["acl", "role"],
        ),