def delete_user(user):
"""
This command deletes an existing user from the RBAC database. The command is valid if and only if the user to be deleted is a member of the USERS data set.
The USERS and UA data sets and the assigned_users function are updated. This method performs a "hard" delete.
It completely removes all data associated with this user from the directory.
User entity must exist in directory prior to making this call else exception will be thrown.
required parameters:
user.uid - maps to INetOrgPerson uid
"""
utils.validate_user(user)
# get the user's role assignments from its entry.
out_user = userdao.read(user)
# it's needed to remove the user membership from associated role entries.
for role_nm in out_user.roles:
try:
roledao.remove_member(Role(name=role_nm), user.uid)
logger.info('admin.delete_user:'******', removed as member of role:' + role_nm)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.delete_user:'******', is not occupant of role:' + role_nm)
# now remove the user entry:
return userdao.delete(user)
def deassign(user, role):
"""
This command deletes the assignment of the User from the Role entities.
The command is valid if and only if the user is a member of the USERS data set, the role is a member of the ROLES data set,
and the user is assigned to the role. Any sessions that currently have this role activated will not be effected.
Successful completion includes:
User entity in USER data set has role assignment removed.
Role entity in ROLE data set has userId removed as role occupant.
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
out_user = userdao.read(user)
for constraint in out_user.role_constraints:
if constraint.name == role.name:
found = True
userdao.deassign(user, constraint)
try:
roledao.remove_member(role, user.uid)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.deassign remove member failed because not occupant. user:'******', role:' + role.name)
if not found:
raise RbacError(msg='Role deassign failed constraint not found', id=global_ids.URLE_DEASSIGN_FAILED)
def delete_role(role):
"""
This command deletes an existing role from the RBAC database. The command is valid if and only if the role to be deleted is a member of the ROLES data set.
This command will also deassign role from all users.
required parameters:
role.name - maps to INetOrgPerson uid
"""
utils.validate_role(role)
# if role has members, deassign all.
members, constraint = roledao.get_members_constraint (role)
for member in members:
try:
userdao.deassign(User(uid=member), constraint)
logger.info('admin.delete_role:' + role.name + ', remove assign for user:'******'admin.delete_role:' + role.name + ', assign not exist for user:'******'admin.delete_role:' + role.name + ', remove grant for perm obj_name:' + perm.obj_name + ', op_name:' + perm.op_name)
# now remove the role entry.
return roledao.delete(role)
def delete_object(perm_obj):
"""
This method will remove permission object to perms container in directory. This method will also remove in associated permissions that are attached to this object.
required parameters:
perm.obj_name - maps to existing perm object.
"""
utils.validate_perm_obj(perm_obj)
try:
permdao.delete_obj(perm_obj)
except RbacError as e:
# if entry has children.
if e.id == global_ids.PERM_OBJECT_DELETE_FAILED_NONLEAF:
logger.warn('admin.delete_object non-leaf, obj_name:' + perm_obj.obj_name)
# remove all of them.
pList = permdao.search(Perm(obj_name=perm_obj.obj_name, op_name='*'))
for perm in pList:
permdao.delete(perm)
logger.warn('admin.delete_object child obj_name:' + perm.obj_name + ', op_name:' + perm.op_name)
# now try to remove this node once again
permdao.delete_obj(perm_obj)
logger.warn('admin.delete_object success after retry, obj_name:' + perm.obj_name)
else:
# can't handle this error so rethrow.
raise RbacError(msg=e.msg, id=e.id)
return
def bootstrap():
suffix_nm = __get_rdn_name(__SUFX_DN)
try:
create_suffix(suffix_nm)
except NotUnique:
logger.warn('create suffix failed, already present, name=' + suffix_nm)
try:
create_ou(global_ids.USER_OU)
except NotUnique:
logger.warn('create users container failed, already present')
try:
create_ou(global_ids.ROLE_OU)
except NotUnique:
logger.warn('create roles container failed, already present')
try:
create_ou(global_ids.PERM_OU)
except NotUnique:
logger.warn('create perms container failed, already present')