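def add_user_permission_group(self, permission_group, user_object,
                              vm_object=None, ignore_duplicate=False):
    """Add a user to a permission group, on a VM or in the global config.

    The caller must be a superuser, or must hold MANAGE_VM_USERS on
    ``vm_object`` and be adding to that VM's 'user' group.

    :param permission_group: group name; must be a key of PERMISSION_GROUPS
    :param user_object: user to add (passed through _convert_remote_object)
    :param vm_object: VM whose configuration is changed; when None the
        MCVirtConfig (global) permissions are changed instead
    :param ignore_duplicate: when True, an existing membership is not an error
    :raises InsufficientPermissionsException: the caller may not make the change
    :raises DuplicatePermissionException: the user is already in the group
        and ``ignore_duplicate`` is False
    """
    # NOTE(review): the argument checks below are `assert` statements, which
    # Python drops under -O. The authorisation decision further down does not
    # depend on them, but they should not be the only input validation.
    assert permission_group in PERMISSION_GROUPS.keys()
    assert isinstance(
        self._convert_remote_object(user_object),
        self._get_registered_object('user_factory').USER_CLASS)
    # vm_object is optional: the rest of this method treats None as "use the
    # global configuration", so the VM type check only applies when a VM was
    # actually supplied.
    if vm_object is not None:
        assert isinstance(
            self._convert_remote_object(vm_object),
            self._get_registered_object(
                'virtual_machine_factory').VIRTUAL_MACHINE_CLASS)
    ArgumentValidator.validate_boolean(ignore_duplicate)

    # Authorise the caller before any configuration is read or written.
    # Superusers may change any group. Anyone else must supply a VM, hold
    # MANAGE_VM_USERS on it (assert_permission raises if they do not) and
    # may only add to the 'user' group.
    if not self.is_superuser():
        may_add = (vm_object and
                   self.assert_permission(PERMISSIONS.MANAGE_VM_USERS, vm_object) and
                   permission_group == 'user')
        if not may_add:
            raise InsufficientPermissionsException(
                'VM owners cannot add manager other owners')

    user_object = self._convert_remote_object(user_object)
    vm_object = self._convert_remote_object(
        vm_object) if vm_object is not None else None
    username = user_object.get_username()

    # Pick the configuration that holds the group: the VM's own config, or
    # the global one when no VM was given.
    if vm_object:
        config_object = vm_object.get_config_object()
    else:
        config_object = MCVirtConfig()

    if username not in self.get_users_in_permission_group(permission_group, vm_object):

        # Add user to permission configuration for VM
        def add_user_to_config(config):
            config['permissions'][permission_group].append(username)

        config_object.update_config(
            add_user_to_config,
            'Added user \'%s\' to group \'%s\'' % (username, permission_group))

        # @TODO FIX ME
        # The change is only pushed to the cluster when it was applied locally.
        if self._is_cluster_master:
            cluster_object = self._get_registered_object('cluster')
            vm_name = vm_object.get_name() if vm_object else None
            cluster_object.run_remote_command(
                'auth-add_user_permission_group',
                {
                    'permission_group': permission_group,
                    'username': username,
                    'vm_name': vm_name
                })

    elif not ignore_duplicate:
        raise DuplicatePermissionException(
            'User \'%s\' already in group \'%s\'' % (username, permission_group))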
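def delete_user_permission_group(self, permission_group, user_object, vm_object=None):
    """Remove a user from a permission group, on a VM or in the global config.

    The caller must be a superuser, or must hold MANAGE_VM_USERS on
    ``vm_object`` and be removing from that VM's 'user' group.

    :param permission_group: group name; must be a key of PERMISSION_GROUPS
    :param user_object: user to remove (passed through _convert_remote_object)
    :param vm_object: VM whose configuration is changed; when None the
        MCVirtConfig (global) permissions are changed instead
    :raises InsufficientPermissionsException: the caller may not make the change
    :raises UserNotPresentInGroup: the user is not a member of the group
    """
    # NOTE(review): the argument checks below are `assert` statements, which
    # Python drops under -O. The authorisation decision further down does not
    # depend on them, but they should not be the only input validation.
    assert permission_group in PERMISSION_GROUPS.keys()
    assert isinstance(
        self._convert_remote_object(user_object),
        self._get_registered_object('user_factory').USER_CLASS)
    # vm_object is optional: the rest of this method treats a missing VM as
    # "use the global configuration", so the VM type check only applies when
    # a VM was actually supplied.
    if vm_object is not None:
        assert isinstance(
            self._convert_remote_object(vm_object),
            self._get_registered_object(
                'virtual_machine_factory').VIRTUAL_MACHINE_CLASS)

    # Authorise the caller before any configuration is read or written.
    # Superusers may change any group. Anyone else must hold MANAGE_VM_USERS
    # (assert_permission raises if they do not), be removing from the 'user'
    # group, and have supplied a VM. The evaluation order of the original
    # expression is kept: the permission lookup runs before the VM test.
    if not self.is_superuser():
        may_remove = (self.assert_permission(PERMISSIONS.MANAGE_VM_USERS, vm_object) and
                      permission_group == 'user' and
                      vm_object)
        if not may_remove:
            raise InsufficientPermissionsException(
                'Does not have required permission')

    user_object = self._convert_remote_object(user_object)
    vm_object = self._convert_remote_object(
        vm_object) if vm_object is not None else None
    username = user_object.get_username()

    # Check if user exists in the group
    if username not in self.get_users_in_permission_group(permission_group, vm_object):
        raise UserNotPresentInGroup(
            'User \'%s\' not in group \'%s\'' % (username, permission_group))

    # Pick the configuration that holds the group: the VM's own config, or
    # the global one when no VM was given.
    if vm_object:
        config_object = vm_object.get_config_object()
        vm_name = vm_object.get_name()
    else:
        config_object = MCVirtConfig()
        vm_name = None

    # Remove user from permission configuration for VM
    def remove_user_from_group(config):
        config['permissions'][permission_group].remove(username)

    config_object.update_config(
        remove_user_from_group,
        'Removed user \'%s\' from group \'%s\'' % (username, permission_group))

    # @TODO FIX ME
    if self._is_cluster_master:
        cluster_object = self._get_registered_object('cluster')
        cluster_object.run_remote_command(
            'auth-delete_user_permission_group',
            {
                'permission_group': permission_group,
                'username': username,
                'vm_name': vm_name
            })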
def assert_permission(self, permission_enum, vm_object=None):
    """Return True if the user holds ``permission_enum``, otherwise raise.

    The decision itself is delegated to ``check_permission``; this wrapper
    only turns a negative answer into an exception, so callers can use it as
    a hard gate in front of a privileged operation.

    :param permission_enum: permission to test; its ``name`` is reported in
        the error message
    :param vm_object: optional VM the permission is checked against
    :raises InsufficientPermissionsException: the permission is not present
    """
    if not self.check_permission(permission_enum, vm_object):
        # Name the missing permission so the refusal can be diagnosed.
        raise InsufficientPermissionsException(
            'User does not have the required permission: %s' % permission_enum.name)
    return True
def add_superuser(self, user_object, ignore_duplicate=False):
    """Grant superuser status to a user.

    Only an existing superuser may call this; that check runs before the
    configuration is touched. On the cluster master the same call is then
    repeated on the remote nodes through the registered cluster object.

    :param user_object: user to promote (passed through _convert_remote_object)
    :param ignore_duplicate: when True, promoting an existing superuser is
        not an error
    :raises InsufficientPermissionsException: the caller is not a superuser
    :raises DuplicatePermissionException: the user is already a superuser and
        ``ignore_duplicate`` is False
    """
    # NOTE(review): this type check is an `assert` and disappears under -O.
    assert isinstance(
        self._convert_remote_object(user_object),
        self._get_registered_object('user_factory').USER_CLASS)
    ArgumentValidator.validate_boolean(ignore_duplicate)

    # Only superusers may manage the superuser list.
    if not self.is_superuser():
        raise InsufficientPermissionsException(
            'User must be a superuser to manage superusers')

    user_object = self._convert_remote_object(user_object)
    username = user_object.get_username()
    mcvirt_config = MCVirtConfig()

    already_superuser = username in self.get_superusers()
    if already_superuser:
        if not ignore_duplicate:
            raise DuplicatePermissionException(
                'User \'%s\' is already a superuser' % username)
    else:
        def append_superuser(config):
            config['superusers'].append(username)

        mcvirt_config.update_config(append_superuser, 'Added superuser \'%s\'' % username)

    if not self._is_cluster_master:
        return

    def promote_on_remote_node(connection):
        # Look the user up on the remote node by name, then repeat the call
        # there with the same duplicate handling.
        remote_users = connection.get_connection('user_factory')
        remote_user = remote_users.get_user_by_username(user_object.get_username())
        connection.get_connection('auth').add_superuser(
            remote_user, ignore_duplicate=ignore_duplicate)

    self._get_registered_object('cluster').run_remote_command(promote_on_remote_node)
def delete_superuser(self, user_object):
    """Revoke superuser status from a user.

    Only an existing superuser may call this; that check runs before the
    configuration is touched. On the cluster master the same call is then
    repeated on the remote nodes through the registered cluster object.

    :param user_object: user to demote (passed through _convert_remote_object)
    :raises InsufficientPermissionsException: the caller is not a superuser
    :raises UserNotPresentInGroup: the user is not currently a superuser
    """
    # NOTE(review): this type check is an `assert` and disappears under -O.
    assert isinstance(
        self._convert_remote_object(user_object),
        self._get_registered_object('user_factory').USER_CLASS)

    # Only superusers may manage the superuser list.
    if not self.is_superuser():
        raise InsufficientPermissionsException(
            'User must be a superuser to manage superusers')

    user_object = self._convert_remote_object(user_object)
    username = user_object.get_username()

    # Refuse to "remove" someone who is not in the list.
    current_superusers = self.get_superusers()
    if username not in current_superusers:
        raise UserNotPresentInGroup('User \'%s\' is not a superuser' % username)

    def drop_superuser(config):
        config['superusers'].remove(username)

    MCVirtConfig().update_config(
        drop_superuser, 'Removed \'%s\' from superuser group' % username)

    if not self._is_cluster_master:
        return

    def demote_on_remote_node(connection):
        # Look the user up on the remote node by name, then repeat the call there.
        remote_users = connection.get_connection('user_factory')
        remote_user = remote_users.get_user_by_username(user_object.get_username())
        connection.get_connection('auth').delete_superuser(remote_user)

    self._get_registered_object('cluster').run_remote_command(demote_on_remote_node)
def assert_user_type(self, *user_type_names):
    """Raise unless the current user is one of the named user types.

    The decision itself is delegated to ``check_user_type``; this wrapper
    only turns a negative answer into an exception.

    :param user_type_names: accepted user type names, listed in the error
        message when the check fails
    :raises InsufficientPermissionsException: the user is none of the types
    """
    if self.check_user_type(*user_type_names):
        return
    accepted = ', '.join(user_type_names)
    raise InsufficientPermissionsException(
        'User must be on the following: %s' % accepted)
def delete_user_permission_group(self, permission_group, user_object, vm_object=None):
    """Remove a user from a permission group, on a VM or in the global config.

    The caller must be a superuser, or must hold MANAGE_VM_USERS on
    ``vm_object`` and be removing from that VM's 'user' group. On the cluster
    master the removal is then repeated on the remote nodes.

    :param permission_group: group name; must be a key of PERMISSION_GROUPS
    :param user_object: user to remove (passed through _convert_remote_object)
    :param vm_object: VM whose configuration is changed; when falsy the
        MCVirtConfig (global) permissions are changed instead
    :raises InsufficientPermissionsException: the caller may not make the change
    :raises UserNotPresentInGroup: the user is not a member of the group
    """
    # NOTE(review): the argument checks are `assert` statements and disappear
    # under -O; the authorisation decision below does not depend on them.
    assert permission_group in PERMISSION_GROUPS.keys()
    assert isinstance(
        self._convert_remote_object(user_object),
        self._get_registered_object('user_factory').USER_CLASS)
    if vm_object:
        assert isinstance(
            self._convert_remote_object(vm_object),
            self._get_registered_object(
                'virtual_machine_factory').VIRTUAL_MACHINE_CLASS)

    # Authorise the caller before any configuration is read or written.
    # Superusers skip the remaining tests. For everyone else the permission
    # lookup runs first (assert_permission raises if it is missing), then the
    # group must be 'user' and a VM must have been supplied.
    if not self.is_superuser():
        permitted = (self.assert_permission(PERMISSIONS.MANAGE_VM_USERS, vm_object) and
                     permission_group == 'user' and
                     vm_object)
        if not permitted:
            raise InsufficientPermissionsException(
                'Does not have required permission')

    user_object = self._convert_remote_object(user_object)
    username = user_object.get_username()

    # The membership lookup receives vm_object as passed in; it is only
    # converted to a local object afterwards.
    members = self.get_users_in_permission_group(permission_group, vm_object)
    if username not in members:
        raise UserNotPresentInGroup(
            'User \'%s\' not in group \'%s\'' % (username, permission_group))

    if vm_object:
        vm_object = self._convert_remote_object(vm_object)
        config_object = vm_object.get_config_object()
    else:
        config_object = MCVirtConfig()

    def drop_member(config):
        config['permissions'][permission_group].remove(username)

    change_message = 'Removed user \'%s\' from group \'%s\'' % (username, permission_group)
    config_object.update_config(drop_member, change_message)

    if not self._is_cluster_master:
        return

    def remove_on_remote_node(connection):
        # Resolve the user (and the VM, if any) on the remote node by name,
        # then repeat the removal there.
        remote_users = connection.get_connection('user_factory')
        remote_user = remote_users.get_user_by_username(user_object.get_username())
        connection.annotate_object(remote_user)
        remote_auth = connection.get_connection('auth')
        if vm_object:
            remote_vms = connection.get_connection('virtual_machine_factory')
            remote_vm = remote_vms.getVirtualMachineByName(vm_object.get_name())
        else:
            remote_vm = None
        remote_auth.delete_user_permission_group(permission_group, remote_user, remote_vm)

    self._get_registered_object('cluster').run_remote_command(remove_on_remote_node)