Пример #1
0
Файл: acl.py Проект: tradej/pcs
def acl_cmd(argv):
    if len(argv) == 0:
        argv = ["show"]

    sub_cmd = argv.pop(0)

    # If we're using help or show we don't upgrade, otherwise upgrade if necessary
    if sub_cmd not in ["help","show"]:
        utils.checkAndUpgradeCIB(2,0,0)

    if (sub_cmd == "help"):
        usage.acl(argv)
    elif (sub_cmd == "show"):
        acl_show(argv)
#    elif (sub_cmd == "grant"):
#        acl_grant(argv)
    elif (sub_cmd == "enable"):
        acl_enable(argv)
    elif (sub_cmd == "disable"):
        acl_disable(argv)
    elif (sub_cmd == "role"):
        acl_role(argv)
    elif (sub_cmd == "target" or sub_cmd == "user"):
        acl_target(argv)
    elif sub_cmd == "group":
        acl_target(argv, True)
    elif sub_cmd == "permission":
        acl_permission(argv)
    else:
        usage.acl()
        sys.exit(1)
Пример #2
0
Файл: acl.py Проект: ingted/pcs
def acl_cmd(argv):
    if len(argv) == 0:
        argv = ["show"]

    sub_cmd = argv.pop(0)

    # If we're using help or show we don't upgrade, otherwise upgrade if necessary
    if sub_cmd not in ["help", "show"]:
        utils.checkAndUpgradeCIB(2, 0, 0)

    if (sub_cmd == "help"):
        usage.acl(argv)
    elif (sub_cmd == "show"):
        acl_show(argv)


#    elif (sub_cmd == "grant"):
#        acl_grant(argv)
    elif (sub_cmd == "enable"):
        acl_enable(argv)
    elif (sub_cmd == "disable"):
        acl_disable(argv)
    elif (sub_cmd == "role"):
        acl_role(argv)
    elif (sub_cmd == "target" or sub_cmd == "user"):
        acl_target(argv)
    elif sub_cmd == "group":
        acl_target(argv, True)
    elif sub_cmd == "permission":
        acl_permission(argv)
    else:
        usage.acl()
        sys.exit(1)
Пример #3
0
def acl_permission(argv):
    if len(argv) < 1:
        usage.acl("permission")
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "add":
        if len(argv) < 4:
            usage.acl("permission add")
            sys.exit(1)
        role_id = argv.pop(0)
        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break
        if found == False:
            acl_role(["create", role_id] + argv) 
            return

        while len(argv) >= 3:
            kind = argv.pop(0)
            se = dom.createElement("acl_permission")
            se.setAttribute("id", utils.find_unique_id(dom, role_id + "-" + kind))
            se.setAttribute("kind", kind)
            xp_id = argv.pop(0)
            if xp_id == "xpath":
                xpath_query = argv.pop(0)
                se.setAttribute("xpath",xpath_query)
            elif xp_id == "id":
                acl_ref = argv.pop(0)
                se.setAttribute("reference",acl_ref)
            else:
                usage.acl("permission add")
            role.appendChild(se)

        utils.replace_cib_configuration(dom)

    elif command == "delete":
        if len(argv) < 1:
            usage.acl("permission delete")
            sys.exit(1)

        perm_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_permission"):
            if elem.getAttribute("id") == perm_id:
                elem.parentNode.removeChild(elem)
                found = True
        if not found:
            utils.err("Unable to find permission with id: %s" % perm_id)

        utils.replace_cib_configuration(dom)

    else:
        usage.acl("permission")
        sys.exit(1)
Пример #4
0
def acl_target(argv,group=False):
    if len(argv) < 2:
        if group:
            usage.acl("group")
            sys.exit(1)
        else:
            usage.acl("target")
            sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    tug_id = argv.pop(0)
    if command == "create":
        if utils.does_id_exist(dom,tug_id):
            utils.err(tug_id + " already exists in cib")

        if group:
            element = dom.createElement("acl_group")
        else:
            element = dom.createElement("acl_target")
        element.setAttribute("id", tug_id)

        acls.appendChild(element)
        for role in argv:
            r = dom.createElement("role")
            r.setAttribute("id", role)
            element.appendChild(r)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        found = False
        if group:
            elist = dom.getElementsByTagName("acl_group")
        else:
            elist = dom.getElementsByTagName("acl_target")

        for elem in elist:
            if elem.getAttribute("id") == tug_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            if group:
                utils.err("unable to find acl group: %s" % tug_id)
            else:
                utils.err("unable to find acl target/user: %s" % tug_id)
        utils.replace_cib_configuration(dom)
    else:
        if group:
            usage.acl("group")
        else:
            usage.acl("target")
        sys.exit(1)
Пример #5
0
def acl_target(argv, group=False):
    if len(argv) < 2:
        if group:
            usage.acl("group")
            sys.exit(1)
        else:
            usage.acl("target")
            sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    tug_id = argv.pop(0)
    if command == "create":
        if utils.does_id_exist(dom, tug_id):
            utils.err(tug_id + " already exists in cib")

        if group:
            element = dom.createElement("acl_group")
        else:
            element = dom.createElement("acl_target")
        element.setAttribute("id", tug_id)

        acls.appendChild(element)
        for role in argv:
            r = dom.createElement("role")
            r.setAttribute("id", role)
            element.appendChild(r)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        found = False
        if group:
            elist = dom.getElementsByTagName("acl_group")
        else:
            elist = dom.getElementsByTagName("acl_target")

        for elem in elist:
            if elem.getAttribute("id") == tug_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            if group:
                utils.err("unable to find acl group: %s" % tug_id)
            else:
                utils.err("unable to find acl target/user: %s" % tug_id)
        utils.replace_cib_configuration(dom)
    else:
        if group:
            usage.acl("group")
        else:
            usage.acl("target")
        sys.exit(1)
Пример #6
0
Файл: acl.py Проект: tradej/pcs
def acl_role(argv):
    if len(argv) < 2:
        usage.acl(["role"])
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "create":
        role_name = argv.pop(0)
        if argv and argv[0].startswith('description=') and len(argv[0]) > 12:
            description = argv.pop(0)[12:]
        else:
            description = ""
        id_valid, id_error = utils.validate_xml_id(role_name, 'ACL role')
        if not id_valid:
            utils.err(id_error)
        if utils.dom_get_element_with_id(dom, "acl_role", role_name):
            utils.err("role %s already exists" % role_name)
        if utils.does_id_exist(dom,role_name):
            utils.err(role_name + " already exists")

        element = dom.createElement("acl_role")
        element.setAttribute("id",role_name)
        if description != "":
            element.setAttribute("description", description)
        acls.appendChild(element)

        if not add_permissions_to_role(element, argv):
            usage.acl(["role create"])
            sys.exit(1)
        utils.replace_cib_configuration(dom)

    elif command == "delete":
        if len(argv) < 1:
            usage.acl(["role delete"])
            sys.exit(1)

        role_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_role"):
            if elem.getAttribute("id") == role_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            utils.err("unable to find acl role: %s" % role_id)

        # Remove any references to this role in acl_target or acl_group
        for elem in dom.getElementsByTagName("role"):
            if elem.getAttribute("id") == role_id:
                user_group = elem.parentNode
                user_group.removeChild(elem)
                if "--autodelete" in utils.pcs_options:
                    if not user_group.getElementsByTagName("role"):
                        user_group.parentNode.removeChild(user_group)

        utils.replace_cib_configuration(dom)
    elif command == "assign":
        if len(argv) < 2:
            usage.acl(["role assign"])
            sys.exit(1)

        if len(argv) == 2:
            role_id = argv[0]
            ug_id = argv[1]
        elif len(argv) > 2 and argv[1] == "to":
            role_id = argv[0]
            ug_id = argv[2]
        else:
            usage.acl(["role assign"])
            sys.exit(1)

        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break

        if not found:
            utils.err("cannot find role: %s" % role_id)

        found = False
        for ug in dom.getElementsByTagName("acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                utils.err(role_id + " is already assigned to " + ug_id)

        new_role = dom.createElement("role")
        new_role.setAttribute("id", role_id)
        ug.appendChild(new_role)
        utils.replace_cib_configuration(dom)
    elif command == "unassign":
        if len(argv) < 2:
            usage.acl(["role unassign"])
            sys.exit(1)

        role_id = argv.pop(0)
        if len(argv) > 1 and argv[0] == "from":
            ug_id = argv[1]
        else:
            ug_id = argv[0]

        found = False
        for ug in dom.getElementsByTagName("acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        found = False
        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                found = True
                current_role.parentNode.removeChild(current_role)
                break

        if not found:
            utils.err("cannot find role: %s, assigned to user/group: %s" % (role_id, ug_id))

        if "--autodelete" in utils.pcs_options:
            if not ug.getElementsByTagName("role"):
                ug.parentNode.removeChild(ug)

        utils.replace_cib_configuration(dom)

    else:
        utils.err("Unknown pcs acl role command: '" + command + "' (try create or delete)")
Пример #7
0
Файл: acl.py Проект: tradej/pcs
def acl_permission(argv):
    if len(argv) < 1:
        usage.acl(["permission"])
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "add":
        if len(argv) < 4:
            usage.acl(["permission add"])
            sys.exit(1)
        role_id = argv.pop(0)
        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break
        if found == False:
            acl_role(["create", role_id] + argv) 
            return

        if not argv:
            usage.acl(["permission add"])
            sys.exit(1)
        if not add_permissions_to_role(role, argv):
            usage.acl(["permission add"])
            sys.exit(1)
        utils.replace_cib_configuration(dom)

    elif command == "delete":
        if len(argv) < 1:
            usage.acl(["permission delete"])
            sys.exit(1)

        perm_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_permission"):
            if elem.getAttribute("id") == perm_id:
                elem.parentNode.removeChild(elem)
                found = True
        if not found:
            utils.err("Unable to find permission with id: %s" % perm_id)

        utils.replace_cib_configuration(dom)

    else:
        usage.acl(["permission"])
        sys.exit(1)
Пример #8
0
Файл: acl.py Проект: tradej/pcs
def acl_target(argv,group=False):
    if len(argv) < 2:
        if group:
            usage.acl(["group"])
            sys.exit(1)
        else:
            usage.acl(["user"])
            sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    tug_id = argv.pop(0)
    if command == "create":
        # pcsd parses the error message in order to determine whether the id is
        # assigned to user/group or some other cib element
        if group and utils.dom_get_element_with_id(dom, "acl_group", tug_id):
            utils.err("group %s already exists" % tug_id)
        if not group and utils.dom_get_element_with_id(dom, "acl_target", tug_id):
            utils.err("user %s already exists" % tug_id)
        if utils.does_id_exist(dom,tug_id):
            utils.err(tug_id + " already exists")

        if group:
            element = dom.createElement("acl_group")
        else:
            element = dom.createElement("acl_target")
        element.setAttribute("id", tug_id)

        acls.appendChild(element)
        for role in argv:
            if not utils.dom_get_element_with_id(acls, "acl_role", role):
                utils.err("cannot find acl role: %s" % role)
            r = dom.createElement("role")
            r.setAttribute("id", role)
            element.appendChild(r)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        found = False
        if group:
            elist = dom.getElementsByTagName("acl_group")
        else:
            elist = dom.getElementsByTagName("acl_target")

        for elem in elist:
            if elem.getAttribute("id") == tug_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            if group:
                utils.err("unable to find acl group: %s" % tug_id)
            else:
                utils.err("unable to find acl target/user: %s" % tug_id)
        utils.replace_cib_configuration(dom)
    else:
        if group:
            usage.acl(["group"])
        else:
            usage.acl(["user"])
        sys.exit(1)
Пример #9
0
def acl_role(argv):
    if len(argv) < 2:
        usage.acl("role")
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "create":
        role_name = argv.pop(0)
        if len(argv) < 3:
            usage.acl("role create")
            sys.exit(1)
        if argv[0].startswith('description=') and len(argv[0]) > 12:
            description = argv.pop(0)[12:]
        else:
            description = ""
        if utils.does_id_exist(dom,role_name):
            utils.err(role_name + " already exists")

        element = dom.createElement("acl_role")
        element.setAttribute("id",role_name)
        if description != "":
            element.setAttribute("description", description)
        acls.appendChild(element)
        
        while (len(argv) > 2):
            rwd = argv.pop(0)
            if not rwd in ["read","write","deny"]:
                usage.acl("role create")
                sys.exit(1)
            se = dom.createElement("acl_permission")
            se.setAttribute("id", utils.find_unique_id(dom,role_name + "-" + rwd))
            se.setAttribute("kind", rwd)
            xp_id = argv.pop(0)
            if xp_id == "xpath":
                xpath_query = argv.pop(0)
                se.setAttribute("xpath",xpath_query)
            elif xp_id == "id":
                acl_ref = argv.pop(0)
                se.setAttribute("reference",acl_ref)
            else:
                usage.acl("role create")

            element.appendChild(se)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        if len(argv) < 1:
            usage.acl("acl role delete")

        role_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_role"):
            if elem.getAttribute("id") == role_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            utils.err("unable to find acl role: %s" % role_id)

        # Remove any references to this role in acl_target or acl_group
        for elem in dom.getElementsByTagName("role"):
            if elem.getAttribute("id") == role_id:
                elem.parentNode.removeChild(elem)

        utils.replace_cib_configuration(dom)
    elif command == "assign":
        if len(argv) < 2:
            usage.acl("role assign")
            sys.exit(1)

        if len(argv) == 2:
            role_id = argv[0]
            ug_id = argv[1]
        elif len(argv) > 2 and argv[1] == "to":
            role_id = argv[0]
            ug_id = argv[2]
        else:
            usage.acl("role assign")
            sys.exit(1)

        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break

        if not found:
            utils.err("cannot find role: %s" % role_id)

        found = False
        for ug in dom.getElementsByTagName("acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                utils.err(role_id + " is already assigned to " + ug_id)

        new_role = dom.createElement("role")
        new_role.setAttribute("id", role_id)
        ug.appendChild(new_role)
        utils.replace_cib_configuration(dom)
    elif command == "unassign":
        if len(argv) < 2:
            usage.acl("role unassign")
            sys.exit(1)

        role_id = argv.pop(0)
        if len(argv) > 1 and argv[0] == "from":
            ug_id = argv[1]
        else:
            ug_id = argv[0]

        found = False
        for ug in dom.getElementsByTagName("acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        found = False
        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                found = True
                current_role.parentNode.removeChild(current_role)
                break

        if not found:
            utils.err("cannot find role: %s, assigned to user/group: %s" % (role_id, ug_id))
        utils.replace_cib_configuration(dom)
        
    else:
        utils.err("Unknown pcs acl role command: '" + command + "' (try create or delete)")
Пример #10
0
Файл: acl.py Проект: ingted/pcs
def acl_role(argv):
    if len(argv) < 2:
        usage.acl(["role"])
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "create":
        role_name = argv.pop(0)
        if argv and argv[0].startswith('description=') and len(argv[0]) > 12:
            description = argv.pop(0)[12:]
        else:
            description = ""
        id_valid, id_error = utils.validate_xml_id(role_name, 'ACL role')
        if not id_valid:
            utils.err(id_error)
        if utils.dom_get_element_with_id(dom, "acl_role", role_name):
            utils.err("role %s already exists" % role_name)
        if utils.does_id_exist(dom, role_name):
            utils.err(role_name + " already exists")

        element = dom.createElement("acl_role")
        element.setAttribute("id", role_name)
        if description != "":
            element.setAttribute("description", description)
        acls.appendChild(element)

        if not add_permissions_to_role(element, argv):
            usage.acl(["role create"])
            sys.exit(1)
        utils.replace_cib_configuration(dom)

    elif command == "delete":
        if len(argv) < 1:
            usage.acl(["role delete"])
            sys.exit(1)

        role_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_role"):
            if elem.getAttribute("id") == role_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            utils.err("unable to find acl role: %s" % role_id)

        # Remove any references to this role in acl_target or acl_group
        for elem in dom.getElementsByTagName("role"):
            if elem.getAttribute("id") == role_id:
                user_group = elem.parentNode
                user_group.removeChild(elem)
                if "--autodelete" in utils.pcs_options:
                    if not user_group.getElementsByTagName("role"):
                        user_group.parentNode.removeChild(user_group)

        utils.replace_cib_configuration(dom)
    elif command == "assign":
        if len(argv) < 2:
            usage.acl(["role assign"])
            sys.exit(1)

        if len(argv) == 2:
            role_id = argv[0]
            ug_id = argv[1]
        elif len(argv) > 2 and argv[1] == "to":
            role_id = argv[0]
            ug_id = argv[2]
        else:
            usage.acl(["role assign"])
            sys.exit(1)

        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break

        if not found:
            utils.err("cannot find role: %s" % role_id)

        found = False
        for ug in dom.getElementsByTagName(
                "acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                utils.err(role_id + " is already assigned to " + ug_id)

        new_role = dom.createElement("role")
        new_role.setAttribute("id", role_id)
        ug.appendChild(new_role)
        utils.replace_cib_configuration(dom)
    elif command == "unassign":
        if len(argv) < 2:
            usage.acl(["role unassign"])
            sys.exit(1)

        role_id = argv.pop(0)
        if len(argv) > 1 and argv[0] == "from":
            ug_id = argv[1]
        else:
            ug_id = argv[0]

        found = False
        for ug in dom.getElementsByTagName(
                "acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        found = False
        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                found = True
                current_role.parentNode.removeChild(current_role)
                break

        if not found:
            utils.err("cannot find role: %s, assigned to user/group: %s" %
                      (role_id, ug_id))

        if "--autodelete" in utils.pcs_options:
            if not ug.getElementsByTagName("role"):
                ug.parentNode.removeChild(ug)

        utils.replace_cib_configuration(dom)

    else:
        utils.err("Unknown pcs acl role command: '" + command +
                  "' (try create or delete)")
Пример #11
0
Файл: acl.py Проект: ingted/pcs
def acl_permission(argv):
    if len(argv) < 1:
        usage.acl(["permission"])
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "add":
        if len(argv) < 4:
            usage.acl(["permission add"])
            sys.exit(1)
        role_id = argv.pop(0)
        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break
        if found == False:
            acl_role(["create", role_id] + argv)
            return

        if not argv:
            usage.acl(["permission add"])
            sys.exit(1)
        if not add_permissions_to_role(role, argv):
            usage.acl(["permission add"])
            sys.exit(1)
        utils.replace_cib_configuration(dom)

    elif command == "delete":
        if len(argv) < 1:
            usage.acl(["permission delete"])
            sys.exit(1)

        perm_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_permission"):
            if elem.getAttribute("id") == perm_id:
                elem.parentNode.removeChild(elem)
                found = True
        if not found:
            utils.err("Unable to find permission with id: %s" % perm_id)

        utils.replace_cib_configuration(dom)

    else:
        usage.acl(["permission"])
        sys.exit(1)
Пример #12
0
Файл: acl.py Проект: ingted/pcs
def acl_target(argv, group=False):
    if len(argv) < 2:
        if group:
            usage.acl(["group"])
            sys.exit(1)
        else:
            usage.acl(["user"])
            sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    tug_id = argv.pop(0)
    if command == "create":
        # pcsd parses the error message in order to determine whether the id is
        # assigned to user/group or some other cib element
        if group and utils.dom_get_element_with_id(dom, "acl_group", tug_id):
            utils.err("group %s already exists" % tug_id)
        if not group and utils.dom_get_element_with_id(dom, "acl_target",
                                                       tug_id):
            utils.err("user %s already exists" % tug_id)
        if utils.does_id_exist(dom, tug_id):
            utils.err(tug_id + " already exists")

        if group:
            element = dom.createElement("acl_group")
        else:
            element = dom.createElement("acl_target")
        element.setAttribute("id", tug_id)

        acls.appendChild(element)
        for role in argv:
            if not utils.dom_get_element_with_id(acls, "acl_role", role):
                utils.err("cannot find acl role: %s" % role)
            r = dom.createElement("role")
            r.setAttribute("id", role)
            element.appendChild(r)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        found = False
        if group:
            elist = dom.getElementsByTagName("acl_group")
        else:
            elist = dom.getElementsByTagName("acl_target")

        for elem in elist:
            if elem.getAttribute("id") == tug_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            if group:
                utils.err("unable to find acl group: %s" % tug_id)
            else:
                utils.err("unable to find acl target/user: %s" % tug_id)
        utils.replace_cib_configuration(dom)
    else:
        if group:
            usage.acl(["group"])
        else:
            usage.acl(["user"])
        sys.exit(1)
Пример #13
0
def acl_role(argv):
    if len(argv) < 2:
        usage.acl("role")
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "create":
        role_name = argv.pop(0)
        if len(argv) < 3:
            usage.acl("role create")
            sys.exit(1)
        if argv[0].startswith('description=') and len(argv[0]) > 12:
            description = argv.pop(0)[12:]
        else:
            description = ""
        if utils.does_id_exist(dom, role_name):
            utils.err(role_name + " already exists")

        element = dom.createElement("acl_role")
        element.setAttribute("id", role_name)
        if description != "":
            element.setAttribute("description", description)
        acls.appendChild(element)

        while (len(argv) > 2):
            rwd = argv.pop(0)
            if not rwd in ["read", "write", "deny"]:
                usage.acl("role create")
                sys.exit(1)
            se = dom.createElement("acl_permission")
            se.setAttribute("id",
                            utils.find_unique_id(dom, role_name + "-" + rwd))
            se.setAttribute("kind", rwd)
            xp_id = argv.pop(0)
            if xp_id == "xpath":
                xpath_query = argv.pop(0)
                se.setAttribute("xpath", xpath_query)
            elif xp_id == "id":
                acl_ref = argv.pop(0)
                se.setAttribute("reference", acl_ref)
            else:
                usage.acl("role create")

            element.appendChild(se)

        utils.replace_cib_configuration(dom)
    elif command == "delete":
        if len(argv) < 1:
            usage.acl("acl role delete")

        role_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_role"):
            if elem.getAttribute("id") == role_id:
                found = True
                elem.parentNode.removeChild(elem)
                break
        if not found:
            utils.err("unable to find acl role: %s" % role_id)

        # Remove any references to this role in acl_target or acl_group
        for elem in dom.getElementsByTagName("role"):
            if elem.getAttribute("id") == role_id:
                elem.parentNode.removeChild(elem)

        utils.replace_cib_configuration(dom)
    elif command == "assign":
        if len(argv) < 2:
            usage.acl("role assign")
            sys.exit(1)

        if len(argv) == 2:
            role_id = argv[0]
            ug_id = argv[1]
        elif len(argv) > 2 and argv[1] == "to":
            role_id = argv[0]
            ug_id = argv[2]
        else:
            usage.acl("role assign")
            sys.exit(1)

        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break

        if not found:
            utils.err("cannot find role: %s" % role_id)

        found = False
        for ug in dom.getElementsByTagName(
                "acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                utils.err(role_id + " is already assigned to " + ug_id)

        new_role = dom.createElement("role")
        new_role.setAttribute("id", role_id)
        ug.appendChild(new_role)
        utils.replace_cib_configuration(dom)
    elif command == "unassign":
        if len(argv) < 2:
            usage.acl("role unassign")
            sys.exit(1)

        role_id = argv.pop(0)
        if len(argv) > 1 and argv[0] == "from":
            ug_id = argv[1]
        else:
            ug_id = argv[0]

        found = False
        for ug in dom.getElementsByTagName(
                "acl_target") + dom.getElementsByTagName("acl_group"):
            if ug.getAttribute("id") == ug_id:
                found = True
                break

        if not found:
            utils.err("cannot find user or group: %s" % ug_id)

        found = False
        for current_role in ug.getElementsByTagName("role"):
            if current_role.getAttribute("id") == role_id:
                found = True
                current_role.parentNode.removeChild(current_role)
                break

        if not found:
            utils.err("cannot find role: %s, assigned to user/group: %s" %
                      (role_id, ug_id))
        utils.replace_cib_configuration(dom)

    else:
        utils.err("Unknown pcs acl role command: '" + command +
                  "' (try create or delete)")
Пример #14
0
def acl_permission(argv):
    if len(argv) < 1:
        usage.acl("permission")
        sys.exit(1)

    dom = utils.get_cib_dom()
    dom, acls = get_acls(dom)

    command = argv.pop(0)
    if command == "add":
        if len(argv) < 4:
            usage.acl("permission add")
            sys.exit(1)
        role_id = argv.pop(0)
        found = False
        for role in dom.getElementsByTagName("acl_role"):
            if role.getAttribute("id") == role_id:
                found = True
                break
        if found == False:
            acl_role(["create", role_id] + argv)
            return

        while len(argv) >= 3:
            kind = argv.pop(0)
            se = dom.createElement("acl_permission")
            se.setAttribute("id",
                            utils.find_unique_id(dom, role_id + "-" + kind))
            se.setAttribute("kind", kind)
            xp_id = argv.pop(0)
            if xp_id == "xpath":
                xpath_query = argv.pop(0)
                se.setAttribute("xpath", xpath_query)
            elif xp_id == "id":
                acl_ref = argv.pop(0)
                se.setAttribute("reference", acl_ref)
            else:
                usage.acl("permission add")
            role.appendChild(se)

        utils.replace_cib_configuration(dom)

    elif command == "delete":
        if len(argv) < 1:
            usage.acl("permission delete")
            sys.exit(1)

        perm_id = argv.pop(0)
        found = False
        for elem in dom.getElementsByTagName("acl_permission"):
            if elem.getAttribute("id") == perm_id:
                elem.parentNode.removeChild(elem)
                found = True
        if not found:
            utils.err("Unable to find permission with id: %s" % perm_id)

        utils.replace_cib_configuration(dom)

    else:
        usage.acl("permission")
        sys.exit(1)