def project_add(pid, name):
if project_exists(pid):
run_utils.exit_fail("Project with same project pid exists")
project_name = project_id_to_name(pid)
for role in ("", "-a", "-p"):
grp = "%s%s" % (project_name, role)
run_utils.launch_cmd("/usr/sbin/pw groupadd -n %s " % grp)
phome = project_home(pid)
run_utils.launch_cmd("/bin/mkdir %s " % phome)
admin_group = "%s-a" % project_name
run_utils.launch_cmd("/usr/sbin/chown -R root:%s %s" %
(admin_group, phome))
set_project_name(phome, cleanup_project_name(name))
storage_facade.permissions_strict_owner_only(phome)
run_utils.launch_cmd("/bin/chflags -h nosunlink %s" % phome)
acls = [
'everyone@:------a-R-c--s:------:allow',
'group@:r-xp--a-R-c--s:fd----:allow',
'owner@:rwxp-daARWcC-s:fd----:allow',
'group:%s:rwxp--a-R-cC-s:-d----:allow' % project_name,
'group:%s:r-x---a-R-cC-s:f-----:allow' % project_name,
'group:%s:----D---------:-d----:deny' % project_name,
'group:%s-p:rwxpD-aAR-cC-s:fd----:allow' % project_name,
'group:%s-a:rwxpD-aARWcCos:fd----:allow' % project_name
]
for acl in acls:
flag = ('-m' if ('@' in acl) else '-a0')
run_utils.launch_cmd("/bin/setfacl -h %s %s %s " % (flag, acl, phome))
print("project added successfully")
def test_ssh(nels_id):
feed_utils.heading("ssh use case. nels_id: %s" % nels_id)
credentail = ssh_utils.get_ssh_credentials(nels_id)
if not credentail:
feed_utils.failed("fetching key")
return False
feed_utils.ok("ssh key fetched")
(host, username, key_file) = credentail
(status, items,
error) = run_utils.launch_remote_with_key(key_file, username, host, "ls ")
if status != 0:
feed_utils.error(error)
return False
if "Personal" in items:
feed_utils.ok("Personal folder found")
else:
feed_utils.failed("Personal folder not found")
if "Projects" in items:
feed_utils.ok("Projects folder found")
else:
feed_utils.failed("Projects folder not found")
feed_utils.info("cleaning key file")
run_utils.launch_cmd("rm -f %s" % key_file)
return True
def get_ssh_credentials(nels_id):
credentail = storage.get_ssh_credential(nels_id)
if not credentail:
return None
(host, username) = (credentail[0], credentail[1])
feed_utils.info("fetching keys. host: %s, username:%s " % (host, username))
key_file = path.join(config.TEMP_DIR, "%s.nels" % nels_id)
feed_utils.info("writing key file: %s" % key_file)
file_utils.write_to_file(key_file, credentail[2])
run_utils.launch_cmd("chmod 600 %s" % key_file)
return [credentail[0], credentail[1], key_file]
def project_del(pid):
if not project_exists(pid):
run_utils.exit_fail("Project not found")
for role in ("", "-a", "-p"):
grp = "%s%s" % (project_id_to_name(pid), role)
if not storage_facade.group_exists(grp):
continue
for nels_id in storage_facade.member_nels_ids(grp):
project_user_remove(pid, nels_id)
run_utils.launch_cmd("/usr/sbin/pw groupdel -n %s -q " % grp)
# caution, this deletes all files of the project
run_utils.launch_cmd("/bin/rm -rf %s" % project_home(pid))
print("project removed successfully")
def project_user_add(pid, uid, role):
if is_user_member(pid, uid):
project_user_remove(pid, uid)
proot = path.join(storage_facade.USERS_ROOT_DIR,
user_facade.nels_id_to_username(uid), "Projects")
plink = project_link_path(pid, uid)
run_utils.launch_cmd(
"/usr/sbin/pw groupmod -n %s -m %s" %
(role_to_group(pid, role), user_facade.nels_id_to_username(uid)))
run_utils.launch_cmd("/bin/chflags -h nosimmutable,nosunlink %s" % proot)
run_utils.launch_cmd("/bin/ln -s -f -h %s %s " % (path.join(
storage_facade.PROJECTS_ROOT_DIR, project_id_to_name(pid)), plink))
run_utils.launch_cmd("/bin/chflags -h simmutable,sunlink %s" % proot)
def project_user_remove(pid, uid):
if not is_user_member(pid, uid):
run_utils.exit_fail("User is not a member of the project")
proot = path.join(storage_facade.USERS_ROOT_DIR,
user_facade.nels_id_to_username(uid), "Projects")
plink = project_link_path(pid, uid)
for role in ["member", "poweruser", "admin"]:
run_utils.launch_cmd(
"/usr/sbin/pw groupmod -n %s -d %s " %
(role_to_group(pid, role), user_facade.nels_id_to_username(uid)))
if path.exists(plink):
run_utils.launch_cmd("/bin/chflags -h nosimmutable,nosunlink %s" %
proot)
run_utils.launch_cmd("/bin/rm -f %s " % plink)
run_utils.launch_cmd("/bin/chflags -h simmutable,sunlink %s" % proot)
def permissions_strict_owner_only(directory):
owner = file_owner_get(directory)
setfacl = '/bin/setfacl'
chmod = '/bin/chmod'
if owner == "root":
owner = ''
run_utils.launch_cmd("%s -h -b %s" % (setfacl, directory), owner)
run_utils.launch_cmd("%s 700 %s" % (chmod, directory), owner)
run_utils.launch_cmd("%s -h -m %s %s" % (setfacl, "'owner@:rwxp--aARWcCos:fd:allow'", directory), owner)
def group_exists(grp):
result = run_utils.launch_cmd("/usr/sbin/pw groupshow %s" % grp)
return result[0] == 0
def permissions_add_full_control_to_groupname(directory, group_name):
run_utils.launch_cmd("/bin/setfacl -h -m 'g:%s:rwxpDdaARWcC:fd:allow' %s" % (group_name, directory))
def allow_nels_storage_admin(directory):
run_utils.launch_cmd("/bin/setfacl -h -a2 %s %s" % ("'g:nels_storage_admin:xaRcs:fd:allow'", directory))
def file_owner_get(directory):
cmd = "stat -f '%Su' " + directory
feed_utils.info(cmd)
result = run_utils.launch_cmd(cmd)
# caution: this is not safe. Should be changed
return result[1][0].replace('\n', '')
if __name__ == "__main__":
usage = 'usage: %prog [options] nels_id link_to_clean'
version = '%prog 1.0'
parser = OptionParser(usage=usage, version=version)
parser.add_option('-v', '--verbose', dest="verbose", action="store_true", help='turn verbosity on', default=False)
# get options and arguments
(options, args) = parser.parse_args()
feed_utils.VERBOSE = options.verbose
args_utils.require_args_length(parser, args, 2)
args_utils.require_arg_number(parser, args, 0, "nels_id")
config.init()
proot = path.join(storage_facade.USERS_ROOT_DIR, user_facade.nels_id_to_username(int(args[0])), "Projects")
plink = path.join(proot, args[1])
if not path.exists(plink):
run_utils.exit_fail("symbolic link not found")
# unlock folder, remove link and lock folder again
run_utils.launch_cmd("/bin/chflags -h nosimmutable,nosunlink %s" % proot)
run_utils.launch_cmd("/bin/rm -f %s " % plink)
run_utils.launch_cmd("/bin/chflags -h simmutable,sunlink %s" % proot)
#verify
if path.exists(plink):
feed_utils.failed("link still exists")
else:
feed_utils.ok("link removed successfully")
def set_project_name(project_home, name):
run_utils.launch_cmd(
"/usr/sbin/setextattr user nels.project.name \"%s\" \"%s\" " %
(cleanup_project_name(name), project_home))
def project_exists(pid):
feed_utils.info("cheking project existence. pid: %s" % pid)
return run_utils.launch_cmd('/usr/bin/getent group %s' %
project_id_to_name(pid))[0] == 0
def project_name_by_pname(pname):
result = run_utils.launch_cmd(
"/usr/sbin/getextattr -q -h user 'nels.project.name' %s" %
path.join(storage_facade.PROJECTS_ROOT_DIR, pname))
return result[1][0].replace("\n", "")