
Commit bd7d9d05 authored by Leigh B Stoller's avatar Leigh B Stoller

Extension policy changes:

* New tables to store policies for users and projects/groups. At the
  moment, there is only one policy (with associated reason); disabled.
  This allows us to mark projects/groups/users with enable/disable
  flags. Note that policies are applied consecutively, so you can
  disable extensions for a project, but enable them for a user in that
  project.

* Apply extension policies when experiments are created, and send mail
  to the audit log when a policy causes extensions to be disabled.

* New driver script (manage_extensions) to change the policy tables.
parent e1b6076f
......@@ -1183,6 +1183,98 @@ sub AptAggregateList($)
return @results;
}
#
# Apply extension policies.
#
sub ApplyExtensionPolicies($)
{
my ($self) = @_;
my $uuid = $self->uuid();
my $pid = $self->pid();
my $name = $self->name();
my $pid_idx = $self->pid_idx();
my $gid_idx = $self->gid_idx();
my $uid_idx = $self->creator_idx();
my $current = $self->extension_disabled();
my $policy;
my $disabled = 0;
my $reason;
#
# Apply in order project, group, then user.
#
my $query_result =
DBQueryWarn("select disabled,reason from apt_extension_group_policies ".
"where pid_idx='$pid_idx' and gid_idx=pid_idx");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
($disabled,$reason) = $query_result->fetchrow_array();
if ($disabled && !defined($reason)) {
$reason = "project restriction";
}
$policy = "Project";
}
$query_result =
DBQueryWarn("select disabled,reason from apt_extension_group_policies ".
"where pid_idx='$pid_idx' and gid_idx='$gid_idx'");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
my ($d,$r) = $query_result->fetchrow_array();
if ($d) {
$disabled = 1;
$reason = (defined($r) ? $r : "group restriction");
}
else {
$disabled = 0;
$reason = undef;
}
$policy = "Group";
}
$query_result =
DBQueryWarn("select disabled,reason from apt_extension_user_policies ".
"where uid_idx='$uid_idx'");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
my ($d,$r) = $query_result->fetchrow_array();
if ($d) {
$disabled = 1;
$reason = (defined($r) ? $r : "user restriction");
}
else {
$disabled = 0;
$reason = undef;
}
$policy = "User";
}
# Apply disabled flag
$self->Update({"extension_disabled" => $disabled}) == 0
or return -1;
# Set the reason only if disabled, clear otherwise.
if ($disabled && defined($reason)) {
$self->Update({"extension_disabled_reason" => $reason}) == 0
or return -1;
}
else {
DBQueryWarn("update apt_instances set extension_disabled_reason=NULL ".
"where uuid='$uuid'")
or return -1;
}
if ($disabled != $current) {
my $which = ($disabled ? "disabled" : "enabled");
SENDMAIL($TBAUDIT,
"Portal experiment $uuid extensions $which",
"$policy policy has $which extensions for $pid/$name\n\n".
(defined($reason) ? "Reason:\n$reason\n\n" : "").
$self->adminURL() . "\n",
$TBOPS);
}
return 0;
}
###################################################################
package APT_Instance::ExtensionInfo;
use emdb;
......
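Review bot: `$policy` is never assigned when no policy row matches, yet the SENDMAIL at the end of ApplyExtensionPolicies still interpolates it whenever `$disabled != $current` — for example an instance that was disabled by a policy that has since been removed flips back to enabled, and the audit message reads " policy has enabled extensions" with an uninitialized-value warning. Initialise it for the fall-through case, `my $policy = "Default";`, or build the line from `(defined($policy) ? "$policy policy" : "No policy")`. Separately, the four queries interpolate `$pid_idx`, `$gid_idx`, `$uid_idx` and `$uuid` straight into the SQL text; these appear to be integer indices and a stored uuid read back from the instance record rather than caller input, but a short comment at the first query saying so would make that trust boundary explicit for the next reader.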
......@@ -33,7 +33,7 @@ SUBDIRS =
BIN_SCRIPTS = manage_profile manage_instance manage_dataset \
create_instance rungenilib ns2rspec nsgenilib.py \
rspec2genilib ns2genilib manage_reservations manage_gitrepo \
manage_images rtecheck checkprofile
manage_images rtecheck checkprofile manage_extensions
SBIN_SCRIPTS = apt_daemon aptevent_daemon portal_xmlrpc apt_checkup \
portal_monitor
LIB_SCRIPTS = APT_Profile.pm APT_Instance.pm APT_Dataset.pm APT_Geni.pm \
......
......@@ -874,6 +874,11 @@ if (!defined($instance)) {
fatal(defined($errmsg) ? $errmsg :
"Could not create instance record for $quickvm_uuid");
}
# Apply policies,
if ($instance->ApplyExtensionPolicies()) {
$instance->Delete();
fatal("Error applying policies");
}
#
# Get the set of keys (accounts) that need to be sent along. We build
......
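Review bot: The failure branch discards the result of `$instance->Delete()` before calling fatal, so if the delete itself fails the half-created instance record is left behind with nothing in the fatal message to say so. If Delete follows the same 0-on-success convention that Update uses elsewhere in this commit, `$instance->Delete() == 0 or print STDERR "Could not delete instance record\n";` ahead of the `fatal(...)` would surface that; Delete's contract is not visible in this hunk. The comment `# Apply policies,` also ends in a stray comma; `# Apply extension policies.` matches the wording used in APT_Instance.pm. The enclosing code continues outside the hunk.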
......@@ -63,6 +63,7 @@ sub usage()
print("Usage: manage_instance idledata instance\n");
print("Usage: manage_instance openstackstats instance\n");
print("Usage: manage_instance getmanifests instance\n");
print("Usage: manage_instance applyextensionpolicy instance\n");
exit(-1);
}
my $optlist = "dt:s";
......@@ -142,6 +143,7 @@ sub DoCheckAutoApprove();
sub CheckAutoApprove($$);
sub CheckReservationInternal($$$);
sub DoMaxExtension();
sub DoApplyExtensionPolicy();
sub WriteCredentials();
sub StartMonitor();
sub StartMonitorInternal(;$@);
......@@ -278,6 +280,9 @@ elsif ($action eq "maxextension") {
elsif ($action eq "checkautoapprove") {
DoCheckAutoApprove()
}
elsif ($action eq "applyextensionpolicy") {
DoApplyExtensionPolicy()
}
else {
usage();
}
......@@ -4276,6 +4281,20 @@ sub DoSchedTerminate()
exit($errcode);
}
#
# Apply extension policies.
#
sub DoApplyExtensionPolicy()
{
if ($instance->ApplyExtensionPolicies()) {
fatal("Could not apply extension policies!");
}
$instance->Refresh();
my $disabled = ($instance->extension_disabled() ? "disabled" : "enabled");
print "Extensions are now $disabled\n";
}
#
# Write instance credentials to files.
#
......
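Review bot: In DoApplyExtensionPolicy (last hunk of this file), the return value of `$instance->Refresh()` is ignored, so if the refresh fails the script still prints `Extensions are now ...` from the stale in-memory flag. Presumably Refresh follows the same 0-on-success convention that Update uses elsewhere in this commit; if so, `$instance->Refresh() == 0 or fatal("Could not refresh instance");` keeps the printed state trustworthy. Unlike DoSchedTerminate just above it, which ends with `exit($errcode)`, this handler has no explicit exit, so its exit status depends on whatever follows the action dispatch, outside this hunk.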
......@@ -173,6 +173,40 @@ CREATE TABLE `apt_datasets` (
UNIQUE KEY `uuid` (`uuid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Table structure for table `apt_extension_group_policies`
--
DROP TABLE IF EXISTS `apt_extension_group_policies`;
CREATE TABLE `apt_extension_group_policies` (
`pid` varchar(48) default NULL,
`pid_idx` mediumint(8) unsigned NOT NULL default '0',
`gid` varchar(32) NOT NULL default '',
`gid_idx` mediumint(8) unsigned NOT NULL default '0',
`creator` varchar(8) default NULL,
`creator_idx` mediumint(8) unsigned default NULL,
`disabled` tinyint(1) NOT NULL default '0',
`created` datetime default NULL,
`reason` mediumtext,
PRIMARY KEY (`pid_idx`,`gid_idx`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Table structure for table `apt_extension_user_policies`
--
DROP TABLE IF EXISTS `apt_extension_user_policies`;
CREATE TABLE `apt_extension_user_policies` (
`uid` varchar(8) default NULL,
`uid_idx` mediumint(8) unsigned NOT NULL default '0',
`creator` varchar(8) default NULL,
`creator_idx` mediumint(8) unsigned default NULL,
`disabled` tinyint(1) NOT NULL default '0',
`created` datetime default NULL,
`reason` mediumtext,
PRIMARY KEY (`uid_idx`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Table structure for table `apt_instance_aggregate_history`
--
......
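Review bot: Both new policy tables leave `creator`, `creator_idx` and `created` nullable with NULL defaults, so a row that disables extensions can exist with no record of who set it or when; since the commit message ties these policies to audit mail, declaring `creator_idx mediumint(8) unsigned NOT NULL` and `created datetime NOT NULL` would make that provenance mandatory at the schema level. The same column definitions are repeated in the DoUpdate script below, so the change would need to be made in both places. Whether the manage_extensions driver (collapsed on this page) always fills these columns cannot be seen here.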
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
if (!DBTableExists("apt_extension_group_policies")) {
DBQueryFatal("CREATE TABLE `apt_extension_group_policies` ( ".
" `pid` varchar(48) default NULL, ".
" `pid_idx` mediumint(8) unsigned NOT NULL default '0', ".
" `gid` varchar(32) NOT NULL default '', ".
" `gid_idx` mediumint(8) unsigned NOT NULL default '0', ".
" `creator` varchar(8) default NULL, ".
" `creator_idx` mediumint(8) unsigned default NULL, ".
" `disabled` tinyint(1) NOT NULL default '0', ".
" `created` datetime default NULL, ".
" `reason` mediumtext, ".
" PRIMARY KEY (`pid_idx`,`gid_idx`) ".
") ENGINE=MyISAM DEFAULT CHARSET=latin1");
}
if (!DBTableExists("apt_extension_user_policies")) {
DBQueryFatal("CREATE TABLE `apt_extension_user_policies` ( ".
" `uid` varchar(8) default NULL, ".
" `uid_idx` mediumint(8) unsigned NOT NULL default '0', ".
" `creator` varchar(8) default NULL, ".
" `creator_idx` mediumint(8) unsigned default NULL, ".
" `disabled` tinyint(1) NOT NULL default '0', ".
" `created` datetime default NULL, ".
" `reason` mediumtext, ".
" PRIMARY KEY (`uid_idx`) ".
") ENGINE=MyISAM DEFAULT CHARSET=latin1");
}
return 0;
}
# Local Variables:
# mode:perl
# End: