Commit 775ca147 authored by Leigh Stoller's avatar Leigh Stoller

Bottom line on this commit: Do not update the nodetypeXpid_permissions

table by hand anymore! Update the group_policies table and then run
the script to update the permissions table (sbin/update_permissions).

Details:

My original thought when I started this was that I would be able to
replace the existing nodetypeXpid_permissions table with this new
stuff. Well, it turns out that this was not a good thing to do, for a
couple of reasons:

  * Engineering: We access the nodetypeXpid_permissions table from three
    different languages, and no way I wanted to rewrite this library
    in python and php!

  * Performance: We access the nodetypeXpid_permissions from the web
    interface, on every single page load. In fact, we access it twice
    if you count the FreePCs() count that we put at the top of the menu.
    Going through this library on each page load would be a serious drag.

So, rather than actually get rid of the nodetypeXpid_permissions table, I
decided to keep it as a "cache" of permissions stored in the group
policies table. Each time you update the policy tables, we need to run
the update_permissions script which will call into this library (see the
TBUpdateNodeTypeXpidPermissions() routine) to reconstruct the permissions
table. I have whacked the grantnodetype script to do exactly that.

Note that we could probably do the same thing for users by creating an
equivalent nodetypeXuid_permissions table, mapping users to types they
are allowed to use. That would be a lot of rows, but the amount of data in
the table is small. That would give us very fine grained control of what
we show people in the web interface. Not sure it is worth it though.

I also added some instructions to previous commit in database-migrate.txt
on populating the new group_policies table from the existing
permissions table.
parent e5cb651a
......@@ -1891,6 +1891,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
db/dhcpd_makeconf db/nodelog db/webnodelog db/unixgroups \
db/dbcheck db/interswitch db/dbboot db/schemacheck \
db/sitevarscheck db/dbfillcheck db/libadminctrl.pm \
db/update_permissions \
db/grabron db/webnfree db/stategraph db/readycount \
db/idletimes db/idlemail db/webidlemail db/xmlconvert \
db/webnewwanode db/libdb.py db/elabinelab_bossinit \
......
......@@ -598,6 +598,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
db/dhcpd_makeconf db/nodelog db/webnodelog db/unixgroups \
db/dbcheck db/interswitch db/dbboot db/schemacheck \
db/sitevarscheck db/dbfillcheck db/libadminctrl.pm \
db/update_permissions \
db/grabron db/webnfree db/stategraph db/readycount \
db/idletimes db/idlemail db/webidlemail db/xmlconvert \
db/webnewwanode db/libdb.py db/elabinelab_bossinit \
......
......@@ -16,7 +16,7 @@ SBIN_SCRIPTS = avail inuse showgraph if2port backup webcontrol node_status \
genelists genelists.proxy dhcpd_makeconf nodelog unixgroups \
dbcheck interswitch dbboot grabron stategraph newwanode \
idletimes idlemail setsitevar audit changeuid \
elabinelab_bossinit
elabinelab_bossinit update_permissions
LIBEXEC_SCRIPTS = webnodelog webnfree webnewwanode webidlemail xmlconvert
LIB_SCRIPTS = libdb.pm Node.pm libdb.py libadminctrl.pm
......
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2003, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
#
# Update the nodetypeXpid_permissions table, which is now just a cache
# of info in the policy tables.
#
sub usage()
{
print STDERR "Usage: update_permissions [-h]\n";
print STDERR " -h This message\n";
exit(-1);
}
my $optlist = "h";
#
# Please do not run as root. Hard to track what has happened.
#
if ($EUID == 0) {
die("*** $0:\n".
" Please do not run this as root!\n");
}
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $BOSSADDR = "@BOSSNODE@";
#
# Testbed Support libraries
#
use lib "@prefix@/lib";
use libdb;
use libtestbed;
use libadminctrl;
#
# Turn off line buffering on output
#
$| = 1;
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/sbin:/usr/bin:";
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{h})) {
usage();
}
usage()
if (scalar(@ARGV));
#
# Its all in the library ...
#
exit(TBUpdateNodeTypeXpidPermissions());
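Review bot: The PATH set under "Untaint the path" ends in a colon, `"/bin:/sbin:/usr/bin:"`, and an empty PATH element is searched as the current directory, so any command run by bare name from this script or the libraries it loads can resolve to a file in whatever directory the caller started in; `$ENV{'PATH'} = "/bin:/sbin:/usr/bin";` removes that. The shebang is `-w` only, so nothing enforces the untainting the comment describes; adding `-T` would, provided the testbed libraries run cleanly under taint mode. As a smaller point, `%options` is assigned without `my` and the file has no `use strict`, so a mistyped variable name in this permissions tool would pass silently.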
......@@ -2395,6 +2395,15 @@ last_net_act,last_cpu_act,last_ext_act);
PRIMARY KEY (uid,policy,auxdata)
) TYPE=MyISAM;
Populating the tables from the existing nodetypeXpid_permissions.
insert into group_policies (pid, gid, policy, auxdata, count) \
select distinct '-','-','type',type,0 from nodetypeXpid_permissions;
insert into group_policies (pid, gid, policy, auxdata, count) \
select distinct pid,pid,'type',type,9999999 from \
nodetypeXpid_permissions;
1.308: Add a table for the robot tracking cameras.
CREATE TABLE cameras (
......
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2003 University of Utah and the Flux Group.
# Copyright (c) 2003, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -39,8 +39,7 @@ if ($UID == 0) {
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $BOSSADDR = "@BOSSNODE@";
my $update_perms = "$TB/sbin/update_permissions";
#
# Testbed Support libraries
......@@ -49,6 +48,9 @@ use lib "@prefix@/lib";
use libdb;
use libtestbed;
# Be careful not to exit on transient error
$libdb::DBQUERY_MAXTRIES = 30;
#
# Turn off line buffering on output
#
......@@ -153,10 +155,38 @@ while (my ($nodetype,$nodeclass) = $query_result->fetchrow_array()) {
foreach my $newtype (keys(%newtypes)) {
print STDERR "Granting permission to use type $newtype\n"
if ($debug);
DBQueryFatal("replace into nodetypeXpid_permissions ".
"(pid, type) ".
"values ('$pid', '$newtype')")
#
# Make sure there is a minus policy in the group_policies table;
# If not, then granting permission to use this type is silly, and
# probably means that the group_policies table needs updating.
#
$query_result =
DBQueryFatal("select * from group_policies ".
"where pid='-' and policy='type' and auxdata='$newtype'");
exit(0)
if (!$query_result);
if (!$query_result->num_rows) {
die("*** $0:\n".
" There is no '-' policy for node type $newtype! Stopping.\n");
}
#
# Add generic rules that say the project is allowed to use "infinite"
# number of nodes of each type.
#
DBQueryFatal("replace into group_policies ".
"(pid, gid, policy, auxdata, count) ".
"values ('$pid', '$pid', 'type', '$newtype', 999999)")
if (!$impotent);
}
#
# Now update the permissions table.
#
system($update_perms);
exit($? >> 8)
if ($?);
exit(0);
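Review bot: The new `foreach` loop can stop part-way, either at the `die` for a missing '-' policy or at `exit(0)` on an empty result, after earlier iterations have already written `group_policies` rows; in both cases `system($update_perms)` never runs, so the nodetypeXpid_permissions cache is left out of step with the policy table it mirrors, and `exit(0)` additionally reports success. Checking every type before writing any, as sketched below, avoids that partial state. The `system()` call is also not guarded by `$impotent` (which looks like a dry-run flag, set outside the hunk), and `exit($? >> 8)` yields 0 when update_permissions is killed by a signal. `$pid` and `$newtype` are interpolated straight into the SQL text, including in the new select; whatever validation they get happens outside the hunk and is worth confirming.

```perl
# Pass 1: refuse to write anything unless every type has a '-' policy.
foreach my $newtype (keys(%newtypes)) {
    my $policy_result =
	DBQueryFatal("select * from group_policies ".
		     "where pid='-' and policy='type' and auxdata='$newtype'");
    if (!$policy_result || !$policy_result->num_rows) {
	die("*** $0:\n".
	    "    There is no '-' policy for node type $newtype! Stopping.\n");
    }
}
# Pass 2: all types checked, now grant them.
foreach my $newtype (keys(%newtypes)) {
    # … unchanged: debug print and "replace into group_policies" …
}
# Rebuild the permissions cache only when something was actually written.
if (!$impotent) {
    system($update_perms);
    exit(($? >> 8) || 1)
	if ($?);
}
exit(0);
```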