Commit bd7d9d05 authored by Leigh Stoller's avatar Leigh Stoller

Extension policy changes:

* New tables to store policies for users and projects/groups. At the
  moment, there is only one policy (with associated reason); disabled.
  This allows us to mark projects/groups/users with enable/disable
  flags. Note that policies are applied consecutively, so you can
  disable extensions for a project, but enable them for a user in that
  project.

* Apply extensions when experiments are created, send mail to the audit
  log when policies cause extensions to be disabled.

* New driver script (manage_extensions) to change the policy tables.
parent e1b6076f
......@@ -1183,6 +1183,98 @@ sub AptAggregateList($)
return @results;
}
#
# Apply extension policies.
#
sub ApplyExtensionPolicies($)
{
my ($self) = @_;
my $uuid = $self->uuid();
my $pid = $self->pid();
my $name = $self->name();
my $pid_idx = $self->pid_idx();
my $gid_idx = $self->gid_idx();
my $uid_idx = $self->creator_idx();
my $current = $self->extension_disabled();
my $policy;
my $disabled = 0;
my $reason;
#
# Apply in order project, group, then user.
#
my $query_result =
DBQueryWarn("select disabled,reason from apt_extension_group_policies ".
"where pid_idx='$pid_idx' and gid_idx=pid_idx");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
($disabled,$reason) = $query_result->fetchrow_array();
if ($disabled && !defined($reason)) {
$reason = "project restriction";
}
$policy = "Project";
}
$query_result =
DBQueryWarn("select disabled,reason from apt_extension_group_policies ".
"where pid_idx='$pid_idx' and gid_idx='$gid_idx'");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
my ($d,$r) = $query_result->fetchrow_array();
if ($d) {
$disabled = 1;
$reason = (defined($r) ? $r : "group restriction");
}
else {
$disabled = 0;
$reason = undef;
}
$policy = "Group";
}
$query_result =
DBQueryWarn("select disabled,reason from apt_extension_user_policies ".
"where uid_idx='$uid_idx'");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
my ($d,$r) = $query_result->fetchrow_array();
if ($d) {
$disabled = 1;
$reason = (defined($r) ? $r : "user restriction");
}
else {
$disabled = 0;
$reason = undef;
}
$policy = "User";
}
# Apply disabled flag
$self->Update({"extension_disabled" => $disabled}) == 0
or return -1;
# Set the reason only if disabled, clear otherwise.
if ($disabled && defined($reason)) {
$self->Update({"extension_disabled_reason" => $reason}) == 0
or return -1;
}
else {
DBQueryWarn("update apt_instances set extension_disabled_reason=NULL ".
"where uuid='$uuid'")
or return -1;
}
if ($disabled != $current) {
my $which = ($disabled ? "disabled" : "enabled");
SENDMAIL($TBAUDIT,
"Portal experiment $uuid extensions $which",
"$policy policy has $which extensions for $pid/$name\n\n".
(defined($reason) ? "Reason:\n$reason\n\n" : "").
$self->adminURL() . "\n",
$TBOPS);
}
return 0;
}
###################################################################
package APT_Instance::ExtensionInfo;
use emdb;
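Review bot: `$policy` is declared empty at `my $policy;` and is only assigned inside the three `numrows` branches, so when no policy row matches but `$current` is true, the `$disabled != $current` branch reaches `SENDMAIL($TBAUDIT, ...)` with `$policy` undefined and the audit subject/body reads "policy has enabled extensions" plus an uninitialized-value warning. Initialising it, `my $policy = "Default";`, keeps the re-enable message well-formed. Separately, the clear-reason path issues a raw `update apt_instances set extension_disabled_reason=NULL where uuid='$uuid'` while the set path goes through `$self->Update(...)`; if Update() maps undef to NULL (not visible here), `$self->Update({"extension_disabled_reason" => undef})` would keep both writes on the same quoting code. The header comment could also spell out the precedence the code implements: `# Applied project, then group, then user; the last matching row wins, so an explicit enable at a narrower scope overrides a disable at a wider one.`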
......@@ -33,7 +33,7 @@ SUBDIRS =
BIN_SCRIPTS = manage_profile manage_instance manage_dataset \
create_instance rungenilib ns2rspec nsgenilib.py \
rspec2genilib ns2genilib manage_reservations manage_gitrepo \
manage_images rtecheck checkprofile
manage_images rtecheck checkprofile manage_extensions
SBIN_SCRIPTS = apt_daemon aptevent_daemon portal_xmlrpc apt_checkup \
portal_monitor
LIB_SCRIPTS = APT_Profile.pm APT_Instance.pm APT_Dataset.pm APT_Geni.pm \
......@@ -874,6 +874,11 @@ if (!defined($instance)) {
fatal(defined($errmsg) ? $errmsg :
"Could not create instance record for $quickvm_uuid");
}
# Apply policies,
if ($instance->ApplyExtensionPolicies()) {
$instance->Delete();
fatal("Error applying policies");
}
#
# Get the set of keys (accounts) that need to be sent along. We build
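Review bot: The comment `# Apply policies,` stops mid-sentence and does not say what a failure means for the caller; `# Apply extension policies; a DB error aborts creation rather than leaving the instance ungoverned.` documents the fail-closed choice the `$instance->Delete(); fatal(...)` lines make. The return of `$instance->Delete()` is not checked, but since `fatal()` follows either way that only affects whether a leftover record is reported. The enclosing block starts before this hunk.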
......@@ -63,6 +63,7 @@ sub usage()
print("Usage: manage_instance idledata instance\n");
print("Usage: manage_instance openstackstats instance\n");
print("Usage: manage_instance getmanifests instance\n");
print("Usage: manage_instance applyextensionpolicy instance\n");
exit(-1);
}
my $optlist = "dt:s";
......@@ -142,6 +143,7 @@ sub DoCheckAutoApprove();
sub CheckAutoApprove($$);
sub CheckReservationInternal($$$);
sub DoMaxExtension();
sub DoApplyExtensionPolicy();
sub WriteCredentials();
sub StartMonitor();
sub StartMonitorInternal(;$@);
......@@ -278,6 +280,9 @@ elsif ($action eq "maxextension") {
elsif ($action eq "checkautoapprove") {
DoCheckAutoApprove()
}
elsif ($action eq "applyextensionpolicy") {
DoApplyExtensionPolicy()
}
else {
usage();
}
......@@ -4276,6 +4281,20 @@ sub DoSchedTerminate()
exit($errcode);
}
#
# Apply extension policies.
#
sub DoApplyExtensionPolicy()
{
if ($instance->ApplyExtensionPolicies()) {
fatal("Could not apply extension policies!");
}
$instance->Refresh();
my $disabled = ($instance->extension_disabled() ? "disabled" : "enabled");
print "Extensions are now $disabled\n";
}
#
# Write instance credentials to files.
#
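Review bot: `$instance->Refresh();` in `DoApplyExtensionPolicy` discards its return value, so if the refresh fails the `print "Extensions are now $disabled\n"` line reports the object's pre-update `extension_disabled()` value as the new state. If Refresh() follows the 0-on-success convention that `ApplyExtensionPolicies()` uses, `$instance->Refresh() == 0 or fatal("Could not refresh instance");` keeps the printed status honest; I cannot see Refresh() from this hunk. The neighbouring `DoSchedTerminate` ends with `exit($errcode)` while this handler falls through to the dispatcher, which is fine if the dispatcher exits 0 after the `elsif` chain (not visible here).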
......@@ -173,6 +173,40 @@ CREATE TABLE `apt_datasets` (
UNIQUE KEY `uuid` (`uuid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Table structure for table `apt_extension_group_policies`
--
DROP TABLE IF EXISTS `apt_extension_group_policies`;
CREATE TABLE `apt_extension_group_policies` (
`pid` varchar(48) default NULL,
`pid_idx` mediumint(8) unsigned NOT NULL default '0',
`gid` varchar(32) NOT NULL default '',
`gid_idx` mediumint(8) unsigned NOT NULL default '0',
`creator` varchar(8) default NULL,
`creator_idx` mediumint(8) unsigned default NULL,
`disabled` tinyint(1) NOT NULL default '0',
`created` datetime default NULL,
`reason` mediumtext,
PRIMARY KEY (`pid_idx`,`gid_idx`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Table structure for table `apt_extension_user_policies`
--
DROP TABLE IF EXISTS `apt_extension_user_policies`;
CREATE TABLE `apt_extension_user_policies` (
`uid` varchar(8) default NULL,
`uid_idx` mediumint(8) unsigned NOT NULL default '0',
`creator` varchar(8) default NULL,
`creator_idx` mediumint(8) unsigned default NULL,
`disabled` tinyint(1) NOT NULL default '0',
`created` datetime default NULL,
`reason` mediumtext,
PRIMARY KEY (`uid_idx`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Table structure for table `apt_instance_aggregate_history`
--
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
if (!DBTableExists("apt_extension_group_policies")) {
DBQueryFatal("CREATE TABLE `apt_extension_group_policies` ( ".
" `pid` varchar(48) default NULL, ".
" `pid_idx` mediumint(8) unsigned NOT NULL default '0', ".
" `gid` varchar(32) NOT NULL default '', ".
" `gid_idx` mediumint(8) unsigned NOT NULL default '0', ".
" `creator` varchar(8) default NULL, ".
" `creator_idx` mediumint(8) unsigned default NULL, ".
" `disabled` tinyint(1) NOT NULL default '0', ".
" `created` datetime default NULL, ".
" `reason` mediumtext, ".
" PRIMARY KEY (`pid_idx`,`gid_idx`) ".
") ENGINE=MyISAM DEFAULT CHARSET=latin1");
}
if (!DBTableExists("apt_extension_user_policies")) {
DBQueryFatal("CREATE TABLE `apt_extension_user_policies` ( ".
" `uid` varchar(8) default NULL, ".
" `uid_idx` mediumint(8) unsigned NOT NULL default '0', ".
" `creator` varchar(8) default NULL, ".
" `creator_idx` mediumint(8) unsigned default NULL, ".
" `disabled` tinyint(1) NOT NULL default '0', ".
" `created` datetime default NULL, ".
" `reason` mediumtext, ".
" PRIMARY KEY (`uid_idx`) ".
") ENGINE=MyISAM DEFAULT CHARSET=latin1");
}
return 0;
}
# Local Variables:
# mode:perl
# End: