Commit e0234031 authored by Leigh Stoller's avatar Leigh Stoller

Add revoke option (-r) to grantnodetype script. Does what you think it does.

Change the code that rebuilds nodetypeXpid_permissions so that if
a node is specifically revoked, make sure it is granted to all
other projects. This is kinda gross, but in fact, we really need to
ditch nodetypeXpid_permissions and use the policy tables directly,
but I do not have time to do that.

Remove all that robot lab open/close stuff in libadminctrl. Silly
stuff that is no longer used.
parent 9dce4f34
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# Copyright (c) 2000-2010 University of Utah and the Flux Group.
# All rights reserved.
#
#
......@@ -863,86 +863,6 @@ sub TestPolicies($$$$)
$failcount++
if (!$result);
}
# Skip Robot Lab checks if already failed.
return 0
if ($failcount);
#
# The Robot lab stuff is handled specially until I come up with a better
# approach for global policies.
#
my $robotlab_isopen;
return -1
if (! TBGetSiteVar("robotlab/open", \$robotlab_isopen));
if ($robotlab_isopen) {
#
# If the lab is open, then normal policies apply, except for
# exclusive use of the lab.
#
my $robotlab_exclusive;
return -1
if (! TBGetSiteVar("robotlab/exclusive", \$robotlab_exclusive));
if ($robotlab_exclusive) {
# See who is using the Robot lab.
my ($rpid, $reid);
if (TBRobotLabExpt(\$rpid, \$reid) &&
! ($pid eq $rpid && $eid eq $reid)) {
#
# Lab in use by another experiment.
#
foreach my $type (keys(%node_types)) {
my $class = $node_types{$type};
if ($class eq "robot") {
if ($assignflag) {
UpdateForAssign($type, 0);
}
else {
#
# If user wants a robot type, then fail cause
# the lab is currently closed.
#
if (exists($virt_types{$type}) ||
exists($virt_classes{$class})) {
Declare("The Robot Lab is already in use!");
$failcount++;
}
}
}
}
}
}
}
else {
#
# Lab is closed. Make sure assign gets zeros for the types, or if
# doing the prepass, check for user defined usage.
#
foreach my $type (keys(%node_types)) {
my $class = $node_types{$type};
if ($class eq "robot") {
if ($assignflag) {
UpdateForAssign($type, 0);
}
else {
#
# If user wants a robot type, then fail cause the lab
# is currently closed.
#
if (exists($virt_types{$type}) ||
exists($virt_classes{$class})) {
Declare("The Robot Lab is closed!");
$failcount++;
}
}
}
}
}
return 0
if ($failcount);
return 1;
......@@ -957,10 +877,31 @@ sub UpdateNodeTypeXpidPermissions()
my %plus_policies = ();
my %permissions = ();
my $defgroup = Group->Lookup(TBOPSPID(), TBOPSPID());
if (!defined($defgroup)) {
Declare("Could not get operations group\n");
return -1;
}
#
# For non-zero defaults, we have to explicitly grant permission
# to everyone. It will get revoked below if there is a group
# policy.
#
my $query_result =
DBQueryWarn("select pid_idx from projects");
return -1
if (!$query_result);
my @allprojects = ();
while (my ($pid_idx) = $query_result->fetchrow_array()) {
push(@allprojects, $pid_idx);
$permissions{$pid_idx} = {};
}
#
# Get global policies
#
my $query_result =
$query_result =
DBQueryWarn("select * from group_policies ".
"where pid='+' or pid='-' ".
"order by pid,gid desc");
......@@ -987,6 +928,24 @@ sub UpdateNodeTypeXpidPermissions()
elsif ($ppid eq "-") {
$minus_policies{$auxdata} = $count;
}
#
# Anything that has a default must be in the table for it to
# work right. At some point, this table must go away, but for
# now the use emulab-ops for the default cause emulab-ops always
# has access to everything.
#
$permissions{$defgroup->gid_idx()}->{$auxdata} = $count;
#
# And if the number is positive, must insert an entry for
# everyone, which might get removed below.
#
if ($count) {
foreach my $pid_idx (@allprojects) {
$permissions{$pid_idx}->{$auxdata} = $count;
}
}
}
#
......@@ -1011,20 +970,22 @@ sub UpdateNodeTypeXpidPermissions()
print "Type Perm: $ppid, $pgid, $count, $auxdata\n";
}
next
if ($count == 0);
my $group = Group->Lookup($gid_idx);
next
if (!defined($group) || !$group->IsProjectGroup());
next
if (exists($plus_policies{$auxdata}) &&
plus_policies{$auxdata} == 0);
$permissions{"$gid_idx"} = {}
if (!exists($permissions{"$gid_idx"}));
if ($count == 0 ||
(exists($plus_policies{$auxdata}) &&
plus_policies{$auxdata} == 0)) {
delete($permissions{"$gid_idx"}->{$auxdata})
if (exists($permissions{"$gid_idx"}->{$auxdata}));
next;
}
$permissions{"$gid_idx"}->{$auxdata} = 1;
}
......
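Review bot: In the rewritten condition of the per-group loop in UpdateNodeTypeXpidPermissions, the second operand is rendered as `plus_policies{$auxdata} == 0` with no `$` sigil, so as shown it does not read the `%plus_policies` hash that the `exists()` test on the line before checks. This branch decides whether a project's entry is deleted from `%permissions`, so an error here could leave a node type granted that a global policy of zero was meant to withhold. It should read `$plus_policies{$auxdata} == 0`. The same spelling appears in the removed lines, so it may predate this commit or be a rendering artifact; confirm against the file. The function body starts and ends outside the hunks.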
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2009 University of Utah and the Flux Group.
# Copyright (c) 2000-2010 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
......@@ -49,6 +49,7 @@ my $MKACCT = "$TB/sbin/tbacct add";
my $CVSBIN = "/usr/bin/cvs";
my $CHOWN = "/usr/sbin/chown";
my $GRANTTYPE = "$TB/sbin/grantnodetype -d";
my $UPDATEPERMS = "$TB/sbin/update_permissions";
my $ELABINELAB = @ELABINELAB@;
my $WIKISUPPORT = @WIKISUPPORT@;
my $BUGDBSUPPORT = @BUGDBSUPPORT@;
......@@ -493,6 +494,17 @@ if (!$ELABINELAB) {
}
}
}
else {
#
# Need to update the permissions table.
#
$EUID = $UID;
system("$UPDATEPERMS") == 0 or
fatal("Could not update permissions table!");
$EUID = 0;
}
}
#
......
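Review bot: The new `system("$UPDATEPERMS")` call in the `else` branch discards the child's exit status, so a failure is reported only as "Could not update permissions table!" with nothing to diagnose from. Since the script runs under `-T` and toggles `$EUID` around the call, I would drop the needless string interpolation and include the status: `system($UPDATEPERMS) == 0 or fatal("Could not update permissions table! (status $?)");`. A short comment above `$EUID = $UID;`, such as `# Drop root for the helper; restored below.`, would make the privilege flip easier to audit. The `if` that this `else` belongs to opens outside the hunk.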
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2003, 2005, 2007 University of Utah and the Flux Group.
# Copyright (c) 2003-2010 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -17,13 +17,15 @@ use Getopt::Std;
#
sub usage()
{
print STDERR "Usage: grantnodetype [-h] -p <pid> <type>\n";
print STDERR "Usage: grantnodetype [-h] [-r] -p <pid> <type>\n";
print STDERR " -h This message\n";
print STDERR " -r Revoke access instead of grant\n";
exit(-1);
}
my $optlist = "hp:dn";
my $optlist = "hp:dnr";
my $impotent = 0;
my $debug = 0;
my $revoke = 0;
my %newtypes = ();
my $pid;
......@@ -77,6 +79,9 @@ if (defined($options{h})) {
if (defined($options{n})) {
$impotent = 1;
}
if (defined($options{r})) {
$revoke = 1;
}
if (defined($options{d})) {
$debug = 1;
}
......@@ -163,7 +168,9 @@ while (my ($nodetype,$nodeclass) = $query_result->fetchrow_array()) {
# Run the queries.
#
foreach my $newtype (keys(%newtypes)) {
print STDERR "Granting permission to use type $newtype\n"
print STDERR
($revoke ? "Revoking" : "Granting") . " " .
"permission to use type $newtype\n"
if ($debug);
#
......@@ -186,11 +193,13 @@ foreach my $newtype (keys(%newtypes)) {
#
# Add generic rules that say the project is allowed to use "infinite"
# number of nodes of each type.
#
#
my $count = ($revoke ? 0 : 999999);
DBQueryFatal("replace into group_policies ".
"(pid_idx, gid_idx, pid, gid, policy, auxdata, count) ".
"values ($pid_idx, $pid_idx, '$pid', '$pid', ".
" 'type', '$newtype', 999999)")
" 'type', '$newtype', $count)")
if (!$impotent);
}
......
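Review bot: The comment above the `replace into group_policies` statement still says the rule allows an "infinite" number of nodes, but with `-r` the statement now writes a `count` of 0, so the comment no longer describes what the query does. Suggest rewording it to something like `# Write a per-project 'type' rule: 999999 ("infinite") to grant, 0 to revoke (-r).`. The statement also interpolates `$pid` and `$newtype` inside quotes, and whether they are validated before this point is not visible in the hunk, so confirm that before relying on the revoke path. The `foreach` body begins in the previous hunk.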