#!/usr/bin/perl -w
#
# Copyright (c) 2003-2017 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#
use strict;
use English;
use Getopt::Std;

#
# Grant and revoke permission to use specific images.
#
#
# Print the help text to STDERR and exit non-zero. The empty prototype is
# kept as-is: every call site in this script uses usage() with parens.
# (-n and -d are also accepted by getopts but are not listed here.)
#
sub usage()
{
    my @lines = (
	"Usage: grantimage [-r] [-w] [-x] [-g <gid> | -u <uid> | -a] <imageid>",
	"       grantimage -l <imageid>",
	"\t-h   This message",
	"\t-l   List permissions",
	"\t-w   Grant write permission; defaults to read only",
	"\t-r   Revoke access instead of grant",
	"\t-u   Grant access to a specific user",
	"\t-g   Grant access to a specific group (project)",
	"\t-a   Grant global read-only access",
	"\t-x   Also grant access to protogeni users",
	"      -c   Set the noclone flag. Clear with -r",
	"      -p   Set the noexport flag. Clear with -r",
	"      -V   Apply mods to all image Versions",
	"Alternate form for permissions:",
	"  -R acl   Grant project|global read-only access",
	"  -W acl   Grant creator|project write access",
    );
    print STDERR map { "$_\n" } @lines;
    exit(-1);
}
#
# getopts() spec: h d n r w l a x c p V are bare switches; g u R W take a
# value. (-n and -d are accepted, but nothing below reads $impotent or
# $debug.)
#
my $optlist  = "hg:dnru:wlaxR:W:cpV";

# On/off switches, all off until the command line turns them on.
my ($impotent, $debug, $revoke, $writable, $listonly) = (0) x 5;
my ($global, $protogeni, $noclone, $noexport, $allvers) = (0) x 5;

# Filled in from -g/-u, the Group/User object one of them resolves to,
# and the -R/-W acl words.
my ($gid, $uid, $target);
my ($read_access, $write_access);

# Protos
sub fatal($);

#
# Refuse to run as root; changes made that way are hard to attribute
# afterwards.
#
die("*** $0:\n    Please do not run this as root!\n")
    if ($UID == 0);

#
# Configure variables
#
my $TB            = "@prefix@";          # @...@ tokens are filled in by configure
my $PGENISUPPORT  = @PROTOGENI_SUPPORT@; # configure substitutes a literal; used as a boolean below
my $POSTIMAGEDATA = "$TB/sbin/protogeni/postimagedata"; # run via system() at the end

#
# Testbed Support libraries
#
use lib "@prefix@/lib";
use emdb;
use EmulabConstants;
use libtestbed;
use Experiment;
use Project;
use Group;
use User;
use OSImage;
use libEmulab;

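#
# Turn off output buffering so progress messages appear as they happen.
#
$| = 1;

#
# Pin down the search path for anything we exec (postimagedata below, and
# whatever it runs in turn inherits this). The previous value ended in ":",
# i.e. an empty PATH element, which the shell treats as the current
# directory -- so the trailing separator is dropped here.
#
$ENV{'PATH'} = "/bin:/sbin:/usr/bin";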

#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
getopts($optlist, \%options) or usage();
usage()
    if (defined($options{h}));

#
# Plain on/off switches: option letter => the flag it turns on.
# (-n and -d are accepted and recorded, but nothing later in this script
# consults $impotent or $debug.)
#
my %flag_for_switch = (
    'l' => \$listonly,
    'n' => \$impotent,
    'a' => \$global,
    'r' => \$revoke,
    'd' => \$debug,
    'w' => \$writable,
    'x' => \$protogeni,
    'c' => \$noclone,
    'p' => \$noexport,
    'V' => \$allvers,
);
foreach my $switch (keys %flag_for_switch) {
    ${ $flag_for_switch{$switch} } = 1
	if (defined($options{$switch}));
}

#
# Switches that carry an argument. -R/-W only accept a fixed vocabulary.
#
$gid = $options{g}
    if (defined($options{g}));
$uid = $options{u}
    if (defined($options{u}));

if (defined($options{"R"})) {
    $read_access = $options{"R"};
    usage()
	if ($read_access !~ /^(global|project)$/);
}
if (defined($options{"W"})) {
    $write_access = $options{"W"};
    usage()
	if ($write_access !~ /^(creator|project)$/);
}

#
# Exactly one image, and at least one thing to do to it. Note that -w, -x
# and -r on their own do not count as an action.
#
usage()
    if (@ARGV != 1);
my $have_action = ($listonly || $global ||
		   defined($gid) || defined($uid) ||
		   defined($read_access) || defined($write_access) ||
		   $noclone || $noexport);
usage()
    if (!$have_action);

# The image argument as typed; replaced further down by the id the image
# object reports once the lookup has succeeded.
my $imageid = $ARGV[0];

#
# Verify user.
#
my $this_user = User->ThisUser();
fatal("You ($UID) do not exist!")
    unless (defined($this_user));

#
# Resolve the -g/-u target, if one was given. Only one of them is used,
# and a group wins when both are present. (These messages end in "\n",
# which fatal() then follows with another newline.)
#
my ($target_class, $target_name, $target_desc) =
    defined($gid) ? ("Group", $gid, "project or group") :
    defined($uid) ? ("User",  $uid, "user")             : ();
if (defined($target_class)) {
    $target = $target_class->Lookup($target_name);
    unless (defined($target)) {
	fatal("No such $target_desc $target_name\n");
    }
}
my $image = OSImage->Lookup($imageid);
fatal("No such image exists")
    unless (defined($image));
# From here on use the id the image object reports rather than the
# argument as typed; the -l query below interpolates this value.
$imageid = $image->imageid();

# The caller needs export rights on the image to touch its permissions.
unless ($image->AccessCheck($this_user, TB_IMAGEID_EXPORT())) {
    fatal("You do not have permission to change the external permissions");
}

#
# Carry out the requested operation. The tests are ordered, so -l beats
# everything else, -c/-p beat -a/-R, and so on; the first two branches
# exit here, the others fall through to the image-server post below.
#
# Three branches flip the protogeni_export flag the same way.
#
my $set_protogeni_export = sub {
    my ($onoff) = @_;

    $image->Update({"protogeni_export" => $onoff}, $allvers) == 0
	or fatal("Could not update protogeni flag");
};

if ($listonly) {
    #
    # -l: dump the image_permissions rows for this image.
    #
    # $imageid was replaced above with the value the image object reports,
    # not the raw command-line argument, but it is still interpolated into
    # the SQL; routing it through the DB layer's quoting would be safer.
    #
    my $rows = DBQueryFatal("select * from image_permissions ".
			    "where imageid='$imageid'");

    while (my $row = $rows->fetchrow_hashref()) {
	my $desc = "$row->{'permission_type'}: $row->{'permission_id'} ".
	    "($row->{'permission_idx'}) ";
	$desc .= "writable" if ($row->{'allow_write'});
	print "$desc\n";
    }
    exit(0);
}
elsif ($noclone || $noexport) {
    #
    # -c/-p set the flag(s); with -r they are cleared instead. The return
    # value of Update() is not checked in this branch.
    #
    my $flagval = ($revoke ? 0 : 1);
    my @flags;
    push(@flags, "noclone")  if ($noclone);
    push(@flags, "noexport") if ($noexport);

    foreach my $flag (@flags) {
	$image->Update({$flag => $flagval}, $allvers);
    }
    exit(0);
}
elsif ($global || defined($read_access)) {
    #
    # -a / -R global turn global+shared on; -R project (or -r) turns them
    # off.
    #
    $revoke = 1
	if (defined($read_access) && $read_access eq "project");
    my $flagval = ($revoke ? 0 : 1);

    foreach my $flag ("global", "shared") {
	$image->Update({$flag => $flagval}, $allvers) == 0
	    or fatal("Could not update $flag flag");
    }
    $set_protogeni_export->('1')
	if ($protogeni);
}
elsif ($revoke) {
    #
    # -r with -g/-u. NOTE(review): $target is only set when -g or -u was
    # given, so "-r -W ..." on its own arrives here with $target undefined.
    #
    $image->RevokeAccess($target) == 0
	or fatal("Could not revoke permission for $target");
    $set_protogeni_export->('0')
	if ($protogeni);
}
elsif (defined($write_access)) {
    #
    # -W: reset the owning project's entry to read-only ("creator") or
    # read-write ("project"). Neither call's result is checked here.
    #
    my $project     = $image->GetProject();
    my $allow_write = ($write_access eq "creator" ? 0 : 1);

    $image->RevokeAccess($project);
    $image->GrantAccess($project, $allow_write);
}
else {
    #
    # Plain grant to the -g/-u target, read-only unless -w was given.
    #
    $image->GrantAccess($target, $writable) == 0
	or fatal("Could not grant permission for $target");
    $set_protogeni_export->('1')
	if ($protogeni);
}

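#
# Tell the image server about the change, when the site runs one. A
# failure here is reported but is not fatal.
#
if ($PGENISUPPORT &&
    GetSiteVar("protogeni/use_imagetracker")) {
    my $imageid = $image->imageid();
    print "Posting image $imageid to the image server ...\n";
    #
    # List form: the helper is exec'd directly rather than via /bin/sh, so
    # $imageid reaches it as a single argument whatever characters it holds.
    #
    system($POSTIMAGEDATA, $imageid);
    if ($?) {
	print STDERR "Could not post alias to the image server\n";
    }
}
exit(0);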

#
# Print a message in the script's standard "*** prog:" format and die.
# The ($) prototype matches the forward declaration near the top of the
# file and is kept for that reason.
#
sub fatal($)
{
    my $mesg = shift;

    die("*** $0:\n    $mesg\n");
}