"""
Configures acls for various users/groups so they can access the cobbler command
line as non-root. Now that CLI is largely remoted (XMLRPC) this is largely just
useful for not having to log in (access to shared-secret) file but also grants
access to hand-edit various cobbler_collections files and other useful things.
"""
import shlex

from builtins import object

from cobbler.cexceptions import CX
from cobbler import clogger
from cobbler import utils
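class AclConfig(object):
    """
    Grant or revoke POSIX ACLs on the Cobbler state directories so that a
    non-root user or group can use the CLI and hand-edit collection files.

    Every directory touched here gets ``rwx`` (``/etc/cobbler`` included, which
    holds the settings and the shared secret), so handing out these ACLs is
    effectively handing out full Cobbler administration rights.
    """

    def __init__(self, collection_mgr, logger=None):
        """
        Constructor

        :param collection_mgr: The collection manager; its ``api`` and
                               ``settings()`` are cached on the instance.
        :param logger: Logger to use; a fresh ``clogger.Logger()`` is created
                       when ``None`` is passed.
        """
        self.collection_mgr = collection_mgr
        self.api = collection_mgr.api
        self.settings = collection_mgr.settings()
        if logger is None:
            logger = clogger.Logger()
        self.logger = logger

    def run(self, adduser=None, addgroup=None, removeuser=None, removegroup=None):
        """
        Automate setfacl commands.

        The requests are processed in the fixed order add-user, add-group,
        remove-user, remove-group; each one that is set (non-empty) is applied.

        :param adduser: User name to grant access to.
        :param addgroup: Group name to grant access to.
        :param removeuser: User name whose ACL entries are removed.
        :param removegroup: Group name whose ACL entries are removed.
        :raises CX: if none of the four arguments was given.
        """
        requests = (
            (adduser, True, True),
            (addgroup, True, False),
            (removeuser, False, True),
            (removegroup, False, False),
        )
        did_work = False
        for who, isadd, isuser in requests:
            if who:
                did_work = True
                self.modacl(isadd, isuser, who)
        if not did_work:
            raise CX("no arguments specified, nothing to do")

    @staticmethod
    def _check_name(who):
        """
        Reject names that cannot be placed into a setfacl ACL entry.

        ``:`` separates the fields of an entry and ``,`` separates entries, so
        a name containing either would let the caller inject extra ACL entries
        (e.g. a second ``u:...`` or an ``m::`` mask change). Whitespace is
        refused as well so the name is a single word on the command line.

        :param who: The user or group name as given on the command line.
        :raises CX: if the name is empty or contains a forbidden character.
        """
        if not who:
            raise CX("user/group name must not be empty")
        if ":" in who or "," in who or any(ch.isspace() for ch in who):
            raise CX("invalid user/group name: %r" % (who,))

    @staticmethod
    def _setfacl_args(isadd, isuser, who, how):
        """
        Build the setfacl argument string for one ACL entry (without ``-d``
        and without the path).

        The entry is shell-quoted because the command is run through a shell;
        for ordinary names ``shlex.quote`` leaves it untouched, so the result
        is e.g. ``-R -m u:alice:rwx`` or ``-R -x g:wheel``.

        :param isadd: True to add/modify the entry (``-m``), False to remove it (``-x``).
        :param isuser: True for a user entry (``u:``), False for a group entry (``g:``).
        :param who: The user or group name.
        :param how: Permission string (``rwx``, ``r``...), only used when adding.
        :return: The argument string.
        """
        entry = "%s:%s" % ("u" if isuser else "g", who)
        if isadd:
            entry = "%s:%s" % (entry, how)
        action = "-m" if isadd else "-x"
        return "-R %s %s" % (action, shlex.quote(entry))

    def _run_setfacl(self, args):
        """
        Run ``setfacl`` with the given argument string and die if it fails.

        :param args: Everything after ``setfacl`` on the command line.
        """
        rc = utils.subprocess_call(self.logger, "setfacl %s" % args, shell=True)
        if rc != 0:
            utils.die(self.logger, "command failed")

    def modacl(self, isadd, isuser, who):
        """
        Add or remove the ACL entry for ``who`` on every Cobbler directory.

        For each directory the default ACL (``setfacl -d``, inherited by
        newly created entries) is changed first, then the access ACL. Both
        calls are recursive (``-R``).

        :param isadd: True to grant, False to revoke.
        :param isuser: True if ``who`` is a user, False if it is a group.
        :param who: The user or group name.
        :raises CX: if ``who`` is not a safe name or a setfacl call fails.
        """
        self._check_name(who)
        snipdir = self.settings.autoinstall_snippets_dir
        tftpboot = self.settings.tftpboot_location
        process_dirs = {
            "/var/log/cobbler": "rwx",
            "/var/log/cobbler/tasks": "rwx",
            "/var/lib/cobbler": "rwx",
            "/etc/cobbler": "rwx",
            tftpboot: "rwx",
            "/var/lib/cobbler/triggers": "rwx",
        }
        # A snippets directory below /var/lib/cobbler is already covered above;
        # one living elsewhere is only made readable, not writable.
        if not snipdir.startswith("/var/lib/cobbler/"):
            process_dirs[snipdir] = "r"
        for path, how in process_dirs.items():
            # Paths come from settings; quote them so a space or shell
            # metacharacter in a configured location cannot break the command.
            args = "%s %s" % (self._setfacl_args(isadd, isuser, who, how), shlex.quote(path))
            self._run_setfacl("-d %s" % args)
            self._run_setfacl(args)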