Source code for cobbler.actions.acl

"""
Configures ACLs for various users/groups so they can access the cobbler command
line as non-root.  Now that the CLI is largely remote (XMLRPC), this is mainly
useful for not having to log in (it grants access to the shared-secret file),
but it also grants access to hand-edit various cobbler_collections files and
other useful things.
"""


from builtins import object
from cobbler.cexceptions import CX
from cobbler import clogger
from cobbler import utils


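class AclConfig(object):
    """
    Grant or revoke filesystem ACLs on cobbler's directories with ``setfacl``.
    """

    def __init__(self, collection_mgr, logger=None):
        """
        Constructor

        :param collection_mgr: collection manager; its ``api`` attribute and
                               ``settings()`` result are kept on the instance.
        :param logger: logger to use; a ``clogger.Logger`` is created when None.
        """
        self.collection_mgr = collection_mgr
        self.api = collection_mgr.api
        self.settings = collection_mgr.settings()
        if logger is None:
            logger = clogger.Logger()
        self.logger = logger

    def run(self, adduser=None, addgroup=None, removeuser=None, removegroup=None):
        """
        Automate setfacl commands

        Each truthy argument triggers one ``modacl`` call, in the order
        adduser, addgroup, removeuser, removegroup.

        :param adduser: user name to grant access to.
        :param addgroup: group name to grant access to.
        :param removeuser: user name to revoke access from.
        :param removegroup: group name to revoke access from.
        :raises CX: if none of the four arguments is set.
        """
        ok = False
        if adduser:
            ok = True
            self.modacl(True, True, adduser)
        if addgroup:
            ok = True
            self.modacl(True, False, addgroup)
        if removeuser:
            ok = True
            self.modacl(False, True, removeuser)
        if removegroup:
            ok = True
            self.modacl(False, False, removegroup)
        if not ok:
            raise CX("no arguments specified, nothing to do")

    def modacl(self, isadd, isuser, who):
        """
        Add or remove an ACL entry for one user or group on every cobbler
        directory, recursively, for both the default and the access ACL.

        :param isadd: True to add/modify the entry (``-m``), False to remove
                      it (``-x``).
        :param isuser: True if ``who`` is a user name, False for a group name.
        :param who: the user or group name.
        :raises CX: if ``who`` contains ``:`` or ``,``.
        """
        # Function-scope import so the fix does not depend on the file header;
        # the fallback keeps Python 2 working, where quote() lives in pipes.
        try:
            from shlex import quote
        except ImportError:
            from pipes import quote

        who = "%s" % who
        # ':' separates the fields of an ACL entry and ',' separates entries,
        # so a name containing either could change the permissions or append
        # further entries to what setfacl is asked to apply.
        if ":" in who or "," in who:
            raise CX("invalid user or group name for ACL: %s" % who)

        snipdir = self.settings.autoinstall_snippets_dir
        tftpboot = self.settings.tftpboot_location

        process_dirs = {
            "/var/log/cobbler": "rwx",
            "/var/log/cobbler/tasks": "rwx",
            "/var/lib/cobbler": "rwx",
            "/etc/cobbler": "rwx",
            tftpboot: "rwx",
            "/var/lib/cobbler/triggers": "rwx"
        }
        # A snippets dir under /var/lib/cobbler/ is already covered by the
        # recursive entry above; anywhere else it only gets read access.
        if not snipdir.startswith("/var/lib/cobbler/"):
            process_dirs[snipdir] = "r"

        flags = "-R -m" if isadd else "-R -x"
        kind = "u" if isuser else "g"

        for path, how in process_dirs.items():
            spec = "%s:%s" % (kind, who)
            if isadd:
                spec = "%s:%s" % (spec, how)
            # The command line is handed to a shell (shell=True), so the
            # caller-supplied name and the settings-derived paths are quoted
            # to keep shell metacharacters from being interpreted.
            args = "%s %s %s" % (flags, quote(spec), quote(path))
            # -d sets the default ACL (inherited by new files), the plain
            # call sets the access ACL on what already exists.
            for template in ("setfacl -d %s", "setfacl %s"):
                rc = utils.subprocess_call(self.logger, template % args, shell=True)
                if rc != 0:
                    utils.die(self.logger, "command failed")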