import bcrypt
+from mgr_module import CLIReadCommand, CLIWriteCommand
+
from .. import mgr, logger
from ..security import Scope, Permission
from ..exceptions import RoleAlreadyExists, RoleDoesNotExist, ScopeNotValid, \
# CLI dashboard access control scope commands
-ACCESS_CONTROL_COMMANDS = [
- # for backwards compatibility
- {
- 'cmd': 'dashboard set-login-credentials '
- 'name=username,type=CephString '
- 'name=password,type=CephString',
- 'desc': 'Set the login credentials',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-role-show '
- 'name=rolename,type=CephString,req=false',
- 'desc': 'Show role info',
- 'perm': 'r'
- },
- {
- 'cmd': 'dashboard ac-role-create '
- 'name=rolename,type=CephString '
- 'name=description,type=CephString,req=false',
- 'desc': 'Create a new access control role',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-role-delete '
- 'name=rolename,type=CephString',
- 'desc': 'Delete an access control role',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-role-add-scope-perms '
- 'name=rolename,type=CephString '
- 'name=scopename,type=CephString '
- 'name=permissions,type=CephString,n=N',
- 'desc': 'Add the scope permissions for a role',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-role-del-scope-perms '
- 'name=rolename,type=CephString '
- 'name=scopename,type=CephString',
- 'desc': 'Delete the scope permissions for a role',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-show '
- 'name=username,type=CephString,req=false',
- 'desc': 'Show user info',
- 'perm': 'r'
- },
- {
- 'cmd': 'dashboard ac-user-create '
- 'name=username,type=CephString '
- 'name=password,type=CephString,req=false '
- 'name=rolename,type=CephString,req=false '
- 'name=name,type=CephString,req=false '
- 'name=email,type=CephString,req=false',
- 'desc': 'Create a user',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-delete '
- 'name=username,type=CephString',
- 'desc': 'Delete user',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-set-roles '
- 'name=username,type=CephString '
- 'name=roles,type=CephString,n=N',
- 'desc': 'Set user roles',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-add-roles '
- 'name=username,type=CephString '
- 'name=roles,type=CephString,n=N',
- 'desc': 'Add roles to user',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-del-roles '
- 'name=username,type=CephString '
- 'name=roles,type=CephString,n=N',
- 'desc': 'Delete roles from user',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-set-password '
- 'name=username,type=CephString '
- 'name=password,type=CephString',
- 'desc': 'Set user password',
- 'perm': 'w'
- },
- {
- 'cmd': 'dashboard ac-user-set-info '
- 'name=username,type=CephString '
- 'name=name,type=CephString '
- 'name=email,type=CephString',
- 'desc': 'Set user info',
- 'perm': 'w'
- }
-]
-
-
-def handle_access_control_command(cmd):
- if cmd['prefix'] == 'dashboard set-login-credentials':
- username = cmd['username']
- password = cmd['password']
- try:
- user = ACCESS_CTRL_DB.get_user(username)
- user.set_password(password)
- except UserDoesNotExist:
- user = ACCESS_CTRL_DB.create_user(username, password, None, None)
- user.set_roles([ADMIN_ROLE])
- ACCESS_CTRL_DB.save()
+@CLIWriteCommand('dashboard set-login-credentials',
+ 'name=username,type=CephString '
+ 'name=password,type=CephString',
+ 'Set the login credentials')
+def set_login_credentials_cmd(_, username, password):
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
+ user.set_password(password)
+ except UserDoesNotExist:
+ user = ACCESS_CTRL_DB.create_user(username, password, None, None)
+ user.set_roles([ADMIN_ROLE])
- return 0, '''\
+ ACCESS_CTRL_DB.save()
+
+ return 0, '''\
******************************************************************
*** WARNING: this command is deprecated. ***
*** Please use the ac-user-* related commands to manage users. ***
******************************************************************
Username and password updated''', ''
- if cmd['prefix'] == 'dashboard ac-role-show':
- rolename = cmd['rolename'] if 'rolename' in cmd else None
- if not rolename:
- roles = dict(ACCESS_CTRL_DB.roles)
- roles.update(SYSTEM_ROLES)
- roles_list = [name for name, _ in roles.items()]
- return 0, json.dumps(roles_list), ''
- try:
- role = ACCESS_CTRL_DB.get_role(rolename)
- except RoleDoesNotExist as ex:
- if rolename not in SYSTEM_ROLES:
- return -errno.ENOENT, '', str(ex)
- role = SYSTEM_ROLES[rolename]
- return 0, json.dumps(role.to_dict()), ''
- elif cmd['prefix'] == 'dashboard ac-role-create':
- rolename = cmd['rolename']
- description = cmd['description'] if 'description' in cmd else None
- try:
- role = ACCESS_CTRL_DB.create_role(rolename, description)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(role.to_dict()), ''
- except RoleAlreadyExists as ex:
- return -errno.EEXIST, '', str(ex)
-
- elif cmd['prefix'] == 'dashboard ac-role-delete':
- rolename = cmd['rolename']
- try:
- ACCESS_CTRL_DB.delete_role(rolename)
- ACCESS_CTRL_DB.save()
- return 0, "Role '{}' deleted".format(rolename), ""
- except RoleDoesNotExist as ex:
- if rolename in SYSTEM_ROLES:
- return -errno.EPERM, '', "Cannot delete system role '{}'" \
- .format(rolename)
+@CLIReadCommand('dashboard ac-role-show',
+ 'name=rolename,type=CephString,req=false',
+ 'Show role info')
+def ac_role_show_cmd(_, rolename=None):
+ if not rolename:
+ roles = dict(ACCESS_CTRL_DB.roles)
+ roles.update(SYSTEM_ROLES)
+ roles_list = [name for name, _ in roles.items()]
+ return 0, json.dumps(roles_list), ''
+ try:
+ role = ACCESS_CTRL_DB.get_role(rolename)
+ except RoleDoesNotExist as ex:
+ if rolename not in SYSTEM_ROLES:
return -errno.ENOENT, '', str(ex)
- except RoleIsAssociatedWithUser as ex:
- return -errno.EPERM, '', str(ex)
+ role = SYSTEM_ROLES[rolename]
+ return 0, json.dumps(role.to_dict()), ''
- elif cmd['prefix'] == 'dashboard ac-role-add-scope-perms':
- rolename = cmd['rolename']
- scopename = cmd['scopename']
- permissions = cmd['permissions']
- try:
- role = ACCESS_CTRL_DB.get_role(rolename)
- perms_array = [perm.strip() for perm in permissions]
- role.set_scope_permissions(scopename, perms_array)
- ACCESS_CTRL_DB.update_users_with_roles(role)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(role.to_dict()), ''
- except RoleDoesNotExist as ex:
- if rolename in SYSTEM_ROLES:
- return -errno.EPERM, '', "Cannot update system role '{}'" \
- .format(rolename)
- return -errno.ENOENT, '', str(ex)
- except ScopeNotValid as ex:
- return -errno.EINVAL, '', str(ex) + "\n Possible values: {}" \
- .format(Scope.all_scopes())
- except PermissionNotValid as ex:
- return -errno.EINVAL, '', str(ex) + \
- "\n Possible values: {}" \
- .format(Permission.all_permissions())
-
- elif cmd['prefix'] == 'dashboard ac-role-del-scope-perms':
- rolename = cmd['rolename']
- scopename = cmd['scopename']
- try:
- role = ACCESS_CTRL_DB.get_role(rolename)
- role.del_scope_permissions(scopename)
- ACCESS_CTRL_DB.update_users_with_roles(role)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(role.to_dict()), ''
- except RoleDoesNotExist as ex:
- if rolename in SYSTEM_ROLES:
- return -errno.EPERM, '', "Cannot update system role '{}'" \
- .format(rolename)
- return -errno.ENOENT, '', str(ex)
- except ScopeNotInRole as ex:
- return -errno.ENOENT, '', str(ex)
-
- elif cmd['prefix'] == 'dashboard ac-user-show':
- username = cmd['username'] if 'username' in cmd else None
- if not username:
- users = ACCESS_CTRL_DB.users
- users_list = [name for name, _ in users.items()]
- return 0, json.dumps(users_list), ''
- try:
- user = ACCESS_CTRL_DB.get_user(username)
- return 0, json.dumps(user.to_dict()), ''
- except UserDoesNotExist as ex:
- return -errno.ENOENT, '', str(ex)
- elif cmd['prefix'] == 'dashboard ac-user-create':
- username = cmd['username']
- password = cmd['password'] if 'password' in cmd else None
- rolename = cmd['rolename'] if 'rolename' in cmd else None
- name = cmd['name'] if 'name' in cmd else None
- email = cmd['email'] if 'email' in cmd else None
- try:
- role = ACCESS_CTRL_DB.get_role(rolename) if rolename else None
- except RoleDoesNotExist as ex:
- if rolename not in SYSTEM_ROLES:
- return -errno.ENOENT, '', str(ex)
- role = SYSTEM_ROLES[rolename]
+@CLIWriteCommand('dashboard ac-role-create',
+ 'name=rolename,type=CephString '
+ 'name=description,type=CephString,req=false',
+ 'Create a new access control role')
+def ac_role_create_cmd(_, rolename, description=None):
+ try:
+ role = ACCESS_CTRL_DB.create_role(rolename, description)
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(role.to_dict()), ''
+ except RoleAlreadyExists as ex:
+ return -errno.EEXIST, '', str(ex)
- try:
- user = ACCESS_CTRL_DB.create_user(username, password, name, email)
- except UserAlreadyExists as ex:
- return -errno.EEXIST, '', str(ex)
- if role:
- user.set_roles([role])
+@CLIWriteCommand('dashboard ac-role-delete',
+ 'name=rolename,type=CephString',
+ 'Delete an access control role')
+def ac_role_delete_cmd(_, rolename):
+ try:
+ ACCESS_CTRL_DB.delete_role(rolename)
+ ACCESS_CTRL_DB.save()
+ return 0, "Role '{}' deleted".format(rolename), ""
+ except RoleDoesNotExist as ex:
+ if rolename in SYSTEM_ROLES:
+ return -errno.EPERM, '', "Cannot delete system role '{}'" \
+ .format(rolename)
+ return -errno.ENOENT, '', str(ex)
+ except RoleIsAssociatedWithUser as ex:
+ return -errno.EPERM, '', str(ex)
+
+
+@CLIWriteCommand('dashboard ac-role-add-scope-perms',
+ 'name=rolename,type=CephString '
+ 'name=scopename,type=CephString '
+ 'name=permissions,type=CephString,n=N',
+ 'Add the scope permissions for a role')
+def ac_role_add_scope_perms_cmd(_, rolename, scopename, permissions):
+ try:
+ role = ACCESS_CTRL_DB.get_role(rolename)
+ perms_array = [perm.strip() for perm in permissions]
+ role.set_scope_permissions(scopename, perms_array)
+ ACCESS_CTRL_DB.update_users_with_roles(role)
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(role.to_dict()), ''
+ except RoleDoesNotExist as ex:
+ if rolename in SYSTEM_ROLES:
+ return -errno.EPERM, '', "Cannot update system role '{}'" \
+ .format(rolename)
+ return -errno.ENOENT, '', str(ex)
+ except ScopeNotValid as ex:
+ return -errno.EINVAL, '', str(ex) + "\n Possible values: {}" \
+ .format(Scope.all_scopes())
+ except PermissionNotValid as ex:
+ return -errno.EINVAL, '', str(ex) + \
+ "\n Possible values: {}" \
+ .format(Permission.all_permissions())
+
+
+@CLIWriteCommand('dashboard ac-role-del-scope-perms',
+ 'name=rolename,type=CephString '
+ 'name=scopename,type=CephString',
+ 'Delete the scope permissions for a role')
+def ac_role_del_scope_perms_cmd(_, rolename, scopename):
+ try:
+ role = ACCESS_CTRL_DB.get_role(rolename)
+ role.del_scope_permissions(scopename)
+ ACCESS_CTRL_DB.update_users_with_roles(role)
ACCESS_CTRL_DB.save()
+ return 0, json.dumps(role.to_dict()), ''
+ except RoleDoesNotExist as ex:
+ if rolename in SYSTEM_ROLES:
+ return -errno.EPERM, '', "Cannot update system role '{}'" \
+ .format(rolename)
+ return -errno.ENOENT, '', str(ex)
+ except ScopeNotInRole as ex:
+ return -errno.ENOENT, '', str(ex)
+
+
+@CLIReadCommand('dashboard ac-user-show',
+ 'name=username,type=CephString,req=false',
+ 'Show user info')
+def ac_user_show_cmd(_, username=None):
+ if not username:
+ users = ACCESS_CTRL_DB.users
+ users_list = [name for name, _ in users.items()]
+ return 0, json.dumps(users_list), ''
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
return 0, json.dumps(user.to_dict()), ''
-
- elif cmd['prefix'] == 'dashboard ac-user-delete':
- username = cmd['username']
- try:
- ACCESS_CTRL_DB.delete_user(username)
- ACCESS_CTRL_DB.save()
- return 0, "User '{}' deleted".format(username), ""
- except UserDoesNotExist as ex:
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
+
+
+@CLIWriteCommand('dashboard ac-user-create',
+ 'name=username,type=CephString '
+ 'name=password,type=CephString,req=false '
+ 'name=rolename,type=CephString,req=false '
+ 'name=name,type=CephString,req=false '
+ 'name=email,type=CephString,req=false',
+ 'Create a user')
+def ac_user_create_cmd(_, username, password=None, rolename=None, name=None,
+ email=None):
+ try:
+ role = ACCESS_CTRL_DB.get_role(rolename) if rolename else None
+ except RoleDoesNotExist as ex:
+ if rolename not in SYSTEM_ROLES:
return -errno.ENOENT, '', str(ex)
+ role = SYSTEM_ROLES[rolename]
- elif cmd['prefix'] == 'dashboard ac-user-set-roles':
- username = cmd['username']
- rolesname = cmd['roles']
- roles = []
- for rolename in rolesname:
- try:
- roles.append(ACCESS_CTRL_DB.get_role(rolename))
- except RoleDoesNotExist as ex:
- if rolename not in SYSTEM_ROLES:
- return -errno.ENOENT, '', str(ex)
- roles.append(SYSTEM_ROLES[rolename])
- try:
- user = ACCESS_CTRL_DB.get_user(username)
- user.set_roles(roles)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(user.to_dict()), ''
- except UserDoesNotExist as ex:
- return -errno.ENOENT, '', str(ex)
+ try:
+ user = ACCESS_CTRL_DB.create_user(username, password, name, email)
+ except UserAlreadyExists as ex:
+ return -errno.EEXIST, '', str(ex)
- elif cmd['prefix'] == 'dashboard ac-user-add-roles':
- username = cmd['username']
- rolesname = cmd['roles']
- roles = []
- for rolename in rolesname:
- try:
- roles.append(ACCESS_CTRL_DB.get_role(rolename))
- except RoleDoesNotExist as ex:
- if rolename not in SYSTEM_ROLES:
- return -errno.ENOENT, '', str(ex)
- roles.append(SYSTEM_ROLES[rolename])
- try:
- user = ACCESS_CTRL_DB.get_user(username)
- user.add_roles(roles)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(user.to_dict()), ''
- except UserDoesNotExist as ex:
- return -errno.ENOENT, '', str(ex)
+ if role:
+ user.set_roles([role])
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(user.to_dict()), ''
- elif cmd['prefix'] == 'dashboard ac-user-del-roles':
- username = cmd['username']
- rolesname = cmd['roles']
- roles = []
- for rolename in rolesname:
- try:
- roles.append(ACCESS_CTRL_DB.get_role(rolename))
- except RoleDoesNotExist as ex:
- if rolename not in SYSTEM_ROLES:
- return -errno.ENOENT, '', str(ex)
- roles.append(SYSTEM_ROLES[rolename])
- try:
- user = ACCESS_CTRL_DB.get_user(username)
- user.del_roles(roles)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(user.to_dict()), ''
- except UserDoesNotExist as ex:
- return -errno.ENOENT, '', str(ex)
- except RoleNotInUser as ex:
- return -errno.ENOENT, '', str(ex)
- elif cmd['prefix'] == 'dashboard ac-user-set-password':
- username = cmd['username']
- password = cmd['password']
+@CLIWriteCommand('dashboard ac-user-delete',
+ 'name=username,type=CephString',
+ 'Delete user')
+def ac_user_delete_cmd(_, username):
+ try:
+ ACCESS_CTRL_DB.delete_user(username)
+ ACCESS_CTRL_DB.save()
+ return 0, "User '{}' deleted".format(username), ""
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
+
+
+@CLIWriteCommand('dashboard ac-user-set-roles',
+ 'name=username,type=CephString '
+ 'name=roles,type=CephString,n=N',
+ 'Set user roles')
+def ac_user_set_roles_cmd(_, username, roles):
+ rolesname = roles
+ roles = []
+ for rolename in rolesname:
try:
- user = ACCESS_CTRL_DB.get_user(username)
- user.set_password(password)
+ roles.append(ACCESS_CTRL_DB.get_role(rolename))
+ except RoleDoesNotExist as ex:
+ if rolename not in SYSTEM_ROLES:
+ return -errno.ENOENT, '', str(ex)
+ roles.append(SYSTEM_ROLES[rolename])
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
+ user.set_roles(roles)
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(user.to_dict()), ''
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
+
+
+@CLIWriteCommand('dashboard ac-user-add-roles',
+ 'name=username,type=CephString '
+ 'name=roles,type=CephString,n=N',
+ 'Add roles to user')
+def ac_user_add_roles_cmd(_, username, roles):
+ rolesname = roles
+ roles = []
+ for rolename in rolesname:
+ try:
+ roles.append(ACCESS_CTRL_DB.get_role(rolename))
+ except RoleDoesNotExist as ex:
+ if rolename not in SYSTEM_ROLES:
+ return -errno.ENOENT, '', str(ex)
+ roles.append(SYSTEM_ROLES[rolename])
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
+ user.add_roles(roles)
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(user.to_dict()), ''
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
+
+
+@CLIWriteCommand('dashboard ac-user-del-roles',
+ 'name=username,type=CephString '
+ 'name=roles,type=CephString,n=N',
+ 'Delete roles from user')
+def ac_user_del_roles_cmd(_, username, roles):
+ rolesname = roles
+ roles = []
+ for rolename in rolesname:
+ try:
+ roles.append(ACCESS_CTRL_DB.get_role(rolename))
+ except RoleDoesNotExist as ex:
+ if rolename not in SYSTEM_ROLES:
+ return -errno.ENOENT, '', str(ex)
+ roles.append(SYSTEM_ROLES[rolename])
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
+ user.del_roles(roles)
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(user.to_dict()), ''
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
+ except RoleNotInUser as ex:
+ return -errno.ENOENT, '', str(ex)
+
+
+@CLIWriteCommand('dashboard ac-user-set-password',
+ 'name=username,type=CephString '
+ 'name=password,type=CephString',
+ 'Set user password')
+def ac_user_set_password(_, username, password):
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
+ user.set_password(password)
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(user.to_dict()), ''
- except UserDoesNotExist as ex:
- return -errno.ENOENT, '', str(ex)
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(user.to_dict()), ''
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
- elif cmd['prefix'] == 'dashboard ac-user-set-info':
- username = cmd['username']
- name = cmd['name']
- email = cmd['email']
- try:
- user = ACCESS_CTRL_DB.get_user(username)
- if name:
- user.name = name
- if email:
- user.email = email
- ACCESS_CTRL_DB.save()
- return 0, json.dumps(user.to_dict()), ''
- except UserDoesNotExist as ex:
- return -errno.ENOENT, '', str(ex)
- return -errno.ENOSYS, '', ''
+@CLIWriteCommand('dashboard ac-user-set-info',
+ 'name=username,type=CephString '
+ 'name=name,type=CephString '
+ 'name=email,type=CephString',
+ 'Set user info')
+def ac_user_set_info(_, username, name, email):
+ try:
+ user = ACCESS_CTRL_DB.get_user(username)
+ if name:
+ user.name = name
+ if email:
+ user.email = email
+ ACCESS_CTRL_DB.save()
+ return 0, json.dumps(user.to_dict()), ''
+ except UserDoesNotExist as ex:
+ return -errno.ENOENT, '', str(ex)
class LocalAuthenticator(object):
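Review bot: `set_login_credentials_cmd`, `ac_user_create_cmd` and `ac_user_set_password` declare `name=password,type=CephString`, so the plaintext password travels as a command-line argument and can end up in shell history, the process list and any log that records the dispatched command. The move to `@CLIWriteCommand` carries that interface over unchanged. A follow-up should read the secret from the command's input (a file or stdin) rather than an argument, and until then each of the three handlers deserves a comment such as `# NOTE: password arrives as a CLI argument; it may be captured by shell history and command auditing`. `ac_user_create_cmd` and `ac_user_set_password` also reply with `json.dumps(user.to_dict())`; if `to_dict()` includes the stored password hash (its definition is outside this hunk), the hash is echoed to the caller and should be left out of the reply. Separately, `ac_user_create_cmd` defaults `password=None` and passes it straight to `create_user`, so it is worth confirming what account state a missing password produces.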