Google Git
Sign in
vanadium / release.go.x.ref / 7a854a56a2775c2a6b1852e116f92e92ac73109c / . / tools / mgmt / nodex / acl_impl.go
blob: 72967025b638cae31f8c4859e6adf92cfbfeb772 [file] [log] [blame]
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]1package main
2
3// Commands to get/set ACLs.
4
5import (
6 "fmt"
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]7
Jiri Simsabc26d692014-11-19 18:30:55 -0800[diff] [blame]8 "veyron.io/lib/cmdline"
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]9 "veyron.io/veyron/veyron2/security"
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]10 "veyron.io/veyron/veyron2/services/mgmt/node"
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]11 "veyron.io/veyron/veyron2/services/security/access"
12 "veyron.io/veyron/veyron2/verror"
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]13)
14
15var cmdGet = &cmdline.Command{
16 Run: runGet,
17 Name: "get",
18 Short: "Get ACLs for the given target.",
Robert Kroeger2c25fcf2014-11-17 09:44:59 -0800[diff] [blame]19 Long: "Get ACLs for the given target.",
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]20 ArgsName: "<node manager name>",
21 ArgsLong: `
22<node manager name> can be a Vanadium name for a node manager,
23application installation or instance.`,
24}
25
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]26func runGet(cmd *cmdline.Command, args []string) error {
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]27 if expected, got := 1, len(args); expected != got {
Robert Kroeger2c25fcf2014-11-17 09:44:59 -0800[diff] [blame]28 return cmd.UsageErrorf("get: incorrect number of arguments, expected %d, got %d", expected, got)
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]29 }
30
31 vanaName := args[0]
Matt Rosencrantz5180d162014-12-03 13:48:40 -0800[diff] [blame]32 objACL, _, err := node.ApplicationClient(vanaName).GetACL(runtime.NewContext())
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]33 if err != nil {
34 return fmt.Errorf("GetACL on %s failed: %v", vanaName, err)
35 }
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]36 // Convert objACL (TaggedACLMap) into aclEntries for pretty printing.
37 entries := make(aclEntries)
38 for tag, acl := range objACL {
39 for _, p := range acl.In {
40 entries.Tags(string(p))[tag] = false
41 }
42 for _, b := range acl.NotIn {
43 entries.Tags(b)[tag] = true
44 }
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]45 }
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]46 fmt.Fprintf(cmd.Stdout(), "%v", entries)
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]47 return nil
48}
49
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]50var cmdSet = &cmdline.Command{
51 Run: runSet,
52 Name: "set",
53 Short: "Set ACLs for the given target.",
54 Long: "Set ACLs for the given target",
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]55 ArgsName: "<node manager name> (<blessing> [!]<tag>(,[!]<tag>)*",
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]56 ArgsLong: `
57<node manager name> can be a Vanadium name for a node manager,
58application installation or instance.
59
60<blessing> is a blessing pattern.
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]61If the same pattern is repeated multiple times in the command, then
62the only the last occurrence will be honored.
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]63
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]64<tag> is a subset of defined access types ("Admin", "Read", "Write" etc.).
65If the access right is prefixed with a '!' then <blessing> is added to the
66NotIn list for that right. Using "^" as a "tag" causes all occurrences of
67<blessing> in the current ACL to be cleared.
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]68
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]69Examples:
70set root/self ^
71will remove "root/self" from the In and NotIn lists for all access rights.
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]72
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]73set root/self Read,!Write
74will add "root/self" to the In list for Read access and the NotIn list
75for Write access (and remove "root/self" from both the In and NotIn
76lists of all other access rights)`,
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]77}
78
79func runSet(cmd *cmdline.Command, args []string) error {
80 if got := len(args); !((got%2) == 1 && got >= 3) {
81 return cmd.UsageErrorf("set: incorrect number of arguments %d, must be 1 + 2n", got)
82 }
83
84 vanaName := args[0]
85 pairs := args[1:]
86
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]87 entries := make(aclEntries)
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]88 for i := 0; i < len(pairs); i += 2 {
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]89 blessing := pairs[i]
90 tags, err := parseAccessTags(pairs[i+1])
91 if err != nil {
92 return cmd.UsageErrorf("failed to parse access tags for %q: %v", blessing, err)
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]93 }
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]94 entries[blessing] = tags
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]95 }
96
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]97 // Set the ACLs on the specified names.
Matt Rosencrantz5180d162014-12-03 13:48:40 -0800[diff] [blame]98 ctx := runtime.NewContext()
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]99 for {
Matt Rosencrantz5180d162014-12-03 13:48:40 -0800[diff] [blame]100 objACL, etag, err := node.ApplicationClient(vanaName).GetACL(ctx)
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]101 if err != nil {
102 return cmd.UsageErrorf("GetACL(%s) failed: %v", vanaName, err)
103 }
Asim Shankar68885192014-11-26 12:48:35 -0800[diff] [blame]104 for blessingOrPattern, tags := range entries {
105 objACL.Clear(blessingOrPattern) // Clear out any existing references
106 for tag, blacklist := range tags {
107 if blacklist {
108 objACL.Blacklist(blessingOrPattern, tag)
109 } else {
110 objACL.Add(security.BlessingPattern(blessingOrPattern), tag)
111 }
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]112 }
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]113 }
Matt Rosencrantz5180d162014-12-03 13:48:40 -0800[diff] [blame]114 switch err := node.ApplicationClient(vanaName).SetACL(ctx, objACL, etag); {
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]115 case err != nil && !verror.Is(err, access.ErrBadEtag):
116 return cmd.UsageErrorf("SetACL(%s) failed: %v", vanaName, err)
117 case err == nil:
118 return nil
119 }
120 fmt.Fprintf(cmd.Stderr(), "WARNING: trying again because of asynchronous change\n")
121 }
122 return nil
123}
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]124
125func aclRoot() *cmdline.Command {
126 return &cmdline.Command{
127 Name: "acl",
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]128 Short: "Tool for setting node manager ACLs",
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]129 Long: `
Robert Kroeger2c25fcf2014-11-17 09:44:59 -0800[diff] [blame]130The acl tool manages ACLs on the node manger, installations and instances.
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]131`,
Robert Kroeger1e4721a2014-11-12 17:59:46 -0800[diff] [blame]132 Children: []*cmdline.Command{cmdGet, cmdSet},
Robert Kroeger90104522014-11-11 15:29:17 -0800[diff] [blame]133 }
134}