

Also use policy check for rodsadmins.
lwesterhof committed Oct 3, 2023
1 parent 6899d56 commit bab70ef
Showing 3 changed files with 23 additions and 51 deletions.
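--- a/uuGroupPolicies.r
+++ b/uuGroupPolicies.r
@@ -130,31 +130,6 @@ uuGroupPreSudoGroupRemove(*groupName, *policyKv) {
 fail;
 }
 
-# Specific handling for rodsadmin when removing a group
-uuGroupPreSudoGroupRemoveForAdmin(*groupName, *policyKv) {
-
-*prefix = "";
-*base = "";
-
-uuChop(*groupName, *prefix, *base, "-", true);
-*vaultName = "vault-*base";
-*zoneName = $rodsZoneClient;
-*vaultIsEmpty = true;
-
-# Check whether vault still holds data
-msiMakeGenQuery("COLL_NAME",
-"COLL_NAME like '/*zoneName/home/*vaultName/%'", *genQIn);
-msiExecGenQuery(*genQIn, *genQOut);
-foreach(*genQOut){
-*vaultIsEmpty = false; break;
-}
-if (*vaultIsEmpty) {
-succeed;
-}
-
-fail;
-}
-
 uuGroupPreSudoGroupMemberAdd(*groupName, *userName, *policyKv) {
 
 *groupToCheck = *groupName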
45 changes: 22 additions & 23 deletions uuGroupPolicyChecks.r
@@ -203,7 +203,7 @@ uuGroupPolicyCanGroupAdd(*actor, *groupName, *category, *subcategory, *expiratio
} else {
*reason = "Invalid expiration date when adding group: '*expiration_date'";
}

} else {
# schema not valid -> report error
*reason = "Invalid schema-id used when adding group: '*schema_id'";
@@ -376,28 +376,27 @@ uuGroupPolicyCanGroupRemove(*actor, *groupName, *allowed, *reason) {
}

if (*homeCollectionIsEmpty) {
if (*groupName like regex "(research)-.*") {
# Research groups an only be removed when nu vault packages exist
uuChop(*groupName, *prefix, *base, "-", true);
*vaultName = "vault-*base";
*zoneName = $rodsZoneClient;
*vaultIsEmpty = true;

# Check whether vault still holds data
msiMakeGenQuery("COLL_NAME",
"COLL_NAME like '/*zoneName/home/*vaultName/%'", *genQIn);
msiExecGenQuery(*genQIn, *genQOut);
foreach(*genQOut){
*vaultIsEmpty = false; break;
}
if (*vaultIsEmpty) {
*allowed = 1;
} else {
*reason = "There are still datapackages in the vault for group: *groupName. Please remove these first before removing this group.";
}
} else {
*allowed = 1;
}
if (*groupName like regex "(research)-.*") {
# Research groups an only be removed when no vault packages are present.
uuChop(*groupName, *prefix, *base, "-", true);
*vaultName = "vault-*base";
*zoneName = $rodsZoneClient;
*vaultIsEmpty = true;

# Check whether vault still holds data
msiMakeGenQuery("COLL_NAME", "COLL_NAME like '/*zoneName/home/*vaultName/%'", *genQIn);
msiExecGenQuery(*genQIn, *genQOut);
foreach(*genQOut){
*vaultIsEmpty = false; break;
}
if (*vaultIsEmpty) {
*allowed = 1;
} else {
*reason = "Cannot remove group, there are data packages in the vault for group: *groupName.";
}
} else {
*allowed = 1;
}
} else {
*reason = "The group's directory is not empty. Please remove all of its files and subdirectories before removing this group.";
}
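Review bot: The vault-emptiness query in the research branch builds a `LIKE` pattern from `*vaultName`, so any `_` or `%` in the group's base name is matched as a wildcard and collections of a different vault can make the result non-empty. That errs towards refusing removal rather than allowing it, but now that rodsadmins depend on this check too it is worth making exact; if data packages are always direct children of the vault collection, `msiMakeGenQuery("COLL_NAME", "COLL_PARENT_NAME = '/*zoneName/home/*vaultName'", *genQIn);` avoids `LIKE` entirely. The rewritten comment still reads "an only"; I would make it `# Research groups can only be removed when no vault packages are present.`. uuGroupPolicyCanGroupRemove starts and ends outside this hunk, so how `*groupName` is validated before this point is not visible here.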
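--- a/uuSudoPolicies.r
+++ b/uuSudoPolicies.r
@@ -58,9 +58,7 @@ acPreSudoGroupAdd(*groupName, *initialAttr, *initialValue, *initialUnit, *policy
 acPreSudoGroupRemove(*groupName, *policyKv) {
 writeLine("serverLog", "In acPreSudoGroupRemove, group is <*groupName>, actor is <$userNameClient#$rodsZoneClient>");
 uuGetUserType(uuClientFullName, *userType);
-if (*userType != "rodsadmin") { fail; }
-# So we're an admin. Now check whether the vault has no datapackages left for this research group
-uuGroupPreSudoGroupRemoveForAdmin(*groupName, *policyKv);
+fail;
 }
 
 acPreSudoGroupMemberAdd(*groupName, *userName, *policyKv) {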
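Review bot: `uuGetUserType(uuClientFullName, *userType);` is now dead code in acPreSudoGroupRemove: with the rodsadmin branch gone, `*userType` is never read and the rule reaches `fail;` for every caller. I would drop the lookup and document the unconditional deny above `fail;`, e.g. `# Default deny, also for rodsadmins: removal must pass the group policy check.`. Which rule then authorises the removal is not visible in this section, so it is worth confirming that no other acPreSudoGroupRemove definition still special-cases rodsadmin.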
