From b4aa88984ee1f2eb0d11d61737099032816732a4 Mon Sep 17 00:00:00 2001
From: Evan Broder
Date: Fri, 27 Feb 2009 21:35:15 -0500
Subject: [PATCH 1/1] Allow anyone on the adminacl to issue web remctls.
svn path=/trunk/packages/invirt-remote/; revision=2234
---
 debian/changelog | 6 ++++++
 server/etc/remctl/conf.d/invirt-web | 2 +-
 server/usr/sbin/invirt-remconffs | 12 +++++++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 321e411..58bd62f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+invirt-remote (0.3.8) unstable; urgency=low
+
+ * Allow anyone on the adminacl to issue web remctls.
+
+ -- Evan Broder Fri, 27 Feb 2009 21:28:19 -0500
+
 invirt-remote (0.3.7) unstable; urgency=low
 * Add an availability remctl for when we get around to letting us make
diff --git a/server/etc/remctl/conf.d/invirt-web b/server/etc/remctl/conf.d/invirt-web
index af81d8a..e0f56d2 100644
--- a/server/etc/remctl/conf.d/invirt-web
+++ b/server/etc/remctl/conf.d/invirt-web
@@ -1,3 +1,3 @@
-web ALL /usr/sbin/invirt-remote-proxy-web /etc/remctl/acl/web
+web ALL /usr/sbin/invirt-remote-proxy-web /etc/remctl/remconffs/adminacl
 control help /usr/sbin/invirt-remctl-help ANYUSER
 help ALL /usr/sbin/invirt-remctl-help ANYUSER
diff --git a/server/usr/sbin/invirt-remconffs b/server/usr/sbin/invirt-remconffs
index 6421164..ac4fe15 100755
--- a/server/usr/sbin/invirt-remconffs
+++ b/server/usr/sbin/invirt-remconffs
@@ -14,6 +14,7 @@ class RemConfFS(routefs.RouteFS):
 """
 RemConfFS creates a filesytem for configuring remctl, like this:
 /
+ |-- adminacl
 |-- acl
 | |-- machine1
 | ...
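Review bot: The `web` line in server/etc/remctl/conf.d/invirt-web now takes its ACL from `/etc/remctl/remconffs/adminacl`, which invirt-remconffs builds from the admins table at read time, and the configuration carries no comment saying so. Authorisation for `invirt-remote-proxy-web` therefore depends on the remconffs mount and the database being available, and every account in the admins table gets the same access as the principals in `/etc/remctl/acl/web`. Whether remctld denies the command when that ACL file cannot be read should be confirmed rather than assumed. I would add a comment above the line, for example `# ACL generated by invirt-remconffs: admins table plus include of /etc/remctl/acl/web; needs /etc/remctl/remconffs mounted`, and check that direct calls by administrators are logged with the calling principal.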
@@ -39,11 +40,12 @@ class RemConfFS(routefs.RouteFS):
 m.connect('', controller='getroot')
 m.connect('acl', controller='getmachines')
 m.connect('acl/:machine', controller='getacl')
+ m.connect('adminacl', controller='getadmin')
 m.connect('conf', controller='getconf')
 return m
 def getroot(self, **kw):
- return ['acl', 'conf']
+ return ['adminacl', 'acl', 'conf']
 def getacl(self, machine, **kw):
 """Build the ACL file for a machine
@@ -70,6 +72,14 @@ class RemConfFS(routefs.RouteFS):
 def getmachines(self, **kw):
 """Get the list of VMs in the database. Does not cache to prevent race conditions."""
 return list(row[0] for row in database.session.execute(sa.sql.select([database.Machine.c.name])))
+
+ def getadmin(self, **kw):
+ """
+ Get the list of administrators for the global ACL.
+ """
+ acl = [self.userToPrinc(row[0]) for row in database.session.execute(sa.sql.select([database.admins_table.c.user]))]
+ acl.append('include /etc/remctl/acl/web\n')
+ return '\n'.join(acl)
 def userToPrinc(self, user):
 """Convert Kerberos v4-style names to v5-style and append a default
-- 
1.7.9.5
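Review bot: In `getadmin` (the `@@ -70,6 +72,14 @@` hunk) each `admins_table.c.user` value becomes its own ACL line beside a literal `include` directive, and nothing in the hunk checks that the value is a single well-formed name. `userToPrinc` is defined outside the hunk, so whether it rejects whitespace or newlines cannot be seen from here. A stored name that contains a newline, or that has the form `include <path>`, would be read as an extra directive in the ACL that now gates the web command. I would collect the `row[0]` values into `users` first and build the list as `acl = [self.userToPrinc(u) for u in users if u and not any(c.isspace() for c in u)]`, logging anything skipped. The docstring should also say that the result ends with `include /etc/remctl/acl/web`, since that line is what keeps the previously authorised principals in the ACL.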