Re-arrange the authz configuration.

In particular, even if we allow for mixing of multiple authz
mechanisms at some point, you won't have multiple instances of the
locker authz type, so the "type" shouldn't be a property of each of
the cells we specify how to authenticate against.

svn path=/trunk/packages/invirt-web/; revision=2557

diff --git a/code/cache_acls.py b/code/cache_acls.py
index f92ad91..75f4720 100755 (executable)
--- a/code/cache_acls.py
+++ b/code/cache_acls.py
@@ -39,7 +39,7 @@ def expandName(name):
             return [name]
         return []
     try:
             return [name]
         return []
     try:

-        return getafsgroups.getAfsGroupMembers(name, config.authz[0].cell)
+        return getafsgroups.getAfsGroupMembers(name, config.authz.cells[0].cell)

     except getafsgroups.AfsProcessError:
         return []
 
     except getafsgroups.AfsProcessError:
         return []
 

diff --git a/code/getafsgroups.py b/code/getafsgroups.py
index 7067e53..21de4d7 100755 (executable)
--- a/code/getafsgroups.py
+++ b/code/getafsgroups.py
@@ -30,8 +30,8 @@ class AfsProcessError(Exception):
 
 def getAfsGroupMembers(group, cell):
     encrypt = True
 
 def getAfsGroupMembers(group, cell):
     encrypt = True

-    for c in config.authz:
-        if c.type == 'afs' and c.cell == cell and hasattr(c, 'auth'):
+    for c in config.authz.cells:
+        if c.cell == cell and hasattr(c, 'auth'):

             encrypt = c.auth
     subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell],
             encrypt = c.auth
     subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell],

diff --git a/code/validation.py b/code/validation.py
index 0285044..4cbc7c0 100644 (file)
--- a/code/validation.py
+++ b/code/validation.py
@@ -222,7 +222,7 @@ def testAdmin(user, admin, machine):
             return admin
         admin = 'system:' + admin
     try:
             return admin
         admin = 'system:' + admin
     try:

-        if user in getafsgroups.getAfsGroupMembers(admin, config.authz[0].cell):
+        if user in getafsgroups.getAfsGroupMembers(admin, config.authz.cells[0].cell):

             return admin
     except getafsgroups.AfsProcessError, e:
         errmsg = str(e)
             return admin
     except getafsgroups.AfsProcessError, e:
         errmsg = str(e)

diff --git a/invirt-cache-acls b/invirt-cache-acls
index b099eca..922d9ba 100755 (executable)
--- a/invirt-cache-acls
+++ b/invirt-cache-acls
@@ -1,9 +1,7 @@
 #!/bin/sh
 cells () {
 #!/bin/sh
 cells () {

-  for i in $(invirt-getconf -l authz); do
-    if [ afs = "$(invirt-getconf authz.$i.type)" ]; then
-      invirt-getconf authz.$i.cell
-    fi
+  for i in $(invirt-getconf -l authz.cells); do
+    invirt-getconf authz.cells.$i.cell

   done
 }
 kinit -k -t /etc/invirt/keytab daemon/$(hostname -f)
   done
 }
 kinit -k -t /etc/invirt/keytab daemon/$(hostname -f)