X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/xvm-authz-locker.git/blobdiff_plain/5d59bd7a0556e1d10cec3548cd3cf85e2fa7530c..refs/heads/gdb:/python/xvm/authz/locker.py
diff --git a/python/xvm/authz/locker.py b/python/xvm/authz/locker.py
index cbfc28a..5945ab6 100644
--- a/python/xvm/authz/locker.py
+++ b/python/xvm/authz/locker.py
@@ -3,6 +3,7 @@ import errno
 from afs import acl
 from afs import fs
 from afs import pts
+from afs import _util
 from invirt import common
 from invirt.config import structs as config
@@ -41,22 +42,19 @@ def expandOwner(name):
 allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth))
 return allowed
- except OSError, e:
+ except (_util.AFSException, OSError), e:
 if e.errno in (errno.ENOENT, errno.EACCES):
 return []
 else:
 raise
-def expandAdmin(name, owner):
+def expandAdmin(name):
 """Expand an administrator to a list of authorized users.
- Because the interpretation of an administrator might depend on the
- owner, the owner is passed in as an argument.
-
- However, in the case of locker-based authentication, the
- administrator is always interpreted as an AFS entry (either a user
- or a group) in the home cell (athena.mit.edu for XVM).
+ For locker-based authorization, the administrator is always
+ interpreted as an AFS entry (either a user or a group) in the
+ machine's home cell (athena.mit.edu for XVM).
 """
 cell = config.authz.afs.cells[0].cell
 auth = _authenticate(cell)
@@ -116,6 +114,13 @@ def _expandGroup(name, cell=None, auth=False):
 return set([ent.name])
 else:
 return set([x.name for x in ent.members])
+ except _util.AFSException, e:
+ if e.errno in (267268, # User or group doesn't exist
+ 267269 # Permission denied
+ ):
+ return set()
+ else:
+ raise
 except OSError, e:
 if e.errno in (errno.ENOENT, errno.EACCESS):
 return set()
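Review bot: The widened handler `except (_util.AFSException, OSError), e:` in expandOwner still tests `e.errno` only against `errno.ENOENT` and `errno.EACCES`, while the _expandGroup hunk of this same commit matches AFSException against 267268 and 267269. If the AFS bindings can report those protection-server codes from the calls in this try body as well, such errors reach `raise` instead of returning `[]`, so the two handlers disagree about what counts as "no access". Either share one tuple of tolerated codes between both handlers or add a comment above the `except` naming which calls can raise AFSException here and which code space they use. Separately, dropping `owner` from `expandAdmin(name)` breaks any caller that still passes two arguments; the callers are outside this diff and need checking. The try body of expandOwner begins before the hunk.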
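Review bot: Returning `set()` for 267269 (permission denied) in the new AFSException handler makes "group could not be read" indistinguishable from "group is empty", and expandOwner feeds this result to `allowed.difference_update(...)`, so an entry that cannot be expanded removes nobody from the allowed set. For an authorization helper that looks like failing open on what appear to be negative ACL entries; consider logging the swallowed error, or letting the caller that subtracts the result see the failure instead of an empty set. The pre-existing OSError branch directly below spells `errno.EACCESS`, which Python's errno module does not define (the expandOwner hunk uses `errno.EACCES`), so that handler would raise AttributeError rather than return; it should read `if e.errno in (errno.ENOENT, errno.EACCES):`. The two literals would be easier to audit as named module-level constants carrying the same comments (they appear to be OpenAFS's PRNOENT and PRPERM), e.g. `PRNOENT = 267268  # user or group doesn't exist`. The try block of _expandGroup begins outside the hunk.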