On 1/29/2014 8:47 PM, Shu Ming wrote:
2014/1/30 4:10, Adam King:
> On 1/29/2014 12:07 PM, Shu Ming wrote:
>> This module provides interfaces to create default groups
>> for kimchi, vmuser and vmadmin. Also it provides interfaces
>> to assign a user to one group as his supplementary group
> With the design we discussed on the list, we do not want or need to
> create kimchi unique groups.
I think using a supplementary group is an implementation detail, not
necessarily linked to the design.
As I read the patch, I didn't view it as an implementation detail.
Maybe I would see it differently if I had a better understanding
of the meaning of "supplementary group". Can you elaborate?
One impediment to the proposed implementation will be the use of
read-only LDAPs which will prevent Kimchi from creating groups.
From your reply, I am not sure what your implementation is to have a
group/role mapping. Can you explain it in detail?
My proposal is to store the group/role mapping in the <domain> document
using the <metadata> tag. The authorization would be stored, and
transported with the VM definition.
>> Signed-off-by: Shu Ming <shuming(a)linux.vnet.ibm.com>
>> ---
>> src/kimchi/rolegroups.py | 36 ++++++++++++++++++++++++++++++++++++
>> 1 file changed, 36 insertions(+)
>> create mode 100644 src/kimchi/rolegroups.py
>>
>> diff --git a/src/kimchi/rolegroups.py b/src/kimchi/rolegroups.py
>> new file mode 100644
>> index 0000000..174c0f0
>> --- /dev/null
>> +++ b/src/kimchi/rolegroups.py
>> @@ -0,0 +1,36 @@
>> +import subprocess
>> +import grp
>> +from kimchi.utils import kimchi_log
>> +
>> +def new_group(gnam):
>> + cmd = " ".join(('groupadd', gnam))
>> +
>> + try:
>> + subprocess.call(cmd, shell=True,
>> + stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>> + except Exception, e:
>> + kimchi_log.info('Exception running command %s: %s', cmd, e)
>> +
>> +def vmadmin_group_check():
>> + try:
>> + grp.getgrnam("vmadmin")
>> + except KeyError:
>> + new_group("vmadmin");
>> +
>> +def vmuser_group_check():
>> + try:
>> + grp.getgrnam("vmuser")
>> + except KeyError:
>> + new_group("vmuser");
>> +
>> +def user_add_group(usernam, grpnam):
>> + cmd = " ".join(('usermod', '-a', '-G',
grpnam, usernam)
>> + try:
>> + subprocess.call(cmd, shell=True,
>> + stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>> + except Exception, e:
>> + kimchi_log.info('Exception running command %s: %s', cmd, e)
>> +
>> +if __name__ == '__main__':
>> + vmuser_group_check()
>> + vmadmin_group_check()
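Review bot: In new_group() and user_add_group() the command is assembled with " ".join(...) and run through subprocess.call(cmd, shell=True, ...), so any shell metacharacter in gnam, usernam or grpnam is interpreted by the shell while invoking groupadd or usermod; pass an argument list with no shell instead, for example subprocess.call(['groupadd', gnam]). The return value of subprocess.call() is discarded and call() does not raise on a non-zero exit status, so a failed groupadd or usermod goes unnoticed and the except branch only covers a failure to launch the command; check the return code and log failures at error level rather than info. As posted, the " ".join(( expression in user_add_group() is missing its closing parenthesis, and stdout/stderr are set to subprocess.PIPE but never read.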
--
Adam King <rak(a)linux.vnet.ibm.com>
IBM CSI
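
The <metadata> approach proposed in the reply above, sketched as an added example that is not code from this thread or from Kimchi. The namespace URI, the element and attribute names, and the role names are assumptions; libvirt only requires that custom <metadata> children carry their own XML namespace. Written for Python 3.

```python
import xml.etree.ElementTree as ET

# Hypothetical namespace and element names; libvirt only requires that
# custom <metadata> children live in their own XML namespace.
NS = "https://example.invalid/kimchi/access/1.0"
K = {"k": NS}
ET.register_namespace("kimchi", NS)
ROLE_RANK = {"user": 1, "admin": 2}  # assumed roles, least to most privileged

# Constructed sample domain definition (trimmed to the relevant elements).
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>demo-vm</name>
  <memory unit='KiB'>1048576</memory>
</domain>"""


def set_role_mapping(domain_xml, mapping):
    """Return domain XML whose <metadata> carries the group -> role mapping."""
    for role in mapping.values():
        if role not in ROLE_RANK:
            raise ValueError("unknown role: %r" % role)
    root = ET.fromstring(domain_xml)
    metadata = root.find("metadata")
    if metadata is None:
        metadata = ET.SubElement(root, "metadata")
    # Replace any earlier mapping so stale grants do not linger.
    for old in metadata.findall("k:access", K):
        metadata.remove(old)
    access = ET.SubElement(metadata, "{%s}access" % NS)
    for group, role in sorted(mapping.items()):
        ET.SubElement(access, "{%s}group" % NS, name=group, role=role)
    return ET.tostring(root, encoding="unicode")


def role_for(domain_xml, user_groups):
    """Return the highest role granted to any of the user's groups, else None."""
    root = ET.fromstring(domain_xml)
    best = None
    for entry in root.findall("metadata/k:access/k:group", K):
        role = entry.get("role")
        if entry.get("name") in user_groups and role in ROLE_RANK:
            if best is None or ROLE_RANK[role] > ROLE_RANK[best]:
                best = role
    return best  # None means no grant: deny by default


if __name__ == "__main__":
    xml = set_role_mapping(SAMPLE_DOMAIN, {"ops": "admin", "students": "user"})
    print(role_for(xml, {"students", "ops"}))
```

Because the mapping only names groups, nothing has to be created in the directory, so a read-only LDAP is not an obstacle; the user's groups are looked up and compared against what the VM definition carries.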