The branch, master has been updated via 1bcff08085a4d7816d8258bb972ead1688b068e5 (commit) via 16e9356345684e24cf259701a79a28934762c867 (commit) from 75a711dd713a90b74f0c0e372a20287ed3ace747 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1bcff08085a4d7816d8258bb972ead1688b068e5 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Jan 29 05:58:50 2013 +0100 add config option (global): ignore-primary-group-memberships, defaults to true commit 16e9356345684e24cf259701a79a28934762c867 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Jan 29 05:46:22 2013 +0100 fix typo ----------------------------------------------------------------------- Summary of changes: etc/x2gobroker.conf | 5 ++ x2gobroker/brokers/base_broker.py | 24 ++++++-- x2gobroker/defaults.py | 1 + x2gobroker/nameservices/testsuite_nameservice.py | 7 ++- x2gobroker/tests/test_broker_base.py | 70 ++++++++++++++++++++++ 5 files changed, 99 insertions(+), 8 deletions(-) The diff of changes is: diff --git a/etc/x2gobroker.conf b/etc/x2gobroker.conf index 024c388..0999376 100644 --- a/etc/x2gobroker.conf +++ b/etc/x2gobroker.conf @@ -85,6 +85,11 @@ #default-user-db = libnss #default-group-db = libnss +# on large deployments it is recommended to ignore primary group memberships +# traversing into all user accounts for primary group detection can be quite +# CPU intensive on the X2Go Broker server. +#ignore-primary-group-memberships = True + ### ### BACKEND section ### diff --git a/x2gobroker/brokers/base_broker.py b/x2gobroker/brokers/base_broker.py index 1daf79a..85984d3 100644 --- a/x2gobroker/brokers/base_broker.py +++ b/x2gobroker/brokers/base_broker.py 
@@ -86,6 +86,20 @@ class X2GoBroker(object): """ return self.config.get_section('global') + def get_global_value(self, option): + """\ + Get the configuration setting for an option in the global section of the + configuration file. + + @param option: option name in the global configuration section + @type option: C{unicode} + + @return: the value for the given global C{option} + @rtype: C{bool}, C{unicode}, C{int} or C{list} + + """ + return self.config.get_value('global', option) + def get_backend_config(self): """\ Get the configuration section of a specific backend. @@ -96,18 +110,18 @@ class X2GoBroker(object): """ return self.config.get_section(self.backend_name) - def get_backend_value(self, backend='zeroconf', option='enabled'): + def get_backend_value(self, backend='zeroconf', option='enable'): """\ Get the configuration setting for backend C{backend} and option C{option}. @param backend: the name of the backend - @type backend: C{str} + @type backend: C{unicode} @param option: option name of the backend's configuration section - @type option: C{str} + @type option: C{unicode} @return: the value for the given C{backend} C{option} - @rtype: C{dict} + @rtype: C{bool}, C{unicode}, C{int} or C{list} """ return self.config.get_value(backend, option) @@ -266,7 +280,7 @@ class X2GoBroker(object): _allow_group = False _deny_group = False - _user_groups = [u'ALL'] + self.get_user_groups(username, primary_groups=True) + _user_groups = [u'ALL'] + self.get_user_groups(username, primary_groups=not self.get_global_value('ignore-primary-group-memberships')) _allow_group = bool(len(set(_user_groups).intersection( set(_acls[u'acl-groups-allow']) ))) _deny_group = bool(len(set(_user_groups).intersection( set(_acls[u'acl-groups-deny']) ))) diff --git a/x2gobroker/defaults.py b/x2gobroker/defaults.py index f2b67e4..81dc346 100644 --- a/x2gobroker/defaults.py +++ b/x2gobroker/defaults.py 
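Review bot: In the last base_broker.py hunk (the `_user_groups` line of the ACL check), leaving out primary groups affects `acl-groups-deny` as well as `acl-groups-allow`. A user who belongs to a denied group only through the primary group no longer intersects the deny set, so a deny rule that matched before this commit silently stops matching. Because defaults.py sets `u'ignore-primary-group-memberships': True`, this takes effect on upgrade with no configuration change, while the sample comment in etc/x2gobroker.conf presents the option only as a CPU saving. Consider keeping the previous behaviour as the default with `u'ignore-primary-group-memberships': False,`, or at least add to the conf comment `# NOTE: if enabled, acl-groups-allow/acl-groups-deny do not match a user's primary group`. The enclosing method starts and ends outside the hunk, so how `_deny_group` is combined with the order setting is not visible here.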
@@ -60,6 +60,7 @@ X2GOBROKER_CONFIG_DEFAULTS = { u'default-auth-mech': u'pam', u'default-user-db': u'libnss', u'default-group-db': u'libnss', + u'ignore-primary-group-memberships': True, }, 'zeroconf': { u'enable': True, diff --git a/x2gobroker/nameservices/testsuite_nameservice.py b/x2gobroker/nameservices/testsuite_nameservice.py index a0ea7e2..90c9b33 100644 --- a/x2gobroker/nameservices/testsuite_nameservice.py +++ b/x2gobroker/nameservices/testsuite_nameservice.py @@ -46,8 +46,9 @@ class X2GoBrokerNameService(base.X2GoBrokerNameService): _members = [] if group in _groups.keys(): _members.extend(_groups[group]) - for username in self.get_users(): - if unicode(group) == self.get_primary_group(username): - _members.append(username) + if primary_groups: + for username in self.get_users(): + if unicode(group) == self.get_primary_group(username): + _members.append(username) return _members diff --git a/x2gobroker/tests/test_broker_base.py b/x2gobroker/tests/test_broker_base.py index 14a9e21..8891103 100644 --- a/x2gobroker/tests/test_broker_base.py +++ b/x2gobroker/tests/test_broker_base.py 
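Review bot: `if primary_groups:` in testsuite_nameservice.py reads a name whose declaration is outside the hunk, and this commit changes only the test-suite name service. The ACL result in base_broker.py now depends on every name-service backend honouring `primary_groups=False`; a backend that ignores the argument would presumably still return primary-group members, so the same ACL could evaluate differently per backend. It is worth confirming that `base.X2GoBrokerNameService` and the libnss backend accept and honour the argument, and documenting it in the method docstring, e.g. `@param primary_groups: also include users whose primary group is C{group}`.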
@@ -504,6 +504,76 @@ enable = true } self.assertEqual(base_backend.check_profile_acls(username, acls), False) + def test_checkprofileacls_group_primarygroups(self): + username_f = 'flip' # is a male grasshopper + username_m = 'maja' # is a female bee + username_w = 'willi' # is a drone (male bee) + _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) + _config = """ +[global] +default-user-db = testsuite +default-group-db = testsuite + +[base] +enable = true +""" + tf = tempfile.NamedTemporaryFile() + print >> tf, _config + tf.seek(0) + base_backend = base.X2GoBroker(config_file=tf.name, config_defaults=_config_defaults) + acls = { + 'acl-groups-allow': ['bees','flip'], + 'acl-groups-deny': ['ALL'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) + _config = """ +[global] +default-user-db = testsuite +default-group-db = testsuite +ignore-primary-group-memberships = true + +[base] +enable = true +""" + tf = tempfile.NamedTemporaryFile() + print >> tf, _config + tf.seek(0) + base_backend = base.X2GoBroker(config_file=tf.name, config_defaults=_config_defaults) + acls = { + 'acl-groups-allow': ['bees','flip'], + 'acl-groups-deny': ['ALL'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_f, acls), False) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) + _config = """ +[global] +default-user-db = testsuite +default-group-db = testsuite +ignore-primary-group-memberships = false + +[base] +enable = true +""" + tf 
= tempfile.NamedTemporaryFile() + print >> tf, _config + tf.seek(0) + base_backend = base.X2GoBroker(config_file=tf.name, config_defaults=_config_defaults) + acls = { + 'acl-groups-allow': ['bees','flip'], + 'acl-groups-deny': ['ALL'], + 'acl-groups-order': 'deny-allow', + } + self.assertEqual(base_backend.check_profile_acls(username_m, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_f, acls), True) + self.assertEqual(base_backend.check_profile_acls(username_w, acls), True) + def test_checkprofileacls_group_combitests(self): _config_defaults = copy.deepcopy(x2gobroker.defaults.X2GOBROKER_CONFIG_DEFAULTS) _config = """ hooks/post-receive -- x2gobroker.git (HTTP(S) Session broker for X2Go) This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "x2gobroker.git" (HTTP(S) Session broker for X2Go).
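Review bot: All three scenarios in test_checkprofileacls_group_primarygroups use `'acl-groups-deny': ['ALL']` and vary the setting only against `acl-groups-allow`, so nothing pins how a deny rule behaves when the user is in the denied group only through the primary group. Add a scenario that puts `'flip'` (presumably flip's primary group, judging by the third scenario) in `acl-groups-deny` and not in the allow list, and assert the result for `username_f` under both `ignore-primary-group-memberships = true` and `= false`. That makes the authorization change on the deny side explicit instead of implicit. Separately, each `tf = tempfile.NamedTemporaryFile()` rebinds the previous handle without closing it; a `tf.close()` before reuse would make the cleanup deterministic.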