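/**
 * Create a new project based on project name. This function will also create
 * all roles needed by the project.
 *
 * The project is stored as one LDAP entry (groupofnames + posixgroup) directly
 * under $wgOpenStackManagerLDAPProjectBaseDN, owned by the service account in
 * $wgOpenStackManagerLDAPUser and given the next free gidnumber.
 *
 * @static
 * @param string $projectname Name of the project; becomes the entry's cn and RDN.
 * @return bool True if the project entry was added, false if the LDAP add failed.
 *   Role creation failures after a successful add are not reported (see TODO).
 */
static function createProject($projectname) {
	global $wgAuth;
	global $wgOpenStackManagerLDAPUser;
	global $wgOpenStackManagerLDAPProjectBaseDN;

	OpenStackNovaLdapConnection::connect();

	$entry = array();
	$entry['objectclass'][] = 'groupofnames';
	$entry['objectclass'][] = 'posixgroup';
	$entry['cn'] = $projectname;
	$entry['owner'] = $wgOpenStackManagerLDAPUser;
	$entry['gidnumber'] = OpenStackNovaUser::getNextIdNumber($wgAuth, 'gidnumber');

	// NOTE(review): $projectname goes into the DN unescaped, so DN-special
	// characters in it would change where the entry lands in the tree. Callers
	// must validate the name (or escape it for DN use) before calling this —
	// confirm at the call sites.
	$projectdn = 'cn=' . $projectname . ',' . $wgOpenStackManagerLDAPProjectBaseDN;
	$success = LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $projectdn, $entry);

	if (!$success) {
		$wgAuth->printDebug("Failed to add project {$projectname}", NONSENSITIVE);
		return false;
	}

	// The entry exists now; wrap it so the default roles can be attached to it.
	$project = new OpenStackNovaProject($projectname);
	foreach (self::$rolenames as $rolename) {
		OpenStackNovaRole::createRole($rolename, $project);
		# TODO: If role addition fails, find a way to fail gracefully
		# Though, if the project was added successfully, it is unlikely
		# that role addition will fail.
	}

	$wgAuth->printDebug("Successfully added project {$projectname}", NONSENSITIVE);
	return true;
}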
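/**
 * Handle the "remove members from role" form. Removes each submitted member
 * from the named role — a project role when a project name was given, otherwise
 * a global role — and reports the outcome of every removal to the output page.
 *
 * @param array $formData Submitted fields: 'projectname' (optional),
 *   'rolename', 'members' (list of member names) and 'returnto' (page title).
 * @param string $entryPoint Unused here; kept for the form callback signature.
 * @return bool Always true, so the form is treated as handled even when the
 *   project or role does not exist (the error is reported as a wiki message).
 */
function tryDeleteMemberSubmit( $formData, $entryPoint = 'internal' ) {
	// isset() + strict comparison so a project literally named '0' is not
	// mistaken for "no project" the way a truthiness check would.
	$projectname = isset( $formData['projectname'] ) ? $formData['projectname'] : '';
	$rolename = $formData['rolename'];

	if ( $projectname !== '' ) {
		$project = OpenStackNovaProject::getProjectByName( $projectname );
		if ( !$project ) {
			$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentproject' );
			return true;
		}
		$role = OpenStackNovaRole::getProjectRoleByName( $rolename, $project );
	} else {
		$role = OpenStackNovaRole::getGlobalRoleByName( $rolename );
	}
	if ( !$role ) {
		$this->getOutput()->addWikiMsg( 'openstackmanager-nonexistentrole' );
		return true;
	}

	// A submission with nothing selected may omit the field entirely.
	$members = isset( $formData['members'] ) ? (array)$formData['members'] : array();
	foreach ( $members as $member ) {
		$msg = $role->deleteMember( $member )
			? 'openstackmanager-removedfrom'
			: 'openstackmanager-failedtoremove';
		$this->getOutput()->addWikiMsg( $msg, $member, $rolename );
	}

	$out = '<br />';
	// Title::newFromText() returns null for an invalid title; only link when valid.
	$returnto = Title::newFromText( $formData['returnto'] );
	if ( $returnto ) {
		$out .= Linker::link( $returnto, wfMsgHtml( 'openstackmanager-backprojectlist' ) );
	}
	$this->getOutput()->addHTML( $out );
	return true;
}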
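/**
 * Create a new project based on project name. This function will also create
 * all roles needed by the project.
 *
 * The project is an LDAP entry (extensibleobject + groupofnames) under
 * $wgOpenStackManagerLDAPProjectBaseDN. Depending on useProjectGroup(), the
 * posix group is either the project entry itself (posixgroup objectclass plus
 * a gidnumber) or a separate project group created after the entry. On success
 * a sudoers OU, two default sudo policies and the service-group OUs are added.
 *
 * @static
 * @param string $projectname Name of the project; becomes the entry's cn and RDN.
 * @return bool True if the project entry was added, false if the LDAP add failed.
 *   Failures in the follow-up steps (roles, sudoers OU, project group, sudo
 *   policies) are only logged and do not change the return value.
 */
static function createProject($projectname) {
	global $wgAuth;
	global $wgOpenStackManagerLDAPUser;
	global $wgOpenStackManagerLDAPProjectBaseDN;

	OpenStackNovaLdapConnection::connect();

	$entry = array();
	$entry['objectclass'][] = 'extensibleobject';
	$entry['objectclass'][] = 'groupofnames';
	$entry['cn'] = $projectname;
	$entry['member'] = $wgOpenStackManagerLDAPUser;

	// NOTE(review): $projectname goes into the DN unescaped, so DN-special
	// characters in it would change where the entry lands in the tree. Callers
	// must validate the name (or escape it for DN use) before calling this —
	// confirm at the call sites.
	$projectdn = 'cn=' . $projectname . ',' . $wgOpenStackManagerLDAPProjectBaseDN;

	// If we're not going to use project groups, then create this project as a
	// posixgroup so the entry itself carries the gid.
	if (!OpenStackNovaProject::useProjectGroup()) {
		$entry['gidnumber'] = OpenStackNovaUser::getNextIdNumber($wgAuth, 'gidnumber');
		$entry['objectclass'][] = 'posixgroup';
	}

	$success = LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $projectdn, $entry);
	if (!$success) {
		$wgAuth->printDebug("Failed to add project {$projectname}", NONSENSITIVE);
		return false;
	}

	// The entry exists now; wrap it so the default roles can be attached to it.
	$project = new OpenStackNovaProject($projectname);
	foreach (self::$rolenames as $rolename) {
		OpenStackNovaRole::createRole($rolename, $project);
		# TODO: If role addition fails, find a way to fail gracefully
		# Though, if the project was added successfully, it is unlikely
		# that role addition will fail.
	}

	// Container for the project's sudo policies. The ou attribute value must be
	// the same as the RDN value ('sudoers'); a mismatch is rejected by the
	// directory as a naming violation and the OU would never be created.
	$sudoerOU = array();
	$sudoerOU['objectclass'][] = 'organizationalunit';
	$sudoerOU['ou'] = 'sudoers';
	$sudoerOUdn = 'ou=sudoers,' . $projectdn;
	LdapAuthenticationPlugin::ldap_add($wgAuth->ldapconn, $sudoerOUdn, $sudoerOU);
	# TODO: If sudoerOU creation fails we need to be able to fail gracefully

	$wgAuth->printDebug("Successfully added project {$projectname}", NONSENSITIVE);

	// Now that we've created the project, if we are supposed to use a
	// corresponding project group to manage posix group permissions, do so now.
	if (OpenStackNovaProject::useProjectGroup()) {
		OpenStackNovaProjectGroup::createProjectGroup($projectname);
		# TODO: If project group creation fails we need to be able to fail gracefully
	}

	// Create two default, permissive sudo policies for the project's posix
	// group ('%name' is sudoers syntax for a group). '!authenticate' means no
	// password is required; both policies are deliberately wide open.
	$projectGroup = '%' . $project->getProjectGroup()->getProjectGroupName();

	// First, allow sudo (as root) for all members...
	if (OpenStackNovaSudoer::createSudoer('default-sudo', $projectname, array($projectGroup), array(), array('ALL'), array('!authenticate'))) {
		$wgAuth->printDebug("Successfully created default sudo policy for {$projectname}", NONSENSITIVE);
	}
	// ... then allow all project members to sudo to all other users.
	if (OpenStackNovaSudoer::createSudoer('default-sudo-as', $projectname, array($projectGroup), array($projectGroup), array('ALL'), array('!authenticate'))) {
		$wgAuth->printDebug("Successfully created default sudo-as policy for {$projectname}", NONSENSITIVE);
	}

	OpenStackNovaProject::createServiceGroupOUs($projectname);
	return true;
}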