diff --git a/info.textgrid.middleware.tgauth.pdp2posix/syncFromRBAC b/info.textgrid.middleware.tgauth.pdp2posix/syncFromRBAC
index 7a00a1dfee3e112c09fdaf5494993b40648128da..68b486689b1e08f0aba09068b7162f00767e05cc 100755
--- a/info.textgrid.middleware.tgauth.pdp2posix/syncFromRBAC
+++ b/info.textgrid.middleware.tgauth.pdp2posix/syncFromRBAC
@@ -1,16 +1,46 @@
 #!/usr/bin/perl -w
-#
-# Syncs an external PDP's policy (here: the contents of the LDAP Database of
-# a TextGrid TG-auth* RBAC instance into group and extendeded Access Control entries in the
-# resource's file system.
+############################################
+# Syncs an external PDP's policy (here: the contents of the LDAP Database
+# of a TextGrid TG-auth* openRBAC instance) into group and extendeded Access
+# Control entries in the Grid resource's file system.
 #
 # Author: Martin Haase / DAASI International GmbH / Gap-SLC
 #
-# History:
-# version 0.1 2010-07-13 first proof-of-concept
-# version 0.2 2010-12-06 separated configuration and code, documentation
-# version 0.2 2010-12-23 error handling, configuration with DAASIlib
+### Detailed function:
+# * Every role in a TextGrid project will be mapped to a system group entry.
+# * Every performer of this role will be added as a member to this group.
+# * A TextGrid project is mapped to a directory under <project creator's home>/.textgrid/
+# * A TextGrid object is mapped to a file in a project directory
+# * Extended POSIX ACLs will be used to ensure each resource can be accessed by the right project members.
 #
+### Some remarks:
+
+### A user's account must exist in the system's grid-mapfile. You can
+#use the companion gap-SLC script, Pseudo_dgridmap.perl, to accomplish
+#this.
+
+### Currently only a subset of the accounts in the gri-mapfile is
+#honored, i.e. only those which are issued by the Short-Lived
+#Certificate Service (SLCS). Why? We need a mapping from the PDP. A
+#user's identity in TG-auth* is by reference to his
+#eduPersonPrincipalName, and the SLCS DNs contain exactly the
+#ePPN. This way the mapping can be established.
+
+### Permissions for roles are still hard-wired, as they are in
+#TG-auth* as well
+
+### we contact the LDAP database of TG-auth*/openRBAC
+#directly. Re-implementors might wish to create dedicated accessor
+#functions in the PDP they wish to contact.
+ +### see syncFromRBAC -h for the man page +# +# +# History: +# version 0.1 2010-07-13 first proof-of-concept +# version 0.2 2010-12-06 separated configuration and code, documentation +# version 0.2b 2010-12-23 error handling, configuration with DAASIlib, first check-in to SVN +# version 0.2c 2010-12-27 further documentation ### imports =========================================== use Data::Dump qw(dump); @@ -44,6 +74,7 @@ $logfilepath = $conf->{data}->{logfile}; $last_modifyTimestamp_path = $conf->{data}->{last_modifyTimestamp_path}; $alternative_last_modify_timestamp = $conf->{data}->{alternative_last_modify_timestamp}; +# these roles are currently hard-wired in TG-auth* @standardroles = ( {rolename => "Projektleiter", projectperms => "", resourceperms => ""}, {rolename => "Administrator", projectperms => "wx", resourceperms => ""}, @@ -71,15 +102,15 @@ if (defined $alternative_last_modify_timestamp ) { open LOG, ">>$logfilepath"; # used by logg(); if ($last_modifyTimestamp !~/^\d{4}[01]\d[0123]\d[012]\d[0-5]\d[0-5]\dZ$/) { - logg ("invalid timestamp ($last_modifyTimestamp) specified, shold be YYYYMMDDhhmmssZ."); + logg ("invalid timestamp ($last_modifyTimestamp) specified, should be YYYYMMDDhhmmssZ."); exit 0; } logg ("Start synchronizing LDAP from timestamp ($last_modifyTimestamp)"); -# $last_modifyTimestamp = "20100202114936Z"; -# logg ("no, not, use $last_modifyTimestamp for testing still"); -# MAIN =========================================== +############## MAIN =========================================== + +# user must exist in grid-mapfile, and we only take those DNs into account that are issued by DFN's SLCS $userhash = parse_gridmap ( $gridmapfilepath, $conf->{data}->{slcs_dn_prefix}); $grouphash = parse_groupfile ($groupfilepath); 
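Review bot: In the `@@ -71,15 +102,15 @@` hunk the invalid-timestamp branch still ends in `exit 0;` directly after the reworded `logg ("invalid timestamp ... should be YYYYMMDDhhmmssZ.")`, so a malformed last_modifyTimestamp reports success to cron or a wrapper while the sync is silently skipped; change it to `exit 1;` so the failure is visible to whatever schedules this script. The same hunk shows `open LOG, ">>$logfilepath";` (an existing line) as an unchecked two-argument open on a bareword handle: if the log file cannot be appended to, every later logg() call, including this error message, is lost without notice; `open my $log_fh, '>>', $logfilepath or die "open $logfilepath: $!";` (and passing the lexical handle to logg()) would fail loudly instead. The surrounding top-level code continues outside the hunk.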
@@ -113,7 +144,7 @@ if (not $DRY_RUN) { print LMTS $now_timestamp; close LMTS; } else { - logg ("This has been a DRY RUN, did NOT write system timestamp of last ldapsearch ($now_timestamp) to file. Force write with -w."); + logg ("This has been a DRY RUN, did NOT alter anything on the system nor write timestamp of last ldapsearch ($now_timestamp) to file. After verifying from the logs that everything is correct, you can force this with -w."); } close LOG; @@ -121,6 +152,9 @@ exit 0; # FUNCTIONS ====================================== +# this function handles ordinary TextGridObjects. As CRUD has written +# them already, including the project directory they live in, no mkdir +# has to be issued. sub handle_resource { my $e = shift; my ($tgpr, $dir, $uuid) = parse_uuid ($e->get_value("TGResourceUUID")); @@ -154,12 +188,15 @@ sub parse_uuid { # format: # gsiftp://ingrid.sub.uni-goettingen.de//home/ttest/.textgrid/TGPR29/a084e9c0-e7d4-3802-b16d-37a223414c82 if ($u =~ /gsiftp:\/\/ingrid.sub.uni-goettingen.de\/(\/home\/[^\/]+\/.textgrid)\/([^\/]+)\/(\S+)/) { - return ($2, "$1/$2", $3); + return ($2, "$1/$2", $3); # i.e. TGPR29, /home/ttest/.textgrid/TGPR29, a084e9c0-e7d4-3802-b16d-37a223414c82 } else { return (0,0,0) } } +# this functions handles any change in a project role entry, either +# the project itself (it is a role as well in TG-auth*) or sub-roles. +# takes existing group entries into account and only makes a diff sub handle_role { my $e = shift; @@ -350,7 +387,7 @@ sub ldapConnect { } if ( $rh_ldapdef->{is_tls} ) { - logg("starting TLS "); + debugg("starting TLS "); debugg("verify: $rh_ldapdef->{tls_verify}, cafile: $rh_ldapdef->{tls_cafile} cypher: $rh_ldapdef->{tls_cypher}"); my $tlsmesg = $ldap->start_tls ( verify => $rh_ldapdef->{tls_verify}, cafile => $rh_ldapdef->{tls_cafile}, 
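Review bot: In the `@@ -154,12 +188,15 @@` hunk the new comment on `return ($2, "$1/$2", $3);` documents the captures, but nothing validates them before `$dir` (presumably used as a filesystem path by handle_resource, which is outside this view) is built from them: the pattern is unanchored, the dots in `ingrid.sub.uni-goettingen.de` and `.textgrid` are unescaped, and `([^\/]+)` / `(\S+)` accept any non-slash or non-space characters, so a TGResourceUUID value read from the directory that does not look like the documented example still matches. Since the value comes from an external LDAP entry, anchor the match and restrict the project and UUID segments to the characters the example shows, e.g. `m{ \A gsiftp://ingrid\.sub\.uni-goettingen\.de/(/home/[^/]+/\.textgrid)/([A-Za-z0-9_-]+)/([A-Za-z0-9-]+) \z }x`, and have the `(0,0,0)` branch log the rejected value so skipped entries are visible in the log (the character classes assume UUIDs always follow the example's form; confirm against real data). The enclosing sub parse_uuid starts before the hunk.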
@@ -362,8 +399,8 @@ sub ldapConnect { } else { debugg ( "Start_TLS operation succeeded"); - logg ( "tls cipher: " . $ldap->cipher . "\n" ); - logg ( "tls certificate: " . $ldap->certificate . "\n" ); + debugg ( "tls cipher: " . $ldap->cipher . "\n" ); + debugg ( "tls certificate: " . $ldap->certificate . "\n" ); } } @@ -401,7 +438,7 @@ sub ldapSearch { ); if ( $mesg->code == Net::LDAP::LDAP_SUCCESS ) { - logg("search performed without error" ); + debugg("search performed without error" ); } else { errorExit ( "Error in search: ". $mesg->error); }
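Review bot: The demoted line `debugg ( "tls certificate: " . $ldap->certificate . "\n" );` in the `@@ -362,8 +399,8 @@` hunk concatenates whatever Net::LDAP's certificate() returns, which as far as I can tell from its documentation is an X509 certificate object rather than a string, so the debug output would show a reference or handle instead of anything a reader can check the server identity against; if the intent is to show who answered the Start_TLS, log a field of the peer certificate, e.g. `$ldap->socket->peer_certificate('subject')`. Both demoted lines also carry a trailing `"\n"` that the neighbouring debugg() calls do not, so the log likely gets stray blank lines there. ldapConnect begins and ends outside the hunk.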