#!/usr/bin/perl # IBM_PROLOG_BEGIN_TAG # This is an automatically generated prolog. # # # # Licensed Materials - Property of IBM # # (C) COPYRIGHT International Business Machines Corp. 2004,2019 # All Rights Reserved # # US Government Users Restricted Rights - Use, duplication or # disclosure restricted by GSA ADP Schedule Contract with IBM Corp. # # IBM_PROLOG_END_TAG # sccsid = "@(#)58 1.11 src/rsct/rm/LPRM/cli/bin/chlpriacl.perl, LPRM, rsct_rady, rady2035a 11/12/15 16:38:42" ###################################################################### # # # Module: chlpriacl # # # # Purpose: # # chlpriacl - Change the access controls for the LPRM Resource # # Initial ACL. # # # # Syntax: # # To add one or more accesses to the LPRM Resource Initial ACL: # # chlpriacl [-a|-n host1[,host2,...]] [-o] [-h] [-TV] Id Perm [Id # # Perm ...] # # # # To add one or more accesses to the LPRM Resource Initial ACL # # using the same permissions: # # chlpriacl [-a|-n host1[,host2,...]] -l [-o] [-h] [-TV] Id # # [Id...] Perm # # # # To delete one or more accesses from the LPRM Resource Initial # # ACL: # # chlpriacl [-a|-n host1[,host2,...]] -d [-h] [-TV] Id [Id...] # # # # To add or delete accesses to the LPRM Resource Initial ACL with # # the accesses specified in a file: # # chlpriacl [-a|-n host1[,host2,...]] [-o|-d] -f File_name [-h] # # [-TV] # # # # To set the LPRM Resource Initial ACL to deny all accesses or to # # use the Resource Shared ACL: # # chlpriacl [-a|-n host1[,host2,...]] {-b|-x} [-h] [-TV] # # # # # # Flags: # # -a Changes the LPRM Resource Initial ACLs on all nodes in # # the domain. # # -b Set the LPRM Resource Initial ACL to use the Resource # # Shared ACL. # # -d The ACL entry for the Id specified is deleted from the # # LPRM Resource Initial ACL. # # -f The accesses are specified in a file. Each line of the # # file will be an Id and permission for that ID. If -d # # is used with -f, only the id is used. Anything else # # is ignored. # # -l There is a list of Ids followed by a single permission. # # -n host1[,host2,...] # # Changes the LPRM Resource Initial ACLs on the nodes # # specified in the domain. # # -o Overwrite any existing ACL entries. # # -x Set the LPRM Resource Initial ACL to deny all accesses. # # -h Help. Writes the command's usage statement to standard # # output. # # -T Trace. Writes the command's trace messages to standard # # error. For your software-service organization's use only.# # -V Verbose. Writes the command's verbose messages to # # standard output. # # # # Parameters: # # Id The network identity of the user. # # Perm The permission the ID is to have. # # # # Description: # # The chlpriacl command changes the LPRM Resource Initial ACL. # # This command allows an access to be added to or deleted from # # the LPRM Resource Initial ACL. The LPRM Resource Initial ACL is # # is copied to the LPRM Resource ACL of a newly created LPRM # # resource. There is one LPRM Resource Initial ACL on each node. # # # # Exit Values: # # 0 LPRM_CLI_SUCCESS Command completed successfully. # # 1 LPRM_CLI_RMC_ERROR Command terminated due to an underlying # # RMC error. # # 2 LPRM_CLI_ERROR Command terminated due to an underlying # # error in the command script. # # 3 LPRM_CLI_BAD_FLAG Command terminated due to user # # specifying an invalid flag. # # 4 LPRM_CLI_BAD_OPERAND Command terminated due to user # # specifying a bad operand. # # 5 LPRM_CLI_USER_ERROR Command terminated due to a user error, # # for example specifying a name that # # already exists. # # # # Examples: # # 1. To allow user joe on nodeA to have write permission to the # # LPRM Resource Initial ACL on nodeA, run on nodeA: # # chlpriacl joe@LOCALHOST w # # # # Man Page: # # For the most current detailed description of this command see # # the chlpriacl man page in /opt/rsct/man. # # # #--------------------------------------------------------------------# # Inputs: # # /opt/rsct/msgmaps/lprmcli.lslpriacl.mapi, - # # message mapping # # # # Outputs: # # stdout - none. # # stderr - any error message. # # # # External Ref: # # Commands: ctdspmsg # # Modules: LPRM_cli_utils.pm, LPRM_cli_rc.pm, # # LPRM_cli_include.pm, CT_cli_utils.pm # # Perl library routines: Getopt::Std # # # # Tab Settings: # # 4 and tabs should be expanded to spaces before saving this file. # # in vi: (:set ts=4 and :%!expand -4) # # # # Change Activity: # # 050107 JAC 112254: Initial design & write. # # 050126 JAC 117175: Fix for -b and -x not working. # # 050128 JAC 117280: Fix for -l not working. # # 050128 JAC 117199: Display error when no parameters specified. # # 050203 JAC 117535: Change call to process_api_error. # # 050210 JAC 117760: Don't allow -o and -d. # # 050224 JAC 118185: Add additional checking of number of inputs. # # 071028 JAC 146726: set delimiters for calling -api commands. # ###################################################################### #--------------------------------------------------------------------# # General Program Flow/Logic: # # # # 1. Parse command line flags and operands. # # 2. Print usage if -h specified. # # 3. Set the appropriate management scope. # # 4. Call RMC command chrsrcacl. Also pass along -VT if necessary. # # 5. Return back any errors. # # # #--------------------------------------------------------------------# #--------------------------------------------------------------------# # Included Libraries and Extensions # #--------------------------------------------------------------------# use lib "/opt/rsct/pm"; use locale; use Getopt::Std; use CT_cli_utils qw(printIMsg printEMsg); use LPRM_cli_rc qw(LPRM_CLI_SUCCESS LPRM_CLI_RMC_ERROR LPRM_CLI_ERROR LPRM_CLI_BAD_FLAG LPRM_CLI_BAD_OPERAND LPRM_CLI_USER_ERROR); use LPRM_cli_utils qw(error_exit printCIMsg printCEMsg process_api_error process_exit_code get_ids_perms_from_file get_ids_from_file ispermvalid); use LPRM_cli_include qw($TRUE $FALSE $RMC_LOCAL_SCOPE $RMC_LOCAL2_SCOPE $RMC_DM_SR_LOCAL_SCOPE $DELIMITERI $DELIMITERO $CTBINDIR $CTDIR); #--------------------------------------------------------------------# # Global Variables # #--------------------------------------------------------------------# $Trace = $FALSE; # default - trace off $Verbose = $FALSE; # default - verbose turned off $Opt_Deny = $FALSE; # default - no deny all access $Opt_Shared = $FALSE; # default - don't use shared acl $Opt_AllNodes = $FALSE; # default - not all nodes $Opt_NodeList = $FALSE; # default - not node list $Opt_Overwrite = $FALSE; # default - no overwrite $Opt_IDlist = $FALSE; # default - not ID ID Perm $Opt_Delete = $FALSE; # default - not delete $Opt_Filename = $FALSE; # default - no filename $PROGNAME = "chlpriacl"; # Program Name for messages $LSMSG = "$CTBINDIR/ctdspmsg"; # list / display message rtn $MSGCAT = "lprmcli.cat"; # msg catalogue for this cmd $ENV{'MSGMAPPATH'} = "$CTDIR/msgmaps"; # msg maps used by $LSMSG #--------------------------------------------------------------------# # Variables # #--------------------------------------------------------------------# my @parameters = (); # input parameters my $node_list = ""; # node list from -n my $file_name = ""; # file name from -f my $id = ""; # user id my $perm = ""; # user permission my $cmd_opts = ""; # chrsrcacl-api options my $cmd_parms = ""; # chrsrcacl-api parameters my @cmd_out = (); # chrsrcacl-api output my $i = 0; # loop counter #--------------------------------------------------------------------# # Main Code # #--------------------------------------------------------------------# my $rc = 0; # parse the command line, exit if there are errors ($rc, $node_list, $file_name, @parameters) = &parse_cmd_line; ($rc == 0) || error_exit($rc); if ($Verbose) { printIMsg("IMsgchlpriaclStart"); } if ($Trace) { $cmd_opts = $cmd_opts." -T"; } if ($Verbose) { $cmd_opts = $cmd_opts." -V"; } if ($Verbose) { printIMsg("IMsgchlpriaclSetScope"); } # if -a and -n were not specified, set local RMC scope if ( (!$Opt_AllNodes) && (!$Opt_NodeList)) { $ENV{CT_MANAGEMENT_SCOPE} = $RMC_LOCAL_SCOPE; } # set DM/SR scope is scope is not set else { # if CT_MANAGEMENT_SCOPE is not defined, set it to 4 for DM/SR/Local scope if (!defined $ENV{CT_MANAGEMENT_SCOPE}) { $ENV{CT_MANAGEMENT_SCOPE} = $RMC_DM_SR_LOCAL_SCOPE; } # if it's defined, it shouldn't be local. If it's local, set it # to 4 for DM/SR/Local scope else { if ($ENV{CT_MANAGEMENT_SCOPE} == $RMC_LOCAL_SCOPE || $ENV{CT_MANAGEMENT_SCOPE} == $RMC_LOCAL2_SCOPE) { $ENV{CT_MANAGEMENT_SCOPE} = $RMC_DM_SR_LOCAL_SCOPE; } } } if ($Verbose) { printIMsg("IMsgchlpriaclProcessOptions"); } # process the input file if necessary if ($Opt_Filename) { if ($Verbose) { printIMsg("IMsgchlpriaclProcessFileInput"); } # get the ids and permissions from the file if ($Opt_Delete) { @parameters = get_ids_from_file($file_name); } else { @parameters = get_ids_perms_from_file($file_name); } } # set up the call to chrsrcacl-api # set deny access if -x specified if ($Opt_Deny) { $cmd_opts = $cmd_opts . " -X "; $cmd_parms = ${DELIMITERI}; } # use shared acl if -b specified if ($Opt_Shared) { $cmd_opts = $cmd_opts . " -S "; $cmd_parms = ${DELIMITERI}; } # set overwrite if -o specified if ($Opt_Overwrite) { $cmd_opts = $cmd_opts . " -O "; } # build id/permission string if ($Opt_Delete) { # build list of ids with 'Z' permission for delete foreach $id (@parameters) { chomp($id); $cmd_parms = $cmd_parms . $DELIMITERI . $id . $DELIMITERI . "Z"; } } elsif ($Opt_IDlist){ # build list using last one as permission $perm = $parameters[$#parameters]; # is it a valid permission $rc = ispermvalid($perm); if ($rc !=0) { printCEMsg("EMsgLPRMcliBadPerm",$perm); exit(LPRM_CLI_USER_ERROR); } # form id/perm list for ($i=0; $i<$#parameters; $i++) { $id = $parameters[$i]; chomp($id); $cmd_parms = $cmd_parms . $DELIMITERI . $id . $DELIMITERI . $perm; } } else { # it's a id/perm repeating list # must be an even number of parameters (remember 0 origin) if (($#parameters % 2) == 0) { printCEMsg("EMsgLPRMcliBadIdPermList"); exit(LPRM_CLI_USER_ERROR); } # form id/perm list for ($i=0; $i<=$#parameters; $i=$i+2) { $id = $parameters[$i]; chomp($id); $perm = $parameters[$i+1]; chomp($perm); # is it a valid permission $rc = ispermvalid($perm); if ($rc !=0) { printCEMsg("EMsgLPRMcliBadPerm",$perm); exit(LPRM_CLI_USER_ERROR); } $cmd_parms = $cmd_parms . $DELIMITERI . $id . $DELIMITERI . $perm; } } # call chrsrcacl-api if ($Verbose) { printIMsg("IMsgchlpriaclModifyAcl"); } if ($Trace) { print STDERR "$PROGNAME: calling chrsrcacl-api\n";} @cmd_out=`$CTBINDIR/chrsrcacl-api $cmd_opts -I ${DELIMITERI} -D ${DELIMITERO} -p IBM.LPCommands${DELIMITERI}${node_list}${cmd_parms} 2>&1`; # capture the return code from chrsrcacl-api $rc = $?; $rc = process_exit_code($rc); if ($Trace) { print STDERR "chrsrcacl-api results:\n"; print STDERR "@cmd_out";} if ($Trace) { print STDERR "$PROGNAME: chrsrcacl-api returned $rc\n";} if ($Verbose) { printIMsg("IMsgchlpriaclProcessErrors"); } # show any errors if there was a bad rc if ($rc != 0) { process_api_error($DELIMITERO,$rc,@cmd_out); } if ($Verbose) { printIMsg("IMsgchlpriaclEnd"); } exit($rc); #--------------------------------------------------------------------# # End Main Code # #--------------------------------------------------------------------# #--------------------------------------------------------------------# # parse_cmd_line - Parse the command line for options and operands. # # Set appropriate global variables as outlined below, make sure we # # have a valid combination of arguments / options. # # # # Return: # # $rc 0 Command line parsed fine, no problem. # # LPRM_CLI_BAD_FLAG Command line contained a bad flag. # # $parameters List of Ids and Permissions. # # $node_list List of nodes for -n. # # $file_name File name for -f. # # # # Global Variables Modified: # # $Verbose output True (-V) turn Verbose mode on. # # $Trace output True (-T) turn Trace mode on. # # $Opt_Deny output True (-x) deny access specified. # # $Opt_Shared output True (-b) use shared ACL. # # $Opt_AllNodes output True (-a) all nodes specified. # # $Opt_NodeList output True (-n) nodes listed. # # $Opt_Overwrite output True (-o) overwrite specified. # # $Opt_IDlist output True (-l) multi Ids w/1 permission. # # $Opt_Delete output True (-d) delete specified. # # $Opt_Filename output True (-f) filename specified. # #--------------------------------------------------------------------# sub parse_cmd_line { my(@original_argv) = @ARGV; my @parameters = (); # Ids/permission list my $node_list = ""; # nodes for -n my $file_name = ""; # file name for -f my %opts = (); # Process the command line... if (!&getopts('abdf:hln:oxTV', \%opts)) { # Gather options; # if errors &print_usage; # display proper usage return LPRM_CLI_BAD_FLAG; # return bad rc - bad flag } # process h flag if (defined $opts{h}) { # -h, help request &print_usage; # print usage statement exit(0); # all done with good return! } if (defined $opts{T}) { # -T turn trace on $Trace = $TRUE; } if (defined $opts{V}) { # -V turn verbose mode on $Verbose = $TRUE; } if (defined $opts{a}) { # -a for all nodes in domain $Opt_AllNodes = $TRUE; # -a flag specified } if (defined $opts{n}) { # -n for list of nodes # error if -a is specified if ($Opt_AllNodes) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-a","-n"); &print_usage; return LPRM_CLI_BAD_FLAG; } $Opt_NodeList = $TRUE; # -n flag specified $node_list = $opts{n}; } if (defined $opts{d}) { # -d to delete access $Opt_Delete = $TRUE; # -d flag specified } if (defined $opts{f}) { # -f for file input if ($#ARGV >=0) { # can't have parameters for -f printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } $Opt_Filename = $TRUE; # -f flag specified $file_name = $opts{f}; } if (defined $opts{l}) { # -l for list of Ids # error if -d is specified if ($Opt_Delete) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-l","-d"); &print_usage; return LPRM_CLI_BAD_FLAG; } # error if -f is specified if ($Opt_Filename) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-l","-f"); &print_usage; return LPRM_CLI_BAD_FLAG; } $Opt_IDlist = $TRUE; # -l flag specified } if (defined $opts{o}) { # -o to overwrite access # error if -d is specified if ($Opt_Delete) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-o","-d"); &print_usage; return LPRM_CLI_BAD_FLAG; } $Opt_Overwrite = $TRUE; # -o flag specified } if (defined $opts{x}) { # -x for deny all access if ($#ARGV >=0) { # can't have parameters for -x printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } # error if -d is specified if ($Opt_Delete) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-x","-d"); &print_usage; return LPRM_CLI_BAD_FLAG; } # error if -f is specified if ($Opt_Filename) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-x","-f"); &print_usage; return LPRM_CLI_BAD_FLAG; } # error if -l is specified if ($Opt_IDlist) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-x","-l"); &print_usage; return LPRM_CLI_BAD_FLAG; } $Opt_Deny = $TRUE; # -x flag specified } if (defined $opts{b}) { # -b to use shared acl if ($#ARGV >=0) { # can't have parameters for -b printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } # error if -x is specified if ($Opt_Deny) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-b","-x"); &print_usage; return LPRM_CLI_BAD_FLAG; } # error if -d is specified if ($Opt_Delete) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-b","-d"); &print_usage; return LPRM_CLI_BAD_FLAG; } # error if -f is specified if ($Opt_Filename) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-b","-f"); &print_usage; return LPRM_CLI_BAD_FLAG; } # error if -l is specified if ($Opt_IDlist) { printCEMsg("EMsgLPRMcliImproperUsageCombination","-b","-l"); &print_usage; return LPRM_CLI_BAD_FLAG; } $Opt_Shared = $TRUE; # -b flag specified } # Get the arguments... # Operands: Id perm Id perm OR Id Id perm or Id or nada if ($#ARGV >= 0) { # Name and Ids and perms # if -d used, must be at least 1 argument unless -f also is used if ( $Opt_Delete ) { if ( $Opt_Filename ) { printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } else { if (! ($#ARGV >= 0) ) { printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } } @parameters = @ARGV; # get them all } # if -x or -f used, should be no parameters elsif ( $Opt_Deny || $Opt_Filename ) { printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } # else there must be at least 2 arguments elsif ( $#ARGV <= 0 ) { printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } else { @parameters = @ARGV; # get them all } } else { # if no args, display error unless -f|-x|-b used if (! ($Opt_Deny || $Opt_Filename || $Opt_Shared) ) { printCEMsg("EMsgLPRMcliInvalidNumberOfOperands"); &print_usage; return LPRM_CLI_BAD_OPERAND; } } return(0, $node_list, $file_name, @parameters); # success } # end parse_cmd_line #--------------------------------------------------------------------# # print_usage : print the usage statement (syntax) to stdout. # #--------------------------------------------------------------------# sub print_usage { &printIMsg("IMsgchlpriaclUsage"); } # end print_usage