[autotest] Always direct restricted user to google storage.

Currently, retrieve_logs.cgi will check all the drones and shards
to see if it has the requested result and return a url pointing
to drone or shards if the result is found. However,
restricted users do not have access to drones or shards.
Simply always redirect them to google storage for results.

TEST=Test on a ganeti instance. Make sure the link redirect correctly.
BUG=chromium:561131

Change-Id: Ib174886857e694763337d01d69b773fef84b1a77
Reviewed-on: https://chromium-review.googlesource.com/316492
Commit-Ready: Fang Deng <fdeng@chromium.org>
Tested-by: Fang Deng <fdeng@chromium.org>
Reviewed-by: Dan Shi <dshi@google.com>
diff --git a/apache/conf/site-sso-directives b/apache/conf/site-sso-directives
index a7f6da9..6a3e69d 100755
--- a/apache/conf/site-sso-directives
+++ b/apache/conf/site-sso-directives
@@ -1,5 +1,5 @@
 
-<LocationMatch "^/(afe|new_tko|loginz).*">
+<LocationMatch "^/(afe|tko|new_tko|loginz).*">
     AuthType google-sso
     AuthName ChromeOSAutotest
     RpMode v2_v1accepted
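Review bot: Nothing in this file records why `tko` joins the SSO-protected locations on L24; from the rest of the change it is presumably so that /tko/retrieve_logs.cgi runs with REMOTE_USER populated for the new is_restricted_user check, but a reader of the directives alone cannot see that the two are coupled. Suggest a comment above the LocationMatch: `# tko is listed so retrieve_logs.cgi receives REMOTE_USER (see server_utils.is_restricted_user).` The LocationMatch block continues past the end of the hunk.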
diff --git a/global_config.ini b/global_config.ini
index aabd73f..41eb0e2 100644
--- a/global_config.ini
+++ b/global_config.ini
@@ -32,6 +32,11 @@
 # is too much verbosity for 'production' systems, hence turned off by default.
 sql_debug_mode: False
 
+# Restricted user group. The users in the specified groups only have
+# access to master server. Will always direct them to google storage for logs
+# rather than drones or shards.
+restricted_groups:  USE SHADOW RESTRICTED_GROUPS
+
 # The tko parser will use these database settings.
 # This is for sharding: Even when sharding, the results (tko tables) should
 # still be written to the master database.
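Review bot: The new comment on L36-L38 does not say what format `restricted_groups` expects, and the consumer in server/site_utils.py splits the value on ',' without stripping whitespace and resolves each entry with grp.getgrnam, so a space after a comma or a group that does not exist on the host will not match. Suggest extending the comment: `# Comma-separated list of unix group names (no spaces); each group must exist on the master host.`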
diff --git a/server/site_utils.py b/server/site_utils.py
index 5880c67..4d676f3 100644
--- a/server/site_utils.py
+++ b/server/site_utils.py
@@ -3,6 +3,7 @@
 # found in the LICENSE file.
 
 
+import grp
 import httplib
 import json
 import logging
@@ -478,6 +479,26 @@
     return bool(hostname)
 
 
+def is_restricted_user(username):
+    """Determines if a user is in a restricted group.
+
+    User in restricted group only have access to master.
+
+    @param username: A string, representing a username.
+
+    @returns: True if the user is in a restricted group.
+    """
+    if not username:
+        return False
+
+    restricted_groups = global_config.global_config.get_config_value(
+            'AUTOTEST_WEB', 'restricted_groups', default='').split(',')
+    for group in restricted_groups:
+        if group and username in grp.getgrnam(group).gr_mem:
+            return True
+    return False
+
+
 def get_special_task_status(is_complete, success, is_active):
     """Get the status of a special task.
 
diff --git a/tko/retrieve_logs.cgi b/tko/retrieve_logs.cgi
index 9ce6143..6717ba3 100755
--- a/tko/retrieve_logs.cgi
+++ b/tko/retrieve_logs.cgi
@@ -107,7 +107,10 @@
     # This cgi script is run only in master (cautotest) and shards.
     # Drones do not run this script when receiving '/results/...' request.
     # Only master should check drones and shards for the requested log.
-    if not server_utils.is_shard():
+    # Also restricted users do not have access to drones or shards,
+    # always point them to localhost or google storage.
+    if (not server_utils.is_shard() and
+        not server_utils.is_restricted_user(os.environ.get('REMOTE_USER'))):
         shards = []
         if server_manager_utils.use_server_db():
             drones = server_manager_utils.get_drones()
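Review bot: `os.environ.get('REMOTE_USER')` on L95 is None whenever the request did not pass through an authenticating Apache location, and is_restricted_user returns False for an empty username, so such a request takes the unrestricted drone/shard lookup branch. That is presumably intended, given that the site-sso-directives hunk adds /tko to the SSO LocationMatch so this CGI normally does see REMOTE_USER, but the dependency and the fallback should be stated in the comment: `# REMOTE_USER is set by the SSO LocationMatch covering /tko; when it is absent the caller is treated as unrestricted.` The `if` block continues past the end of the hunk.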