Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-06 Thread Mark Cave-Ayland
On 06/09/11 13:29, Jeroen van Meeuwen (Kolab Systems) wrote:

> Uch, mind where I said "just that", I neglected to mention the attached
> script only removes ACL entries for which the identifier (assuming it's
> an individual identifier, admittedly) has no corresponding mailbox.
>
>
> My apologies for pressing send too fast!

Hi Jeroen,

No worries - thanks a lot for taking a look and it's interesting to see 
another approach to the same problem. Were you able to take a look at my 
cyradm patch at https://bugzilla.cyrusimap.org/show_bug.cgi?id=3550 at 
all? Note that I was trying to remove ACLs for accounts which still 
existed but needed to be removed so they could be replaced with group 
permissions instead rather than removing "dead" ACL entries.


Many thanks,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/


Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-06 Thread Jeroen van Meeuwen (Kolab Systems)
Jeroen van Meeuwen (Kolab Systems) wrote:
> Bron Gondwana wrote:
> > The correct way[tm] is to iterate over all the mailboxes and do a
> > "setacl" for each one you want to change, probably using an external
> > script that talks IMAP.
> 
> While obviously needing some work, I've attached a script that -I think-
> does just that.
> 

Uch, mind where I said "just that", I neglected to mention the attached script 
only removes ACL entries for which the identifier (assuming it's an individual 
identifier, admittedly) has no corresponding mailbox.

My apologies for pressing send too fast! 

Kind regards,

Jeroen van Meeuwen

-- 
Senior Engineer, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08


Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-06 Thread Jeroen van Meeuwen (Kolab Systems)
Bron Gondwana wrote:
> The correct way[tm] is to iterate over all the mailboxes and do a
> "setacl" for each one you want to change, probably using an external
> script that talks IMAP.
> 

While obviously needing some work, I've attached a script that -I think- does 
just that.

Kind regards,

Jeroen van Meeuwen

-- 
Senior Engineer, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08

import sys

sys.path.append('..')

import pykolab

conf = pykolab.getConf()
conf.debuglevel = 9
conf.read_config("../conf/kolab-shc.conf")

imap = pykolab.imap

imap.connect()

# List the shared and user folders
shared_folders = imap.lm("shared/*@mydomain.com")
user_folders = imap.lm("user/*@mydomain.com")

# Placeholder for valid ACL entries
valid_acls = {
    # These are special keywords used in ACLs
    'anyone': True
}

# Loop through the user folders found, ...
for user_folder in user_folders:

    # ... and distill the user@domain ACL qualifier.
    folder_parts = imap.parse_mailbox(user_folder)
    if folder_parts['domain']:
        valid_acl = "%s@%s" % (folder_parts['path_parts'][1], folder_parts['domain'])
    else:
        # No domain part: use the bare user name (second path component),
        # not the whole path_parts list.
        valid_acl = "%s" % (folder_parts['path_parts'][1])

    # 'valid_acl' now contains the fully qualified user identifier (i.e.
    # u...@domain.tld), which may be used in the ACL entries on the other
    # folders. Store the valid ACL entry.
    if valid_acl not in valid_acls:
        valid_acls[valid_acl] = True

# For all folders (shared and user), ...
folders = user_folders + shared_folders

print("Iterating over %d folders" % len(folders))

# ... loop through them and ...
for folder in folders:
    # ... list the ACL entries
    acls = imap.lam(folder)

    # For each ACL entry, see if we think it is a current, valid entry
    for acl_entry in acls.keys():

        # If the key 'acl_entry' does not exist in the dictionary of valid
        # ACL entries, this ACL entry has got to go.
        if acl_entry not in valid_acls:
            # Set the ACL to '' (effectively deleting the ACL entry)
            imap.sam(folder, acl_entry, '')



Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-04 Thread Mark Cave-Ayland
On 03/09/11 12:50, Mark Cave-Ayland wrote:

> Thanks for the heads up. Does that mean I should invoke reconstruct on
> all the mailboxes whose permissions I've changed in this way in order to
> bring the backup ACLs back in line with the mailboxes.db changes?

Sigh. So as soon as I ran reconstruct on the parts of the tree I had 
changed using my previous approach, it noticed that the backup ACLs 
weren't included in mailboxes.db and hence added them all back in again :/

Following on from your previous email, I ended up patching cyradm in 
order to allow a wildcard ACL deletion which worked really well, 
although some mailboxes were still confused to the point where I had to 
remove individual ACLs from the mailbox as a bulk deletion didn't work 
(I guess again this was confusion caused by a combination of different 
backup ACLs, reconstruct and mailboxes.db). Since these problem ACLs 
were removed, everything now works fine so I can recursively drop and 
rebuild all ACLs on our shared folder tree using a small bash script :)

> Also is there any reason why cyradm couldn't be modified to accept
> wildcards for uids in order to remove all of them? It strikes me that
> this is almost a bug given that I can sam an entire mailbox hierarchy
> but not do the same with dam.

The perl code seemed reasonably easy to follow with a good API design 
and so the resulting patch is quite neat. I've created a new bug in 
bugzilla and attached the patch there as it would be very useful to have 
this included within the main cyrus codebase: 
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3550.


Many thanks,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs



Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-03 Thread Mark Cave-Ayland
On 03/09/11 06:16, Bron Gondwana wrote:

>> Just for the archives: I managed to find an alternative solution to my
>> problem. I ended up analysing the output of ctl_mboxlist -d and then
>> writing a bit of perl to generate an output file with the same format
>> for just the mailboxes I was interested in changing but with no ACLs. I
>> then fed the resulting file into ctl_mboxlist -u and as if by magic the
>> job was done :)
>
> FYI - while that kinda works, it is slightly skanky, and leaves the
> mailboxes.db and the "backup copy of the ACL" in the mailbox header
> out of sync.  It's also going to break in future when the content
> of mailboxes.db changes.  It's also somewhat incompatible with
> replication, murder, etc.
>
> The correct way[tm] is to iterate over all the mailboxes and do a
> "setacl" for each one you want to change, probably using an external
> script that talks IMAP.

Hi Bron,

Thanks for the heads up. Does that mean I should invoke reconstruct on 
all the mailboxes whose permissions I've changed in this way in order to 
bring the backup ACLs back in line with the mailboxes.db changes?

Also is there any reason why cyradm couldn't be modified to accept 
wildcards for uids in order to remove all of them? It strikes me that 
this is almost a bug given that I can sam an entire mailbox hierarchy 
but not do the same with dam.


Many thanks,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs



Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-02 Thread Bron Gondwana
On Fri, Sep 02, 2011 at 05:57:38PM +0100, Mark Cave-Ayland wrote:
> > I've also tried using the "anyone"/"all" aliases instead of "*" but that
> > doesn't seem to work either - is anyone able to point me in the right
> > direction as to the correct syntax to completely remove all ACLs for all
> > users from a mailbox?
> 
> Just for the archives: I managed to find an alternative solution to my 
> problem. I ended up analysing the output of ctl_mboxlist -d and then 
> writing a bit of perl to generate an output file with the same format 
> for just the mailboxes I was interested in changing but with no ACLs. I 
> then fed the resulting file into ctl_mboxlist -u and as if by magic the 
> job was done :)

FYI - while that kinda works, it is slightly skanky, and leaves the
mailboxes.db and the "backup copy of the ACL" in the mailbox header
out of sync.  It's also going to break in future when the content
of mailboxes.db changes.  It's also somewhat incompatible with
replication, murder, etc.

The correct way[tm] is to iterate over all the mailboxes and do a
"setacl" for each one you want to change, probably using an external
script that talks IMAP.

Bron.
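
One way to write the external IMAP script described in the message above, as an added example that is not part of the original thread or of Cyrus itself: it lists the mailboxes matching a pattern, reads each ACL with GETACL and issues one DELETEACL per identifier, which is the per-identifier expansion that "dam public.mcatest *" did not perform. The helper names and the keep and dry_run parameters are this example's own; conn is assumed to offer the list, getacl and deleteacl methods of Python's imaplib.IMAP4.

```python
import re

# Added example: helper names and the keep/dry_run parameters are its own.
# An IMAP astring: a quoted string (with \" and \\ escapes) or a bare atom.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

def tokens(line):
    """Split one IMAP response line (bytes) into unquoted tokens."""
    text = line.decode("utf-8", "replace")
    return [atom or re.sub(r"\\(.)", r"\1", quoted)
            for quoted, atom in _TOKEN.findall(text)]

def quote(name):
    """Quote a mailbox name or identifier before sending it."""
    return '"%s"' % name.replace("\\", "\\\\").replace('"', '\\"')

def parse_acl(line):
    """A GETACL payload is the mailbox followed by identifier/rights pairs."""
    mailbox, *rest = tokens(line)
    return mailbox, dict(zip(rest[0::2], rest[1::2]))

def clear_acls(conn, pattern, keep=(), dry_run=False):
    """Delete every ACL entry on the mailboxes matching pattern.
    conn offers imaplib.IMAP4-style list/getacl/deleteacl; identifiers in
    keep are left in place. Returns {mailbox: [identifiers removed]}.
    """
    typ, listing = conn.list('""', quote(pattern))
    if typ != "OK":
        raise RuntimeError("LIST failed: %r" % (listing,))
    removed = {}
    for entry in listing:
        if not isinstance(entry, bytes):  # None = no match; literals skipped
            continue
        mailbox = tokens(entry)[-1]
        typ, data = conn.getacl(quote(mailbox))
        if typ != "OK" or not data[0]:
            continue  # ACL not readable with these credentials
        for who in parse_acl(data[0])[1]:
            if who in keep:
                continue
            if not dry_run:
                typ, resp = conn.deleteacl(quote(mailbox), quote(who))
                if typ != "OK":
                    raise RuntimeError("DELETEACL %r %r: %r" % (mailbox, who, resp))
            removed.setdefault(mailbox, []).append(who)
    return removed

# Usage (placeholder host/credentials): conn = imaplib.IMAP4_SSL("imap.example.org");
#   conn.login("admin", "..."); clear_acls(conn, "public.mcatest*", dry_run=True)
```

Running with dry_run=True first shows which identifiers would be dropped from which mailboxes; because the changes go through IMAP, the server updates mailboxes.db and the mailbox header copy of the ACL together.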



Re: Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-09-02 Thread Mark Cave-Ayland
On 31/08/11 16:20, Mark Cave-Ayland wrote:

> Hi all,
>
> I'm currently trying to recursively remove all ACLs from part of a Cyrus
> tree so I can replace them with newer ones based upon group membership
> rather than individual users. However I can't seem to get this to work
> at the moment using a wildcard under cyradm:
>
> localhost>  cm public.mcatest
> localhost>  lam public.mcatest
> user1 lrs
> user2 lrs
> localhost>  dam public.mcatest *
> localhost>  lam public.mcatest
> user1 lrs
> user2 lrs
> localhost>  dam public.mcatest user1
> localhost>  lam public.mcatest
> user2 lrs
>
> I've also tried using the "anyone"/"all" aliases instead of "*" but that
> doesn't seem to work either - is anyone able to point me in the right
> direction as to the correct syntax to completely remove all ACLs for all
> users from a mailbox?

Just for the archives: I managed to find an alternative solution to my 
problem. I ended up analysing the output of ctl_mboxlist -d and then 
writing a bit of perl to generate an output file with the same format 
for just the mailboxes I was interested in changing but with no ACLs. I 
then fed the resulting file into ctl_mboxlist -u and as if by magic the 
job was done :)


HTH,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs



Bulk deletion of mailbox ACLs under Cyrus 2.4.4

2011-08-31 Thread Mark Cave-Ayland
Hi all,

I'm currently trying to recursively remove all ACLs from part of a Cyrus 
tree so I can replace them with newer ones based upon group membership 
rather than individual users. However I can't seem to get this to work 
at the moment using a wildcard under cyradm:

localhost> cm public.mcatest
localhost> lam public.mcatest
user1 lrs
user2 lrs
localhost> dam public.mcatest *
localhost> lam public.mcatest
user1 lrs
user2 lrs
localhost> dam public.mcatest user1
localhost> lam public.mcatest
user2 lrs

I've also tried using the "anyone"/"all" aliases instead of "*" but that 
doesn't seem to work either - is anyone able to point me in the right 
direction as to the correct syntax to completely remove all ACLs for all 
users from a mailbox?


Many thanks,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs
