1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
|
OpenLMI Account usage
=====================
General manipulation of users and groups are done with the objects
from following classes:
* :ref:`LMI_AccountManagementService <LMI-AccountManagementService>`
* :ref:`LMI_Account <LMI-Account>`
* :ref:`LMI_Group <LMI-Group>`
* :ref:`LMI_MemberOfGroup <LMI-MemberOfGroup>`
* :ref:`LMI_Identity <LMI-Identity>`
* :ref:`LMI_AccountInstanceCreationIndication <LMI-AccountInstanceCreationIndication>`
* :ref:`LMI_AccountInstanceDeletionIndication <LMI-AccountInstanceDeletionIndication>`
Some common use cases are described in the following parts
List users
----------
List of users are provided by :ref:`LMI_Account <LMI-Account>`. Each one object
of this class represents one user on the system. Both system and non-sytem users
are directly in :ref:`LMI_Account <LMI-Account>` class::
# List user by name
print c.root.cimv2.LMI_Account.first_instance({"Name": "root"})
# List user by id
print c.root.cimv2.LMI_Account.first_instance({"UserID": "0"})
List groups
-----------
Similarly like users, groups are represented by objects
of :ref:`LMI_Group <LMI-Group>` class::
# List group by name
print c.root.cimv2.LMI_Group.first_instance({"Name": "root"})
# List group by id
print c.root.cimv2.LMI_Group.first_instance({"InstanceID": "LMI:GID:0"})
List group members
------------------
:ref:`LMI_Identity <LMI-Identity>` is class representing users and groups
on the system. Group membership is represented
by :ref:`LMI_MemberOfGroup <LMI-MemberOfGroup>` association. It associates
:ref:`LMI_Group <LMI-Group>` and :ref:`LMI_Identity <LMI-Identity>`, where
:ref:`LMI_Identity <LMI-Identity>` is associated
by :ref:`LMI_AssignedAccountIdentity <LMI-AssignedAccountIdentity>` with
:ref:`LMI_Account <LMI-Account>`::
# Get users from root group
# 1) Get root group object
root_group = c.root.cimv2.LMI_Group.first_instance({"Name": "root")
# 2) Get LMI_Identity objects associated with root group
identities = root_group.associators(ResultClass="LMI_Identity", AssocClass="LMI_MemberOfGroup")
# 3) go through all identites, get LMI_Account associated with identity and print user name
# Note: associators returns a list, but there is just one LMI_Account
for i in identities:
print i.first_associator(ResultClass="LMI_Account").Name
Create user
-----------
For user creation we have to use
:ref:`LMI_AccountManagementService <LMI-AccountManagementService>`. There is
:ref:`CreateAccount <LMI-AccountManagementService-CreateAccount>` method,
which will create user with descired attributes::
# get computer system
cs = c.root.cimv2.PG_ComputerSystem.first_instance()
# get service
lams = c.root.cimv2.LMI_AccountManagementService.first_instance()
# invoke method, print result
lams.CreateAccount(Name="lmishell-user", System=cs)
Create group
------------
Similarly like creating user, creating groups are don in
:ref:`LMI_AccountManagementService <LMI-AccountManagementService>`, using
:ref:`CreateGroup <LMI-AccountManagementService-CreateGroup>` method::
# get computer system
cs = c.root.cimv2.PG_ComputerSystem.first_instance()
# get service
lams = c.root.cimv2.LMI_AccountManagementService.first_instance()
# invoke method, print result
print lams.CreateGroup(Name="lmishell-group", System=cs)
Delete user
-----------
User deletion is done with :ref:`DeleteUser <LMI-Account-DeleteUser>`
method on the desired :ref:`LMI_Account <LMI-Account>` object.
::
# get the desired user
acci = c.root.cimv2.LMI_Account.first_instance({"Name": "tobedeleted"})
# delete the user
acci.DeleteUser()
.. note::
Previous releases allowed to use ``DeleteInstance`` intrinsic method to
delete ``LMI_Account``. This method is now deprecated and
will be removed from future releases of OpenLMI Account. The reason is that
``DeleteInstance`` cannot have parameters; it is equivalent to call
``DeleteAccount`` without specifying parameters.
Delete group
------------
Group deletion is done with :ref:`DeleteGroup <LMI-Group-DeleteGroup>`
method on the desired :ref:`LMI_Group <LMI-Group>` object,
::
# get the desired group
grp = c.root.cimv2.LMI_Group.first_instance({"Name": "tobedeleted"})
# delete the group
grp.DeleteGroup()
.. note::
Previous releases allowed to use ``DeleteInstance`` intrinsic method to
delete ``LMI_Group``. This method is now deprecated and
will be removed from future releases of OpenLMI Account. The reason is that
we want to have consistent way to delete user and group.
Add user to group
-----------------
Adding user to group is done with ``CreateInstance`` intrinsic method on the
:ref:`LMI_MemberOfGroup <LMI-MemberOfGroup>` class, which requires reference
to :ref:`LMI_Group <LMI-Group>` and :ref:`LMI_Identity <LMI-Identity>`::
# We will add root user to pegasus group
# get group pegasus
grp = c.root.cimv2.LMI_Group.first_instance({"Name": "pegasus"})
# get user root
acc = c.root.cimv2.LMI_Account.first_instance({"Name": "root"})
# get identity of root user
identity = acc.first_associator(ResultClass="LMI_Identity")
# create instance of LMI_MemberOfGroup with the above references
c.root.cimv2.LMI_MemberOfGroup.create_instance({"Member":identity.path, "Collection":grp.path})
Remove user from group
----------------------
Removing user from group is done with ``DeleteInstance`` intrinsic method
on the desired :ref:`LMI_MemberOfGroup <LMI-MemberOfGroup>` object::
# We will remove root user from pegasus group
# get group pegasus
grp = c.root.cimv2.LMI_Group.first_instance({"Name": "pegasus"})
# get user root
acc = c.root.cimv2.LMI_Account.first_instance({"Name": "root"})
# get identity of root user
identity = acc.associators(ResultClass="LMI_Identity")[0]
# iterate through all LMI_MemberOfGroup associated with identity and remove the one with our group
for mog in identity.references(ResultClass="LMI_MemberOfGroup"):
if mog.Collection == grp.path:
mog.delete()
Modify user
-----------
It is also possible to modify user details and it is done by ``ModifyInstance``
intrinsic method on the desired :ref:`LMI_Account <LMI-Account>` object::
# Change login shell of test user
acci = c.root.cimv2.LMI_Account.first_instance({"Name": "test"})
acci.LoginShell = '/bin/sh'
# propagate changes
acci.push()
Indications
-----------
OpenLMI Account supports the following indications:
* :ref:`LMI_AccountInstanceCreationIndication <LMI-AccountInstanceCreationIndication>`
* :ref:`LMI_AccountInstanceDeletionIndication <LMI-AccountInstanceDeletionIndication>`
Both indications works only on the following classes:
* :ref:`LMI_Account <LMI-Account>`
* :ref:`LMI_Group <LMI-Group>`
* :ref:`LMI_Identity <LMI-Identity>`
See more below.
Creation Indication
^^^^^^^^^^^^^^^^^^^
Client can be notified when instance of class has been created. It is done with
:ref:`LMI_AccountInstanceCreationIndication <LMI-AccountInstanceCreationIndication>`. The indication filter query must be in the following form:
``SELECT * FROM LMI_AccountInstanceCreationIndication WHERE SOURCEINSTANCE ISA class_name``, where ``class_name`` is one of the allowed classes.
The following example creates filter, handler and subscription (lmi shell do it in one step), which will notify client when user is created:
::
# Notify when a user is created
c.subscribe_indication(
FilterCreationClassName="CIM_IndicationFilter",
FilterSystemCreationClassName="CIM_ComputerSystem",
FilterSourceNamespace="root/cimv2",
QueryLanguage="DMTF:CQL",
Query='SELECT * FROM LMI_AccountInstanceCreationIndication WHERE SOURCEINSTANCE ISA LMI_Account',
Name="account_creation",
CreationNamespace="root/interop",
SubscriptionCreationClassName="CIM_IndicationSubscription",
HandlerCreationClassName="CIM_IndicationHandlerCIMXML",
HandlerSystemCreationClassName="CIM_ComputerSystem",
Destination="http://192.168.122.1:5988" # this is the destination computer, where all the indications will be delivered
)
Deletion Indication
^^^^^^^^^^^^^^^^^^^
Client can be notified when instance is deleted. The same rules like in `Creation Indication`_ applies here:
::
# Notify when a user is deleted
c.subscribe_indication(
FilterCreationClassName="CIM_IndicationFilter",
FilterSystemCreationClassName="CIM_ComputerSystem",
FilterSourceNamespace="root/cimv2",
QueryLanguage="DMTF:CQL",
Query='SELECT * FROM LMI_AccountInstanceDeletionIndication WHERE SOURCEINSTANCE ISA LMI_Account',
Name="account_deletion",
CreationNamespace="root/interop",
SubscriptionCreationClassName="CIM_IndicationSubscription",
HandlerCreationClassName="CIM_IndicationHandlerCIMXML",
HandlerSystemCreationClassName="CIM_ComputerSystem",
Destination="http://192.168.122.1:5988" # this is the destination computer, where all the indications will be delivered
)
.. note::
Both indications uses indication manager and polling.
|
