[rt-users] RT::ACE example? (I think!)

Howard Jones howie at thingy.com
Mon Feb 28 10:06:42 EST 2011 

On 24/02/2011 17:39, Howard Jones wrote:
> I'm looking to write a small perl script to provision new queues. I tend
> to make them all the same way:
>
>    Create a group for the users who can handle tickets in the queue
>    Create the queue, and make that group a watcher on it
>    We use the exim-mysql config, so the mail gateway is done by magic
>    Add the same set of rights for that group, and a few roles - Everyone
> can Create, Requestor and Owner can reply.
>
> I have got as far as a Queue created, and a Group created. I think I
> need to create RT::ACE objects to add the appropriate rights. Is that
> correct? I couldn't find any examples of doing this... how are Everyone,
> Owner and Requestor done? It seems that the PrincipalID would be id of
> the group I've just created, right?
>
Thanks to Ruslan for pointing me in the right direction, here's what I
ended up with in case it's useful to someone else. You'll need to tweak
the perl and RT paths near the top, most likely.

This script will create a queue, create a new group, and give that group
(and some roles) a set of rights. The rights are in an easily editable
form near the top of the script. Just add appropriate users to the new
group to finish (assuming you have something in place to automate the
mailgate side of things). If the queue or group already exists, it will
use those, so you can also use it to 'open' an existing queue I guess.

e.g:  ./create_queue.pl internalsupport internal at example.com InternalSupport

-- snip --

#!/opt/perl/bin/perl

$queuename = $ARGV[0];
$email     = $ARGV[1];
$groupname = $ARGV[2];

if ( $queuename eq "" || $email eq "" || $groupname eq "" ) {
    print
"Usage: $0 queuename mailaddress groupname\n   Creates a queue, a new
group, and assigns standard permissions for the queue.\n";
    exit();
}

use lib qw(/opt/rt3/local/lib /opt/rt3/lib);

use RT;
use Date::Parse;
use Data::Dumper;

use RT::Interface::CLI qw(CleanEnv GetCurrentUser GetMessageContent loc);
use RT::Tickets;
use RT::Template;

#
# QUEUEGROUP is a placeholder for the group name specified on the
command-line
#
%Permissions = (

    'Everyone'  => ['CreateTicket'],
    'Requestor' => [ 'OwnTicket', 'ReplyToTicket', 'ShowTicket' ],

    'Owner'      => [ 'ReplyToTicket', 'ShowTicket' ],
    'QUEUEGROUP' => [
        'CommentOnTicket',    'CreateTicket',
        'ForwardMessage',     'ModifyTicket',
        'OwnTicket',          'ReplyToTicket',
        'SeeCustomField',     'SeeQueue',
        'ShowOutgoingEmail',  'ShowTicket',
        'ShowTicketComments', 'TakeTicket'
    ],

);

#Clean out all the nasties from the environment
CleanEnv();

# Load the config file
RT::LoadConfig();

#Connect to the database and get RT::SystemUser and RT::Nobody loaded
RT::Init();

print "\n\n\n";

my $CurrentUser = RT::SystemUser;

unless ( $CurrentUser->Id ) {
    print loc("No RT user found. Please consult your RT administrator.\n");
    exit(1);
}

my $group = RT::Group->new($RT::SystemUser);
$res = $group->LoadUserDefinedGroup($groupname);

if ( $res eq "Found Object" ) {
    print "Group $groupname already exists.\n";
}
else {
    print "Creating group $groupname\n";

    $groupid = $group->CreateUserDefinedGroup(
        Name        => $groupname,
        Description => "Users for $queuename queue",
    );
}

my $queue = RT::Queue->new($RT::SystemUser);
$res = $queue->Load($queuename);

if ( $res eq "" ) {

    print "Creating queue $queuename\n";

    my ($queueid) = $queue->Create(
        Name              => $queuename,
        Description       => "Auto-created Queue",
        CorrespondAddress => $email,
        CommentAddress    => $email,
    );

}
else {
    print "Loaded existing queue $queuename\n";
}

print "Seeding permissions for queue $queuename\n";

foreach $role ( keys %Permissions ) {
    print "------------------------\n";

    $realrole = $role;
    if ( $role eq "QUEUEGROUP" ) {
        $realrole = $group;
    }

    foreach $right ( @{ $Permissions{$role} } ) {
        print "Granting $right to $role\n";

        add_right( $queue, $realrole, $right );
    }
}

sub add_right {

    my ( $queueobject, $principal, $right ) = @_;

    unless ( ref $principal ) {
        if (   $principal eq "Everyone"
            || $principal eq "Privileged"
            || $principal eq "Unprivileged" )
        {
            $p         = $principal;
            $principal = RT::Group->new($RT::SystemUser);
            $principal->LoadSystemInternalGroup($p);

        }
        elsif ($principal eq "Owner"
            || $principal eq "Requestor"
            || $principal eq "AdminCc"
            || $principal eq "Cc" )
        {
            $p         = $principal;
            $principal = RT::Group->new($RT::SystemUser);
            $principal->LoadQueueRoleGroup(
                Queue => ( $queueobject->id ),
                Type  => $p
            );

        }
        else {
            die("Principal is not an object or a system group\n");
        }
    }

    unless ( $principal->isa('RT::Principal') ) {

        if ( $principal->can('PrincipalObj') ) {
            $principal = $principal->PrincipalObj;
        }

    }

    my ( $status, $msg ) =
      $principal->GrantRight( Object => $queueobject, Right => $right );

    $RT::Logger->debug($msg);
}

More information about the rt-users mailing list