fix(rm-policies-from-grps): Recreate built in grps before granting po…

…licies (#773)
uc-cdis · May 4, 2020 · 78fb020 · 78fb020
1 parent 56b48e4
commit 78fb020
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/fence/sync/sync_users.py b/fence/sync/sync_users.py
@@ -1349,8 +1349,16 @@ def _update_arborist(self, session, user_yaml):
             except ArboristError as e:
                 self.logger.info("couldn't put group: {}".format(str(e)))
 
-        # add policies for `anonymous` and `logged-in` groups
+        # Update policies for built-in (`anonymous` and `logged-in`) groups
 
+        # First recreate these groups in order to clear out old, possibly deleted policies
+        for builtin_group in ["anonymous", "logged-in"]:
+            try:
+                response = self.arborist_client.put_group(builtin_group)
+            except ArboristError as e:
+                self.logger.info("couldn't put group: {}".format(str(e)))
+
+        # Now add back policies that are in the user.yaml
         for policy in user_yaml.authz.get("anonymous_policies", []):
             self.arborist_client.grant_group_policy("anonymous", policy)