Changeset 6843d14 for fedd/access_to_abac.py

Timestamp:

Aug 23, 2012 4:12:54 PM (12 years ago)

Author:

Ted Faber <faber@…>

Branches:

master

Children:

be1742d

Parents:

b90c44d (diff), d4946da (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge branch 'master' of tardis.deterlab.net:/var/local/git/fedd

File:

• fedd/access_to_abac.py (modified) (3 diffs)

fedd/access_to_abac.py

@@ -69 +69 @@
 # attributes mapping and the global one creates the access policy credentials.
 
-#  All the local parsing functions get 
-#    * the unparsed remainder of the line in l.  This is everything on the
-#       input line from the first comma after the -> to the end of the line.
-#    * the current list of credentials to be issued.  This is a list of
-#      credential objects assigned from this principal (me) to principals
-#      making requests.  They are derived from the three-name and delegation
-#      credentials.  This routine adds any credentials that will be mapped to
-#      local access control information to creds.
-#    * me is this princpal - the access controller
-#    * to_id is a dict that maps the local name access control information into
-#      a list of credentials that imply the principal should be mapped to them.
-#      For example, parse_emulab is assigning (project, user, cert, key) to
-#      principals.  The key of to_id is that tuple and it maps to a list of
-#      ABAC attributes.  If an access controller wants to see if a caller can
-#      use a 4-tuple of credentials, it tries to prove that the caller has one
-#      of those attributes.
-#    * p is the principal that assigned the project and group.  It is the name
-#       of an external experiment controller.
-#    * gp is the group asserted by the experiment controller
-#    * gu is the user asserted by the experiment controller
-#    * lr is the linking role used for delegation.  If present credentials
-#    should be created with it.  If it is None the credential construator will
-#    ignore it.  It is hard to go wrong just passing it to the credential
-#    constructor.
-#
-# These functions map an assertion of (testbed, project, user) into the
-# local parameters (local project, password, etc.) that triple gives the caller
-# the caller to.  These local parameters are parsed out of l.  Those
-# credentials are the keys to the to_id dict that will become the abac map.
-# The c = credential... and creds.add(c)  lines
-# in parse_emulab can be taken as boilerplate for creating ABAC credentials.
-# Each ABAC credential created by that boilerplate should be added to to_id,
-# keyed by the local credentials.
+#  All the local parsing functions get the unparsed remainder of the line
+#  (after the three-name and the attribute it maps to), the credential list to
+#  add the new ABAC credential(s) that will be mapped into the local
+#  credentials, the fedid of this entity, a dict mapping the local credentials
+#  to ABAC credentials that are required to exercise those local rights and the
+#  three-name (p, gp, gu) that is being mapped.
 def parse_emulab(l, creds, me, to_id, p, gp, gu, lr):
     '''
@@ -207 +180 @@
     else:
         raise parse_error("Badly formatted local mapping: %s" % l)
-
+def parse_starbed(l,creds,me, to_id,p,gp, gu, lr):
+        '''
+        Parse the starbed credientials
+        '''
+        right_side_str = '\s*,\s*\(\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*\)' % \
+                (id_str,id_str,id_str)
+        m = re.match(right_side_str,l)
+        if m:
+                user,passwd,project = m.group(1,2,3)
+                if gp and gu:
+                        a = 'project_%s_user_%s' % (gp, gu)
+                elif gp:
+                        a = 'project_%s' % gp
+                elif gu:
+                         a = 'user_%s' % gu
+                else:
+                        raise parse_error("No mapping for %s/%s!?" % (gp, gu))
+                c = credential(me, a, 
+                        [attribute(p, x, lr) for x in (gp, gu) if x is not None])
+                creds.add(c)
+                if (user,passwd,project) in to_id: to_id[(user,passwd,project)].append(c)
+                else: to_id[(user,passwd,project)] = [ c ]
+        else:
+                raise parse_error("Badly formatted local mapping: %s" % l)      
 # internal plug-ins have no local attributes.
 def parse_internal(l, creds, me, to_id, p, gp, gu, lr): pass
@@ -263 +259 @@
             'skel': parse_skel,
             'protogeni': parse_protogeni,
+            'starbed' : parse_starbed,
             }