Changeset dee164e

Timestamp:

Nov 30, 2010 7:20:16 PM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

c324ad3

Parents:

4692a16

Message:

Looks like internal works now.

Had to add default entries to the access list to accomodate that, and discovered that ABAC requires strings - not unicode.

Moved lookup_access into the aceess class as most should be able to use it directly now.

Location:

fedd/federation

Files:

• access.py (modified) (3 diffs)
• authorizer.py (modified) (5 diffs)
• deter_internal_access.py (modified) (7 diffs)
• emulab_access.py (modified) (1 diff)
• experiment_control.py (modified) (2 diffs)

fedd/federation/access.py

@@ -132 +132 @@
 
 
-    def read_access(self, fn, access_obj=None):
+    def read_access(self, fn, access_obj=None, default=[]):
         """
         Read an access DB of the form
@@ -188 +188 @@
             if a.attr in priorities:
                 a.priority = priorities[a.attr]
+
+        # default access mappings
+        for a, v in default:
+            self.access.append(
+                    access_base.access_attribute(attr=a, value=v, pri=0))
+
+
 
     def write_state(self):
@@ -226 +233 @@
                 self.log.warning(("[read_state]: No saved state: " + \
                         "Unpickling failed: %s") % e)
+
+    def lookup_access(self, req, fid, filter=None, compare=None): 
+        """
+        Check all the attributes that this controller knows how to map and see
+        if the requester is allowed to use any of them.  If so return one.
+        Filter defined the objects to check - it's a function that returns true
+        for the objects to check - and cmp defines the order to check them in
+        as the cmp field of sorted().  If filter is None, all possibilities are
+        checked.  If cmp is None, the choices are sorted by priority.
+        """
+
+        # Import request credentials into this (clone later??)
+        if self.auth.import_credentials(
+                data_list=req.get('abac_credential', [])):
+            self.auth.save()
+
+        # NB: in the default case (the else), the comparison order is reversed
+        # so numerically larger priorities are checked first.
+        if compare: c = compare
+        else: c = lambda(a, b): cmp(b,a)
+
+        if filter: f = filter
+        else: f = lambda(x): True
+
+        check = sorted([ a for a in self.access if f(a)], cmp=c)
+
+        # Check every attribute that we know how to map and take the first
+        # success.
+        for attr in check:
+            if self.auth.check_attribute(fid, attr.attr):
+                self.log.debug("Access succeeded for %s %s" % (attr.attr, fid))
+                # XXX: needs to deal with dynamics
+                return copy.copy(attr.value), (False, False, False), \
+                        [ fid ]
+            else:
+                self.log.debug("Access failed for %s %s" % (attr.attr, fid))
+        else:
+            raise service_error(service_error.access, "Access denied")
+
 
 

fedd/federation/authorizer.py

@@ -6 +6 @@
 from threading import Lock
 
-from string import join
+from string import join, hexdigits
 
 from fedid import fedid
@@ -240 +240 @@
         return abac_authorizer.clean_attr_re.sub('_', attr)
 
+
     def import_credentials(self, file_list=None, data_list=None):
         if data_list:
@@ -272 +273 @@
             if not isinstance(attr, basestring):
                 attr = "%s" % attr
+
             if self.me and self.key:
                 # Create a credential and insert it into context
@@ -338 +340 @@
         self.lock.release()
 
+    @staticmethod
+    def starts_with_fedid(attr):
+        """
+        Return true if the first 40 characters of the string are hex digits
+        followed by a dot.  False otherwise.  Used in check_attribute.
+        """
+        if attr.find('.') == 40:
+            return all([ x in hexdigits for x in attr[0:40]])
+        else:
+            return False
+
 
     def check_attribute(self, name, attr):
@@ -348 +361 @@
             if not isinstance(attr, basestring):
                 attr = "%s" % attr
-            # Naked attributes are attested by this principal
-            if attr.find('.') == -1: 
-                a = "%s.%s" % (self.fedid, self.clean_attr(attr))
-            else: 
+            # Attributes that start with a fedid only have the part of the
+            # attribute after the dot cleaned.  Others are completely cleaned
+            # and have the owner fedid attached.
+            if self.starts_with_fedid(attr):
                 r, a = attr.split('.',1)
                 a = "%s.%s" % ( r, self.clean_attr(a))
+            else: 
+                a = "%s.%s" % (self.fedid, self.clean_attr(attr))
+
+            a = str(a)
+            n = str("%s" % name)
 
             self.lock.acquire()
-            rv, proof = self.context.query(a, "%s" % name)
+            # Sigh. Unicode vs swig and swig seems to lose.  Make sure
+            # everything we pass into ABAC is a str not a unicode.
+            rv, proof = self.context.query(a, n)
             # XXX delete soon
             if not rv and attr in self.globals: rv = True

fedd/federation/deter_internal_access.py

@@ -15 +15 @@
 from allocate_project import allocate_project_local, allocate_project_remote
 from fedid import fedid, generate_fedid
-from authorizer import authorizer
+from authorizer import authorizer, abac_authorizer
 from service_error import service_error
 from remote_service import xmlrpc_handler, soap_handler, service_caller
@@ -29 +29 @@
 
 from access import access_base
+from legacy_access import legacy_access
 
 # Make log messages disappear if noone configures a fedd logger
@@ -37 +38 @@
 fl.addHandler(nullHandler())
 
-class access(access_base):
+class access(access_base, legacy_access):
     @staticmethod
     def parse_vlans(v, log=None):
@@ -81 +82 @@
         set_log_level(config, "access", self.log)
 
-        if config.has_option("access", "accessdb"):
-            self.read_access(config.get("access", "accessdb"))
-
-        # Add the ownership attributes to the authorizer.  Note that the
-        # indices of the allocation dict are strings, but the attributes are
-        # fedids, so there is a conversion.
-        self.state_lock.acquire()
-        for k in self.state.keys():
-            for o in self.state[k].get('owners', []):
-                self.auth.set_attribute(o, fedid(hexstr=k))
-            self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
-            # If the allocation has a vlan assigned, remove it from the
-            # available vlans
-            v = self.state[k].get('vlan', None)
-            if v:
-                self.vlans.discard(v)
-        self.state_lock.release()
-
-        self.lookup_access = self.lookup_access_base
+
+        # authorization information
+        self.auth_type = config.get('access', 'auth_type') \
+                or 'legacy'
+        self.auth_dir = config.get('access', 'auth_dir')
+        accessdb = config.get("access", "accessdb")
+        # initialize the authorization system
+        if self.auth_type == 'legacy':
+            self.access = { }
+            if accessdb:
+                self.legacy_read_access(accessdb)
+        elif self.auth_type == 'abac':
+            self.auth = abac_authorizer(load=self.auth_dir)
+            self.access = [ ]
+            if accessdb:
+                self.read_access(accessdb, default=[('access', None)])
+        else:
+            raise service_error(service_error.internal, 
+                    "Unknown auth_type: %s" % self.auth_type)
+
+        if self.auth_type == 'legacy':
+            # Add the ownership attributes to the authorizer.  Note that the
+            # indices of the allocation dict are strings, but the attributes are
+            # fedids, so there is a conversion.
+            self.state_lock.acquire()
+            for k in self.state.keys():
+                for o in self.state[k].get('owners', []):
+                    self.auth.set_attribute(o, fedid(hexstr=k))
+                self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
+                # If the allocation has a vlan assigned, remove it from the
+                # available vlans
+                v = self.state[k].get('vlan', None)
+                if v:
+                    self.vlans.discard(v)
+            self.state_lock.release()
+
+            self.lookup_access = self.legacy_lookup_access_base
+        # under ABAC we use access.lookup_access
+
 
         self.call_GetValue= service_caller('GetValue')
@@ -135 +156 @@
             raise service_error(service_error.req, "No request!?")
 
-        found, match = self.lookup_access(req, fid)
+        found, match, owners = self.lookup_access(req, fid)
         # keep track of what's been added
         allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
@@ -143 +164 @@
         self.state[aid] = { }
         self.state[aid]['user'] = found
-        self.state[aid]['owners'] = [ fid ]
+        self.state[aid]['owners'] = owners
         self.state[aid]['vlan'] = None
         self.write_state()
@@ -149 +170 @@
         self.auth.set_attribute(fid, allocID)
         self.auth.set_attribute(allocID, allocID)
+        self.auth.save()
 
         try:

fedd/federation/emulab_access.py

@@ -328 +328 @@
                 [ fid ]
 
-    def lookup_access(self, req, fid, filter=None, compare=None): 
-        """
-        Check all the attributes that this controller knows how to map and see
-        if the requester is allowed to use any of them.  If so return one.
-        Filter defined the objects to check - it's a function that returns true
-        for the objects to check - and cmp defines the order to check them in
-        as the cmp field of sorted().  If filter is None, all possibilities are
-        checked.  If cmp is None, the choices are sorted by priority.
-        """
-
-        # Import request credentials into this (clone later??)
-        if self.auth.import_credentials(
-                data_list=req.get('abac_credential', [])):
-            self.auth.save()
-
-        # NB: in the default case (the else), the comparison order is reversed
-        # so numerically larger priorities are checked first.
-        if compare: c = compare
-        else: c = lambda(a, b): cmp(b,a)
-
-        if filter: f = filter
-        else: f = lambda(x): True
-
-        check = sorted([ a for a in self.access if f(a)], cmp=c)
-
-        # Check every attribute that we know how to map and take the first
-        # success.
-        for attr in check:
-            if self.auth.check_attribute(fid, attr.attr):
-                self.log.debug("Access succeeded for %s %s" % (attr.attr, fid))
-                # XXX: needs to deal with dynamics
-                return copy.copy(attr.value), (False, False, False), \
-                        [ fid ]
-            else:
-                self.log.debug("Access failed for %s %s" % (attr.attr, fid))
-        else:
-            raise service_error(service_error.access, "Access denied")
-
-
     def do_project_allocation(self, dyn, project, user):
         """

fedd/federation/experiment_control.py

@@ -1999 +1999 @@
             for tb in [ t for t in topo if t not in allocated]:
                 #XXX: ABAC
-                self.get_access(tb, None, tbparams, access_user, masters, tbmap)
+                if self.auth_type =='legacy':
+                    self.get_access(tb, None, tbparams, access_user, 
+                            masters, tbmap)
+                elif self.auth_type == 'abac':
+                    self.get_abac_access(tb, tbparams, fid, masters, tbmap, 
+                            expid, expcert_file)
+                else:
+                    raise service_error(service_error.internal, 
+                            "Unknown auth_type %s" % self.auth_type)
                 allocated[tb] = 1
                 store_keys = topo[tb].get_attribute('store_keys')
@@ -2044 +2052 @@
             if self.state_filename: self.write_state()
             self.state_lock.release()
+            if tmpdir and self.cleanup:
+                self.remove_dirs(tmpdir)
             raise e