Context Navigation

source: fedd/federation/access.py @ 5d3f239

axis_examplecompt_changesinfo-opsversion-1.30version-2.00version-3.01version-3.02

Last change on this file since 5d3f239 was 5d3f239, checked in by Ted Faber <faber@…>, 15 years ago
change package name to avoid conflicts with fedd on install
Property mode set to `100644`
File size: 24.4 KB

Line
1	#!/usr/local/bin/python
2
3	import os,sys
4	import re
5	import string
6	import copy
7	import pickle
8	import logging
9
10	from threading import *
11
12	from util import *
13	from allocate_project import allocate_project_local, allocate_project_remote
14	from access_project import access_project
15	from fedid import fedid, generate_fedid
16	from authorizer import authorizer
17	from service_error import service_error
18	from remote_service import xmlrpc_handler, soap_handler, service_caller
19
20
21	# Make log messages disappear if noone configures a fedd logger
22	class nullHandler(logging.Handler):
23	def emit(self, record): pass
24
25	fl = logging.getLogger("fedd.access")
26	fl.addHandler(nullHandler())
27
28	class access:
29	"""
30	The implementation of access control based on mapping users to projects.
31
32	Users can be mapped to existing projects or have projects created
33	dynamically. This implements both direct requests and proxies.
34	"""
35
36	class parse_error(RuntimeError): pass
37
38	bool_attrs = ("project_priority", "allow_proxy")
39	emulab_attrs = ("boss", "ops", "domain", "fileserver", "eventserver")
40	id_attrs = ("testbed", "proxy",
41	"proxy_cert_file", "proxy_cert_pwd", "proxy_trusted_certs",
42	"project_allocation_uri", "project_allocation_cert_file",
43	"project_allocation_cert_pwd", "project_allocation_trusted_certs")
44	id_list_attrs = ("restricted",)
45
46	proxy_RequestAccess= service_caller('RequestAccess')
47	proxy_ReleaseAccess= service_caller('ReleaseAccess')
48
49	def __init__(self, config=None, auth=None):
50	"""
51	Initializer. Pulls parameters out of the ConfigParser's access section.
52	"""
53
54	# Make sure that the configuration is in place
55	if config:
56	if not config.has_section("access"):
57	config.add_section("access")
58	if not config.has_section("globals"):
59	config.add_section("globals")
60	else:
61	raise RunTimeError("No config to fedd.access")
62
63	# Create instance attributes from the static lists
64	for a in access.bool_attrs:
65	if config.has_option("access", a):
66	setattr(self, a, config.get("access", a))
67	else:
68	setattr(self, a, False)
69
70	for a in access.emulab_attrs + access.id_attrs:
71	if config.has_option("access", a):
72	setattr(self, a, config.get("access",a))
73	else:
74	setattr(self, a, None)
75
76	self.attrs = { }
77	self.access = { }
78	self.restricted = [ ]
79	self.fedid_category = { }
80	self.projects = { }
81	self.keys = { }
82	self.allocation = { }
83	self.state = {
84	'projects': self.projects,
85	'allocation' : self.allocation,
86	'keys' : self.keys
87	}
88	self.log = logging.getLogger("fedd.access")
89	set_log_level(config, "access", self.log)
90	self.state_lock = Lock()
91
92	if auth: self.auth = auth
93	else:
94	self.log.error(\
95	"[access]: No authorizer initialized, creating local one.")
96	auth = authorizer()
97
98	self.fedid_default = "testbed"
99	if config.has_option("access", "accessdb"):
100	self.read_access(config.get("access", "accessdb"))
101
102	self.state_filename = config.get("access", "access_state", "")
103	self.read_state()
104	# Certs are promoted from the generic to the specific, so without a
105	# specific proxy certificate, the main certificates are used for
106	# proxy interactions. If no dynamic project certificates, then
107	# proxy certs are used, and if none of those the main certs.
108
109	if config.has_option("globals", "proxy_cert_file"):
110	if not self.project_allocation_cert_file:
111	self.project_allocation_cert_file = \
112	config.get("globals", "proxy_cert_file")
113	if config.has_option("globals", "proxy_cert_pwd"):
114	self.project_allocation_cert_pwd = \
115	config.get("globals", "proxy_cert_pwd")
116
117	if config.has_option("globals", "proxy_trusted_certs"):
118	if not self.project_allocation_trusted_certs:
119	self.project_allocation_trusted_certs =\
120	config.get("globals", proxy_trusted_certs)
121
122	if config.has_option("globals", "cert_file"):
123	has_pwd = config.has_option("globals", "cert_pwd")
124	if not self.project_allocation_cert_file:
125	self.project_allocation_cert_file = \
126	config.get("globals", "cert_file")
127	if has_pwd:
128	self.project_allocation_cert_pwd = \
129	config.get("globals", "cert_pwd")
130	if not self.proxy_cert_file:
131	self.proxy_cert_file = config.get("globals", "cert_file")
132	if has_pwd:
133	self.proxy_cert_pwd = config.get("globals", "cert_pwd")
134
135	if config.get("globals", "trusted_certs"):
136	if not self.proxy_trusted_certs:
137	self.proxy_trusted_certs = \
138	config.get("globals", "trusted_certs")
139	if not self.project_allocation_trusted_certs:
140	self.project_allocation_trusted_certs = \
141	config.get("globals", "trusted_certs")
142
143	proj_certs = (self.project_allocation_cert_file,
144	self.project_allocation_trusted_certs,
145	self.project_allocation_cert_pwd)
146
147	self.soap_services = {\
148	'RequestAccess': soap_handler("RequestAccess", self.RequestAccess),
149	'ReleaseAccess': soap_handler("ReleaseAccess", self.ReleaseAccess),
150	}
151	self.xmlrpc_services = {\
152	'RequestAccess': xmlrpc_handler('RequestAccess',
153	self.RequestAccess),
154	'ReleaseAccess': xmlrpc_handler('ReleaseAccess',
155	self.ReleaseAccess),
156	}
157
158
159	if not config.has_option("allocate", "uri"):
160	self.allocate_project = \
161	allocate_project_local(config, auth)
162	else:
163	self.allocate_project = \
164	allocate_project_remote(config, auth)
165
166	# If the project allocator exports services, put them in this object's
167	# maps so that classes that instantiate this can call the services.
168	self.soap_services.update(self.allocate_project.soap_services)
169	self.xmlrpc_services.update(self.allocate_project.xmlrpc_services)
170
171
172	def read_access(self, config):
173	"""
174	Read a configuration file and set internal parameters.
175
176	The format is more complex than one might hope. The basic format is
177	attribute value pairs separated by colons(:) on a signle line. The
178	attributes in bool_attrs, emulab_attrs and id_attrs can all be set
179	directly using the name: value syntax. E.g.
180	boss: hostname
181	sets self.boss to hostname. In addition, there are access lines of the
182	form (tb, proj, user) -> (aproj, auser) that map the first tuple of
183	names to the second for access purposes. Names in the key (left side)
184	can include "<NONE> or <ANY>" to act as wildcards or to require the
185	fields to be empty. Similarly aproj or auser can be <SAME> or
186	<DYNAMIC> indicating that either the matching key is to be used or a
187	dynamic user or project will be created. These names can also be
188	federated IDs (fedid's) if prefixed with fedid:. Finally, the aproj
189	can be followed with a colon-separated list of node types to which that
190	project has access (or will have access if dynamic).
191	Testbed attributes outside the forms above can be given using the
192	format attribute: name value: value. The name is a single word and the
193	value continues to the end of the line. Empty lines and lines startin
194	with a # are ignored.
195
196	Parsing errors result in a self.parse_error exception being raised.
197	"""
198	lineno=0
199	name_expr = "["+string.ascii_letters + string.digits + "\.\-_]+"
200	fedid_expr = "fedid:[" + string.hexdigits + "]+"
201	key_name = "(<ANY>\|<NONE>\|"+fedid_expr + "\|"+ name_expr + ")"
202	access_proj = "(<DYNAMIC>(?::" + name_expr +")*\|"+ \
203	"<SAME>" + "(?::" + name_expr + ")*\|" + \
204	fedid_expr + "(?::" + name_expr + ")*\|" + \
205	name_expr + "(?::" + name_expr + ")*)"
206	access_name = "(<DYNAMIC>\|<SAME>\|" + fedid_expr + "\|"+ name_expr + ")"
207
208	restricted_re = re.compile("restricted:\s(.)", re.IGNORECASE)
209	attr_re = re.compile('attribute:\s([\._\-a-z0-9]+)\s+value:\s(.*)',
210	re.IGNORECASE)
211	access_re = re.compile('\('+key_name+'\s,\s'+key_name+'\s,\s'+
212	key_name+'\s\)\s->\s\('+access_proj + '\s,\s*' +
213	access_name + '\s,\s' + access_name + '\s*\)', re.IGNORECASE)
214
215	def parse_name(n):
216	if n.startswith('fedid:'): return fedid(hexstr=n[len('fedid:'):])
217	else: return n
218
219	def auth_name(n):
220	if isinstance(n, basestring):
221	if n =='<any>' or n =='<none>': return None
222	else: return unicode(n)
223	else:
224	return n
225
226	f = open(config, "r");
227	for line in f:
228	lineno += 1
229	line = line.strip();
230	if len(line) == 0 or line.startswith('#'):
231	continue
232
233	# Extended (attribute: x value: y) attribute line
234	m = attr_re.match(line)
235	if m != None:
236	attr, val = m.group(1,2)
237	self.attrs[attr] = val
238	continue
239
240	# Restricted entry
241	m = restricted_re.match(line)
242	if m != None:
243	val = m.group(1)
244	self.restricted.append(val)
245	continue
246
247	# Access line (t, p, u) -> (ap, cu, su) line
248	m = access_re.match(line)
249	if m != None:
250	access_key = tuple([ parse_name(x) for x in m.group(1,2,3)])
251	auth_key = tuple([ auth_name(x) for x in access_key])
252	aps = m.group(4).split(":");
253	if aps[0] == 'fedid:':
254	del aps[0]
255	aps[0] = fedid(hexstr=aps[0])
256
257	cu = parse_name(m.group(5))
258	su = parse_name(m.group(6))
259
260	access_val = (access_project(aps[0], aps[1:]),
261	parse_name(m.group(5)), parse_name(m.group(6)))
262
263	self.access[access_key] = access_val
264	self.auth.set_attribute(auth_key, "access")
265	continue
266
267	# Nothing matched to here: unknown line - raise exception
268	f.close()
269	raise self.parse_error("Unknown statement at line %d of %s" % \
270	(lineno, config))
271	f.close()
272
273
274	def dump_state(self):
275	"""
276	Dump the state read from a configuration file. Mostly for debugging.
277	"""
278	for a in access.bool_attrs:
279	print "%s: %s" % (a, getattr(self, a ))
280	for a in access.emulab_attrs + access.id_attrs:
281	print "%s: %s" % (a, getattr(self, a))
282	for k, v in self.attrs.iteritems():
283	print "%s %s" % (k, v)
284	print "Access DB:"
285	for k, v in self.access.iteritems():
286	print "%s %s" % (k, v)
287	print "Trust DB:"
288	for k, v in self.fedid_category.iteritems():
289	print "%s %s" % (k, v)
290	print "Restricted: %s" % str(',').join(sorted(self.restricted))
291
292	def get_users(self, obj):
293	"""
294	Return a list of the IDs of the users in dict
295	"""
296	if obj.has_key('user'):
297	return [ unpack_id(u['userID']) \
298	for u in obj['user'] if u.has_key('userID') ]
299	else:
300	return None
301
302	def write_state(self):
303	try:
304	f = open(self.state_filename, 'w')
305	pickle.dump(self.state, f)
306	except IOError, e:
307	self.log.error("Can't write file %s: %s" % \
308	(self.state_filename, e))
309	except pickle.PicklingError, e:
310	self.log.error("Pickling problem: %s" % e)
311	except TypeError, e:
312	self.log.error("Pickling problem (TypeError): %s" % e)
313
314
315	def read_state(self):
316	"""
317	Read a new copy of access state. Old state is overwritten.
318
319	State format is a simple pickling of the state dictionary.
320	"""
321	try:
322	f = open(self.state_filename, "r")
323	self.state = pickle.load(f)
324
325	self.allocation = self.state['allocation']
326	self.projects = self.state['projects']
327	self.keys = self.state['keys']
328
329	self.log.debug("[read_state]: Read state from %s" % \
330	self.state_filename)
331	except IOError, e:
332	self.log.warning("[read_state]: No saved state: Can't open %s: %s"\
333	% (self.state_filename, e))
334	except EOFError, e:
335	self.log.warning("[read_state]: Empty or damaged state file: %s:"\
336	% self.state_filename)
337	except pickle.UnpicklingError, e:
338	self.log.warning(("[read_state]: No saved state: " + \
339	"Unpickling failed: %s") % e)
340
341	# Add the ownership attributes to the authorizer. Note that the
342	# indices of the allocation dict are strings, but the attributes are
343	# fedids, so there is a conversion.
344	for k in self.allocation.keys():
345	for o in self.allocation[k].get('owners', []):
346	self.auth.set_attribute(o, fedid(hexstr=k))
347
348
349	def permute_wildcards(self, a, p):
350	"""Return a copy of a with various fields wildcarded.
351
352	The bits of p control the wildcards. A set bit is a wildcard
353	replacement with the lowest bit being user then project then testbed.
354	"""
355	if p & 1: user = ["<any>"]
356	else: user = a[2]
357	if p & 2: proj = "<any>"
358	else: proj = a[1]
359	if p & 4: tb = "<any>"
360	else: tb = a[0]
361
362	return (tb, proj, user)
363
364	def find_access(self, search):
365	"""
366	Search the access DB for a match on this tuple. Return the matching
367	access tuple and the user that matched.
368
369	NB, if the initial tuple fails to match we start inserting wildcards in
370	an order determined by self.project_priority. Try the list of users in
371	order (when wildcarded, there's only one user in the list).
372	"""
373	if self.project_priority: perm = (0, 1, 2, 3, 4, 5, 6, 7)
374	else: perm = (0, 2, 1, 3, 4, 6, 5, 7)
375
376	for p in perm:
377	s = self.permute_wildcards(search, p)
378	# s[2] is None on an anonymous, unwildcarded request
379	if s[2] != None:
380	for u in s[2]:
381	if self.access.has_key((s[0], s[1], u)):
382	return (self.access[(s[0], s[1], u)], u)
383	else:
384	if self.access.has_key(s):
385	return (self.access[s], None)
386	return None, None
387
388	def lookup_access(self, req, fid):
389	"""
390	Determine the allowed access for this request. Return the access and
391	which fields are dynamic.
392
393	The fedid is needed to construct the request
394	"""
395	# Search keys
396	tb = None
397	project = None
398	user = None
399	# Return values
400	rp = access_project(None, ())
401	ru = None
402
403	if req.has_key('project'):
404	p = req['project']
405	if p.has_key('name'):
406	project = unpack_id(p['name'])
407	user = self.get_users(p)
408	else:
409	user = self.get_users(req)
410
411	user_fedids = [ u for u in user if isinstance(u, fedid)]
412	# Determine how the caller is representing itself. If its fedid shows
413	# up as a project or a singleton user, let that stand. If neither the
414	# usernames nor the project name is a fedid, the caller is a testbed.
415	if project and isinstance(project, fedid):
416	if project == fid:
417	# The caller is the project (which is already in the tuple
418	# passed in to the authorizer)
419	owners = user_fedids
420	owners.append(project)
421	else:
422	raise service_error(service_error.req,
423	"Project asserting different fedid")
424	else:
425	if fid not in user_fedids:
426	tb = fid
427	owners = user_fedids
428	owners.append(fid)
429	else:
430	if len(fedids) > 1:
431	raise service_error(service_error.req,
432	"User asserting different fedid")
433	else:
434	# Which is a singleton
435	owners = user_fedids
436	# Confirm authorization
437	for u in user:
438	self.log.debug("[lookup_access] Checking access for %s" % \
439	((tb, project, u),))
440	if self.auth.check_attribute((tb, project, u), 'access'):
441	self.log.debug("[lookup_access] Access granted")
442	break
443	else:
444	self.log.debug("[lookup_access] Access Denied")
445	else:
446	raise service_error(service_error.access, "Access denied")
447
448	# This maps a valid user to the Emulab projects and users to use
449	found, user_match = self.find_access((tb, project, user))
450
451	if found == None:
452	raise service_error(service_error.access,
453	"Access denied - cannot map access")
454
455	# resolve <dynamic> and <same> in found
456	dyn_proj = False
457	dyn_create_user = False
458	dyn_service_user = False
459
460	if found[0].name == "<same>":
461	if project != None:
462	rp.name = project
463	else :
464	raise service_error(\
465	service_error.server_config,
466	"Project matched <same> when no project given")
467	elif found[0].name == "<dynamic>":
468	rp.name = None
469	dyn_proj = True
470	else:
471	rp.name = found[0].name
472	rp.node_types = found[0].node_types;
473
474	if found[1] == "<same>":
475	if user_match == "<any>":
476	if user != None: rcu = user[0]
477	else: raise service_error(\
478	service_error.server_config,
479	"Matched <same> on anonymous request")
480	else:
481	rcu = user_match
482	elif found[1] == "<dynamic>":
483	rcu = None
484	dyn_create_user = True
485
486	if found[2] == "<same>":
487	if user_match == "<any>":
488	if user != None: rsu = user[0]
489	else: raise service_error(\
490	service_error.server_config,
491	"Matched <same> on anonymous request")
492	else:
493	rsu = user_match
494	elif found[2] == "<dynamic>":
495	rsu = None
496	dyn_service_user = True
497
498	return (rp, rcu, rsu), (dyn_create_user, dyn_service_user, dyn_proj),\
499	owners
500
501	def build_response(self, alloc_id, ap):
502	"""
503	Create the SOAP response.
504
505	Build the dictionary description of the response and use
506	fedd_utils.pack_soap to create the soap message. ap is the allocate
507	project message returned from a remote project allocation (even if that
508	allocation was done locally).
509	"""
510	# Because alloc_id is already a fedd_services_types.IDType_Holder,
511	# there's no need to repack it
512	msg = {
513	'allocID': alloc_id,
514	'emulab': {
515	'domain': self.domain,
516	'boss': self.boss,
517	'ops': self.ops,
518	'fileServer': self.fileserver,
519	'eventServer': self.eventserver,
520	'project': ap['project']
521	},
522	}
523	if len(self.attrs) > 0:
524	msg['emulab']['fedAttr'] = \
525	[ { 'attribute': x, 'value' : y } \
526	for x,y in self.attrs.iteritems()]
527	return msg
528
529	def RequestAccess(self, req, fid):
530	"""
531	Handle the access request. Proxy if not for us.
532
533	Parse out the fields and make the allocations or rejections if for us,
534	otherwise, assuming we're willing to proxy, proxy the request out.
535	"""
536
537	# The dance to get into the request body
538	if req.has_key('RequestAccessRequestBody'):
539	req = req['RequestAccessRequestBody']
540	else:
541	raise service_error(service_error.req, "No request!?")
542
543	if req.has_key('destinationTestbed'):
544	dt = unpack_id(req['destinationTestbed'])
545
546	if dt == None or dt == self.testbed:
547	# Request for this fedd
548	found, dyn, owners = self.lookup_access(req, fid)
549	restricted = None
550	ap = None
551
552	# If this is a request to export a project and the access project
553	# is not the project to export, access denied.
554	if req.has_key('exportProject'):
555	ep = unpack_id(req['exportProject'])
556	if ep != found[0].name:
557	raise service_error(service_error.access,
558	"Cannot export %s" % ep)
559
560	# Check for access to restricted nodes
561	if req.has_key('resources') and req['resources'].has_key('node'):
562	resources = req['resources']
563	restricted = [ t for n in resources['node'] \
564	if n.has_key('hardware') \
565	for t in n['hardware'] \
566	if t in self.restricted ]
567	inaccessible = [ t for t in restricted \
568	if t not in found[0].node_types]
569	if len(inaccessible) > 0:
570	raise service_error(service_error.access,
571	"Access denied (nodetypes %s)" % \
572	str(', ').join(inaccessible))
573	# These collect the keys for the two roles into single sets, one
574	# for creation and one for service. The sets are a simple way to
575	# eliminate duplicates
576	create_ssh = set([ x['sshPubkey'] \
577	for x in req['createAccess'] \
578	if x.has_key('sshPubkey')])
579
580	service_ssh = set([ x['sshPubkey'] \
581	for x in req['serviceAccess'] \
582	if x.has_key('sshPubkey')])
583
584	if len(create_ssh) > 0 and len(service_ssh) >0:
585	if dyn[1]:
586	# Compose the dynamic project request
587	# (only dynamic, dynamic currently allowed)
588	preq = { 'AllocateProjectRequestBody': \
589	{ 'project' : {\
590	'user': [ \
591	{ \
592	'access': [ { 'sshPubkey': s } \
593	for s in service_ssh ],
594	'role': "serviceAccess",\
595	}, \
596	{ \
597	'access': [ { 'sshPubkey': s } \
598	for s in create_ssh ],
599	'role': "experimentCreation",\
600	}, \
601	], \
602	}\
603	}\
604	}
605	if restricted != None and len(restricted) > 0:
606	preq['AllocateProjectRequestBody']['resources'] = \
607	[ {'node': { 'hardware' : [ h ] } } \
608	for h in restricted ]
609	ap = self.allocate_project.dynamic_project(preq)
610	else:
611	preq = {'StaticProjectRequestBody' : \
612	{ 'project': \
613	{ 'name' : { 'localname' : found[0].name },\
614	'user' : [ \
615	{\
616	'userID': { 'localname' : found[1] }, \
617	'access': [ { 'sshPubkey': s }
618	for s in create_ssh ],
619	'role': 'experimentCreation'\
620	},\
621	{\
622	'userID': { 'localname' : found[2] }, \
623	'access': [ { 'sshPubkey': s }
624	for s in service_ssh ],
625	'role': 'serviceAccess'\
626	},\
627	]}\
628	}\
629	}
630	if restricted != None and len(restricted) > 0:
631	preq['StaticProjectRequestBody']['resources'] = \
632	[ {'node': { 'hardware' : [ h ] } } \
633	for h in restricted ]
634	ap = self.allocate_project.static_project(preq)
635	else:
636	raise service_error(service_error.req,
637	"SSH access parameters required")
638	# keep track of what's been added
639	allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
640	aid = unicode(allocID)
641
642	self.state_lock.acquire()
643	self.allocation[aid] = { }
644	if dyn[1]:
645	try:
646	pname = ap['project']['name']['localname']
647	except KeyError:
648	self.state_lock.release()
649	raise service_error(service_error.internal,
650	"Misformed allocation response?")
651	if self.projects.has_key(pname): self.projects[pname] += 1
652	else: self.projects[pname] = 1
653	self.allocation[aid]['project'] = pname
654
655	self.allocation[aid]['keys'] = [ ]
656
657	try:
658	for u in ap['project']['user']:
659	uname = u['userID']['localname']
660	for k in [ k['sshPubkey'] for k in u['access'] \
661	if k.has_key('sshPubkey') ]:
662	kv = "%s:%s" % (uname, k)
663	if self.keys.has_key(kv): self.keys[kv] += 1
664	else: self.keys[kv] = 1
665	self.allocation[aid]['keys'].append((uname, k))
666	except KeyError:
667	self.state_lock.release()
668	raise service_error(service_error.internal,
669	"Misformed allocation response?")
670
671	self.allocation[aid]['owners'] = owners
672	self.write_state()
673	self.state_lock.release()
674	for o in owners:
675	self.auth.set_attribute(o, allocID)
676	resp = self.build_response({ 'fedid': allocID } , ap)
677	return resp
678	else:
679	if self.allow_proxy:
680	resp = self.proxy_RequestAccess.call_service(dt, req,
681	self.proxy_cert_file, self.proxy_cert_pwd,
682	self.proxy_trusted_certs)
683	if resp.has_key('RequestAccessResponseBody'):
684	return resp['RequestAccessResponseBody']
685	else:
686	return None
687	else:
688	raise service_error(service_error.access,
689	"Access proxying denied")
690
691	def ReleaseAccess(self, req, fid):
692	# The dance to get into the request body
693	if req.has_key('ReleaseAccessRequestBody'):
694	req = req['ReleaseAccessRequestBody']
695	else:
696	raise service_error(service_error.req, "No request!?")
697
698	if req.has_key('destinationTestbed'):
699	dt = unpack_id(req['destinationTestbed'])
700	else:
701	dt = None
702
703	if dt == None or dt == self.testbed:
704	# Local request
705	try:
706	if req['allocID'].has_key('localname'):
707	auth_attr = aid = req['allocID']['localname']
708	elif req['allocID'].has_key('fedid'):
709	aid = unicode(req['allocID']['fedid'])
710	auth_attr = req['allocID']['fedid']
711	else:
712	raise service_error(service_error.req,
713	"Only localnames and fedids are understood")
714	except KeyError:
715	raise service_error(service_error.req, "Badly formed request")
716
717	if not self.auth.check_attribute(fid, auth_attr):
718	raise service_error(service_error.access, "Access Denied")
719
720	# If we know this allocation, reduce the reference counts and
721	# remove the local allocations. Otherwise report an error. If
722	# there is an allocation to delete, del_users will be a dictonary
723	# of sets where the key is the user that owns the keys in the set.
724	# We use a set to avoid duplicates. del_project is just the name
725	# of any dynamic project to delete. We're somewhat lazy about
726	# deleting authorization attributes. Having access to something
727	# that doesn't exist isn't harmful.
728	del_users = { }
729	del_project = None
730	if self.allocation.has_key(aid):
731	self.state_lock.acquire()
732	for k in self.allocation[aid]['keys']:
733	kk = "%s:%s" % k
734	self.keys[kk] -= 1
735	if self.keys[kk] == 0:
736	if not del_users.has_key(k[0]):
737	del_users[k[0]] = set()
738	del_users[k[0]].add(k[1])
739	del self.keys[kk]
740
741	if self.allocation[aid].has_key('project'):
742	pname = self.allocation[aid]['project']
743	self.projects[pname] -= 1
744	if self.projects[pname] == 0:
745	del_project = pname
746	del self.projects[pname]
747
748	del self.allocation[aid]
749	self.write_state()
750	self.state_lock.release()
751	# If we actually have resources to deallocate, prepare the call.
752	if del_project or del_users:
753	msg = { 'project': { }}
754	if del_project:
755	msg['project']['name']= {'localname': del_project}
756	users = [ ]
757	for u in del_users.keys():
758	users.append({ 'userID': { 'localname': u },\
759	'access' : \
760	[ {'sshPubkey' : s } for s in del_users[u]]\
761	})
762	if users:
763	msg['project']['user'] = users
764	if self.allocate_project.release_project:
765	msg = { 'ReleaseProjectRequestBody' : msg}
766	self.allocate_project.release_project(msg)
767	return { 'allocID': req['allocID'] }
768	else:
769	raise service_error(service_error.req, "No such allocation")
770
771	else:
772	if self.allow_proxy:
773	resp = self.proxy_ReleaseAccess.call_service(dt, req,
774	self.proxy_cert_file, self.proxy_cert_pwd,
775	self.proxy_trusted_certs)
776	if resp.has_key('ReleaseAccessResponseBody'):
777	return resp['ReleaseAccessResponseBody']
778	else:
779	return None
780	else:
781	raise service_error(service_error.access,
782	"Access proxying denied")
783
784

Note: See TracBrowser for help on using the repository browser.

Download in other formats: