[19cc408] | 1 | #!/usr/local/bin/python |
---|
| 2 | |
---|
[e2ff75d] | 3 | import sys |
---|
| 4 | |
---|
[3c6dbec] | 5 | import emulab_access |
---|
[23dec62] | 6 | import dragon_access |
---|
[9c2e4e1] | 7 | import protogeni_access |
---|
[175b444] | 8 | import deter_internal_access |
---|
[c261c0f] | 9 | import containers_access |
---|
[1819839] | 10 | import desktop_access |
---|
[7888aee] | 11 | import skeleton_access |
---|
[175b444] | 12 | |
---|
[ec4fb42] | 13 | from experiment_control import experiment_control_local |
---|
[5f6929a] | 14 | from ns2topdl import ns2topdl_local |
---|
[05191a6] | 15 | from util import read_simple_accessdb |
---|
[6bedbdba] | 16 | from deter import fedid |
---|
[19cc408] | 17 | |
---|
[73ded03] | 18 | from authorizer import authorizer, abac_authorizer |
---|
[3f6bc5f] | 19 | |
---|
[7454054] | 20 | class deter_impl: |
---|
[19cc408] | 21 | """ |
---|
| 22 | The implementation of access control based on mapping users to projects. |
---|
| 23 | |
---|
| 24 | Users can be mapped to existing projects or have projects created |
---|
| 25 | dynamically. This implements both direct requests and proxies. |
---|
| 26 | """ |
---|
| 27 | # Used by the SOAP caller |
---|
[e77c86e] | 28 | soap_namespaces = ('http://www.isi.edu/fedd.wsdl', |
---|
| 29 | 'http://www.isi.edu/fedd_internal.wsdl') |
---|
[19cc408] | 30 | |
---|
[72ed6e4] | 31 | def __init__(self, config=None): |
---|
[19cc408] | 32 | """ |
---|
[ec4fb42] | 33 | Initializer. Uses the parsed configuration to create appropriate |
---|
| 34 | components. |
---|
[19cc408] | 35 | """ |
---|
[72ed6e4] | 36 | self.soap_services = { } |
---|
| 37 | self.xmlrpc_services = { } |
---|
[73ded03] | 38 | self.auth = None |
---|
[72ed6e4] | 39 | |
---|
| 40 | if config: |
---|
| 41 | self.cert_file = config.get("globals", "cert_file"); |
---|
| 42 | self.cert_pwd = config.get("globals", "cert_pwd"); |
---|
| 43 | self.trusted_certs = config.get("globals", "trusted_certs"); |
---|
[3c6dbec] | 44 | self.access_type = config.get("globals", "access_type", "emulab") |
---|
[73ded03] | 45 | self.auth_type = config.get("globals", "auth_type", "legacy") |
---|
| 46 | |
---|
[e2ff75d] | 47 | for mp in config.get("globals", "module_path","").split(":"): |
---|
| 48 | sys.path.append(mp) |
---|
| 49 | |
---|
[73ded03] | 50 | if self.auth_type == 'legacy': |
---|
| 51 | self.auth = authorizer() |
---|
| 52 | elif self.auth_type == 'abac': |
---|
| 53 | auth_url = config.get('globals', 'auth_url') |
---|
| 54 | if not auth_url: |
---|
| 55 | raise RuntimeError("auth_url required for ABAC " + \ |
---|
| 56 | "authorization") |
---|
| 57 | if self.cert_file: |
---|
| 58 | me = fedid(file=self.cert_file) |
---|
| 59 | else: |
---|
| 60 | raise RuntimeError("ABAC authorization needs a " +\ |
---|
| 61 | "certificate file") |
---|
| 62 | self.auth= abac_authorizer(url=auth_url, |
---|
| 63 | cert_file=self.cert_file, cert_pwd=self.cert_pwd, |
---|
| 64 | trusted_certs=self.trusted_certs, me=me) |
---|
| 65 | else: |
---|
| 66 | raise RuntimeError("Unknown authorizer type %s" % \ |
---|
| 67 | self.auth_type) |
---|
[72ed6e4] | 68 | |
---|
[05191a6] | 69 | access_db = config.get("globals", "accessdb") |
---|
| 70 | |
---|
| 71 | if access_db: |
---|
| 72 | try: |
---|
| 73 | read_simple_accessdb(access_db, self.auth) |
---|
[d3c8759] | 74 | except EnvironmentError, e: |
---|
[0b4e272] | 75 | raise RuntimeError( |
---|
[05191a6] | 76 | "Error reading accessDB %s: %s" % (access_db, e)) |
---|
[cc8d8e9] | 77 | except ValueError, e: |
---|
[0b4e272] | 78 | raise RuntimeError("%s" % e) |
---|
[05191a6] | 79 | |
---|
[72ed6e4] | 80 | if config.has_section("access"): |
---|
[3c6dbec] | 81 | if self.access_type == "emulab": |
---|
| 82 | self.access = emulab_access.access(config, self.auth) |
---|
[23dec62] | 83 | elif self.access_type == "dragon": |
---|
| 84 | self.access = dragon_access.access(config, self.auth) |
---|
[9c2e4e1] | 85 | elif self.access_type == "protogeni": |
---|
| 86 | self.access = protogeni_access.access(config, self.auth) |
---|
[175b444] | 87 | elif self.access_type == "deter_internal": |
---|
| 88 | self.access = deter_internal_access.access(config, |
---|
| 89 | self.auth) |
---|
[c261c0f] | 90 | elif self.access_type == "containers": |
---|
| 91 | self.access = containers_access.access(config, self.auth) |
---|
[1819839] | 92 | elif self.access_type == "desktop": |
---|
| 93 | self.access = desktop_access.access(config, self.auth) |
---|
[7888aee] | 94 | elif self.access_type == "skel": |
---|
| 95 | self.access = skeleton_access.access(config, self.auth) |
---|
[3c6dbec] | 96 | else: |
---|
[e2ff75d] | 97 | try: |
---|
| 98 | exec 'from %s import access as plugin_access' \ |
---|
| 99 | % self.access_type |
---|
| 100 | self.access = plugin_access(config, self.auth) |
---|
| 101 | except ImportError, e: |
---|
| 102 | raise RuntimeError( |
---|
| 103 | "Unknown access_type: %s (import failed: %s)" \ |
---|
| 104 | % (self.access_type, e)) |
---|
[72ed6e4] | 105 | self.soap_services.update(self.access.soap_services) |
---|
| 106 | self.xmlrpc_services.update(self.access.xmlrpc_services) |
---|
[09b4dc4] | 107 | else: |
---|
| 108 | self.access = None |
---|
[72ed6e4] | 109 | |
---|
| 110 | if config.has_section("experiment_control"): |
---|
[3f6bc5f] | 111 | self.experiment = \ |
---|
[ec4fb42] | 112 | experiment_control_local(config, self.auth) |
---|
[5fffd82] | 113 | # Tell the experiment control where local access control is and |
---|
[5a6b75b] | 114 | # what testbeds it pertains to. |
---|
[c9318dc] | 115 | if getattr(self, 'access', None): |
---|
[5a6b75b] | 116 | for t in self.access.testbed: |
---|
| 117 | self.experiment.local_access[t] = self.access |
---|
[5fffd82] | 118 | |
---|
[72ed6e4] | 119 | self.soap_services.update(self.experiment.soap_services) |
---|
| 120 | self.xmlrpc_services.update(self.experiment.xmlrpc_services) |
---|
[81a7f3f] | 121 | self.get_handler = self.experiment.get_handler |
---|
| 122 | else: |
---|
[39ee3cc] | 123 | if self.access and getattr(self.access, 'get_handler', None): |
---|
[dac2316] | 124 | self.get_handler = self.access.get_handler |
---|
| 125 | else: |
---|
| 126 | self.get_handler = None |
---|
[72ed6e4] | 127 | |
---|
[5f6929a] | 128 | if config.has_section("ns2topdl"): |
---|
| 129 | self.ns2topdl = ns2topdl_local(config, self.auth) |
---|
| 130 | self.soap_services.update(self.ns2topdl.soap_services) |
---|
| 131 | self.xmlrpc_services.update(self.ns2topdl.xmlrpc_services) |
---|
[f4f4117] | 132 | |
---|
[72ed6e4] | 133 | def new_feddservice(config): |
---|
[7454054] | 134 | return deter_impl(config) |
---|