1 | #!/usr/local/bin/python |
---|
2 | |
---|
3 | import sys |
---|
4 | |
---|
5 | import emulab_access |
---|
6 | import dragon_access |
---|
7 | import protogeni_access |
---|
8 | import deter_internal_access |
---|
9 | import skeleton_access |
---|
10 | |
---|
11 | from experiment_control import experiment_control_local |
---|
12 | from ns2topdl import ns2topdl_local |
---|
13 | from util import read_simple_accessdb |
---|
14 | from deter import fedid |
---|
15 | |
---|
16 | from authorizer import authorizer, abac_authorizer |
---|
17 | |
---|
18 | class deter_impl: |
---|
19 | """ |
---|
20 | The implementation of access control based on mapping users to projects. |
---|
21 | |
---|
22 | Users can be mapped to existing projects or have projects created |
---|
23 | dynamically. This implements both direct requests and proxies. |
---|
24 | """ |
---|
25 | # Used by the SOAP caller |
---|
26 | soap_namespaces = ('http://www.isi.edu/fedd.wsdl', |
---|
27 | 'http://www.isi.edu/fedd_internal.wsdl') |
---|
28 | |
---|
29 | def __init__(self, config=None): |
---|
30 | """ |
---|
31 | Initializer. Uses the parsed configuration to create appropriate |
---|
32 | components. |
---|
33 | """ |
---|
34 | self.soap_services = { } |
---|
35 | self.xmlrpc_services = { } |
---|
36 | self.auth = None |
---|
37 | |
---|
38 | if config: |
---|
39 | self.cert_file = config.get("globals", "cert_file"); |
---|
40 | self.cert_pwd = config.get("globals", "cert_pwd"); |
---|
41 | self.trusted_certs = config.get("globals", "trusted_certs"); |
---|
42 | self.access_type = config.get("globals", "access_type", "emulab") |
---|
43 | self.auth_type = config.get("globals", "auth_type", "legacy") |
---|
44 | |
---|
45 | for mp in config.get("globals", "module_path","").split(":"): |
---|
46 | sys.path.append(mp) |
---|
47 | |
---|
48 | if self.auth_type == 'legacy': |
---|
49 | self.auth = authorizer() |
---|
50 | elif self.auth_type == 'abac': |
---|
51 | auth_url = config.get('globals', 'auth_url') |
---|
52 | if not auth_url: |
---|
53 | raise RuntimeError("auth_url required for ABAC " + \ |
---|
54 | "authorization") |
---|
55 | if self.cert_file: |
---|
56 | me = fedid(file=self.cert_file) |
---|
57 | else: |
---|
58 | raise RuntimeError("ABAC authorization needs a " +\ |
---|
59 | "certificate file") |
---|
60 | self.auth= abac_authorizer(url=auth_url, |
---|
61 | cert_file=self.cert_file, cert_pwd=self.cert_pwd, |
---|
62 | trusted_certs=self.trusted_certs, me=me) |
---|
63 | else: |
---|
64 | raise RuntimeError("Unknown authorizer type %s" % \ |
---|
65 | self.auth_type) |
---|
66 | |
---|
67 | access_db = config.get("globals", "accessdb") |
---|
68 | |
---|
69 | if access_db: |
---|
70 | try: |
---|
71 | read_simple_accessdb(access_db, self.auth) |
---|
72 | except EnvironmentError, e: |
---|
73 | raise RuntimeError( |
---|
74 | "Error reading accessDB %s: %s" % (access_db, e)) |
---|
75 | except ValueError, e: |
---|
76 | raise RuntimeError("%s" % e) |
---|
77 | |
---|
78 | if config.has_section("access"): |
---|
79 | if self.access_type == "emulab": |
---|
80 | self.access = emulab_access.access(config, self.auth) |
---|
81 | elif self.access_type == "dragon": |
---|
82 | self.access = dragon_access.access(config, self.auth) |
---|
83 | elif self.access_type == "protogeni": |
---|
84 | self.access = protogeni_access.access(config, self.auth) |
---|
85 | elif self.access_type == "deter_internal": |
---|
86 | self.access = deter_internal_access.access(config, |
---|
87 | self.auth) |
---|
88 | elif self.access_type == "skel": |
---|
89 | self.access = skeleton_access.access(config, self.auth) |
---|
90 | else: |
---|
91 | try: |
---|
92 | exec 'from %s import access as plugin_access' \ |
---|
93 | % self.access_type |
---|
94 | self.access = plugin_access(config, self.auth) |
---|
95 | except ImportError, e: |
---|
96 | raise RuntimeError( |
---|
97 | "Unknown access_type: %s (import failed: %s)" \ |
---|
98 | % (self.access_type, e)) |
---|
99 | self.soap_services.update(self.access.soap_services) |
---|
100 | self.xmlrpc_services.update(self.access.xmlrpc_services) |
---|
101 | else: |
---|
102 | self.access = None |
---|
103 | |
---|
104 | if config.has_section("experiment_control"): |
---|
105 | self.experiment = \ |
---|
106 | experiment_control_local(config, self.auth) |
---|
107 | # Tell the experiment control where local access control is and |
---|
108 | # what testbeds it pertains to. |
---|
109 | if getattr(self, 'access', None): |
---|
110 | for t in self.access.testbed: |
---|
111 | self.experiment.local_access[t] = self.access |
---|
112 | |
---|
113 | self.soap_services.update(self.experiment.soap_services) |
---|
114 | self.xmlrpc_services.update(self.experiment.xmlrpc_services) |
---|
115 | self.get_handler = self.experiment.get_handler |
---|
116 | else: |
---|
117 | if self.access and getattr(self.access, 'get_handler', None): |
---|
118 | self.get_handler = self.access.get_handler |
---|
119 | else: |
---|
120 | self.get_handler = None |
---|
121 | |
---|
122 | if config.has_section("ns2topdl"): |
---|
123 | self.ns2topdl = ns2topdl_local(config, self.auth) |
---|
124 | self.soap_services.update(self.ns2topdl.soap_services) |
---|
125 | self.xmlrpc_services.update(self.ns2topdl.xmlrpc_services) |
---|
126 | |
---|
127 | def new_feddservice(config): |
---|
128 | return deter_impl(config) |
---|