Changeset 05191a6 for fedd/fedd/allocate_project.py

Timestamp:

Dec 1, 2008 3:07:40 PM (15 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master, version-1.30, version-2.00, version-3.01, version-3.02

Children:

f816079

Parents:

f069052

Message:

All services use authorizer. Global authorization file, shared routine to read simple authorization files. Fixes some more partial state errors in experiment_control.

File:

• fedd/fedd/allocate_project.py (modified) (12 diffs)

fedd/fedd/allocate_project.py

@@ -48 +48 @@
         """
 
-        self.debug = config.get("access", "debug_project", False)
-        self.wap = config.get('access', 'wap', '/usr/testbed/sbin/wap')
-        self.newproj = config.get('access', 'newproj',
+        self.debug = config.get("allocate", "debug", False)
+        self.wap = config.get('allocate', 'wap', '/usr/testbed/sbin/wap')
+        self.newproj = config.get('allocate', 'newproj',
                 '/usr/testbed/sbin/newproj')
-        self.mkproj = config.get('access', 'mkproj', '/usr/testbed/sbin/mkproj')
-        self.rmproj = config.get('access', 'rmproj', '/usr/testbed/sbin/rmproj')
-        self.addpubkey = config.get('access', 'addpubkey', 
+        self.mkproj = config.get('allocate', 'mkproj', 
+                '/usr/testbed/sbin/mkproj')
+        self.rmproj = config.get('allocate', 'rmproj',
+                '/usr/testbed/sbin/rmproj')
+        self.addpubkey = config.get('allocate', 'addpubkey', 
                 '/usr/testbed/sbin/taddpubkey')
-        self.grantnodetype = config.get('access', 'grantnodetype', 
+        self.grantnodetype = config.get('allocate', 'grantnodetype', 
                 '/usr/testbed/sbin/grantnodetype')
-        self.confirmkey = config.get('access', 'confirmkey', 
+        self.confirmkey = config.get('allocate', 'confirmkey', 
                 '/usr/testbed/sbin/taddpubkey')
-        self.allocation_level = config.get("access", "allocation_level", "none")
+        self.allocation_level = config.get("allocate", "allocation_level", 
+                "none")
         self.log = logging.getLogger("fedd.allocate.local")
+        set_log_level(config, "allocate", self.log)
+
+        if auth:
+            self.auth = auth
+        else:
+            auth = authorizer()
+            log.warn("[allocate] No authorizer passed in, using local one")
 
         try:
@@ -71 +81 @@
             self.allocation_level = self.none
 
-
-        set_log_level(config, "access", self.log)
-        fixed_key_db = config.get("access", "fixed_keys", None)
-        fixed_project_db = config.get("access", "fixed_projects", None)
+        access_db = config.get("allocate", "accessdb")
+        if access_db:
+            try:
+                read_simple_accessdb(access_db, self.auth, 'allocate')
+            except IOError, e:
+                raise service_error(service_error.internal,
+                        "Error reading accessDB %s: %s" % (access_db, e))
+            except ValueError:
+                raise service_error(service_error.internal, "%s" % e)
+
+
+        fixed_key_db = config.get("allocate", "fixed_keys", None)
+        fixed_project_db = config.get("allocate", "fixed_projects", None)
         self.fixed_keys = set()
         self.fixed_projects = set()
@@ -129 +148 @@
         Req includes the project and resources as a dictionary
         """
+
+        # Internal calls do not have a fedid parameter (i.e., local calls on
+        # behalf of already vetted fedids)
+        if fedid and not self.auth.check_attribute(fedid, "allocate"):
+            self.log.debug("[allocate] Access denied (%s)" % fedid)
+            raise service_error(service_error.access, "Access Denied")
 
         if self.allocation_level < self.dynamic_projects:
@@ -256 +281 @@
         cmds =  []
 
+        # Internal calls do not have a fedid parameter (i.e., local calls on
+        # behalf of already vetted fedids)
+        if fedid and not self.auth.check_attribute(fedid, "allocate"):
+            self.log.debug("[allocate] Access denied (%s)" % fedid)
+            raise service_error(service_error.access, "Access Denied")
         # While we should be more careful about this, for the short term, add
         # the keys to the specified users.
@@ -321 +351 @@
         similar protections for projects.
         """
+        # Internal calls do not have a fedid parameter (i.e., local calls on
+        # behalf of already vetted fedids)
+        if fedid and not self.auth.check_attribute(fedid, "allocate"):
+            self.log.debug("[allocate] Access denied (%s)" % fedid)
+            raise service_error(service_error.access, "Access Denied")
 
         cmds = []
@@ -380 +415 @@
         """
 
-        def __init__(self, url, cert_file, cert_pwd, trusted_certs, method):
+        def __init__(self, url, cert_file, cert_pwd, trusted_certs, auth, 
+                method):
             service_caller.__init__(self, method)
             self.url = url
@@ -386 +422 @@
             self.cert_pwd = cert_pwd
             self.trusted_certs = trusted_certs
-            self.resp_name = resp_name
+            self.request_body__name = "%sRequestBody" % method
+            self.resp_name = "%sResponseBody" % method
+            self.auth = auth
             # Calling the proxy object directly invokes the proxy_call method,
             # not the service_call method.
@@ -394 +432 @@
         # Define the proxy, NB, the parameters to make_proxy are visible to the
         # definition of proxy.
-        def proxy_call(self, req, fedid=None):
+        def proxy_call(self, req, fid=None):
             """
             Send req on to a remote project instantiator.
@@ -405 +443 @@
                 req = req[self.request_body_name]
             else:
+                print "request error"
                 raise service_error(service_error.req, "Bad formated request");
 
@@ -412 +451 @@
                 return r[self.resp_name]
             else:
+                print "response error"
                 raise service_error(service_error.protocol, 
                         "Bad proxy response")
@@ -421 +461 @@
         """
 
-        self.debug = config.get("access", "debug_project", False)
-        self.url = config.get("access", "project_allocation_uri", "")
-
-        self.cert_file = config.get("access", "cert_file", None)
-        self.cert_pwd = config.get("access", "cert_pwd", None)
-        self.trusted_certs = config.get("access", "trusted_certs", None)
+        self.debug = config.get("allocate", "debug", False)
+        self.url = config.get("allocate", "uri", "")
+
+        self.cert_file = config.get("allocate", "cert_file", None)
+        self.cert_pwd = config.get("allocate", "cert_pwd", None)
+        self.trusted_certs = config.get("allocate", "trusted_certs", None)
 
         # Certs are promoted from the generic to the specific, so without a if
@@ -457 +497 @@
         self.xmlrpc_services = { }
         self.log = logging.getLogger("fedd.allocate.remote")
-        set_log_level(config, "access", self.log)
+        set_log_level(config, "allocate", self.log)
+
+        if auth:
+            self.auth = auth
+        else:
+            auth = authorizer()
+            log.warn("[allocate] No authorizer passed in, using local one")
 
         # The specializations of the proxy functions
         self.dynamic_project = self.proxy(self.url, self.cert_file, 
-                self.cert_pwd, self.trusted_certs, "AllocateProject")
+                self.cert_pwd, self.trusted_certs, self.auth, 
+                "AllocateProject")
         self.static_project = self.proxy(self.url, self.cert_file, 
-                self.cert_pwd, self.trusted_certs, "StaticProject")
+                self.cert_pwd, self.trusted_certs, self.auth, 
+                "StaticProject")
         self.release_project = self.proxy(self.url, self.cert_file,
-                self.cert_pwd, self.trusted_certs, "ReleaseProject")
-
+                self.cert_pwd, self.trusted_certs, self.auth, 
+                "ReleaseProject")
+