Changeset 0a49bd7 for fedd/federation/emulab_access.py

Timestamp:

Jan 15, 2011 5:52:15 PM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

aaf7f41

Parents:

ac15159 (diff), 944b746 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

git-author:

Ted Faber <faber@…> (01/15/11 17:51:40)

git-committer:

Ted Faber <faber@…> (01/15/11 17:52:15)

Message:

merge from current

File:

• fedd/federation/emulab_access.py (modified) (15 diffs)

fedd/federation/emulab_access.py

@@ -24 +24 @@
 from service_error import service_error
 from remote_service import xmlrpc_handler, soap_handler, service_caller
+from proof import proof as access_proof
 
 import httplib
@@ -254 +255 @@
                     'Bad mapping (unbalanced parens or more than 1 comma)')
 
-
     # RequestAccess support routines
 
@@ -384 +384 @@
         self.state_lock.acquire()
         self.allocation[aid] = { }
+        self.allocation[aid]['auth'] = set()
         try:
             pname = ap['project']['name']['localname']
@@ -480 +481 @@
 
         if self.auth_type == "legacy":
-            found, dyn, owners = self.legacy_lookup_access(req, fid)
+            found, dyn, owners= self.legacy_lookup_access(req, fid)
+            proof = access_proof("me", fid, "create")
         elif self.auth_type == 'abac':
-            found, dyn, owners = self.lookup_access(req, fid, filter=pf)
+            found, dyn, owners, proof = self.lookup_access(req, fid, filter=pf)
         else:
             raise service_error(service_error.internal, 
@@ -511 +513 @@
         for k, v in svc_state.items():
             self.allocation[aid][k] = v
+        self.append_allocation_authorization(aid, 
+                set([(o, allocID) for o in owners]), state_attr='allocation')
         self.write_state()
         self.state_lock.release()
-        # Give the owners the right to change this allocation
-        for o in owners:
-            self.auth.set_attribute(o, allocID)
-        self.auth.save()
         try:
             f = open("%s/%s.pem" % (self.certdir, aid), "w")
@@ -525 +525 @@
                     "Can't open %s/%s : %s" % (self.certdir, aid, e))
         resp = self.build_access_response({ 'fedid': allocID } ,
-                ap, services)
+                ap, services, proof)
         return resp
 
@@ -572 +572 @@
         self.log.debug("[access] deallocation requested for %s by %s" % \
                 (aid, fid))
-        if not self.auth.check_attribute(fid, auth_attr):
+        access_ok, proof = self.auth.check_attribute(fid, auth_attr, 
+                with_proof=True)
+        if not access_ok:
             self.log.debug("[access] deallocation denied for %s", aid)
             raise service_error(service_error.access, "Access Denied")
@@ -591 +593 @@
         if aid in self.allocation:
             self.log.debug("Found allocation for %s" %aid)
+            self.clear_allocation_authorization(aid, state_attr='allocation')
             for k in self.allocation[aid]['keys']:
                 kk = "%s:%s" % k
@@ -625 +628 @@
             self.log.debug("Removing %s" % cf)
             os.remove(cf)
-            return { 'allocID': req['allocID'] } 
+            return { 'allocID': req['allocID'], 'proof': proof.to_dict() } 
         else:
             self.state_lock.release()
@@ -998 +1001 @@
         return (ename, proj, user, pubkey_base, secretkey_base, alloc_log)
 
-    def finalize_experiment(self, starter, topo, aid, alloc_id):
+    def finalize_experiment(self, starter, topo, aid, alloc_id, proof):
         """
         Store key bits of experiment state in the global repository, including
@@ -1023 +1026 @@
                     'topdldescription': topo.clone().to_dict()
                     },
-                'embedding': embedding
+                'embedding': embedding,
+                'proof': proof.to_dict(),
                 }
         retval = copy.copy(self.allocation[aid]['started'])
@@ -1047 +1051 @@
         aid = "%s" % auth_attr
         attrs = req.get('fedAttr', [])
-        if not self.auth.check_attribute(fid, auth_attr):
+
+        access_ok, proof = self.auth.check_attribute(fid, auth_attr, 
+                with_proof=True)
+        if not access_ok:
             raise service_error(service_error.access, "Access denied")
         else:
@@ -1113 +1120 @@
 
         if rv:
-            return self.finalize_experiment(starter, topo, aid, req['allocID'])
+            return self.finalize_experiment(starter, topo, aid, req['allocID'],
+                    proof)
         elif err:
             raise service_error(service_error.federant,
@@ -1129 +1137 @@
         aid = "%s" % auth_attr
         attrs = req.get('fedAttr', [])
-        if not self.auth.check_attribute(fid, auth_attr):
+
+        access_ok, proof = self.auth.check_attribute(fid, auth_attr, 
+                with_proof=True)
+        if not access_ok:
             raise service_error(service_error.access, "Access denied")
 
@@ -1158 +1169 @@
                 debug=self.create_debug, boss=self.boss, cert=self.xmlrpc_cert)
         stopper(self, user, proj, ename)
-        return { 'allocID': req['allocID'] }
+        return { 'allocID': req['allocID'], 'proof': proof.to_dict() }