Changeset 0a49bd7 for fedd/federation/skeleton_access.py
- Timestamp:
- Jan 15, 2011 5:52:15 PM (13 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- aaf7f41
- Parents:
- ac15159 (diff), 944b746 (diff)
Note: this is a merge changeset; the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
- git-author:
- Ted Faber <faber@…> (01/15/11 17:51:40)
- git-committer:
- Ted Faber <faber@…> (01/15/11 17:52:15)
- File:
-
- 1 edited
fedd/federation/skeleton_access.py
rac15159 r0a49bd7 163 163 } 164 164 165 def RequestAccess(self, req, fid): 166 """ 167 Handle an access request. Success here maps the requester into the 168 local access control space and establishes state about that user keyed 169 to a fedid. We also save a copy of the certificate underlying that 170 fedid so this allocation can access configuration information and 171 shared parameters on the experiment controller. 172 """ 173 174 # The dance to get into the request body 175 if req.has_key('RequestAccessRequestBody'): 176 req = req['RequestAccessRequestBody'] 177 else: 178 raise service_error(service_error.req, "No request!?") 179 180 # Base class lookup routine. If this fails, it throws a service 181 # exception denying access that triggers a fault response back to the 182 # caller. 183 found, match, owners = self.lookup_access(req, fid) 184 self.log.info( 185 "[RequestAccess] Access granted to %s with local creds %s" % \ 186 (match, found)) 187 # Make a fedid for this allocation 188 allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log) 189 aid = unicode(allocID) 190 191 # Store the data about this allocation: 192 self.state_lock.acquire() 193 self.state[aid] = { } 194 self.state[aid]['user'] = found 195 self.state[aid]['owners'] = owners 196 self.write_state() 197 self.state_lock.release() 198 # Authorize the creating fedid and the principal representing the 199 # allocation to manipulate it. 200 self.auth.set_attribute(fid, allocID) 201 self.auth.set_attribute(allocID, allocID) 202 self.auth.save() 203 204 # Create a directory to stash the certificate in, ans stash it. 
205 try: 206 f = open("%s/%s.pem" % (self.certdir, aid), "w") 207 print >>f, alloc_cert 208 f.close() 209 except EnvironmentError, e: 210 raise service_error(service_error.internal, 211 "Can't open %s/%s : %s" % (self.certdir, aid, e)) 212 self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID) 213 return { 'allocID': { 'fedid': allocID } } 214 215 def ReleaseAccess(self, req, fid): 216 """ 217 Release the allocation granted earlier. Access to the allocation is 218 checked and if valid, the state and cached certificate are destroyed. 219 """ 220 # The dance to get into the request body 221 if req.has_key('ReleaseAccessRequestBody'): 222 req = req['ReleaseAccessRequestBody'] 223 else: 224 raise service_error(service_error.req, "No request!?") 225 226 # Pull a key out of the request. One can request to delete an 227 # allocation by a local human readable name or by a fedid. This finds 228 # both choices. 229 try: 230 if 'localname' in req['allocID']: 231 auth_attr = aid = req['allocID']['localname'] 232 elif 'fedid' in req['allocID']: 233 aid = unicode(req['allocID']['fedid']) 234 auth_attr = req['allocID']['fedid'] 235 else: 236 raise service_error(service_error.req, 237 "Only localnames and fedids are understood") 238 except KeyError: 239 raise service_error(service_error.req, "Badly formed request") 240 241 self.log.debug("[ReleaseAccess] deallocation requested for %s", aid) 242 # Confirm access 243 if not self.auth.check_attribute(fid, auth_attr): 244 self.log.debug("[ReleaseAccess] deallocation denied for %s", aid) 245 raise service_error(service_error.access, "Access Denied") 246 247 # If there is an allocation in the state, delete it. Note the locking. 
248 self.state_lock.acquire() 249 if aid in self.state: 250 self.log.debug("[ReleaseAccess] Found allocation for %s" %aid) 251 del self.state[aid] 252 self.write_state() 253 self.state_lock.release() 254 # And remove the access cert 255 cf = "%s/%s.pem" % (self.certdir, aid) 256 self.log.debug("[ReleaseAccess] Removing %s" % cf) 257 os.remove(cf) 258 return { 'allocID': req['allocID'] } 259 else: 260 self.state_lock.release() 261 raise service_error(service_error.req, "No such allocation") 165 # RequestAccess and ReleaseAccess come from the base class 262 166 263 167 def StartSegment(self, req, fid): … … 279 183 aid = "%s" % auth_attr 280 184 # Authorization check 281 if not self.auth.check_attribute(fid, auth_attr): 282 raise service_error(service_error.access, "Access denied") 185 access_ok, proof = self.auth.check_attribute(fid, auth_attr, 186 with_proof=True) 187 if not access_ok: 188 raise service_error(service_error.access, "Access denied", 189 proof=proof) 283 190 else: 284 191 # See if this is a replay of an earlier succeeded StartSegment - … … 338 245 'allocID': req['allocID'], 339 246 'allocationLog': "Allocatation complete", 340 'segmentdescription': { 'topdldescription': topo.to_dict() } 247 'segmentdescription': { 'topdldescription': topo.to_dict() }, 248 'proof': proof.to_dict(), 341 249 } 342 250 retval = copy.deepcopy(self.state[aid]['started']) … … 362 270 self.log.debug("Terminate request for %s" %aid) 363 271 # Check authorization 364 if not self.auth.check_attribute(fid, auth_attr): 365 raise service_error(service_error.access, "Access denied") 272 access_ok, proof = self.auth.check_attribute(fid, auth_attr, 273 with_proof=True) 274 if not access_ok: 275 raise service_error(service_error.access, "Access denied", 276 proof=proof) 366 277 367 278 # Authorized: remove the integer from the allocation. 
A more complex … … 377 288 self.state_lock.release() 378 289 379 return { 'allocID': req['allocID'] }290 return { 'allocID': req['allocID'], 'proof': proof.to_dict() }
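Review bot: In the new StartSegment and Terminate authorization checks, the `proof` object from `check_attribute(fid, auth_attr, with_proof=True)` is attached to the `service_error` raised on denial, so a caller that failed the access check is still handed the evaluation trace of why it failed; if that proof (presumably an ABAC proof) names the attributes and credentials consulted, it discloses policy structure to an unauthorized principal. If returning negative proofs is intended fedd behaviour for debugging federations, a comment at each raise, e.g. `# Denial proof is returned to the caller by design so remote admins can debug policy`, would record that decision; otherwise it should be gated behind a verbose/debug setting. The success paths in both methods call `proof.to_dict()` unconditionally, which assumes a true result never arrives with `proof` set to None; that cannot be confirmed from this hunk and would surface as an internal fault rather than a clean error. Both StartSegment and Terminate extend beyond the hunks shown, and Terminate's signature lies outside the hunk.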