Changeset 1f6a573

Timestamp:

Nov 30, 2010 4:45:00 PM (13 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

4692a16

Parents:

c002cb2

Message:

Support for priorities and export projects

Location:

fedd/federation

Files:

• access.py (modified) (4 diffs)
• emulab_access.py (modified) (3 diffs)

fedd/federation/access.py

@@ -53 +53 @@
             self.value = value
             self.priority = pri
+        def __str__(self):
+            return "%s: %s (%d)" % (self.attr, self.value, self.priority)
 
     def __init__(self, config=None, auth=None):
@@ -140 +142 @@
         """
 
-        map_re = re.compile("(\S+)\s+->\s+(.*)");
+        map_re = re.compile("(\S+)\s+->\s+(.*)")
+        priority_re = re.compile("([^,]+),\s*(\d+)")
+
         if access_obj is None:
             access_obj = lambda(x): "%s" % x
 
         self.access = []
+        priorities = { }
 
         f = open(fn, 'r')
@@ -160 +165 @@
                     continue
 
+                # If a priority is found, collect them
+                m = priority_re.match(line)
+                if m:
+                    try:
+                        priorities[m.group(1)] = int(m.group(2))
+                    except ValueError, e:
+                        if self.log:
+                            self.log.debug("Bad priority in %s line %d" % \
+                                    (fn, lineno))
+                    continue
+
                 # Nothing matched to here: unknown line - raise exception
                 # (finally will close f)
@@ -167 +183 @@
         finally:
             if f: f.close()
+
+        # Set priorities
+        for a in self.access:
+            if a.attr in priorities:
+                a.priority = priorities[a.attr]
 
     def write_state(self):

fedd/federation/emulab_access.py

@@ -488 +488 @@
                         s.get('visibility', '') == 'export':
                     if not rv: 
-                        for a in s.get('feddAttr', []):
+                        for a in s.get('fedAttr', []):
                             if a.get('attribute', '') == 'project' \
                                     and 'value' in a:
@@ -504 +504 @@
             raise service_error(service_error.req, "No request!?")
 
-        alog = open("./auth.log", 'w')
-        print >>alog, self.auth
-        print >> alog, "after"
+        # if this includes a project export request, construct a filter such
+        # that only the ABAC attributes mapped to that project are checked for
+        # access.
+        if 'service' in req:
+            ep = get_export_project(req['service'])
+            pf = lambda(a): a.value[0] == ep
+        else:
+            ep = None
+            pf = None
+
         if self.auth.import_credentials(
                 data_list=req.get('abac_credential', [])):
             self.auth.save()
-        print >>alog, self.auth
-        alog.close()
 
         if self.auth_type == "legacy":
             found, dyn, owners = self.legacy_lookup_access(req, fid)
         elif self.auth_type == 'abac':
-            found, dyn, owners = self.lookup_access(req, fid)
+            found, dyn, owners = self.lookup_access(req, fid, filter=pf)
         else:
             raise service_error(service_error.internal, 
@@ -522 +527 @@
         ap = None
 
-        # if this includes a project export request and the exported
-        # project is not the access project, access denied.
-        if 'service' in req:
-            ep = get_export_project(req['service'])
-            if ep and ep != found[0]:
-                raise service_error(service_error.access,
-                        "Cannot export %s" % ep)
+        # This only happens in legacy lookups, but if this user has access to
+        # the testbed but not the project to be exported, raise the error.
+        if ep and ep != found[0]:
+            raise service_error(service_error.access,
+                    "Cannot export %s" % ep)
 
         if self.ssh_pubkey_file: