Timestamp:
Nov 30, 2010 4:45:00 PM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
4692a16
Parents:
c002cb2
Message:

Support for priorities and export projects

File:
1 edited

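--- a/fedd/federation/emulab_access.py
+++ b/fedd/federation/emulab_access.py
@@ -488,5 +488,5 @@
                         s.get('visibility', '') == 'export':
                     if not rv:
-                        for a in s.get('feddAttr', []):
+                        for a in s.get('fedAttr', []):
                             if a.get('attribute', '') == 'project' \
                                     and 'value' in a:
@@ -504,17 +504,22 @@
             raise service_error(service_error.req, "No request!?")
 
-        alog = open("./auth.log", 'w')
-        print >>alog, self.auth
-        print >> alog, "after"
+        # if this includes a project export request, construct a filter such
+        # that only the ABAC attributes mapped to that project are checked for
+        # access.
+        if 'service' in req:
+            ep = get_export_project(req['service'])
+            pf = lambda(a): a.value[0] == ep
+        else:
+            ep = None
+            pf = None
+
         if self.auth.import_credentials(
                 data_list=req.get('abac_credential', [])):
             self.auth.save()
-        print >>alog, self.auth
-        alog.close()
 
         if self.auth_type == "legacy":
             found, dyn, owners = self.legacy_lookup_access(req, fid)
         elif self.auth_type == 'abac':
-            found, dyn, owners = self.lookup_access(req, fid)
+            found, dyn, owners = self.lookup_access(req, fid, filter=pf)
         else:
             raise service_error(service_error.internal,
@@ -522,11 +527,9 @@
         ap = None
 
-        # if this includes a project export request and the exported
-        # project is not the access project, access denied.
-        if 'service' in req:
-            ep = get_export_project(req['service'])
-            if ep and ep != found[0]:
-                raise service_error(service_error.access,
-                        "Cannot export %s" % ep)
+        # This only happens in legacy lookups, but if this user has access to
+        # the testbed but not the project to be exported, raise the error.
+        if ep and ep != found[0]:
+            raise service_error(service_error.access,
+                    "Cannot export %s" % ep)
 
         if self.ssh_pubkey_file: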
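Review bot: In the block added at new lines 509-514, `pf` is built whenever the request carries a `service` key, even if `get_export_project` finds no export project; the later `if ep and ep != found[0]` guard suggests `ep` can be empty. In that case the filter compares `a.value[0]` with an empty `ep` and presumably matches no ABAC attribute, so a service request with no export project would be refused instead of being checked unfiltered. That fails closed, but it looks unintended. Consider `pf = (lambda a: a.value[0] == ep) if ep else None`, which also replaces the Python-2-only `lambda(a)` form. The enclosing method and `lookup_access` lie outside these hunks, so how a `None` filter and `a.value` are handled should be confirmed there.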