Changeset 3cec20c

Timestamp:

Dec 2, 2010 5:48:01 PM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

5d7f1e8

Parents:

4c65f67

Message:

ABAC integration and some minor fixes discovered along the 'create_debug' paths.

File:

• fedd/federation/protogeni_access.py (modified) (9 diffs)

fedd/federation/protogeni_access.py

@@ -18 +18 @@
 from util import *
 from fedid import fedid, generate_fedid
-from authorizer import authorizer
+from authorizer import authorizer, abac_authorizer
 from service_error import service_error
 from remote_service import xmlrpc_handler, soap_handler, service_caller
@@ -106 +106 @@
         self.keys = self.state['keys']
         self.types = self.state['types']
-        # Add the ownership attributes to the authorizer.  Note that the
-        # indices of the allocation dict are strings, but the attributes are
-        # fedids, so there is a conversion.
-        for k in self.state.get('allocation', {}).keys():
-            for o in self.state['allocation'][k].get('owners', []):
-                self.auth.set_attribute(o, fedid(hexstr=k))
-            self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
-
         self.state_lock.release()
 
@@ -120 +112 @@
         set_log_level(config, "access", self.log)
 
-        self.access = { }
-        if config.has_option("access", "accessdb"):
-            self.read_access(config.get("access", "accessdb"), 
-                    access_obj=self.make_access_info)
-
-        self.lookup_access = self.lookup_access_base
-
+        # authorization information
+        self.auth_type = config.get('access', 'auth_type') \
+                or 'legacy'
+        self.auth_dir = config.get('access', 'auth_dir')
+        accessdb = config.get("access", "accessdb")
+        # initialize the authorization system
+        if self.auth_type == 'legacy':
+            self.access = { }
+            if accessdb:
+                self.legacy_read_access(accessdb, self.make_access_info)
+            # Add the ownership attributes to the authorizer.  Note that the
+            # indices of the allocation dict are strings, but the attributes are
+            # fedids, so there is a conversion.
+            self.state_lock.acquire()
+            for k in self.state.get('allocation', {}).keys():
+                for o in self.state['allocation'][k].get('owners', []):
+                    self.auth.set_attribute(o, fedid(hexstr=k))
+                self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
+
+            self.state_lock.release()
+            self.lookup_access = self.legacy_lookup_access_base
+        elif self.auth_type == 'abac':
+            self.auth = abac_authorizer(load=self.auth_dir)
+            self.access = [ ]
+            if accessdb:
+                self.read_access(accessdb, self.make_access_info)
+        else:
+            raise service_error(service_error.internal, 
+                    "Unknown auth_type: %s" % self.auth_type)
         api = config.get("access", "api") or "protogeni"
         if api == "protogeni":
@@ -247 +261 @@
 
         # Request for this fedd
-        found, match = self.lookup_access(req, fid)
+        found, match, owners = self.lookup_access(req, fid)
         services, svc_state = self.export_services(req.get('service',[]),
                 None, None)
@@ -259 +273 @@
         self.allocation[aid]['credentials'] = found
         # The list of owner FIDs
-        self.allocation[aid]['owners'] = [ fid ]
+        self.allocation[aid]['owners'] = owners
         self.write_state()
         self.state_lock.release()
         self.auth.set_attribute(fid, allocID)
         self.auth.set_attribute(allocID, allocID)
+        self.auth.save()
 
         try:
@@ -673 +688 @@
             for i in [ i for i in elem.interface \
                     if not i.get_attribute('portal')]:
-                pinf = node['interfaces'].get(i.name, None)
-                pmac = node['mac'].get(i.name, None)
+                if 'interfaces' in node:
+                    pinf = node['interfaces'].get(i.name, None)
+                else:
+                    pinf = None
+
+                if 'mac' in node:
+                    pmac = node['mac'].get(i.name, None)
+                else:
+                    pmac = None
                 addr = i.get_attribute('ip4_address') 
                 netmask = i.get_attribute('ip4_netmask') or '255.255.255.0'
@@ -871 +893 @@
                         'type': 'Slice'
                         }
-                segment_commands.slice_authority_call('Resolve', param, ctxt)
+
+                if not self.create_debug:
+                    segment_commands.slice_authority_call('Resolve', param, 
+                            ctxt)
+                else:
+                    raise segment_commands.ProtoGENIError(0,0,'Debug')
             except segment_commands.ProtoGENIError, e:
                 print e
@@ -905 +932 @@
             else:
                 raise service_error(service_error.federant, 
-                        "No URN returned for slice %s" % hrn)
+                        "No URN returned for slice %s" % slicename)
 
             if 'creator_urn' in data:
@@ -911 +938 @@
             else:
                 raise service_error(service_error.federant, 
-                        "No creator URN returned for slice %s" % hrn)
+                        "No creator URN returned for slice %s" % slicename)
             # Populate the ssh keys (let PG format them)
             param = {