Changeset 3cec20c


Timestamp:
Dec 2, 2010 5:48:01 PM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
5d7f1e8
Parents:
4c65f67
Message:

ABAC integration and some minor fixes discovered along the 'create_debug' paths.

File:
1 edited

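--- a/fedd/federation/protogeni_access.py
+++ b/fedd/federation/protogeni_access.py
@@ -18,5 +18,5 @@
 from util import *
 from fedid import fedid, generate_fedid
-from authorizer import authorizer
+from authorizer import authorizer, abac_authorizer
 from service_error import service_error
 from remote_service import xmlrpc_handler, soap_handler, service_caller
@@ -106,12 +106,4 @@
         self.keys = self.state['keys']
         self.types = self.state['types']
-        # Add the ownership attributes to the authorizer.  Note that the
-        # indices of the allocation dict are strings, but the attributes are
-        # fedids, so there is a conversion.
-        for k in self.state.get('allocation', {}).keys():
-            for o in self.state['allocation'][k].get('owners', []):
-                self.auth.set_attribute(o, fedid(hexstr=k))
-            self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
-
         self.state_lock.release()
 
@@ -120,11 +112,33 @@
         set_log_level(config, "access", self.log)
 
-        self.access = { }
-        if config.has_option("access", "accessdb"):
-            self.read_access(config.get("access", "accessdb"),
-                    access_obj=self.make_access_info)
-
-        self.lookup_access = self.lookup_access_base
-
+        # authorization information
+        self.auth_type = config.get('access', 'auth_type') \
+                or 'legacy'
+        self.auth_dir = config.get('access', 'auth_dir')
+        accessdb = config.get("access", "accessdb")
+        # initialize the authorization system
+        if self.auth_type == 'legacy':
+            self.access = { }
+            if accessdb:
+                self.legacy_read_access(accessdb, self.make_access_info)
+            # Add the ownership attributes to the authorizer.  Note that the
+            # indices of the allocation dict are strings, but the attributes are
+            # fedids, so there is a conversion.
+            self.state_lock.acquire()
+            for k in self.state.get('allocation', {}).keys():
+                for o in self.state['allocation'][k].get('owners', []):
+                    self.auth.set_attribute(o, fedid(hexstr=k))
+                self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
+
+            self.state_lock.release()
+            self.lookup_access = self.legacy_lookup_access_base
+        elif self.auth_type == 'abac':
+            self.auth = abac_authorizer(load=self.auth_dir)
+            self.access = [ ]
+            if accessdb:
+                self.read_access(accessdb, self.make_access_info)
+        else:
+            raise service_error(service_error.internal,
+                    "Unknown auth_type: %s" % self.auth_type)
         api = config.get("access", "api") or "protogeni"
         if api == "protogeni":
@@ -247,5 +261,5 @@
 
         # Request for this fedd
-        found, match = self.lookup_access(req, fid)
+        found, match, owners = self.lookup_access(req, fid)
         services, svc_state = self.export_services(req.get('service',[]),
                 None, None)
@@ -259,9 +273,10 @@
         self.allocation[aid]['credentials'] = found
         # The list of owner FIDs
-        self.allocation[aid]['owners'] = [ fid ]
+        self.allocation[aid]['owners'] = owners
         self.write_state()
         self.state_lock.release()
         self.auth.set_attribute(fid, allocID)
         self.auth.set_attribute(allocID, allocID)
+        self.auth.save()
 
         try:
@@ -673,6 +688,13 @@
             for i in [ i for i in elem.interface \
                     if not i.get_attribute('portal')]:
-                pinf = node['interfaces'].get(i.name, None)
-                pmac = node['mac'].get(i.name, None)
+                if 'interfaces' in node:
+                    pinf = node['interfaces'].get(i.name, None)
+                else:
+                    pinf = None
+
+                if 'mac' in node:
+                    pmac = node['mac'].get(i.name, None)
+                else:
+                    pmac = None
                 addr = i.get_attribute('ip4_address')
                 netmask = i.get_attribute('ip4_netmask') or '255.255.255.0'
@@ -871,5 +893,10 @@
                         'type': 'Slice'
                         }
-                segment_commands.slice_authority_call('Resolve', param, ctxt)
+
+                if not self.create_debug:
+                    segment_commands.slice_authority_call('Resolve', param,
+                            ctxt)
+                else:
+                    raise segment_commands.ProtoGENIError(0,0,'Debug')
             except segment_commands.ProtoGENIError, e:
                 print e
@@ -905,5 +932,5 @@
             else:
                 raise service_error(service_error.federant,
-                        "No URN returned for slice %s" % hrn)
+                        "No URN returned for slice %s" % slicename)
 
             if 'creator_urn' in data:
@@ -911,5 +938,5 @@
             else:
                 raise service_error(service_error.federant,
-                        "No creator URN returned for slice %s" % hrn)
+                        "No creator URN returned for slice %s" % slicename)
             # Populate the ssh keys (let PG format them)
             param = {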
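Review bot: In the 'legacy' branch of the auth_type initialization (new lines 127-133) the state lock is acquired and released with no try/finally, so a bad key in the persisted allocation state (fedid(hexstr=k) raising) leaves the lock held for the life of the process and every later allocation blocks; wrap the loop so the release always runs. In the same hunk the 'abac' branch never assigns self.lookup_access, while the later hunk calls self.lookup_access(req, fid) and unpacks three values — if no class-level default exists outside this diff, ABAC mode fails on the first request. The new unconditional self.auth.save() after the allocation is written runs for the legacy authorizer too; if the legacy authorizer class has no save() method this raises after write_state() has already committed the allocation, so either guard it on self.auth_type == 'abac' or confirm the legacy class implements it. The enclosing constructor starts and ends outside the hunk.
```python
            self.state_lock.acquire()
            try:
                for k in self.state.get('allocation', {}).keys():
                    for o in self.state['allocation'][k].get('owners', []):
                        self.auth.set_attribute(o, fedid(hexstr=k))
                    self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
            finally:
                self.state_lock.release()
            self.lookup_access = self.legacy_lookup_access_base
            # … unchanged: 'abac' and unknown-auth_type branches …
```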