- Timestamp:
- Nov 21, 2008 4:39:47 PM (16 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master, version-1.30, version-2.00, version-3.01, version-3.02
- Children:
- ac54ef3
- Parents:
- c971895
- Location:
- fedd
- Files:
-
- 1 added
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
fedd/fedd_access.py
rc971895 r3f6bc5f 15 15 from fedd_access_project import access_project 16 16 from fedid import fedid, generate_fedid 17 from authorizer import authorizer 17 18 import parse_detail 18 19 from service_error import * … … 50 51 'RequestAccessRequestBody') 51 52 52 def __init__(self, config=None ):53 def __init__(self, config=None, auth=None): 53 54 """ 54 55 Initializer. Pulls parameters out of the ConfigParser's access section. … … 63 64 else: 64 65 raise RunTimeError("No config to fedd_access") 65 66 66 67 67 # Create instance attributes from the static lists … … 90 90 'keys' : self.keys 91 91 } 92 self.log = logging.getLogger("fedd.access") 93 set_log_level(config, "access", self.log) 92 94 self.state_lock = Lock() 95 96 if auth: self.auth = auth 97 else: 98 self.log.error(\ 99 "[access]: No authorizer initialized, creating local one.") 100 auth = authorizer() 101 93 102 self.fedid_default = "testbed" 94 103 if config.has_option("access", "accessdb"): 95 104 self.read_access(config.get("access", "accessdb")) 96 if config.has_option("access", "trustdb"):97 self.read_trust(config.get("access", "trustdb"))98 105 99 106 self.state_filename = config.get("access", "access_state", "") 100 self.log = logging.getLogger("fedd.access")101 set_log_level(config, "access", self.log)102 107 self.read_state() 103 104 105 108 # Certs are promoted from the generic to the specific, so without a 106 109 # specific proxy certificate, the main certificates are used for … … 166 169 if not config.has_option("access", "dynamic_projects_url"): 167 170 self.allocate_project = \ 168 fedd_allocate_project_local(config )171 fedd_allocate_project_local(config, auth) 169 172 else: 170 173 self.allocate_project = \ 171 fedd_allocate_project_remote(config )174 fedd_allocate_project_remote(config, auth) 172 175 173 176 # If the project allocator exports services, put them in this object's … … 176 179 self.xmlrpc_services.update(self.allocate_project.xmlrpc_services) 177 180 178 def read_trust(self, trust):179 """180 Read a trust file that splits fedids into testbeds, users or projects181 182 Format is:183 184 [type]185 fedid186 fedid187 default: type188 """189 lineno = 0;190 cat = None191 cat_re = re.compile("\[(user|testbed|project)\]$", re.IGNORECASE)192 fedid_re = re.compile("[" + string.hexdigits + "]+$")193 default_re = re.compile("default:\s*(user|testbed|project)$",194 re.IGNORECASE)195 196 f = open(trust, "r")197 for line in f:198 lineno += 1199 line = line.strip()200 if len(line) == 0 or line.startswith("#"):201 continue202 # Category line203 m = cat_re.match(line)204 if m != None:205 cat = m.group(1).lower()206 continue207 # Fedid line208 m = fedid_re.match(line)209 if m != None:210 if cat != None:211 self.fedid_category[fedid(hexstr=m.string)] = cat212 else:213 raise self.parse_error(\214 "Bad fedid in trust file (%s) line: %d" % \215 (trust, lineno))216 continue217 # default line218 m = default_re.match(line)219 if m != None:220 self.fedid_default = m.group(1).lower()221 continue222 # Nothing matched - bad line, raise exception223 f.close()224 raise self.parse_error(\225 "Unparsable line in trustfile %s line %d" % (trust, lineno))226 f.close()227 181 228 182 def read_access(self, config): … … 270 224 271 225 def parse_name(n): 272 if n.startswith('fedid:'): return fedid( n[len('fedid:'):])226 if n.startswith('fedid:'): return fedid(hexstr=n[len('fedid:'):]) 273 227 else: return n 228 229 def auth_name(n): 230 if isinstance(n, basestring): 231 if n =='<any>' or n =='<none>': return None 232 else: return unicode(n) 233 else: 234 return n 274 235 275 236 f = open(config, "r"); … … 298 259 if m != None: 299 260 access_key = tuple([ parse_name(x) for x in m.group(1,2,3)]) 261 auth_key = tuple([ auth_name(x) for x in access_key]) 300 262 aps = m.group(4).split(":"); 301 263 if aps[0] == 'fedid:': … … 310 272 311 273 self.access[access_key] = access_val 274 self.auth.set_attribute(auth_key, "access") 312 275 continue 313 276 … … 386 349 "Unpickling failed: %s") % e) 387 350 351 for k in self.allocation.keys(): 352 for o in self.allocation[k].get('owners', []): 353 self.auth.set_attribute(o, fedid(hexstr=k)) 354 355 388 356 def permute_wildcards(self, a, p): 389 357 """Return a copy of a with various fields wildcarded. … … 440 408 ru = None 441 409 442 443 principal_type = self.fedid_category.get(fid, self.fedid_default)444 445 if principal_type == "testbed": tb = fid446 447 410 if req.has_key('project'): 448 411 p = req['project'] … … 453 416 user = self.get_users(req) 454 417 455 # Now filter by prinicpal type 456 if principal_type == "user": 457 if user != None: 458 fedids = [ u for u in user if isinstance(u, type(fid))] 418 user_fedids = [ u for u in user if isinstance(u, fedid)] 419 # Determine how the caller is representing itself. If its fedid shows 420 # up as a project or a singleton user, let that stand. If neither the 421 # usernames nor the project name is a fedid, the caller is a testbed. 422 if project and isinstance(project, fedid): 423 if project == fid: 424 # The caller is the project (which is already in the tuple 425 # passed in to the authorizer) 426 owners = user_fedids 427 owners.append(project) 428 else: 429 raise service_error(service_error.req, 430 "Project asserting different fedid") 431 else: 432 if fid not in user_fedids: 433 tb = fid 434 owners = user_fedids 435 owners.append(fid) 436 else: 459 437 if len(fedids) > 1: 460 438 raise service_error(service_error.req, 461 "User asserting multiple fedids")462 elif len(fedids) == 1 and fedids[0] != fid:463 raise service_error(service_error.req,464 439 "User asserting different fedid") 465 project = None 466 tb = None 467 elif principal_type == "project": 468 if isinstance(project, type(fid)) and fid != project: 469 raise service_error(service_error.req, 470 "Project asserting different fedid") 471 tb = None 472 473 # Ready to look up access 440 else: 441 # Which is a singleton 442 owners = user_fedids 443 # Confirm authorization 444 for u in user: 445 if self.auth.check_attribute((tb, project, u), 'access'): 446 print "Access OK" 447 break 448 else: 449 print "Access failed" 450 raise service_error(service_error.access, "Access denied") 451 452 # This maps a valid user to the Emulab projects and users to use 474 453 found, user_match = self.find_access((tb, project, user)) 475 454 476 455 if found == None: 477 456 raise service_error(service_error.access, 478 "Access denied ")457 "Access denied - cannot map access") 479 458 480 459 # resolve <dynamic> and <same> in found … … 521 500 dyn_service_user = True 522 501 523 return (rp, rcu, rsu), (dyn_create_user, dyn_service_user, dyn_proj) 502 return (rp, rcu, rsu), (dyn_create_user, dyn_service_user, dyn_proj),\ 503 owners 524 504 525 505 def build_response(self, alloc_id, ap): … … 571 551 if dt == None or dt == self.testbed: 572 552 # Request for this fedd 573 found, dyn = self.lookup_access(req, fid)553 found, dyn, owners = self.lookup_access(req, fid) 574 554 restricted = None 575 555 ap = None … … 687 667 "Misformed allocation response?") 688 668 669 self.allocation[aid]['owners'] = owners 689 670 self.write_state() 690 671 self.state_lock.release() 672 for o in owners: 673 self.auth.set_attribute(o, allocID) 691 674 resp = self.build_response({ 'fedid': allocID } , ap) 692 675 return resp … … 709 692 try: 710 693 if req['allocID'].has_key('localname'): 711 a id = req['allocID']['localname']694 auth_attr = aid = req['allocID']['localname'] 712 695 elif req['allocID'].has_key('fedid'): 713 696 aid = unicode(req['allocID']['fedid']) 697 auth_attr = req['allocID']['fedid'] 714 698 else: 715 699 raise service_error(service_error.req, … … 717 701 except KeyError: 718 702 raise service_error(service_error.req, "Badly formed request") 703 704 print "Checking for %s %s" % (fid, auth_attr) 705 if not self.auth.check_attribute(fid, auth_attr): 706 raise service_error(service_error.access, "Access Denied") 719 707 720 708 # If we know this allocation, reduce the reference counts and remove … … 724 712 # duplicates. del_project is just the name of any dynamic project to 725 713 # delete. 714 # We're somewhat lazy about deleting authorization attributes. Having 715 # access to something that doesn't exist isn't harmful. 726 716 del_users = { } 727 717 del_project = None -
fedd/fedd_allocate_project.py
rc971895 r3f6bc5f 33 33 Allocate projects on this machine in response to an access request. 34 34 """ 35 def __init__(self, config ):35 def __init__(self, config, auth=None): 36 36 """ 37 37 Initializer. Parses a configuration if one is given. … … 387 387 388 388 # back to defining the fedd_allocate_project_remote class 389 def __init__(self, config ):389 def __init__(self, config, auth=None): 390 390 """ 391 391 Initializer. Parses a configuration if one is given. -
fedd/fedd_deter_impl.py
rc971895 r3f6bc5f 4 4 from fedd_experiment_control import fedd_experiment_control_local 5 5 from fedd_split import fedd_split_local 6 7 from authorizer import authorizer 6 8 7 9 class fedd_deter_impl: … … 22 24 self.soap_services = { } 23 25 self.xmlrpc_services = { } 26 self.auth = authorizer() 24 27 25 28 if config: … … 29 32 30 33 if config.has_section("access"): 31 self.access = fedd_access(config )34 self.access = fedd_access(config, self.auth) 32 35 self.soap_services.update(self.access.soap_services) 33 36 self.xmlrpc_services.update(self.access.xmlrpc_services) 34 37 35 38 if config.has_section("experiment_control"): 36 self.experiment = fedd_experiment_control_local(config) 39 self.experiment = \ 40 fedd_experiment_control_local(config, self.auth) 37 41 self.soap_services.update(self.experiment.soap_services) 38 42 self.xmlrpc_services.update(self.experiment.xmlrpc_services) 39 43 40 44 if config.has_section("splitter"): 41 self.splitter = fedd_split_local(config )45 self.splitter = fedd_split_local(config, self.auth) 42 46 self.soap_services.update(self.splitter.soap_services) 43 47 self.xmlrpc_services.update(self.splitter.xmlrpc_services) -
fedd/fedd_experiment_control.py
rc971895 r3f6bc5f 154 154 Ns2SplitRequestMessage, 'Ns2SplitRequestBody') 155 155 156 def __init__(self, config=None ):156 def __init__(self, config=None, auth=None): 157 157 """ 158 158 Intialize the various attributes, most from the config object -
fedd/fedd_split.py
rc971895 r3f6bc5f 22 22 23 23 class fedd_split_local: 24 def __init__(self, config=None ):24 def __init__(self, config=None, auth=None): 25 25 """ 26 26 Intialize the various attributes, most from the config object
Note: See TracChangeset
for help on using the changeset viewer.