Changeset 6e63513 for fedd/federation/emulab_access.py
- Timestamp:
- Nov 23, 2010 6:42:19 PM (13 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 25f66c3
- Parents:
- 353db8c
- File:
-
- 1 edited
fedd/federation/emulab_access.py
r353db8c r6e63513 21 21 from access_project import access_project 22 22 from fedid import fedid, generate_fedid 23 from authorizer import authorizer 23 from authorizer import authorizer, abac_authorizer 24 24 from service_error import service_error 25 25 from remote_service import xmlrpc_handler, soap_handler, service_caller … … 105 105 self.restricted = [ ] 106 106 self.access = { } 107 if config.has_option("access", "accessdb"): 108 self.read_access(config.get("access", "accessdb")) 107 # XXX: this should go? 108 #if config.has_option("access", "accessdb"): 109 # self.read_access(config.get("access", "accessdb")) 109 110 tb = config.get('access', 'testbed') 110 111 if tb: self.testbed = [ t.strip() for t in tb.split(',') ] 111 112 else: self.testbed = [ ] 112 113 113 if config.has_option("access", "accessdb"): 114 self.read_access(config.get("access", "accessdb"), 115 self.make_access_project) 114 # authorization information 115 self.auth_type = config.get('access', 'auth_type') \ 116 or 'legacy' 117 self.auth_dir = config.get('access', 'auth_dir') 118 accessdb = config.get("access", "accessdb") 119 # initialize the authorization system 120 if self.auth_type == 'legacy': 121 if accessdb: 122 self.read_access(accessdb, self.make_access_project) 123 elif self.auth_type == 'abac': 124 self.auth = abac_authorizer(load=self.auth_dir) 125 if accessdb: 126 self.read_abac_access(accessdb, self.make_abac_access_project) 127 else: 128 raise service_error(service_error.internal, 129 "Unknown auth_type: %s" % self.auth_type) 116 130 117 131 # read_state in the base_class … … 124 138 self.keys = self.state['keys'] 125 139 self.types = self.state['types'] 126 # Add the ownership attributes to the authorizer. Note that the 127 # indices of the allocation dict are strings, but the attributes are 128 # fedids, so there is a conversion. 
129 for k in self.allocation.keys(): 130 for o in self.allocation[k].get('owners', []): 131 self.auth.set_attribute(o, fedid(hexstr=k)) 132 if self.allocation[k].has_key('userconfig'): 133 sfid = self.allocation[k]['userconfig'] 134 fid = fedid(hexstr=sfid) 135 self.auth.set_attribute(fid, "/%s" % sfid) 140 if self.auth_type == "legacy": 141 # Add the ownership attributes to the authorizer. Note that the 142 # indices of the allocation dict are strings, but the attributes are 143 # fedids, so there is a conversion. 144 for k in self.allocation.keys(): 145 for o in self.allocation[k].get('owners', []): 146 self.auth.set_attribute(o, fedid(hexstr=k)) 147 if self.allocation[k].has_key('userconfig'): 148 sfid = self.allocation[k]['userconfig'] 149 fid = fedid(hexstr=sfid) 150 self.auth.set_attribute(fid, "/%s" % sfid) 136 151 self.state_lock.release() 137 152 self.exports = { … … 220 235 else: 221 236 raise self.parse_error('Bad mapping (unbalanced parens)') 237 238 @staticmethod 239 def make_abac_access_project(str): 240 """ 241 Convert a string of the form (id, id) into an access_project. This is 242 called by read_abac_access to convert to local attributes. It returns 243 a tuple of the form (project, user, user) where the two users are 244 always the same. 245 """ 246 247 str = str.strip() 248 if str.startswith('(') and str.endswith(')') and str.count(',') == 1: 249 proj, user = str.split(',') 250 return ( proj.strip(), user.strip(), user.strip()) 251 else: 252 raise self.parse_error( 253 'Bad mapping (unbalanced parens or more than 1 comma)') 222 254 223 255 … … 296 328 [ fid ] 297 329 330 def lookup_abac_access(self, req, fid): 331 # Import request credentials into this (clone later??) 332 if self.auth.import_credentials(data_list=req.get('abac_credential', [])): 333 self.auth.save() 334 335 # Check every attribute that we know how to map and take the first 336 # success. 
337 for attr in (self.access.keys()): 338 if self.auth.check_attribute(fid, attr): 339 # XXX: needs to deal with dynamics 340 return copy.copy(self.access[attr]), (False, False, False), \ 341 [ fid ] 342 else: 343 self.log.debug("Access failed for %s %s" % (attr, fid)) 344 else: 345 raise service_error(service_error.access, "Access denied") 346 347 298 348 def do_project_allocation(self, dyn, project, user): 299 349 """ … … 433 483 434 484 435 found, dyn, owners = self.lookup_access(req, fid) 485 if self.auth_type == "legacy": 486 found, dyn, owners = self.lookup_access(req, fid) 487 elif self.auth_type == 'abac': 488 found, dyn, owners = self.lookup_abac_access(req, fid) 489 else: 490 raise service_error(service_error.internal, 491 'Unknown auth_type: %s' % self.auth_type) 436 492 ap = None 437 493 … … 466 522 for o in owners: 467 523 self.auth.set_attribute(o, allocID) 524 self.auth.save() 468 525 try: 469 526 f = open("%s/%s.pem" % (self.certdir, aid), "w")
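Review bot: In `lookup_abac_access`, `self.auth.import_credentials(data_list=req.get('abac_credential', []))` followed by `self.auth.save()` commits whatever credentials the caller supplied into the shared authorizer and persists them before any attribute check has run, so every request, including the ones that fall through to `raise service_error(service_error.access, "Access denied")`, permanently grows the credential store with unverified, requester-controlled data. The `(clone later??)` comment suggests the intended design is a per-request copy; until that exists, the attribute check should run against a copy of the authorizer and `save()` should happen only after a successful match, if at all. A second defect in this section: `make_abac_access_project` is a `@staticmethod`, so `self` is unbound in its `else:` branch and a malformed mapping raises `NameError` instead of the intended `parse_error`; refer to the exception without going through `self` (e.g. via the enclosing class), and rename the `str` parameter so it no longer shadows the builtin. Both functions appear to lie entirely within the shown hunks.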