Ignore:
Timestamp:
Aug 21, 2012 1:40:40 PM (12 years ago)
Author:
ABDULLA ALWABEL <abdullaalwabel@…>
Branches:
master
Children:
d070d9f, d4946da
Parents:
8222e09
Message:

Adding Starbed ABAC mapping

File:
1 edited

Legend:

Unmodified
Added
Removed
  • fedd/access_to_abac.py

    r8222e09 r794325b  
    6969# attributes mapping and the global one creates the access policy credentials.
    7070
    71 #  All the local parsing functions get
    72 #    * the unparsed remainder of the line in l.  This is everything on the
    73 #       input line from the first comma after the -> to the end of the line.
    74 #    * the current list of credentials to be issued.  This is a list of
    75 #      credential objects assigned from this principal (me) to principals
    76 #      making requests.  They are derived from the three-name and delegation
    77 #      credentials.  This routine adds any credentials that will be mapped to
    78 #      local access control information to creds.
    79 #    * me is this princpal - the access controller
    80 #    * to_id is a dict that maps the local name access control information into
    81 #      a list of credentials that imply the principal should be mapped to them.
    82 #      For example, parse_emulab is assigning (project, user, cert, key) to
    83 #      principals.  The key of to_id is that tuple and it maps to a list of
    84 #      ABAC attributes.  If an access controller wants to see if a caller can
    85 #      use a 4-tuple of credentials, it tries to prove that the caller has one
    86 #      of those attributes.
    87 #    * p is the principal that assigned the project and group.  It is the name
    88 #       of an external experiment controller.
    89 #    * gp is the group asserted by the experiment controller
    90 #    * gu is the user asserted by the experiment controller
    91 #    * lr is the linking role used for delegation.  If present credentials
    92 #    should be created with it.  If it is None the credential construator will
    93 #    ignore it.  It is hard to go wrong just passing it to the credential
    94 #    constructor.
    95 #
    96 # These functions map an assertion of (testbed, project, user) into the
    97 # local parameters (local project, password, etc.) that triple gives the caller
    98 # the caller to.  These local parameters are parsed out of l.  Those
    99 # credentials are the keys to the to_id dict that will become the abac map.
    100 # The c = credential... and creds.add(c)  lines
    101 # in parse_emulab can be taken as boilerplate for creating ABAC credentials.
    102 # Each ABAC credential created by that boilerplate should be added to to_id,
    103 # keyed by the local credentials.
     71#  All the local parsing functions get the unparsed remainder of the line
     72#  (after the three-name and the attribute it maps to), the credential list to
     73#  add the new ABAC credential(s) that will be mapped into the local
     74#  credentials, the fedid of this entity, a dict mapping the local credentials
     75#  to ABAC credentials that are required to exercise those local rights and the
     76#  three-name (p, gp, gu) that is being mapped.
    10477def parse_emulab(l, creds, me, to_id, p, gp, gu, lr):
    10578    '''
     
    207180    else:
    208181        raise parse_error("Badly formatted local mapping: %s" % l)
    209 
     182def parse_starbed(l,creds,me, to_id,p,gp, gu, lr):
     183        '''
     184        Parse the starbed credientials
     185        '''
     186        right_side_str = '\s*,\s*\(\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*\)' % \
     187                (id_str,id_str,id_str)
     188        m = re.match(right_side_str,l)
     189        if m:
     190                user,passwd,project = m.group(1,2,3)
     191                if gp and gu:
     192                        a = 'project_%s_user_%s' % (gp, gu)
     193                elif gp:
     194                        a = 'project_%s' % gp
     195                elif gu:
     196                         a = 'user_%s' % gu
     197                else:
     198                        raise parse_error("No mapping for %s/%s!?" % (gp, gu))
     199                c = credential(me, a,
     200                        [attribute(p, x, lr) for x in (gp, gu) if x is not None])
     201                creds.add(c)
     202                if (user,passwd,project) in to_id: to_id[(user,passwd,project)].append(c)
     203                else: to_id[(user,passwd,project)] = [ c ]
     204        else:
     205                raise parse_error("Badly formatted local mapping: %s" % l)     
    210206# internal plug-ins have no local attributes.
    211207def parse_internal(l, creds, me, to_id, p, gp, gu, lr): pass
     
    263259            'skel': parse_skel,
    264260            'protogeni': parse_protogeni,
     261            'starbed' : parse_starbed,
    265262            }
    266263
Note: See TracChangeset for help on using the changeset viewer.