Changeset 794325b for fedd/access_to_abac.py
- Timestamp:
- Aug 21, 2012 1:40:40 PM (12 years ago)
- Branches:
- master
- Children:
- d070d9f, d4946da
- Parents:
- 8222e09
- File:
- 1 edited
fedd/access_to_abac.py
r8222e09 r794325b 69 69 # attributes mapping and the global one creates the access policy credentials. 70 70 71 # All the local parsing functions get 72 # * the unparsed remainder of the line in l. This is everything on the 73 # input line from the first comma after the -> to the end of the line. 74 # * the current list of credentials to be issued. This is a list of 75 # credential objects assigned from this principal (me) to principals 76 # making requests. They are derived from the three-name and delegation 77 # credentials. This routine adds any credentials that will be mapped to 78 # local access control information to creds. 79 # * me is this princpal - the access controller 80 # * to_id is a dict that maps the local name access control information into 81 # a list of credentials that imply the principal should be mapped to them. 82 # For example, parse_emulab is assigning (project, user, cert, key) to 83 # principals. The key of to_id is that tuple and it maps to a list of 84 # ABAC attributes. If an access controller wants to see if a caller can 85 # use a 4-tuple of credentials, it tries to prove that the caller has one 86 # of those attributes. 87 # * p is the principal that assigned the project and group. It is the name 88 # of an external experiment controller. 89 # * gp is the group asserted by the experiment controller 90 # * gu is the user asserted by the experiment controller 91 # * lr is the linking role used for delegation. If present credentials 92 # should be created with it. If it is None the credential construator will 93 # ignore it. It is hard to go wrong just passing it to the credential 94 # constructor. 95 # 96 # These functions map an assertion of (testbed, project, user) into the 97 # local parameters (local project, password, etc.) that triple gives the caller 98 # the caller to. These local parameters are parsed out of l. Those 99 # credentials are the keys to the to_id dict that will become the abac map. 100 # The c = credential... 
and creds.add(c) lines 101 # in parse_emulab can be taken as boilerplate for creating ABAC credentials. 102 # Each ABAC credential created by that boilerplate should be added to to_id, 103 # keyed by the local credentials. 71 # All the local parsing functions get the unparsed remainder of the line 72 # (after the three-name and the attribute it maps to), the credential list to 73 # add the new ABAC credential(s) that will be mapped into the local 74 # credentials, the fedid of this entity, a dict mapping the local credentials 75 # to ABAC credentials that are required to exercise those local rights and the 76 # three-name (p, gp, gu) that is being mapped. 104 77 def parse_emulab(l, creds, me, to_id, p, gp, gu, lr): 105 78 ''' … … 207 180 else: 208 181 raise parse_error("Badly formatted local mapping: %s" % l) 209 182 def parse_starbed(l,creds,me, to_id,p,gp, gu, lr): 183 ''' 184 Parse the starbed credientials 185 ''' 186 right_side_str = '\s*,\s*\(\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*\)' % \ 187 (id_str,id_str,id_str) 188 m = re.match(right_side_str,l) 189 if m: 190 user,passwd,project = m.group(1,2,3) 191 if gp and gu: 192 a = 'project_%s_user_%s' % (gp, gu) 193 elif gp: 194 a = 'project_%s' % gp 195 elif gu: 196 a = 'user_%s' % gu 197 else: 198 raise parse_error("No mapping for %s/%s!?" % (gp, gu)) 199 c = credential(me, a, 200 [attribute(p, x, lr) for x in (gp, gu) if x is not None]) 201 creds.add(c) 202 if (user,passwd,project) in to_id: to_id[(user,passwd,project)].append(c) 203 else: to_id[(user,passwd,project)] = [ c ] 204 else: 205 raise parse_error("Badly formatted local mapping: %s" % l) 210 206 # internal plug-ins have no local attributes. 211 207 def parse_internal(l, creds, me, to_id, p, gp, gu, lr): pass … … 263 259 'skel': parse_skel, 264 260 'protogeni': parse_protogeni, 261 'starbed' : parse_starbed, 265 262 } 266 263
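Review bot: the replacement comment block (new lines 71-76) drops the description of `lr`, the linking role passed through to the credential constructor, even though every parser in the file, including the new parse_starbed, still takes it as its last argument; keep one sentence on it ("lr is the linking role used for delegation; if None the credential constructor ignores it"). It also drops the note that the `c = credential(...)` / `creds.add(c)` / to_id update sequence in parse_emulab is the boilerplate a new plug-in must replicate, which is exactly what parse_starbed copies, so that guidance is worth retaining for the next plug-in author.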
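Review bot: in parse_starbed (new lines 183-205) right_side_str is built from a plain, non-raw string literal containing `\s` and `\(`; these survive only because Python leaves unrecognized escapes alone, so write it as `r'\s*,\s*\(\s*(%s)\s*,\s*(%s)\s*,\s*(%s)\s*\)'` to make the intent explicit. The docstring has a typo ("credientials" -> "credentials") and the def line's spacing (`parse_starbed(l,creds,me, to_id,p,gp, gu, lr)`) does not match the other parsers. Two logic points: re.match anchors only at the start, so trailing text after the closing parenthesis is accepted silently (add `\s*$` if the line must be exactly the tuple), and the `if gp and gu` / `elif gp` / `elif gu` branches test truthiness while the attribute list uses `if x is not None`, so an empty-string gp or gu would be excluded from the attribute name but still emitted as an attribute. Finally, the local tuple keyed into to_id carries the plaintext password, and the `raise parse_error("Badly formatted local mapping: %s" % l)` echoes the whole line; anyone logging that exception will log the password, so consider reporting only that the starbed mapping was malformed rather than the line contents.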
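Review bot: style only, in the dispatch dict (new line 261): `'starbed' : parse_starbed,` has a space before the colon, unlike the neighbouring `'skel': parse_skel,` and `'protogeni': parse_protogeni,` entries; write it as `'starbed': parse_starbed,` to match.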