Changeset 8222e09 for fedd


Ignore:
Timestamp:
Aug 21, 2012 11:02:35 AM (12 years ago)
Author:
Ted Faber <faber@…>
Branches:
master
Children:
794325b, b90c44d
Parents:
adf8517
Message:

Better comment???

File:
1 edited

Legend:

Unmodified
Added
Removed

  • fedd/access_to_abac.py

    radf8517 r8222e09  
    6969# attributes mapping and the global one creates the access policy credentials.
    7070
    71 #  All the local parsing functions get the unparsed remainder of the line
    72 #  (after the three-name and the attribute it maps to), the credential list to
    73 #  add the new ABAC credential(s) that will be mapped into the local
    74 #  credentials, the fedid of this entity, a dict mapping the local credentials
    75 #  to ABAC credentials that are required to exercise those local rights and the
    76 #  three-name (p, gp, gu) that is being mapped.
     71#  All the local parsing functions get
     72#    * the unparsed remainder of the line in l.  This is everything on the
     73#       input line from the first comma after the -> to the end of the line.
     74#    * the current list of credentials to be issued.  This is a list of
     75#      credential objects assigned from this principal (me) to principals
     76#      making requests.  They are derived from the three-name and delegation
     77#      credentials.  This routine adds any credentials that will be mapped to
     78#      local access control information to creds.
     79#    * me is this princpal - the access controller
     80#    * to_id is a dict that maps the local name access control information into
     81#      a list of credentials that imply the principal should be mapped to them.
     82#      For example, parse_emulab is assigning (project, user, cert, key) to
     83#      principals.  The key of to_id is that tuple and it maps to a list of
     84#      ABAC attributes.  If an access controller wants to see if a caller can
     85#      use a 4-tuple of credentials, it tries to prove that the caller has one
     86#      of those attributes.
     87#    * p is the principal that assigned the project and group.  It is the name
     88#       of an external experiment controller.
     89#    * gp is the group asserted by the experiment controller
     90#    * gu is the user asserted by the experiment controller
     91#    * lr is the linking role used for delegation.  If present credentials
     92#    should be created with it.  If it is None the credential construator will
     93#    ignore it.  It is hard to go wrong just passing it to the credential
     94#    constructor.
     95#
     96# These functions map an assertion of (testbed, project, user) into the
     97# local parameters (local project, password, etc.) that triple gives the caller
     98# the caller to.  These local parameters are parsed out of l.  Those
     99# credentials are the keys to the to_id dict that will become the abac map.
     100# The c = credential... and creds.add(c)  lines
     101# in parse_emulab can be taken as boilerplate for creating ABAC credentials.
     102# Each ABAC credential created by that boilerplate should be added to to_id,
     103# keyed by the local credentials.
    77104def parse_emulab(l, creds, me, to_id, p, gp, gu, lr):
    78105    '''
Note: See TracChangeset for help on using the changeset viewer.