Changeset 9973d57
- Timestamp:
- Dec 12, 2010 9:33:44 AM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 2627eb3
- Parents:
- c65b7e4
- Location:
- fedd/federation
- Files:
-
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
fedd/federation/access.py
rc65b7e4 r9973d57 770 770 except EnvironmentError, e: 771 771 self.log.error("Error deleting directory tree in %s" % e); 772 773 def RequestAccess(self, req, fid): 774 """ 775 Handle an access request. Success here maps the requester into the 776 local access control space and establishes state about that user keyed 777 to a fedid. We also save a copy of the certificate underlying that 778 fedid so this allocation can access configuration information and 779 shared parameters on the experiment controller. 780 """ 781 782 # The dance to get into the request body 783 if req.has_key('RequestAccessRequestBody'): 784 req = req['RequestAccessRequestBody'] 785 else: 786 raise service_error(service_error.req, "No request!?") 787 788 # Base class lookup routine. If this fails, it throws a service 789 # exception denying access that triggers a fault response back to the 790 # caller. 791 found, match, owners = self.lookup_access(req, fid) 792 self.log.info( 793 "[RequestAccess] Access granted to %s with local creds %s" % \ 794 (match, found)) 795 # Make a fedid for this allocation 796 allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log) 797 aid = unicode(allocID) 798 799 # Store the data about this allocation: 800 self.state_lock.acquire() 801 self.state[aid] = { } 802 self.state[aid]['user'] = found 803 self.state[aid]['owners'] = owners 804 self.state[aid]['auth'] = set() 805 # Authorize the creating fedid and the principal representing the 806 # allocation to manipulate it. 807 self.append_allocation_authorization(aid, 808 ((fid, allocID), (allocID, allocID))) 809 self.write_state() 810 self.state_lock.release() 811 812 # Create a directory to stash the certificate in, ans stash it. 813 try: 814 f = open("%s/%s.pem" % (self.certdir, aid), "w") 815 print >>f, alloc_cert 816 f.close() 817 except EnvironmentError, e: 818 raise service_error(service_error.internal, 819 "Can't open %s/%s : %s" % (self.certdir, aid, e)) 820 self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID) 821 return { 'allocID': { 'fedid': allocID } } 822 823 def ReleaseAccess(self, req, fid): 824 """ 825 Release the allocation granted earlier. Access to the allocation is 826 checked and if valid, the state and cached certificate are destroyed. 827 """ 828 # The dance to get into the request body 829 if req.has_key('ReleaseAccessRequestBody'): 830 req = req['ReleaseAccessRequestBody'] 831 else: 832 raise service_error(service_error.req, "No request!?") 833 834 # Pull a key out of the request. One can request to delete an 835 # allocation by a local human readable name or by a fedid. This finds 836 # both choices. 837 try: 838 if 'localname' in req['allocID']: 839 auth_attr = aid = req['allocID']['localname'] 840 elif 'fedid' in req['allocID']: 841 aid = unicode(req['allocID']['fedid']) 842 auth_attr = req['allocID']['fedid'] 843 else: 844 raise service_error(service_error.req, 845 "Only localnames and fedids are understood") 846 except KeyError: 847 raise service_error(service_error.req, "Badly formed request") 848 849 self.log.debug("[ReleaseAccess] deallocation requested for %s", aid) 850 # Confirm access 851 if not self.auth.check_attribute(fid, auth_attr): 852 self.log.debug("[ReleaseAccess] deallocation denied for %s", aid) 853 raise service_error(service_error.access, "Access Denied") 854 855 # If there is an allocation in the state, delete it. Note the locking. 856 self.state_lock.acquire() 857 if aid in self.state: 858 self.log.debug("[ReleaseAccess] Found allocation for %s" %aid) 859 self.clear_allocation_authorization(aid) 860 del self.state[aid] 861 self.write_state() 862 self.state_lock.release() 863 # And remove the access cert 864 cf = "%s/%s.pem" % (self.certdir, aid) 865 self.log.debug("[ReleaseAccess] Removing %s" % cf) 866 os.remove(cf) 867 return { 'allocID': req['allocID'] } 868 else: 869 self.state_lock.release() 870 raise service_error(service_error.req, "No such allocation") -
fedd/federation/deter_internal_access.py
rc65b7e4 r9973d57 142 142 } 143 143 144 def RequestAccess(self, req, fid): 145 """ 146 Handle the access request. Proxy if not for us. 147 148 Parse out the fields and make the allocations or rejections if for us, 149 otherwise, assuming we're willing to proxy, proxy the request out. 150 """ 151 152 # The dance to get into the request body 153 if req.has_key('RequestAccessRequestBody'): 154 req = req['RequestAccessRequestBody'] 155 else: 156 raise service_error(service_error.req, "No request!?") 157 158 found, match, owners = self.lookup_access(req, fid) 159 # keep track of what's been added 160 allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log) 161 aid = unicode(allocID) 162 163 self.state_lock.acquire() 164 self.state[aid] = { } 165 self.state[aid]['user'] = found 166 self.state[aid]['owners'] = owners 167 self.state[aid]['vlan'] = None 168 self.state[aid]['auth'] = set() 169 self.append_allocation_authorization(aid, 170 ((fid, allocID),(allocID, allocID))) 171 self.write_state() 172 self.state_lock.release() 173 174 try: 175 f = open("%s/%s.pem" % (self.certdir, aid), "w") 176 print >>f, alloc_cert 177 f.close() 178 except EnvironmentError, e: 179 raise service_error(service_error.internal, 180 "Can't open %s/%s : %s" % (self.certdir, aid, e)) 181 return { 'allocID': { 'fedid': allocID } } 182 183 def ReleaseAccess(self, req, fid): 184 # The dance to get into the request body 185 if req.has_key('ReleaseAccessRequestBody'): 186 req = req['ReleaseAccessRequestBody'] 187 else: 188 raise service_error(service_error.req, "No request!?") 189 190 # Local request 191 try: 192 if req['allocID'].has_key('localname'): 193 auth_attr = aid = req['allocID']['localname'] 194 elif req['allocID'].has_key('fedid'): 195 aid = unicode(req['allocID']['fedid']) 196 auth_attr = req['allocID']['fedid'] 197 else: 198 raise service_error(service_error.req, 199 "Only localnames and fedids are understood") 200 except KeyError: 201 raise service_error(service_error.req, "Badly formed request") 202 203 self.log.debug("[access] deallocation requested for %s", aid) 204 if not self.auth.check_attribute(fid, auth_attr): 205 self.log.debug("[access] deallocation denied for %s", aid) 206 raise service_error(service_error.access, "Access Denied") 207 208 self.state_lock.acquire() 209 if self.state.has_key(aid): 210 self.log.debug("Found allocation for %s" %aid) 211 self.clear_allocation_authorization(aid) 212 del self.state[aid] 213 self.write_state() 214 self.state_lock.release() 215 # And remove the access cert 216 cf = "%s/%s.pem" % (self.certdir, aid) 217 self.log.debug("Removing %s" % cf) 218 os.remove(cf) 219 return { 'allocID': req['allocID'] } 220 else: 221 self.state_lock.release() 222 raise service_error(service_error.req, "No such allocation") 144 # RequestAccess and ReleaseAccess come from the base 223 145 224 146 def extract_parameters(self, top): -
fedd/federation/dragon_access.py
rc65b7e4 r9973d57 122 122 else: raise self.parse_error("Repo should be in parens"); 123 123 124 def RequestAccess(self, req, fid): 125 """ 126 Handle the access request. 127 128 Parse out the fields and make the allocations or rejections if for us, 129 otherwise, assuming we're willing to proxy, proxy the request out. 130 """ 131 132 # The dance to get into the request body 133 if req.has_key('RequestAccessRequestBody'): 134 req = req['RequestAccessRequestBody'] 135 else: 136 raise service_error(service_error.req, "No request!?") 137 138 if req.has_key('destinationTestbed'): 139 dt = unpack_id(req['destinationTestbed']) 140 141 # Request for this fedd 142 found, match, owners = self.lookup_access(req, fid) 143 # keep track of what's been added 144 allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log) 145 aid = unicode(allocID) 146 147 self.state_lock.acquire() 148 self.state[aid] = { } 149 self.state[aid]['user'] = found 150 self.state[aid]['owners'] = owners 151 self.state[aid]['auth'] = set() 152 self.append_allocation_authorization(aid, 153 ((fid, allocID),(allocID, allocID))) 154 self.write_state() 155 self.state_lock.release() 156 157 try: 158 f = open("%s/%s.pem" % (self.certdir, aid), "w") 159 print >>f, alloc_cert 160 f.close() 161 except EnvironmentError, e: 162 raise service_error(service_error.internal, 163 "Can't open %s/%s : %s" % (self.certdir, aid, e)) 164 return { 'allocID': { 'fedid': allocID } } 165 166 def ReleaseAccess(self, req, fid): 167 # The dance to get into the request body 168 if req.has_key('ReleaseAccessRequestBody'): 169 req = req['ReleaseAccessRequestBody'] 170 else: 171 raise service_error(service_error.req, "No request!?") 172 173 try: 174 if req['allocID'].has_key('localname'): 175 auth_attr = aid = req['allocID']['localname'] 176 elif req['allocID'].has_key('fedid'): 177 aid = unicode(req['allocID']['fedid']) 178 auth_attr = req['allocID']['fedid'] 179 else: 180 raise service_error(service_error.req, 181 "Only localnames and fedids are understood") 182 except KeyError: 183 raise service_error(service_error.req, "Badly formed request") 184 185 self.log.debug("[access] deallocation requested for %s", aid) 186 if not self.auth.check_attribute(fid, auth_attr): 187 self.log.debug("[access] deallocation denied for %s", aid) 188 raise service_error(service_error.access, "Access Denied") 189 190 self.state_lock.acquire() 191 if self.state.has_key(aid): 192 self.log.debug("Found allocation for %s" %aid) 193 self.clear_allocation_authorization(aid) 194 del self.state[aid] 195 self.write_state() 196 self.state_lock.release() 197 # And remove the access cert 198 cf = "%s/%s.pem" % (self.certdir, aid) 199 self.log.debug("Removing %s" % cf) 200 os.remove(cf) 201 return { 'allocID': req['allocID'] } 202 else: 203 self.state_lock.release() 204 raise service_error(service_error.req, "No such allocation") 124 # RequestAccess and ReleaseAccess come from the base class 205 125 206 126 def extract_parameters(self, top): -
fedd/federation/skeleton_access.py
rc65b7e4 r9973d57 163 163 } 164 164 165 def RequestAccess(self, req, fid): 166 """ 167 Handle an access request. Success here maps the requester into the 168 local access control space and establishes state about that user keyed 169 to a fedid. We also save a copy of the certificate underlying that 170 fedid so this allocation can access configuration information and 171 shared parameters on the experiment controller. 172 """ 173 174 # The dance to get into the request body 175 if req.has_key('RequestAccessRequestBody'): 176 req = req['RequestAccessRequestBody'] 177 else: 178 raise service_error(service_error.req, "No request!?") 179 180 # Base class lookup routine. If this fails, it throws a service 181 # exception denying access that triggers a fault response back to the 182 # caller. 183 found, match, owners = self.lookup_access(req, fid) 184 self.log.info( 185 "[RequestAccess] Access granted to %s with local creds %s" % \ 186 (match, found)) 187 # Make a fedid for this allocation 188 allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log) 189 aid = unicode(allocID) 190 191 # Store the data about this allocation: 192 self.state_lock.acquire() 193 self.state[aid] = { } 194 self.state[aid]['user'] = found 195 self.state[aid]['owners'] = owners 196 self.state[aid]['auth'] = set() 197 # Authorize the creating fedid and the principal representing the 198 # allocation to manipulate it. 199 self.append_allocation_authorization(aid, 200 ((fid, allocID), (allocID, allocID))) 201 self.write_state() 202 self.state_lock.release() 203 204 # Create a directory to stash the certificate in, ans stash it. 205 try: 206 f = open("%s/%s.pem" % (self.certdir, aid), "w") 207 print >>f, alloc_cert 208 f.close() 209 except EnvironmentError, e: 210 raise service_error(service_error.internal, 211 "Can't open %s/%s : %s" % (self.certdir, aid, e)) 212 self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID) 213 return { 'allocID': { 'fedid': allocID } } 214 215 def ReleaseAccess(self, req, fid): 216 """ 217 Release the allocation granted earlier. Access to the allocation is 218 checked and if valid, the state and cached certificate are destroyed. 219 """ 220 # The dance to get into the request body 221 if req.has_key('ReleaseAccessRequestBody'): 222 req = req['ReleaseAccessRequestBody'] 223 else: 224 raise service_error(service_error.req, "No request!?") 225 226 # Pull a key out of the request. One can request to delete an 227 # allocation by a local human readable name or by a fedid. This finds 228 # both choices. 229 try: 230 if 'localname' in req['allocID']: 231 auth_attr = aid = req['allocID']['localname'] 232 elif 'fedid' in req['allocID']: 233 aid = unicode(req['allocID']['fedid']) 234 auth_attr = req['allocID']['fedid'] 235 else: 236 raise service_error(service_error.req, 237 "Only localnames and fedids are understood") 238 except KeyError: 239 raise service_error(service_error.req, "Badly formed request") 240 241 self.log.debug("[ReleaseAccess] deallocation requested for %s", aid) 242 # Confirm access 243 if not self.auth.check_attribute(fid, auth_attr): 244 self.log.debug("[ReleaseAccess] deallocation denied for %s", aid) 245 raise service_error(service_error.access, "Access Denied") 246 247 # If there is an allocation in the state, delete it. Note the locking. 248 self.state_lock.acquire() 249 if aid in self.state: 250 self.log.debug("[ReleaseAccess] Found allocation for %s" %aid) 251 self.clear_allocation_authorization(aid) 252 del self.state[aid] 253 self.write_state() 254 self.state_lock.release() 255 # And remove the access cert 256 cf = "%s/%s.pem" % (self.certdir, aid) 257 self.log.debug("[ReleaseAccess] Removing %s" % cf) 258 os.remove(cf) 259 return { 'allocID': req['allocID'] } 260 else: 261 self.state_lock.release() 262 raise service_error(service_error.req, "No such allocation") 165 # RequestAccess and ReleaseAccess come from the base class 263 166 264 167 def StartSegment(self, req, fid):
Note: See TracChangeset
for help on using the changeset viewer.