Changeset 9973d57


Ignore:
Timestamp:
Dec 12, 2010 9:33:44 AM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
2627eb3
Parents:
c65b7e4
Message:

Move common GetRequest/ReleaseAccess? implementations to the base class

Location:
fedd/federation
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/access.py

    rc65b7e4 r9973d57  
    770770        except EnvironmentError, e:
    771771            self.log.error("Error deleting directory tree in %s" % e);
     772
     773    def RequestAccess(self, req, fid):
     774        """
     775        Handle an access request.  Success here maps the requester into the
     776        local access control space and establishes state about that user keyed
     777        to a fedid.  We also save a copy of the certificate underlying that
     778        fedid so this allocation can access configuration information and
     779        shared parameters on the experiment controller.
     780        """
     781
     782        # The dance to get into the request body
     783        if req.has_key('RequestAccessRequestBody'):
     784            req = req['RequestAccessRequestBody']
     785        else:
     786            raise service_error(service_error.req, "No request!?")
     787
     788        # Base class lookup routine.  If this fails, it throws a service
     789        # exception denying access that triggers a fault response back to the
     790        # caller.
     791        found, match, owners = self.lookup_access(req, fid)
     792        self.log.info(
     793                "[RequestAccess] Access granted to %s with local creds %s" % \
     794                (match, found))
     795        # Make a fedid for this allocation
     796        allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
     797        aid = unicode(allocID)
     798
     799        # Store the data about this allocation:
     800        self.state_lock.acquire()
     801        self.state[aid] = { }
     802        self.state[aid]['user'] = found
     803        self.state[aid]['owners'] = owners
     804        self.state[aid]['auth'] = set()
     805        # Authorize the creating fedid and the principal representing the
     806        # allocation to manipulate it.
     807        self.append_allocation_authorization(aid,
     808                ((fid, allocID), (allocID, allocID)))
     809        self.write_state()
     810        self.state_lock.release()
     811
     812        # Create a directory to stash the certificate in, ans stash it.
     813        try:
     814            f = open("%s/%s.pem" % (self.certdir, aid), "w")
     815            print >>f, alloc_cert
     816            f.close()
     817        except EnvironmentError, e:
     818            raise service_error(service_error.internal,
     819                    "Can't open %s/%s : %s" % (self.certdir, aid, e))
     820        self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID)
     821        return { 'allocID': { 'fedid': allocID } }
     822
     823    def ReleaseAccess(self, req, fid):
     824        """
     825        Release the allocation granted earlier.  Access to the allocation is
     826        checked and if valid, the state and cached certificate are destroyed.
     827        """
     828        # The dance to get into the request body
     829        if req.has_key('ReleaseAccessRequestBody'):
     830            req = req['ReleaseAccessRequestBody']
     831        else:
     832            raise service_error(service_error.req, "No request!?")
     833
     834        # Pull a key out of the request.  One can request to delete an
     835        # allocation by a local human readable name or by a fedid.  This finds
     836        # both choices.
     837        try:
     838            if 'localname' in req['allocID']:
     839                auth_attr = aid = req['allocID']['localname']
     840            elif 'fedid' in req['allocID']:
     841                aid = unicode(req['allocID']['fedid'])
     842                auth_attr = req['allocID']['fedid']
     843            else:
     844                raise service_error(service_error.req,
     845                        "Only localnames and fedids are understood")
     846        except KeyError:
     847            raise service_error(service_error.req, "Badly formed request")
     848
     849        self.log.debug("[ReleaseAccess] deallocation requested for %s", aid)
     850        #  Confirm access
     851        if not self.auth.check_attribute(fid, auth_attr):
     852            self.log.debug("[ReleaseAccess] deallocation denied for %s", aid)
     853            raise service_error(service_error.access, "Access Denied")
     854
     855        # If there is an allocation in the state, delete it.  Note the locking.
     856        self.state_lock.acquire()
     857        if aid in self.state:
     858            self.log.debug("[ReleaseAccess] Found allocation for %s" %aid)
     859            self.clear_allocation_authorization(aid)
     860            del self.state[aid]
     861            self.write_state()
     862            self.state_lock.release()
     863            # And remove the access cert
     864            cf = "%s/%s.pem" % (self.certdir, aid)
     865            self.log.debug("[ReleaseAccess] Removing %s" % cf)
     866            os.remove(cf)
     867            return { 'allocID': req['allocID'] }
     868        else:
     869            self.state_lock.release()
     870            raise service_error(service_error.req, "No such allocation")
  • fedd/federation/deter_internal_access.py

    rc65b7e4 r9973d57  
    142142            }
    143143
    144     def RequestAccess(self, req, fid):
    145         """
    146         Handle the access request.  Proxy if not for us.
    147 
    148         Parse out the fields and make the allocations or rejections if for us,
    149         otherwise, assuming we're willing to proxy, proxy the request out.
    150         """
    151 
    152         # The dance to get into the request body
    153         if req.has_key('RequestAccessRequestBody'):
    154             req = req['RequestAccessRequestBody']
    155         else:
    156             raise service_error(service_error.req, "No request!?")
    157 
    158         found, match, owners = self.lookup_access(req, fid)
    159         # keep track of what's been added
    160         allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
    161         aid = unicode(allocID)
    162 
    163         self.state_lock.acquire()
    164         self.state[aid] = { }
    165         self.state[aid]['user'] = found
    166         self.state[aid]['owners'] = owners
    167         self.state[aid]['vlan'] = None
    168         self.state[aid]['auth'] = set()
    169         self.append_allocation_authorization(aid,
    170                 ((fid, allocID),(allocID, allocID)))
    171         self.write_state()
    172         self.state_lock.release()
    173 
    174         try:
    175             f = open("%s/%s.pem" % (self.certdir, aid), "w")
    176             print >>f, alloc_cert
    177             f.close()
    178         except EnvironmentError, e:
    179             raise service_error(service_error.internal,
    180                     "Can't open %s/%s : %s" % (self.certdir, aid, e))
    181         return { 'allocID': { 'fedid': allocID } }
    182 
    183     def ReleaseAccess(self, req, fid):
    184         # The dance to get into the request body
    185         if req.has_key('ReleaseAccessRequestBody'):
    186             req = req['ReleaseAccessRequestBody']
    187         else:
    188             raise service_error(service_error.req, "No request!?")
    189 
    190         # Local request
    191         try:
    192             if req['allocID'].has_key('localname'):
    193                 auth_attr = aid = req['allocID']['localname']
    194             elif req['allocID'].has_key('fedid'):
    195                 aid = unicode(req['allocID']['fedid'])
    196                 auth_attr = req['allocID']['fedid']
    197             else:
    198                 raise service_error(service_error.req,
    199                         "Only localnames and fedids are understood")
    200         except KeyError:
    201             raise service_error(service_error.req, "Badly formed request")
    202 
    203         self.log.debug("[access] deallocation requested for %s", aid)
    204         if not self.auth.check_attribute(fid, auth_attr):
    205             self.log.debug("[access] deallocation denied for %s", aid)
    206             raise service_error(service_error.access, "Access Denied")
    207 
    208         self.state_lock.acquire()
    209         if self.state.has_key(aid):
    210             self.log.debug("Found allocation for %s" %aid)
    211             self.clear_allocation_authorization(aid)
    212             del self.state[aid]
    213             self.write_state()
    214             self.state_lock.release()
    215             # And remove the access cert
    216             cf = "%s/%s.pem" % (self.certdir, aid)
    217             self.log.debug("Removing %s" % cf)
    218             os.remove(cf)
    219             return { 'allocID': req['allocID'] }
    220         else:
    221             self.state_lock.release()
    222             raise service_error(service_error.req, "No such allocation")
     144    # RequestAccess and ReleaseAccess come from the base
    223145
    224146    def extract_parameters(self, top):
  • fedd/federation/dragon_access.py

    rc65b7e4 r9973d57  
    122122        else: raise self.parse_error("Repo should be in parens");
    123123
    124     def RequestAccess(self, req, fid):
    125         """
    126         Handle the access request.
    127 
    128         Parse out the fields and make the allocations or rejections if for us,
    129         otherwise, assuming we're willing to proxy, proxy the request out.
    130         """
    131 
    132         # The dance to get into the request body
    133         if req.has_key('RequestAccessRequestBody'):
    134             req = req['RequestAccessRequestBody']
    135         else:
    136             raise service_error(service_error.req, "No request!?")
    137 
    138         if req.has_key('destinationTestbed'):
    139             dt = unpack_id(req['destinationTestbed'])
    140 
    141         # Request for this fedd
    142         found, match, owners = self.lookup_access(req, fid)
    143         # keep track of what's been added
    144         allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
    145         aid = unicode(allocID)
    146 
    147         self.state_lock.acquire()
    148         self.state[aid] = { }
    149         self.state[aid]['user'] = found
    150         self.state[aid]['owners'] = owners
    151         self.state[aid]['auth'] = set()
    152         self.append_allocation_authorization(aid,
    153                 ((fid, allocID),(allocID, allocID)))
    154         self.write_state()
    155         self.state_lock.release()
    156 
    157         try:
    158             f = open("%s/%s.pem" % (self.certdir, aid), "w")
    159             print >>f, alloc_cert
    160             f.close()
    161         except EnvironmentError, e:
    162             raise service_error(service_error.internal,
    163                     "Can't open %s/%s : %s" % (self.certdir, aid, e))
    164         return { 'allocID': { 'fedid': allocID } }
    165 
    166     def ReleaseAccess(self, req, fid):
    167         # The dance to get into the request body
    168         if req.has_key('ReleaseAccessRequestBody'):
    169             req = req['ReleaseAccessRequestBody']
    170         else:
    171             raise service_error(service_error.req, "No request!?")
    172 
    173         try:
    174             if req['allocID'].has_key('localname'):
    175                 auth_attr = aid = req['allocID']['localname']
    176             elif req['allocID'].has_key('fedid'):
    177                 aid = unicode(req['allocID']['fedid'])
    178                 auth_attr = req['allocID']['fedid']
    179             else:
    180                 raise service_error(service_error.req,
    181                         "Only localnames and fedids are understood")
    182         except KeyError:
    183             raise service_error(service_error.req, "Badly formed request")
    184 
    185         self.log.debug("[access] deallocation requested for %s", aid)
    186         if not self.auth.check_attribute(fid, auth_attr):
    187             self.log.debug("[access] deallocation denied for %s", aid)
    188             raise service_error(service_error.access, "Access Denied")
    189 
    190         self.state_lock.acquire()
    191         if self.state.has_key(aid):
    192             self.log.debug("Found allocation for %s" %aid)
    193             self.clear_allocation_authorization(aid)
    194             del self.state[aid]
    195             self.write_state()
    196             self.state_lock.release()
    197             # And remove the access cert
    198             cf = "%s/%s.pem" % (self.certdir, aid)
    199             self.log.debug("Removing %s" % cf)
    200             os.remove(cf)
    201             return { 'allocID': req['allocID'] }
    202         else:
    203             self.state_lock.release()
    204             raise service_error(service_error.req, "No such allocation")
     124    # RequestAccess and ReleaseAccess come from the base class
    205125
    206126    def extract_parameters(self, top):
  • fedd/federation/skeleton_access.py

    rc65b7e4 r9973d57  
    163163            }
    164164
    165     def RequestAccess(self, req, fid):
    166         """
    167         Handle an access request.  Success here maps the requester into the
    168         local access control space and establishes state about that user keyed
    169         to a fedid.  We also save a copy of the certificate underlying that
    170         fedid so this allocation can access configuration information and
    171         shared parameters on the experiment controller.
    172         """
    173 
    174         # The dance to get into the request body
    175         if req.has_key('RequestAccessRequestBody'):
    176             req = req['RequestAccessRequestBody']
    177         else:
    178             raise service_error(service_error.req, "No request!?")
    179 
    180         # Base class lookup routine.  If this fails, it throws a service
    181         # exception denying access that triggers a fault response back to the
    182         # caller.
    183         found, match, owners = self.lookup_access(req, fid)
    184         self.log.info(
    185                 "[RequestAccess] Access granted to %s with local creds %s" % \
    186                 (match, found))
    187         # Make a fedid for this allocation
    188         allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
    189         aid = unicode(allocID)
    190 
    191         # Store the data about this allocation:
    192         self.state_lock.acquire()
    193         self.state[aid] = { }
    194         self.state[aid]['user'] = found
    195         self.state[aid]['owners'] = owners
    196         self.state[aid]['auth'] = set()
    197         # Authorize the creating fedid and the principal representing the
    198         # allocation to manipulate it.
    199         self.append_allocation_authorization(aid,
    200                 ((fid, allocID), (allocID, allocID)))
    201         self.write_state()
    202         self.state_lock.release()
    203 
    204         # Create a directory to stash the certificate in, ans stash it.
    205         try:
    206             f = open("%s/%s.pem" % (self.certdir, aid), "w")
    207             print >>f, alloc_cert
    208             f.close()
    209         except EnvironmentError, e:
    210             raise service_error(service_error.internal,
    211                     "Can't open %s/%s : %s" % (self.certdir, aid, e))
    212         self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID)
    213         return { 'allocID': { 'fedid': allocID } }
    214 
    215     def ReleaseAccess(self, req, fid):
    216         """
    217         Release the allocation granted earlier.  Access to the allocation is
    218         checked and if valid, the state and cached certificate are destroyed.
    219         """
    220         # The dance to get into the request body
    221         if req.has_key('ReleaseAccessRequestBody'):
    222             req = req['ReleaseAccessRequestBody']
    223         else:
    224             raise service_error(service_error.req, "No request!?")
    225 
    226         # Pull a key out of the request.  One can request to delete an
    227         # allocation by a local human readable name or by a fedid.  This finds
    228         # both choices.
    229         try:
    230             if 'localname' in req['allocID']:
    231                 auth_attr = aid = req['allocID']['localname']
    232             elif 'fedid' in req['allocID']:
    233                 aid = unicode(req['allocID']['fedid'])
    234                 auth_attr = req['allocID']['fedid']
    235             else:
    236                 raise service_error(service_error.req,
    237                         "Only localnames and fedids are understood")
    238         except KeyError:
    239             raise service_error(service_error.req, "Badly formed request")
    240 
    241         self.log.debug("[ReleaseAccess] deallocation requested for %s", aid)
    242         #  Confirm access
    243         if not self.auth.check_attribute(fid, auth_attr):
    244             self.log.debug("[ReleaseAccess] deallocation denied for %s", aid)
    245             raise service_error(service_error.access, "Access Denied")
    246 
    247         # If there is an allocation in the state, delete it.  Note the locking.
    248         self.state_lock.acquire()
    249         if aid in self.state:
    250             self.log.debug("[ReleaseAccess] Found allocation for %s" %aid)
    251             self.clear_allocation_authorization(aid)
    252             del self.state[aid]
    253             self.write_state()
    254             self.state_lock.release()
    255             # And remove the access cert
    256             cf = "%s/%s.pem" % (self.certdir, aid)
    257             self.log.debug("[ReleaseAccess] Removing %s" % cf)
    258             os.remove(cf)
    259             return { 'allocID': req['allocID'] }
    260         else:
    261             self.state_lock.release()
    262             raise service_error(service_error.req, "No such allocation")
     165    # RequestAccess and ReleaseAccess come from the base class
    263166
    264167    def StartSegment(self, req, fid):
Note: See TracChangeset for help on using the changeset viewer.