Context Navigation

← Previous Change
Next Change →

Changeset 9973d57 for fedd/federation

Timestamp:

Dec 12, 2010 9:33:44 AM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

Parents:

Message:

Move common GetRequest/ReleaseAccess? implementations to the base class

Location:

fedd/federation

Files:

: 4 edited

access.py (modified) (1 diff)
deter_internal_access.py (modified) (1 diff)
dragon_access.py (modified) (1 diff)
skeleton_access.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

fedd/federation/access.py

-                      rc65b7e4
+                      r9973d57
         except EnvironmentError, e:
             self.log.error("Error deleting directory tree in %s" % e);
+    def RequestAccess(self, req, fid):
+        """
+        Handle an access request.  Success here maps the requester into the
+        local access control space and establishes state about that user keyed
+        to a fedid.  We also save a copy of the certificate underlying that
+        fedid so this allocation can access configuration information and
+        shared parameters on the experiment controller.
+        """
+        # The dance to get into the request body
+        if req.has_key('RequestAccessRequestBody'):
+            req = req['RequestAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        # Base class lookup routine.  If this fails, it throws a service
+        # exception denying access that triggers a fault response back to the
+        # caller.
+        found, match, owners = self.lookup_access(req, fid)
+        self.log.info(
+                "[RequestAccess] Access granted to %s with local creds %s" % \
+                (match, found))
+        # Make a fedid for this allocation
+        allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
+        aid = unicode(allocID)
+        # Store the data about this allocation:
+        self.state_lock.acquire()
+        self.state[aid] = { }
+        self.state[aid]['user'] = found
+        self.state[aid]['owners'] = owners
+        self.state[aid]['auth'] = set()
+        # Authorize the creating fedid and the principal representing the
+        # allocation to manipulate it.
+        self.append_allocation_authorization(aid,
+                ((fid, allocID), (allocID, allocID)))
+        self.write_state()
+        self.state_lock.release()
+        # Create a directory to stash the certificate in, ans stash it.
+        try:
+            f = open("%s/%s.pem" % (self.certdir, aid), "w")
+            print >>f, alloc_cert
+            f.close()
+        except EnvironmentError, e:
+            raise service_error(service_error.internal,
+                    "Can't open %s/%s : %s" % (self.certdir, aid, e))
+        self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID)
+        return { 'allocID': { 'fedid': allocID } }
+    def ReleaseAccess(self, req, fid):
+        """
+        Release the allocation granted earlier.  Access to the allocation is
+        checked and if valid, the state and cached certificate are destroyed.
+        """
+        # The dance to get into the request body
+        if req.has_key('ReleaseAccessRequestBody'):
+            req = req['ReleaseAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        # Pull a key out of the request.  One can request to delete an
+        # allocation by a local human readable name or by a fedid.  This finds
+        # both choices.
+        try:
+            if 'localname' in req['allocID']:
+                auth_attr = aid = req['allocID']['localname']
+            elif 'fedid' in req['allocID']:
+                aid = unicode(req['allocID']['fedid'])
+                auth_attr = req['allocID']['fedid']
+            else:
+                raise service_error(service_error.req,
+                        "Only localnames and fedids are understood")
+        except KeyError:
+            raise service_error(service_error.req, "Badly formed request")
+        self.log.debug("[ReleaseAccess] deallocation requested for %s", aid)
+        #  Confirm access
+        if not self.auth.check_attribute(fid, auth_attr):
+            self.log.debug("[ReleaseAccess] deallocation denied for %s", aid)
+            raise service_error(service_error.access, "Access Denied")
+        # If there is an allocation in the state, delete it.  Note the locking.
+        self.state_lock.acquire()
+        if aid in self.state:
+            self.log.debug("[ReleaseAccess] Found allocation for %s" %aid)
+            self.clear_allocation_authorization(aid)
+            del self.state[aid]
+            self.write_state()
+            self.state_lock.release()
+            # And remove the access cert
+            cf = "%s/%s.pem" % (self.certdir, aid)
+            self.log.debug("[ReleaseAccess] Removing %s" % cf)
+            os.remove(cf)
+            return { 'allocID': req['allocID'] }
+        else:
+            self.state_lock.release()
+            raise service_error(service_error.req, "No such allocation")

fedd/federation/deter_internal_access.py

-                      rc65b7e4
+                      r9973d57
+            }
+    def RequestAccess(self, req, fid):
+        """
+        Handle the access request.  Proxy if not for us.
+        Parse out the fields and make the allocations or rejections if for us,
+        otherwise, assuming we're willing to proxy, proxy the request out.
+        """
+        # The dance to get into the request body
+        if req.has_key('RequestAccessRequestBody'):
+            req = req['RequestAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        found, match, owners = self.lookup_access(req, fid)
+        # keep track of what's been added
+        allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
+        aid = unicode(allocID)
+        self.state_lock.acquire()
+        self.state[aid] = { }
+        self.state[aid]['user'] = found
+        self.state[aid]['owners'] = owners
+        self.state[aid]['vlan'] = None
+        self.state[aid]['auth'] = set()
+        self.append_allocation_authorization(aid,
+                ((fid, allocID),(allocID, allocID)))
+        self.write_state()
+        self.state_lock.release()
+        try:
+            f = open("%s/%s.pem" % (self.certdir, aid), "w")
+            print >>f, alloc_cert
+            f.close()
+        except EnvironmentError, e:
+            raise service_error(service_error.internal,
+                    "Can't open %s/%s : %s" % (self.certdir, aid, e))
+        return { 'allocID': { 'fedid': allocID } }
+    def ReleaseAccess(self, req, fid):
+        # The dance to get into the request body
+        if req.has_key('ReleaseAccessRequestBody'):
+            req = req['ReleaseAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        # Local request
+        try:
+            if req['allocID'].has_key('localname'):
+                auth_attr = aid = req['allocID']['localname']
+            elif req['allocID'].has_key('fedid'):
+                aid = unicode(req['allocID']['fedid'])
+                auth_attr = req['allocID']['fedid']
+            else:
+                raise service_error(service_error.req,
+                        "Only localnames and fedids are understood")
+        except KeyError:
+            raise service_error(service_error.req, "Badly formed request")
+        self.log.debug("[access] deallocation requested for %s", aid)
+        if not self.auth.check_attribute(fid, auth_attr):
+            self.log.debug("[access] deallocation denied for %s", aid)
+            raise service_error(service_error.access, "Access Denied")
+        self.state_lock.acquire()
+        if self.state.has_key(aid):
+            self.log.debug("Found allocation for %s" %aid)
+            self.clear_allocation_authorization(aid)
+            del self.state[aid]
+            self.write_state()
+            self.state_lock.release()
+            # And remove the access cert
+            cf = "%s/%s.pem" % (self.certdir, aid)
+            self.log.debug("Removing %s" % cf)
+            os.remove(cf)
+            return { 'allocID': req['allocID'] }
+        else:
+            self.state_lock.release()
+            raise service_error(service_error.req, "No such allocation")
+    # RequestAccess and ReleaseAccess come from the base
     def extract_parameters(self, top):

fedd/federation/dragon_access.py

-                      rc65b7e4
+                      r9973d57
         else: raise self.parse_error("Repo should be in parens");
+    def RequestAccess(self, req, fid):
+        """
+        Handle the access request.
+        Parse out the fields and make the allocations or rejections if for us,
+        otherwise, assuming we're willing to proxy, proxy the request out.
+        """
+        # The dance to get into the request body
+        if req.has_key('RequestAccessRequestBody'):
+            req = req['RequestAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        if req.has_key('destinationTestbed'):
+            dt = unpack_id(req['destinationTestbed'])
+        # Request for this fedd
+        found, match, owners = self.lookup_access(req, fid)
+        # keep track of what's been added
+        allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
+        aid = unicode(allocID)
+        self.state_lock.acquire()
+        self.state[aid] = { }
+        self.state[aid]['user'] = found
+        self.state[aid]['owners'] = owners
+        self.state[aid]['auth'] = set()
+        self.append_allocation_authorization(aid,
+                ((fid, allocID),(allocID, allocID)))
+        self.write_state()
+        self.state_lock.release()
+        try:
+            f = open("%s/%s.pem" % (self.certdir, aid), "w")
+            print >>f, alloc_cert
+            f.close()
+        except EnvironmentError, e:
+            raise service_error(service_error.internal,
+                    "Can't open %s/%s : %s" % (self.certdir, aid, e))
+        return { 'allocID': { 'fedid': allocID } }
+    def ReleaseAccess(self, req, fid):
+        # The dance to get into the request body
+        if req.has_key('ReleaseAccessRequestBody'):
+            req = req['ReleaseAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        try:
+            if req['allocID'].has_key('localname'):
+                auth_attr = aid = req['allocID']['localname']
+            elif req['allocID'].has_key('fedid'):
+                aid = unicode(req['allocID']['fedid'])
+                auth_attr = req['allocID']['fedid']
+            else:
+                raise service_error(service_error.req,
+                        "Only localnames and fedids are understood")
+        except KeyError:
+            raise service_error(service_error.req, "Badly formed request")
+        self.log.debug("[access] deallocation requested for %s", aid)
+        if not self.auth.check_attribute(fid, auth_attr):
+            self.log.debug("[access] deallocation denied for %s", aid)
+            raise service_error(service_error.access, "Access Denied")
+        self.state_lock.acquire()
+        if self.state.has_key(aid):
+            self.log.debug("Found allocation for %s" %aid)
+            self.clear_allocation_authorization(aid)
+            del self.state[aid]
+            self.write_state()
+            self.state_lock.release()
+            # And remove the access cert
+            cf = "%s/%s.pem" % (self.certdir, aid)
+            self.log.debug("Removing %s" % cf)
+            os.remove(cf)
+            return { 'allocID': req['allocID'] }
+        else:
+            self.state_lock.release()
+            raise service_error(service_error.req, "No such allocation")
+    # RequestAccess and ReleaseAccess come from the base class
     def extract_parameters(self, top):

fedd/federation/skeleton_access.py

-                      rc65b7e4
+                      r9973d57
+            }
+    def RequestAccess(self, req, fid):
+        """
+        Handle an access request.  Success here maps the requester into the
+        local access control space and establishes state about that user keyed
+        to a fedid.  We also save a copy of the certificate underlying that
+        fedid so this allocation can access configuration information and
+        shared parameters on the experiment controller.
+        """
+        # The dance to get into the request body
+        if req.has_key('RequestAccessRequestBody'):
+            req = req['RequestAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        # Base class lookup routine.  If this fails, it throws a service
+        # exception denying access that triggers a fault response back to the
+        # caller.
+        found, match, owners = self.lookup_access(req, fid)
+        self.log.info(
+                "[RequestAccess] Access granted to %s with local creds %s" % \
+                (match, found))
+        # Make a fedid for this allocation
+        allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
+        aid = unicode(allocID)
+        # Store the data about this allocation:
+        self.state_lock.acquire()
+        self.state[aid] = { }
+        self.state[aid]['user'] = found
+        self.state[aid]['owners'] = owners
+        self.state[aid]['auth'] = set()
+        # Authorize the creating fedid and the principal representing the
+        # allocation to manipulate it.
+        self.append_allocation_authorization(aid,
+                ((fid, allocID), (allocID, allocID)))
+        self.write_state()
+        self.state_lock.release()
+        # Create a directory to stash the certificate in, ans stash it.
+        try:
+            f = open("%s/%s.pem" % (self.certdir, aid), "w")
+            print >>f, alloc_cert
+            f.close()
+        except EnvironmentError, e:
+            raise service_error(service_error.internal,
+                    "Can't open %s/%s : %s" % (self.certdir, aid, e))
+        self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID)
+        return { 'allocID': { 'fedid': allocID } }
+    def ReleaseAccess(self, req, fid):
+        """
+        Release the allocation granted earlier.  Access to the allocation is
+        checked and if valid, the state and cached certificate are destroyed.
+        """
+        # The dance to get into the request body
+        if req.has_key('ReleaseAccessRequestBody'):
+            req = req['ReleaseAccessRequestBody']
+        else:
+            raise service_error(service_error.req, "No request!?")
+        # Pull a key out of the request.  One can request to delete an
+        # allocation by a local human readable name or by a fedid.  This finds
+        # both choices.
+        try:
+            if 'localname' in req['allocID']:
+                auth_attr = aid = req['allocID']['localname']
+            elif 'fedid' in req['allocID']:
+                aid = unicode(req['allocID']['fedid'])
+                auth_attr = req['allocID']['fedid']
+            else:
+                raise service_error(service_error.req,
+                        "Only localnames and fedids are understood")
+        except KeyError:
+            raise service_error(service_error.req, "Badly formed request")
+        self.log.debug("[ReleaseAccess] deallocation requested for %s", aid)
+        #  Confirm access
+        if not self.auth.check_attribute(fid, auth_attr):
+            self.log.debug("[ReleaseAccess] deallocation denied for %s", aid)
+            raise service_error(service_error.access, "Access Denied")
+        # If there is an allocation in the state, delete it.  Note the locking.
+        self.state_lock.acquire()
+        if aid in self.state:
+            self.log.debug("[ReleaseAccess] Found allocation for %s" %aid)
+            self.clear_allocation_authorization(aid)
+            del self.state[aid]
+            self.write_state()
+            self.state_lock.release()
+            # And remove the access cert
+            cf = "%s/%s.pem" % (self.certdir, aid)
+            self.log.debug("[ReleaseAccess] Removing %s" % cf)
+            os.remove(cf)
+            return { 'allocID': req['allocID'] }
+        else:
+            self.state_lock.release()
+            raise service_error(service_error.req, "No such allocation")
+    # RequestAccess and ReleaseAccess come from the base class
     def StartSegment(self, req, fid):

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: