Ignore:
Timestamp:
Dec 12, 2010 9:33:44 AM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
2627eb3
Parents:
c65b7e4
Message:

Move common GetRequest/ReleaseAccess? implementations to the base class

File:
1 edited

Legend:

Unmodified
Added
Removed

  • fedd/federation/skeleton_access.py

    rc65b7e4 r9973d57  
    163163            }
    164164
    165     def RequestAccess(self, req, fid):
    166         """
    167         Handle an access request.  Success here maps the requester into the
    168         local access control space and establishes state about that user keyed
    169         to a fedid.  We also save a copy of the certificate underlying that
    170         fedid so this allocation can access configuration information and
    171         shared parameters on the experiment controller.
    172         """
    173 
    174         # The dance to get into the request body
    175         if req.has_key('RequestAccessRequestBody'):
    176             req = req['RequestAccessRequestBody']
    177         else:
    178             raise service_error(service_error.req, "No request!?")
    179 
    180         # Base class lookup routine.  If this fails, it throws a service
    181         # exception denying access that triggers a fault response back to the
    182         # caller.
    183         found, match, owners = self.lookup_access(req, fid)
    184         self.log.info(
    185                 "[RequestAccess] Access granted to %s with local creds %s" % \
    186                 (match, found))
    187         # Make a fedid for this allocation
    188         allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
    189         aid = unicode(allocID)
    190 
    191         # Store the data about this allocation:
    192         self.state_lock.acquire()
    193         self.state[aid] = { }
    194         self.state[aid]['user'] = found
    195         self.state[aid]['owners'] = owners
    196         self.state[aid]['auth'] = set()
    197         # Authorize the creating fedid and the principal representing the
    198         # allocation to manipulate it.
    199         self.append_allocation_authorization(aid,
    200                 ((fid, allocID), (allocID, allocID)))
    201         self.write_state()
    202         self.state_lock.release()
    203 
    204         # Create a directory to stash the certificate in, ans stash it.
    205         try:
    206             f = open("%s/%s.pem" % (self.certdir, aid), "w")
    207             print >>f, alloc_cert
    208             f.close()
    209         except EnvironmentError, e:
    210             raise service_error(service_error.internal,
    211                     "Can't open %s/%s : %s" % (self.certdir, aid, e))
    212         self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID)
    213         return { 'allocID': { 'fedid': allocID } }
    214 
    215     def ReleaseAccess(self, req, fid):
    216         """
    217         Release the allocation granted earlier.  Access to the allocation is
    218         checked and if valid, the state and cached certificate are destroyed.
    219         """
    220         # The dance to get into the request body
    221         if req.has_key('ReleaseAccessRequestBody'):
    222             req = req['ReleaseAccessRequestBody']
    223         else:
    224             raise service_error(service_error.req, "No request!?")
    225 
    226         # Pull a key out of the request.  One can request to delete an
    227         # allocation by a local human readable name or by a fedid.  This finds
    228         # both choices.
    229         try:
    230             if 'localname' in req['allocID']:
    231                 auth_attr = aid = req['allocID']['localname']
    232             elif 'fedid' in req['allocID']:
    233                 aid = unicode(req['allocID']['fedid'])
    234                 auth_attr = req['allocID']['fedid']
    235             else:
    236                 raise service_error(service_error.req,
    237                         "Only localnames and fedids are understood")
    238         except KeyError:
    239             raise service_error(service_error.req, "Badly formed request")
    240 
    241         self.log.debug("[ReleaseAccess] deallocation requested for %s", aid)
    242         #  Confirm access
    243         if not self.auth.check_attribute(fid, auth_attr):
    244             self.log.debug("[ReleaseAccess] deallocation denied for %s", aid)
    245             raise service_error(service_error.access, "Access Denied")
    246 
    247         # If there is an allocation in the state, delete it.  Note the locking.
    248         self.state_lock.acquire()
    249         if aid in self.state:
    250             self.log.debug("[ReleaseAccess] Found allocation for %s" %aid)
    251             self.clear_allocation_authorization(aid)
    252             del self.state[aid]
    253             self.write_state()
    254             self.state_lock.release()
    255             # And remove the access cert
    256             cf = "%s/%s.pem" % (self.certdir, aid)
    257             self.log.debug("[ReleaseAccess] Removing %s" % cf)
    258             os.remove(cf)
    259             return { 'allocID': req['allocID'] }
    260         else:
    261             self.state_lock.release()
    262             raise service_error(service_error.req, "No such allocation")
     165    # RequestAccess and ReleaseAccess come from the base class
    263166
    264167    def StartSegment(self, req, fid):
Note: See TracChangeset for help on using the changeset viewer.