Changeset b7a61ac for fedd


Ignore:
Timestamp:
Dec 3, 2010 10:20:08 AM (14 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
262328f
Parents:
a0e20ac
Message:

ABAC into the skeleton

File:
1 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/skeleton_access.py

    ra0e20ac rb7a61ac  
    1111from util import *
    1212from fedid import fedid, generate_fedid
    13 from authorizer import authorizer
     13from authorizer import authorizer, abac_authorizer
    1414from service_error import service_error
    1515from remote_service import xmlrpc_handler, soap_handler, service_caller
     
    6464        here.
    6565
    66         The access database maps users to a simple string.  Use the sample at.
     66        The access database maps users to a simple string.
    6767        """
    6868
     
    7474        # The available integers
    7575        self.available_ints = set(range(0,self.maxint))
    76         # This will contain the local data from a successful access request.
    77         # Keys are the valid three-names, and values are the locally
    78         # interpreted data.
    79         self.access = { }
    80         # Read the access values.  We read the accessDB in the derived class so
    81         # that the derived class can specialize the reading of access info.  In
    82         # this case, we gather the strings in the access db into self.access
    83         # using the translator above.
    84         if config.has_option("access", "accessdb"):
    85             try:
    86                 self.read_access(config.get("access", "accessdb"),
    87                         self.parse_access_string)
    88             except EnvironmentError, e:
    89                 self.log.error("Cannot read %s: %s" % \
    90                         (config.get("access", "accessdb"), e))
    91                 raise e
    92 
    93         # The base class initializer has read the state dictionary from the
    94         # state file, if there is one.  The state variable includes information
    95         # about each active allocation, keyed by the allocation identifier.
    96         # This loop extracts the owners stored with each allocation and
    97         # associates an access attribute with them.  Each owner is allowed to
    98         # access each thing they own.  This is a specialization of the state
    99         # handling.
     76
     77        # authorization information
     78        self.auth_type = config.get('access', 'auth_type') \
     79                or 'legacy'
     80        self.auth_dir = config.get('access', 'auth_dir')
     81        accessdb = config.get("access", "accessdb")
     82        # initialize the authorization system.  In each case we make a call to
     83        # read the access database that maps from authorization information
     84        # into local information.  The local information is parsed by the
     85        # translator above.
     86        if self.auth_type == 'legacy':
     87            self.access = { }
     88            if accessdb:
     89                try:
     90                    self.legacy_read_access(accessdb, self.parse_access_string)
     91                except EnvironmentError, e:
     92                    self.log.error("Cannot read %s: %s" % \
     93                            (config.get("access", "accessdb"), e))
     94                    raise e
     95            # The base class initializer has read the state dictionary from the
     96            # state file, if there is one.  The state variable includes
     97            # information about each active allocation, keyed by the allocation
     98            # identifier.  This loop extracts the owners stored with each
     99            # allocation and associates an access attribute with them.  Each
     100            # owner is allowed to access each thing they own.  This is a
     101            # specialization of the state handling.  ABAC records this
     102            # information explicitly so this loop only executes for legacy
     103            # code.
     104            self.state_lock.acquire()
     105            for k in self.state.keys():
     106                # Add the owners
     107                for o in self.state[k].get('owners', []):
     108                    self.auth.set_attribute(o, fedid(hexstr=k))
     109                # The principal represented by the allocation itself is also
     110                # allowed to make accesses.
     111                self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
     112            self.state_lock.release()
     113            # This access controller does not specialize the process of looking
     114            # up local information.  This aliases the lookup_access method to
     115            # be easier to read.
     116            self.lookup_access = self.legacy_lookup_access_base
     117        elif self.auth_type == 'abac':
     118            #  Load the current authorization state
     119            self.auth = abac_authorizer(load=self.auth_dir)
     120            self.access = [ ]
     121            if accessdb:
     122                try:
     123                    self.read_access(accessdb, self.parse_access_string)
     124                except EnvironmentError, e:
     125                    self.log.error("Cannot read %s: %s" % \
     126                            (config.get("access", "accessdb"), e))
     127                    raise e
     128        else:
     129            raise service_error(service_error.internal,
     130                    "Unknown auth_type: %s" % self.auth_type)
     131
     132        # Clean the state
    100133        self.state_lock.acquire()
    101134        for k in self.state.keys():
    102             # Add the owners
    103             for o in self.state[k].get('owners', []):
    104                 self.auth.set_attribute(o, fedid(hexstr=k))
    105             # The principal represented by the allocation itself is also
    106             # allowed to make accesses.
    107             self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
    108135            # Remove any allocated integers from the available ones
    109136            if 'integer' in self.state[k]:
    110137                self.available_ints.discard(self.state[k]['integer'])
    111138        self.state_lock.release()
    112 
    113         # This access controller does not specialize the process of looking up
    114         # local information.  This aliases the lookup_access method to be
    115         # easier to read.
    116         self.lookup_access = self.lookup_access_base
    117139
    118140        # These dictionaries register the plug-in's local routines for handline
     
    158180        # exception denying access that triggers a fault response back to the
    159181        # caller.
    160         found, match = self.lookup_access(req, fid)
     182        found, match, owners = self.lookup_access(req, fid)
    161183        self.log.info(
    162184                "[RequestAccess] Access granted to %s with local creds %s" % \
     
    170192        self.state[aid] = { }
    171193        self.state[aid]['user'] = found
    172         self.state[aid]['owners'] = [ fid ]
     194        self.state[aid]['owners'] = owners
    173195        self.write_state()
    174196        self.state_lock.release()
     
    177199        self.auth.set_attribute(fid, allocID)
    178200        self.auth.set_attribute(allocID, allocID)
     201        self.auth.save()
    179202
    180203        # Create a directory to stash the certificate in, ans stash it.
Note: See TracChangeset for help on using the changeset viewer.