Changeset b7a61ac for fedd/federation
- Timestamp:
- Dec 3, 2010 10:20:08 AM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 262328f
- Parents:
- a0e20ac
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
fedd/federation/skeleton_access.py
ra0e20ac rb7a61ac 11 11 from util import * 12 12 from fedid import fedid, generate_fedid 13 from authorizer import authorizer 13 from authorizer import authorizer, abac_authorizer 14 14 from service_error import service_error 15 15 from remote_service import xmlrpc_handler, soap_handler, service_caller … … 64 64 here. 65 65 66 The access database maps users to a simple string. Use the sample at.66 The access database maps users to a simple string. 67 67 """ 68 68 … … 74 74 # The available integers 75 75 self.available_ints = set(range(0,self.maxint)) 76 # This will contain the local data from a successful access request. 77 # Keys are the valid three-names, and values are the locally 78 # interpreted data. 79 self.access = { } 80 # Read the access values. We read the accessDB in the derived class so 81 # that the derived class can specialize the reading of access info. In 82 # this case, we gather the strings in the access db into self.access 83 # using the translator above. 84 if config.has_option("access", "accessdb"): 85 try: 86 self.read_access(config.get("access", "accessdb"), 87 self.parse_access_string) 88 except EnvironmentError, e: 89 self.log.error("Cannot read %s: %s" % \ 90 (config.get("access", "accessdb"), e)) 91 raise e 92 93 # The base class initializer has read the state dictionary from the 94 # state file, if there is one. The state variable includes information 95 # about each active allocation, keyed by the allocation identifier. 96 # This loop extracts the owners stored with each allocation and 97 # associates an access attribute with them. Each owner is allowed to 98 # access each thing they own. This is a specialization of the state 99 # handling. 76 77 # authorization information 78 self.auth_type = config.get('access', 'auth_type') \ 79 or 'legacy' 80 self.auth_dir = config.get('access', 'auth_dir') 81 accessdb = config.get("access", "accessdb") 82 # initialize the authorization system. In each case we make a call to 83 # read the access database that maps from authorization information 84 # into local information. The local information is parsed by the 85 # translator above. 86 if self.auth_type == 'legacy': 87 self.access = { } 88 if accessdb: 89 try: 90 self.legacy_read_access(accessdb, self.parse_access_string) 91 except EnvironmentError, e: 92 self.log.error("Cannot read %s: %s" % \ 93 (config.get("access", "accessdb"), e)) 94 raise e 95 # The base class initializer has read the state dictionary from the 96 # state file, if there is one. The state variable includes 97 # information about each active allocation, keyed by the allocation 98 # identifier. This loop extracts the owners stored with each 99 # allocation and associates an access attribute with them. Each 100 # owner is allowed to access each thing they own. This is a 101 # specialization of the state handling. ABAC records this 102 # information explicitly so this loop only executes for legacy 103 # code. 104 self.state_lock.acquire() 105 for k in self.state.keys(): 106 # Add the owners 107 for o in self.state[k].get('owners', []): 108 self.auth.set_attribute(o, fedid(hexstr=k)) 109 # The principal represented by the allocation itself is also 110 # allowed to make accesses. 111 self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k)) 112 self.state_lock.release() 113 # This access controller does not specialize the process of looking 114 # up local information. This aliases the lookup_access method to 115 # be easier to read. 116 self.lookup_access = self.legacy_lookup_access_base 117 elif self.auth_type == 'abac': 118 # Load the current authorization state 119 self.auth = abac_authorizer(load=self.auth_dir) 120 self.access = [ ] 121 if accessdb: 122 try: 123 self.read_access(accessdb, self.parse_access_string) 124 except EnvironmentError, e: 125 self.log.error("Cannot read %s: %s" % \ 126 (config.get("access", "accessdb"), e)) 127 raise e 128 else: 129 raise service_error(service_error.internal, 130 "Unknown auth_type: %s" % self.auth_type) 131 132 # Clean the state 100 133 self.state_lock.acquire() 101 134 for k in self.state.keys(): 102 # Add the owners103 for o in self.state[k].get('owners', []):104 self.auth.set_attribute(o, fedid(hexstr=k))105 # The principal represented by the allocation itself is also106 # allowed to make accesses.107 self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))108 135 # Remove any allocated integers from the available ones 109 136 if 'integer' in self.state[k]: 110 137 self.available_ints.discard(self.state[k]['integer']) 111 138 self.state_lock.release() 112 113 # This access controller does not specialize the process of looking up114 # local information. This aliases the lookup_access method to be115 # easier to read.116 self.lookup_access = self.lookup_access_base117 139 118 140 # These dictionaries register the plug-in's local routines for handline … … 158 180 # exception denying access that triggers a fault response back to the 159 181 # caller. 160 found, match = self.lookup_access(req, fid)182 found, match, owners = self.lookup_access(req, fid) 161 183 self.log.info( 162 184 "[RequestAccess] Access granted to %s with local creds %s" % \ … … 170 192 self.state[aid] = { } 171 193 self.state[aid]['user'] = found 172 self.state[aid]['owners'] = [ fid ]194 self.state[aid]['owners'] = owners 173 195 self.write_state() 174 196 self.state_lock.release() … … 177 199 self.auth.set_attribute(fid, allocID) 178 200 self.auth.set_attribute(allocID, allocID) 201 self.auth.save() 179 202 180 203 # Create a directory to stash the certificate in, ans stash it.
Note: See TracChangeset
for help on using the changeset viewer.