Changeset bfbaa85


Ignore:
Timestamp:
Apr 6, 2012 9:56:22 AM (8 years ago)
Author:
Ted Faber <faber@…>
Branches:
compt_changes, master
Children:
effd4f6
Parents:
e1ede1ac
Message:

Allow update of access controller policy

File:
1 edited

Legend:

Unmodified
Added
Removed
  • fedd/access_to_abac.py

    re1ede1ac rbfbaa85  
    276276                type='str', action='callback', callback=self.expand_file,
    277277                help='File for the attribute to local authorization data')
     278        self.add_option('--update', action='store_const', const=True,
     279                dest='update_authorizer', default=False,
     280                help='Add the generated policy to an existing authorizer')
    278281        self.add_option('--no-delegate', action='store_false', dest='delegate',
    279282                default=True,
     
    292295        self.set_defaults(mapper=None)
    293296
    294 def create_creds(creds, cert, key, dir, debug=False,
    295         creddy='/usr/local/bin/creddy'):
     297def create_creds(creds, cert, key, dir, debug=False):
    296298    '''
    297299    Make the the attributes from the list of credential
    298300    objects in the creds parameter.
    299301    '''
     302    cfiles = []
    300303    for i, c in enumerate(creds):
    301304        cid = Creddy.ID(cert)
     
    312315                raise parse_error('Attribute without a principal?')
    313316        cattr.bake()
    314         cattr.write_name('%s/cred%d_attr.der' % (dir, i))
     317        fn = '%s/cred%d_attr.der' % (dir, i)
     318        cattr.write_name(fn)
     319        cfiles.append(fn)
     320    return cfiles
     321
    315322
    316323def clear_dir(dir):
     
    428435    fed_user_cred = None
    429436    fed_someuser_cred = None
     437
     438credfiles = []
    430439   
    431440# The try block makes sure that credentials split into tmp files are deleted
     
    451460            if all([cert, key, opts.dir]):
    452461                try:
    453                     create_creds([c for c in creds if c.principal == me],
     462                    credfiles = create_creds(
     463                            [c for c in creds if c.principal == me],
    454464                            cert, key, creds_dir, opts.debug)
    455465                except credential_error, e:
     
    480490        # Create an authorizer if requested.
    481491        if opts.create_auth:
    482             clear_dir(auth_dir)
    483492            try:
    484493                # Pass in the options rather than the potentially split key
     
    486495                # internally.  The opts.cert may get split twice, but we won't
    487496                # lose one.
    488                 a = abac_authorizer(key=opts.key, me=opts.cert,
    489                         certs=creds_dir, save=auth_dir)
    490                 a.save(auth_dir)
     497                if opts.update_authorizer:
     498                    operation = 'updat'
     499                    a = abac_authorizer(load=auth_dir)
     500                    a.import_credentials(file_list=credfiles)
     501                    a.save()
     502                else:
     503                    clear_dir(auth_dir)
     504                    operation = 'creat'
     505                    a = abac_authorizer(key=opts.key, me=opts.cert,
     506                            certs=creds_dir, save=auth_dir)
     507                    a.save(auth_dir)
    491508            except EnvironmentError, e:
    492509                sys.exit("Can't create or write %s: %s" % \
    493510                        (e.filename, e.strerror))
    494511            except abac_authorizer.bad_cert_error, e:
    495                 sys.exit("Error creating authorizer: %s" % e)
     512                sys.exit("Error %sing authorizer: %s" % (operation, e))
    496513
    497514finally:
Note: See TracChangeset for help on using the changeset viewer.