Changeset c002cb2

Timestamp:

Nov 30, 2010 1:57:05 PM (13 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

1f6a573

Parents:

822d31b

Message:

Structure for priority and filtering of ABAC attributes at access check time

Location:

fedd/federation

Files:

• access.py (modified) (3 diffs)
• emulab_access.py (modified) (4 diffs)

fedd/federation/access.py

@@ -47 +47 @@
 
     class parse_error(RuntimeError): pass
+
+    class access_attribute:
+        def __init__(self, attr, value, pri=1):
+            self.attr = attr
+            self.value = value
+            self.priority = pri
 
     def __init__(self, config=None, auth=None):
@@ -138 +144 @@
             access_obj = lambda(x): "%s" % x
 
+        self.access = []
+
         f = open(fn, 'r')
         try:
@@ -148 +156 @@
                 m = map_re.match(line)
                 if m != None:
-                    self.access[m.group(1)] = access_obj(m.group(2))
+                    self.access.append(access_base.access_attribute(m.group(1),
+                        access_obj(m.group(2))))
                     continue
 

fedd/federation/emulab_access.py

@@ -104 +104 @@
 
         self.restricted = [ ]
-        self.access = { }
         # XXX: this should go?
         #if config.has_option("access", "accessdb"):
@@ -119 +118 @@
         # initialize the authorization system
         if self.auth_type == 'legacy':
+            self.access = { }
             if accessdb:
                 self.legacy_read_access(accessdb, self.legacy_access_tuple)
         elif self.auth_type == 'abac':
             self.auth = abac_authorizer(load=self.auth_dir)
+            self.access = [ ]
             if accessdb:
                 self.read_access(accessdb, self.access_tuple)
@@ -327 +328 @@
                 [ fid ]
 
-    def lookup_access(self, req, fid): 
+    def lookup_access(self, req, fid, filter=None, compare=None): 
         """
         Check all the attributes that this controller knows how to map and see
         if the requester is allowed to use any of them.  If so return one.
-        """
+        Filter defined the objects to check - it's a function that returns true
+        for the objects to check - and cmp defines the order to check them in
+        as the cmp field of sorted().  If filter is None, all possibilities are
+        checked.  If cmp is None, the choices are sorted by priority.
+        """
+        # NB: comparison order reversed so numerically larger priorities are
+        # checked first.
+        def prio_cmp(a, b):
+            return cmp(b.priority, a.priority)
+
+
         # Import request credentials into this (clone later??)
         if self.auth.import_credentials(
@@ -337 +348 @@
             self.auth.save()
 
+        c = compare or prio_cmp
+        if filter: f = filter
+        else: f = lambda(x): True
+
+        check = sorted([ a for a in self.access if f(a)], cmp=c)
+
         # Check every attribute that we know how to map and take the first
         # success.
-        for attr in (self.access.keys()):
-            if self.auth.check_attribute(fid, attr):
+        for attr in check:
+            if self.auth.check_attribute(fid, attr.attr):
+                self.log.debug("Access succeeded for %s %s" % (attr.attr, fid))
                 # XXX: needs to deal with dynamics
-                return copy.copy(self.access[attr]), (False, False, False), \
+                return copy.copy(attr.value), (False, False, False), \
                         [ fid ]
             else:
-                self.log.debug("Access failed for %s %s" % (attr, fid))
+                self.log.debug("Access failed for %s %s" % (attr.attr, fid))
         else:
             raise service_error(service_error.access, "Access denied")