Changeset c002cb2 for fedd


Ignore:
Timestamp:
Nov 30, 2010 1:57:05 PM (14 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
1f6a573
Parents:
822d31b
Message:

Structure for priority and filtering of ABAC attributes at access check time

Location:
fedd/federation
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/access.py

    r822d31b rc002cb2  
    4747
    4848    class parse_error(RuntimeError): pass
     49
     50    class access_attribute:
     51        def __init__(self, attr, value, pri=1):
     52            self.attr = attr
     53            self.value = value
     54            self.priority = pri
    4955
    5056    def __init__(self, config=None, auth=None):
     
    138144            access_obj = lambda(x): "%s" % x
    139145
     146        self.access = []
     147
    140148        f = open(fn, 'r')
    141149        try:
     
    148156                m = map_re.match(line)
    149157                if m != None:
    150                     self.access[m.group(1)] = access_obj(m.group(2))
     158                    self.access.append(access_base.access_attribute(m.group(1),
     159                        access_obj(m.group(2))))
    151160                    continue
    152161
  • fedd/federation/emulab_access.py

    r822d31b rc002cb2  
    104104
    105105        self.restricted = [ ]
    106         self.access = { }
    107106        # XXX: this should go?
    108107        #if config.has_option("access", "accessdb"):
     
    119118        # initialize the authorization system
    120119        if self.auth_type == 'legacy':
     120            self.access = { }
    121121            if accessdb:
    122122                self.legacy_read_access(accessdb, self.legacy_access_tuple)
    123123        elif self.auth_type == 'abac':
    124124            self.auth = abac_authorizer(load=self.auth_dir)
     125            self.access = [ ]
    125126            if accessdb:
    126127                self.read_access(accessdb, self.access_tuple)
     
    327328                [ fid ]
    328329
    329     def lookup_access(self, req, fid):
     330    def lookup_access(self, req, fid, filter=None, compare=None):
    330331        """
    331332        Check all the attributes that this controller knows how to map and see
    332333        if the requester is allowed to use any of them.  If so return one.
    333         """
     334        Filter defined the objects to check - it's a function that returns true
     335        for the objects to check - and cmp defines the order to check them in
     336        as the cmp field of sorted().  If filter is None, all possibilities are
     337        checked.  If cmp is None, the choices are sorted by priority.
     338        """
     339        # NB: comparison order reversed so numerically larger priorities are
     340        # checked first.
     341        def prio_cmp(a, b):
     342            return cmp(b.priority, a.priority)
     343
     344
    334345        # Import request credentials into this (clone later??)
    335346        if self.auth.import_credentials(
     
    337348            self.auth.save()
    338349
     350        c = compare or prio_cmp
     351        if filter: f = filter
     352        else: f = lambda(x): True
     353
     354        check = sorted([ a for a in self.access if f(a)], cmp=c)
     355
    339356        # Check every attribute that we know how to map and take the first
    340357        # success.
    341         for attr in (self.access.keys()):
    342             if self.auth.check_attribute(fid, attr):
     358        for attr in check:
     359            if self.auth.check_attribute(fid, attr.attr):
     360                self.log.debug("Access succeeded for %s %s" % (attr.attr, fid))
    343361                # XXX: needs to deal with dynamics
    344                 return copy.copy(self.access[attr]), (False, False, False), \
     362                return copy.copy(attr.value), (False, False, False), \
    345363                        [ fid ]
    346364            else:
    347                 self.log.debug("Access failed for %s %s" % (attr, fid))
     365                self.log.debug("Access failed for %s %s" % (attr.attr, fid))
    348366        else:
    349367            raise service_error(service_error.access, "Access denied")
Note: See TracChangeset for help on using the changeset viewer.