Changeset d03c991

Timestamp:

Dec 2, 2010 10:33:23 AM (13 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

61a634d

Parents:

de86b35

Message:

Dragon works under ABAC

File:

• fedd/federation/dragon_access.py (modified) (5 diffs)

fedd/federation/dragon_access.py

@@ -12 +12 @@
 from subprocess import Popen, call, PIPE, STDOUT
 from access import access_base
+from legacy_access import legacy_access
 
 from util import *
 from allocate_project import allocate_project_local, allocate_project_remote
 from fedid import fedid, generate_fedid
-from authorizer import authorizer
+from authorizer import authorizer, abac_authorizer
 from service_error import service_error
 from remote_service import xmlrpc_handler, soap_handler, service_caller
@@ -37 +38 @@
 fl.addHandler(nullHandler())
 
-class access(access_base):
+class access(access_base, legacy_access):
     """
     The implementation of access control based on mapping users to projects.
@@ -65 +66 @@
             self.read_access(config.get("access", "accessdb"), self.make_repo)
 
-        # Add the ownership attributes to the authorizer.  Note that the
-        # indices of the allocation dict are strings, but the attributes are
-        # fedids, so there is a conversion.
-        self.state_lock.acquire()
-        for k in self.state.keys():
-            for o in self.state[k].get('owners', []):
-                self.auth.set_attribute(o, fedid(hexstr=k))
-            self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
-        self.state_lock.release()
-
-        self.lookup_access = self.lookup_access_base
+
+        # authorization information
+        self.auth_type = config.get('access', 'auth_type') \
+                or 'legacy'
+        self.auth_dir = config.get('access', 'auth_dir')
+        accessdb = config.get("access", "accessdb")
+        # initialize the authorization system
+        if self.auth_type == 'legacy':
+            self.access = { }
+            if accessdb:
+                self.legacy_read_access(accessdb, self.make_repo)
+            # Add the ownership attributes to the authorizer.  Note that the
+            # indices of the allocation dict are strings, but the attributes are
+            # fedids, so there is a conversion.
+            self.state_lock.acquire()
+            for k in self.state.keys():
+                for o in self.state[k].get('owners', []):
+                    self.auth.set_attribute(o, fedid(hexstr=k))
+                self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
+            self.state_lock.release()
+            self.lookup_access = self.legacy_lookup_access_base
+        elif self.auth_type == 'abac':
+            self.auth = abac_authorizer(load=self.auth_dir)
+            self.access = [ ]
+            if accessdb:
+                self.read_access(accessdb, self.make_repo)
+        else:
+            raise service_error(service_error.internal, 
+                    "Unknown auth_type: %s" % self.auth_type)
 
         self.call_GetValue= service_caller('GetValue')
@@ -125 +144 @@
 
         # Request for this fedd
-        found, match = self.lookup_access(req, fid)
+        found, match, owners = self.lookup_access(req, fid)
         # keep track of what's been added
         allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
@@ -133 +152 @@
         self.state[aid] = { }
         self.state[aid]['user'] = found
-        self.state[aid]['owners'] = [ fid ]
+        self.state[aid]['owners'] = owners
         self.write_state()
         self.state_lock.release()
         self.auth.set_attribute(fid, allocID)
         self.auth.set_attribute(allocID, allocID)
+        self.auth.save()
 
         try: