Changeset d03c991 for fedd/federation


Ignore:
Timestamp:
Dec 2, 2010 10:33:23 AM (14 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
61a634d
Parents:
de86b35
Message:

Dragon works under ABAC

File:
1 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/dragon_access.py

    rde86b35 rd03c991  
    1212from subprocess import Popen, call, PIPE, STDOUT
    1313from access import access_base
     14from legacy_access import legacy_access
    1415
    1516from util import *
    1617from allocate_project import allocate_project_local, allocate_project_remote
    1718from fedid import fedid, generate_fedid
    18 from authorizer import authorizer
     19from authorizer import authorizer, abac_authorizer
    1920from service_error import service_error
    2021from remote_service import xmlrpc_handler, soap_handler, service_caller
     
    3738fl.addHandler(nullHandler())
    3839
    39 class access(access_base):
     40class access(access_base, legacy_access):
    4041    """
    4142    The implementation of access control based on mapping users to projects.
     
    6566            self.read_access(config.get("access", "accessdb"), self.make_repo)
    6667
    67         # Add the ownership attributes to the authorizer.  Note that the
    68         # indices of the allocation dict are strings, but the attributes are
    69         # fedids, so there is a conversion.
    70         self.state_lock.acquire()
    71         for k in self.state.keys():
    72             for o in self.state[k].get('owners', []):
    73                 self.auth.set_attribute(o, fedid(hexstr=k))
    74             self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
    75         self.state_lock.release()
    76 
    77         self.lookup_access = self.lookup_access_base
     68
     69        # authorization information
     70        self.auth_type = config.get('access', 'auth_type') \
     71                or 'legacy'
     72        self.auth_dir = config.get('access', 'auth_dir')
     73        accessdb = config.get("access", "accessdb")
     74        # initialize the authorization system
     75        if self.auth_type == 'legacy':
     76            self.access = { }
     77            if accessdb:
     78                self.legacy_read_access(accessdb, self.make_repo)
     79            # Add the ownership attributes to the authorizer.  Note that the
     80            # indices of the allocation dict are strings, but the attributes are
     81            # fedids, so there is a conversion.
     82            self.state_lock.acquire()
     83            for k in self.state.keys():
     84                for o in self.state[k].get('owners', []):
     85                    self.auth.set_attribute(o, fedid(hexstr=k))
     86                self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
     87            self.state_lock.release()
     88            self.lookup_access = self.legacy_lookup_access_base
     89        elif self.auth_type == 'abac':
     90            self.auth = abac_authorizer(load=self.auth_dir)
     91            self.access = [ ]
     92            if accessdb:
     93                self.read_access(accessdb, self.make_repo)
     94        else:
     95            raise service_error(service_error.internal,
     96                    "Unknown auth_type: %s" % self.auth_type)
    7897
    7998        self.call_GetValue= service_caller('GetValue')
     
    125144
    126145        # Request for this fedd
    127         found, match = self.lookup_access(req, fid)
     146        found, match, owners = self.lookup_access(req, fid)
    128147        # keep track of what's been added
    129148        allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
     
    133152        self.state[aid] = { }
    134153        self.state[aid]['user'] = found
    135         self.state[aid]['owners'] = [ fid ]
     154        self.state[aid]['owners'] = owners
    136155        self.write_state()
    137156        self.state_lock.release()
    138157        self.auth.set_attribute(fid, allocID)
    139158        self.auth.set_attribute(allocID, allocID)
     159        self.auth.save()
    140160
    141161        try:
Note: See TracChangeset for help on using the changeset viewer.