Changeset 2571


Timestamp:
Nov 29, 2009, 8:48:43 AM (14 years ago)
Author:
broder
Message:

Rephrase the invirt.authz.locker._authenticate docstring for clarity.

(Based on comments from price)

File:
1 edited

  • trunk/packages/invirt-base/python/invirt/authz/locker.py

    r2562 r2571  
    7070
    7171def _authenticate(cell):
    72     """Acquire credentials if possible for a particular cell.
     72    """Acquire AFS tokens for a cell if encryption is required by config.
    7373
    74     This function returns True if an authenticated connection to the
    75     cell should be established; False otherwise.
     74    If the Invirt configuration requires connections to this cell to
     75    be encrypted, acquires tokens and returns True. Otherwise, returns
     76    False. Consumers of this function must still be sure to encrypt
     77    their own connections if necessary.
    7678
    77     If a cell isn't explicitly listed in the configuration file,
    78     _authenticate will assume that it /should/ authenticate to the
    79     cell.
     79    Cells not listed in the Invirt configuration default to requiring
     80    encryption in order to maintain security by default.
    8081
    81     The assumption is that choosing to authenticate to a cell will
    82     fail in two cases: (a) the cell authenticates against the
    83     machine's home realm and there is no PTS ID in the cell, or (b)
    84     the cell doesn't authenticate against the machine's home realm and
    85     doesn't have cross-realm authentication setup.
    86 
    87     In the former case, it should be possible for the sysadmins to
    88     list all cells that authenticate against the home realm (including
    89     those where attempting authentication would be problematic). In
    90     the latter case, such a cell would be at best distantly connected
    91     to the home cell, and we probably don't want to give it quota
    92     anyway.
     82    Due to AFS's cross-realm auto-PTS-creation mechanism, using
     83    authenticated connections by default should only fail for cells
     84    which authenticate directly against the machine's home realm and
     85    cells distantly related to the machine's home realm.
    9386    """
    9487    for c in config.authz.cells:
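Review bot: The rewritten failure-case sentence (new lines 82-85) drops a qualifier the old text had, so it now reads as if authentication fails for every cell that authenticates against the machine's home realm. The removed lines 81-85 scoped that case to cells where "there is no PTS ID in the cell"; cross-realm auto-PTS-creation does not help there because it only applies to foreign-realm principals. Suggest restoring the qualifier, e.g. "cells which authenticate directly against the machine's home realm but have no PTS entry for this host, and cells distantly related to the machine's home realm." Separately, the new summary line and the "default to requiring encryption" sentence describe the config flag in terms of encryption while the function is named _authenticate and returns whether tokens were acquired; stating once that the same config setting controls both (as the "Consumers of this function must still be sure to encrypt" sentence implies) would keep callers from reading a True return as meaning the connection is already encrypted.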