Index: /trunk/packages/invirt-base/debian/changelog
===================================================================
--- /trunk/packages/invirt-base/debian/changelog	(revision 2601)
+++ /trunk/packages/invirt-base/debian/changelog	(revision 2602)
@@ -1,2 +1,9 @@
+invirt-base (0.0.27) unstable; urgency=low
+
+  * Move invirt.authz.locker to xvm.authz.locker, in the xvm-authz-locker
+    package.
+
+ -- Evan Broder <broder@mit.edu>  Tue, 15 Dec 2009 19:22:29 -0500
+
 invirt-base (0.0.26) unstable; urgency=low
 
Index: /trunk/packages/invirt-base/debian/control
===================================================================
--- /trunk/packages/invirt-base/debian/control	(revision 2601)
+++ /trunk/packages/invirt-base/debian/control	(revision 2602)
@@ -10,5 +10,5 @@
 Depends: ${python:Depends}, ${misc:Depends},
  python-json (>= 3.4-2), python-yaml (>= 3.05), python-mako (>=
- 0.2.2), remctl-client, invirt-config, python-afs
+ 0.2.2), remctl-client, invirt-config
 Provides: ${python:Provides}
 XB-Python-Version: ${python:Versions}
Index: unk/packages/invirt-base/python/invirt/authz/locker.py
===================================================================
--- /trunk/packages/invirt-base/python/invirt/authz/locker.py	(revision 2601)
+++ 	(revision )
@@ -1,132 +1,0 @@
-import errno
-
-from afs import acl
-from afs import fs
-from afs import pts
-
-from invirt import common
-from invirt.config import structs as config
-from invirt import remctl
-
-
-#
-# expandOwner and expandAdmin form the API that needs to be exported
-# for all authz modules.
-#
-
-
-def expandOwner(name):
-    """Expand an owner to a list of authorized users.
-
-    For the locker authz module, an owner is an Athena locker. Those
-    users who have been given the administrator ('a') bit on the root
-    of a locker are given access to any VM owned by that locker,
-    unless they also have been given a negative administrator bit.
-
-    If a locker doesn't exist, or we can't access the permissions, we
-    assume the ACL is empty.
-    """
-    try:
-        path = _lockerPath(name)
-        cell = fs.whichcell(path)
-        auth = _authenticate(cell)
-        a = acl.ACL.retrieve(path)
-
-        allowed = set()
-        for ent in a.pos:
-            if a.pos[ent] & acl.ADMINISTER:
-                allowed.update(_expandGroup(ent, cell=cell, auth=auth))
-        for ent in a.neg:
-            if a.neg[ent] & acl.ADMINISTER:
-                allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth))
-
-        return allowed
-    except OSError, e:
-        if e.errno in (errno.ENOENT, errno.EACCES):
-            return []
-        else:
-            raise
-
-
-def expandAdmin(name, owner):
-    """Expand an administrator to a list of authorized users.
-
-    Because the interpretation of an administrator might depend on the
-    owner, the owner is passed in as an argument.
-
-    However, in the case of locker-based authentication, the
-    administrator is always interpreted as an AFS entry (either a user
-    or a group) in the home cell (athena.mit.edu for XVM).
-    """
-    cell = config.authz.afs.cells[0].cell
-    auth = _authenticate(cell)
-    return _expandGroup(name, cell=cell, auth=auth)
-
-
-#
-# These are helper functions, and aren't part of the authz API
-#
-
-
-def _authenticate(cell):
-    """Acquire AFS tokens for a cell if encryption is required by config.
-
-    If the Invirt configuration requires connections to this cell to
-    be encrypted, acquires tokens and returns True. Otherwise, returns
-    False. Consumers of this function must still be sure to encrypt
-    their own connections if necessary.
-
-    Cells not listed in the Invirt configuration default to requiring
-    encryption in order to maintain security by default.
-
-    Due to AFS's cross-realm auto-PTS-creation mechanism, using
-    authenticated connections by default should only fail for cells
-    which authenticate directly against the machine's home realm and
-    cells distantly related to the machine's home realm.
-    """
-    for c in config.authz.afs.cells:
-        if c.cell == cell and not c.auth:
-            return False
-
-    remctl.checkKinit()
-    common.captureOutput(['aklog', '-c', cell])
-    return True
-
-
-def _expandGroup(name, cell=None, auth=False):
-    """Expand an AFS group into a list of its members.
-
-    Because groups are not global, but can vary from cell to cell,
-    this function accepts as an optional argument the cell in which
-    this group should be resolved.
-
-    If no cell is specified, it is assumed that the default cell (or
-    ThisCell) should be used.
-
-    If the name is a user, not a group, then a single-element set with
-    the same name is returned.
-
-    As with expandOwner, if a group doesn't exist or if we're unable
-    to retrieve its membership, we assume it's empty.
-    """
-    try:
-        ent = pts.PTS(cell, pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH).\
-            getEntry(name)
-        if ent.id > 0:
-            return set([ent.name])
-        else:
-            return set([x.name for x in ent.members])
-    except OSError, e:
-        if e.errno in (errno.ENOENT, errno.EACCESS):
-            return set()
-        else:
-            raise
-
-
-def _lockerPath(owner):
-    """Given the name of a locker, return a path to that locker.
-
-    This turns out to be pretty simple, thanks to the /mit
-    automounter.
-    """
-    return '/mit/%s' % owner
Index: /trunk/packages/xvm-authz-locker/debian/changelog
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/changelog	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/changelog	(revision 2602)
@@ -0,0 +1,5 @@
+xvm-authz-locker (0.0.1) unstable; urgency=low
+
+  * Initial release.
+
+ -- Evan Broder <broder@mit.edu>  Tue, 15 Dec 2009 19:09:02 -0500
Index: /trunk/packages/xvm-authz-locker/debian/compat
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/compat	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/compat	(revision 2602)
@@ -0,0 +1,1 @@
+4
Index: /trunk/packages/xvm-authz-locker/debian/control
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/control	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/control	(revision 2602)
@@ -0,0 +1,15 @@
+Source: xvm-authz-locker
+Section: base
+Priority: extra
+Maintainer: Invirt project <invirt@mit.edu>
+Build-Depends: cdbs (>= 0.4.23-1.1), debhelper (>= 4.1.0), python-all-dev, python-support, python-setuptools, python-debian, python-apt
+Standards-Version: 3.8.0
+
+Package: xvm-authz-locker
+Architecture: all
+Depends: ${python:Depends}, ${misc:Depends}, invirt-base, python-afs
+Provides: ${python:Provides}, invirt-authz
+XB-Python-Version: ${python:Versions}
+Description: Authorization module for XVM
+ This package contains an authorization module for XVM. It supports
+ the locker authorization scheme.
Index: /trunk/packages/xvm-authz-locker/debian/copyright
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/copyright	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/copyright	(revision 2602)
@@ -0,0 +1,16 @@
+This software was written as part of the Invirt project <invirt@mit.edu>.
+
+Copyright :
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+On Debian systems, the complete text of the GNU General Public License
+can be found in the file /usr/share/common-licenses/GPL.
Index: /trunk/packages/xvm-authz-locker/debian/pycompat
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/pycompat	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/pycompat	(revision 2602)
@@ -0,0 +1,1 @@
+2
Index: /trunk/packages/xvm-authz-locker/debian/pyversions
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/pyversions	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/pyversions	(revision 2602)
@@ -0,0 +1,1 @@
+2.5-
Index: /trunk/packages/xvm-authz-locker/debian/rules
===================================================================
--- /trunk/packages/xvm-authz-locker/debian/rules	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/debian/rules	(revision 2602)
@@ -0,0 +1,9 @@
+#!/usr/bin/make -f
+
+DEB_PYTHON_SYSTEM=pysupport
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/python-distutils.mk
+
+clean::
+	rm -rf python/xvm.authz.locker.egg-info
Index: /trunk/packages/xvm-authz-locker/python/xvm/authz/locker.py
===================================================================
--- /trunk/packages/xvm-authz-locker/python/xvm/authz/locker.py	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/python/xvm/authz/locker.py	(revision 2602)
@@ -0,0 +1,132 @@
+import errno
+
+from afs import acl
+from afs import fs
+from afs import pts
+
+from invirt import common
+from invirt.config import structs as config
+from invirt import remctl
+
+
+#
+# expandOwner and expandAdmin form the API that needs to be exported
+# for all authz modules.
+#
+
+
+def expandOwner(name):
+    """Expand an owner to a list of authorized users.
+
+    For the locker authz module, an owner is an Athena locker. Those
+    users who have been given the administrator ('a') bit on the root
+    of a locker are given access to any VM owned by that locker,
+    unless they also have been given a negative administrator bit.
+
+    If a locker doesn't exist, or we can't access the permissions, we
+    assume the ACL is empty.
+    """
+    try:
+        path = _lockerPath(name)
+        cell = fs.whichcell(path)
+        auth = _authenticate(cell)
+        a = acl.ACL.retrieve(path)
+
+        allowed = set()
+        for ent in a.pos:
+            if a.pos[ent] & acl.ADMINISTER:
+                allowed.update(_expandGroup(ent, cell=cell, auth=auth))
+        for ent in a.neg:
+            if a.neg[ent] & acl.ADMINISTER:
+                allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth))
+
+        return allowed
+    except OSError, e:
+        if e.errno in (errno.ENOENT, errno.EACCES):
+            return []
+        else:
+            raise
+
+
+def expandAdmin(name, owner):
+    """Expand an administrator to a list of authorized users.
+
+    Because the interpretation of an administrator might depend on the
+    owner, the owner is passed in as an argument.
+
+    However, in the case of locker-based authentication, the
+    administrator is always interpreted as an AFS entry (either a user
+    or a group) in the home cell (athena.mit.edu for XVM).
+    """
+    cell = config.authz.afs.cells[0].cell
+    auth = _authenticate(cell)
+    return _expandGroup(name, cell=cell, auth=auth)
+
+
+#
+# These are helper functions, and aren't part of the authz API
+#
+
+
+def _authenticate(cell):
+    """Acquire AFS tokens for a cell if encryption is required by config.
+
+    If the Invirt configuration requires connections to this cell to
+    be encrypted, acquires tokens and returns True. Otherwise, returns
+    False. Consumers of this function must still be sure to encrypt
+    their own connections if necessary.
+
+    Cells not listed in the Invirt configuration default to requiring
+    encryption in order to maintain security by default.
+
+    Due to AFS's cross-realm auto-PTS-creation mechanism, using
+    authenticated connections by default should only fail for cells
+    which authenticate directly against the machine's home realm and
+    cells distantly related to the machine's home realm.
+    """
+    for c in config.authz.afs.cells:
+        if c.cell == cell and not c.auth:
+            return False
+
+    remctl.checkKinit()
+    common.captureOutput(['aklog', '-c', cell])
+    return True
+
+
+def _expandGroup(name, cell=None, auth=False):
+    """Expand an AFS group into a list of its members.
+
+    Because groups are not global, but can vary from cell to cell,
+    this function accepts as an optional argument the cell in which
+    this group should be resolved.
+
+    If no cell is specified, it is assumed that the default cell (or
+    ThisCell) should be used.
+
+    If the name is a user, not a group, then a single-element set with
+    the same name is returned.
+
+    As with expandOwner, if a group doesn't exist or if we're unable
+    to retrieve its membership, we assume it's empty.
+    """
+    try:
+        ent = pts.PTS(cell, pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH).\
+            getEntry(name)
+        if ent.id > 0:
+            return set([ent.name])
+        else:
+            return set([x.name for x in ent.members])
+    except OSError, e:
+        if e.errno in (errno.ENOENT, errno.EACCESS):
+            return set()
+        else:
+            raise
+
+
+def _lockerPath(owner):
+    """Given the name of a locker, return a path to that locker.
+
+    This turns out to be pretty simple, thanks to the /mit
+    automounter.
+    """
+    return '/mit/%s' % owner
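Review bot: `errno.EACCESS` in the except branch of `_expandGroup` is not an attribute of the errno module (the constant is `EACCES`, as the same check in `expandOwner` spells it), so any OSError that reaches this handler is turned into an AttributeError instead of the documented empty set; the line should read `if e.errno in (errno.ENOENT, errno.EACCES):`. That same handler is also what lets a negative ACL entry be silently dropped when its group cannot be resolved: `expandOwner` subtracts an empty set and the negative administrator bit has no effect, which is the fail-open direction for an authorization check and deserves at least a comment there, e.g. `# NOTE: an unresolvable negative entry removes nobody (fail-open for the neg ACL)`. Separately, `expandOwner` returns a list (`[]`) on ENOENT/EACCES but a set otherwise; `return set()` keeps the return type consistent with `_expandGroup`. The module is moved verbatim from invirt.authz.locker, so these issues predate the commit.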
Index: /trunk/packages/xvm-authz-locker/setup.py
===================================================================
--- /trunk/packages/xvm-authz-locker/setup.py	(revision 2602)
+++ /trunk/packages/xvm-authz-locker/setup.py	(revision 2602)
@@ -0,0 +1,28 @@
+#!/usr/bin/python
+
+from os import path
+from email.utils import parseaddr
+from glob import glob
+from setuptools import setup, find_packages
+
+try:
+    from debian_bundle.changelog import Changelog
+    from debian_bundle.deb822 import Deb822
+    version = Changelog(open(path.join(path.dirname(__file__), 'debian/changelog')).read()).\
+        get_version().full_version
+
+    maintainer_full = Deb822(open(path.join(path.dirname(__file__), 'debian/control')))['Maintainer']
+    maintainer, maintainer_email = parseaddr(maintainer_full)
+except:
+    version = '0.0.0'
+    maintainer, maintainer_email = parseaddr('Invirt project <invirt@mit.edu>')
+
+setup(
+    name='xvm.authz.locker',
+    version=version,
+    maintainer=maintainer,
+    maintainer_email=maintainer_email,
+    
+    packages=find_packages('python'),
+    package_dir = {'': 'python'},
+)
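Review bot: The bare `except:` around the changelog/control parsing swallows every exception, including KeyboardInterrupt and any genuine bug in that path, and silently falls back to version `0.0.0`, so a broken debian/changelog would presumably build a mis-versioned package with no signal; narrowing it to `except (ImportError, IOError, KeyError):` keeps the intended fallback for a missing python-debian or missing files while letting anything else surface. The two `open()` calls also never close their file handles; a `with` block around each read would tidy that up.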
Index: /trunk/packages/xvm-devconfig/debian/changelog
===================================================================
--- /trunk/packages/xvm-devconfig/debian/changelog	(revision 2601)
+++ /trunk/packages/xvm-devconfig/debian/changelog	(revision 2602)
@@ -1,2 +1,8 @@
+xvm-devconfig (0.43) unstable; urgency=low
+
+  * Update authz config for {invirt => xvm}.authz.locker move.
+
+ -- Evan Broder <broder@mit.edu>  Tue, 15 Dec 2009 19:24:15 -0500
+
 xvm-devconfig (0.42) unstable; urgency=low
 
Index: /trunk/packages/xvm-devconfig/master.yaml
===================================================================
--- /trunk/packages/xvm-devconfig/master.yaml	(revision 2601)
+++ /trunk/packages/xvm-devconfig/master.yaml	(revision 2602)
@@ -6,5 +6,5 @@
 
 authz:
- mech: invirt.authz.locker
+ mech: xvm.authz.locker
  afs:
   cells:
Index: /trunk/packages/xvm-prodconfig/debian/changelog
===================================================================
--- /trunk/packages/xvm-prodconfig/debian/changelog	(revision 2601)
+++ /trunk/packages/xvm-prodconfig/debian/changelog	(revision 2602)
@@ -1,2 +1,8 @@
+xvm-prodconfig (1.1.16) unstable; urgency=low
+
+  * Update authz config for {invirt => xvm}.authz.locker move.
+
+ -- Evan Broder <broder@mit.edu>  Tue, 15 Dec 2009 19:24:27 -0500
+
 xvm-prodconfig (1.1.15) unstable; urgency=low
 
Index: /trunk/packages/xvm-prodconfig/master.yaml
===================================================================
--- /trunk/packages/xvm-prodconfig/master.yaml	(revision 2601)
+++ /trunk/packages/xvm-prodconfig/master.yaml	(revision 2602)
@@ -7,5 +7,5 @@
 
 authz:
- mech: invirt.authz.locker
+ mech: xvm.authz.locker
  afs:
   cells:
