Changeset 2562
- Timestamp:
- Nov 23, 2009, 1:37:40 AM (15 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/packages/invirt-base/python/invirt/authz/locker.py
r2559 r2562 5 5 from afs import pts 6 6 7 from invirt import common 7 8 from invirt.config import structs as config 9 from invirt import remctl 10 8 11 9 12 # … … 12 15 # 13 16 14 # TODO: Make expandOwner and expandAdmin deal with acquiring tokens 15 # and encrypting the connection to the prdb as necessary/requested by 16 # the configuration. 17 17 18 def expandOwner(name): 18 19 """Expand an owner to a list of authorized users. … … 29 30 path = _lockerPath(name) 30 31 cell = fs.whichcell(path) 32 auth = _authenticate(cell) 31 33 a = acl.ACL.retrieve(path) 32 34 … … 34 36 for ent in a.pos: 35 37 if a.pos[ent] & acl.ADMINISTER: 36 allowed.update(_expandGroup(ent, cell ))38 allowed.update(_expandGroup(ent, cell=cell, auth=auth)) 37 39 for ent in a.neg: 38 40 if a.neg[ent] & acl.ADMINISTER: 39 allowed.difference_update(_expandGroup(ent, cell ))41 allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth)) 40 42 41 43 return allowed … … 57 59 or a group) in the home cell (athena.mit.edu for XVM). 58 60 """ 59 return _expandGroup(name) 61 cell = config.authz.cells[0].cell 62 auth = _authenticate(cell) 63 return _expandGroup(name, cell=cell, auth=auth) 60 64 61 65 … … 64 68 # 65 69 66 def _expandGroup(name, cell=None): 70 71 def _authenticate(cell): 72 """Acquire credentials if possible for a particular cell. 73 74 This function returns True if an authenticated connection to the 75 cell should be established; False otherwise. 76 77 If a cell isn't explicitly listed in the configuration file, 78 _authenticate will assume that it /should/ authenticate to the 79 cell. 80 81 The assumption is that choosing to authenticate to a cell will 82 fail in two cases: (a) the cell authenticates against the 83 machine's home realm and there is no PTS ID in the cell, or (b) 84 the cell doesn't authenticate against the machine's home realm and 85 doesn't have cross-realm authentication setup. 86 87 In the former case, it should be possible for the sysadmins to 88 list all cells that authenticate against the home realm (including 89 those where attempting authentication would be problematic). In 90 the latter case, such a cell would be at best distantly connected 91 to the home cell, and we probably don't want to give it quota 92 anyway. 93 """ 94 for c in config.authz.cells: 95 if c.cell == cell and not c.auth: 96 return False 97 98 remctl.checkKinit() 99 common.captureOutput(['aklog', '-c', cell]) 100 return True 101 102 103 def _expandGroup(name, cell=None, auth=False): 67 104 """Expand an AFS group into a list of its members. 68 105 … … 81 118 """ 82 119 try: 83 ent = pts.PTS(cell ).getEntry(name)120 ent = pts.PTS(cell, 3 if auth else 0).getEntry(name) 84 121 if ent.id > 0: 85 122 return set([ent.name])
Note: See TracChangeset
for help on using the changeset viewer.