Changeset 2562 for trunk


Timestamp:
Nov 23, 2009, 1:37:40 AM (15 years ago)
Author:
broder
Message:

In invirt.authz.locker, deal with getting tokens and
authenticating/encrypting connections when necessary.

File:
1 edited

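--- a/trunk/packages/invirt-base/python/invirt/authz/locker.py
+++ b/trunk/packages/invirt-base/python/invirt/authz/locker.py
@@ -5,5 +5,8 @@
 from afs import pts
 
+from invirt import common
 from invirt.config import structs as config
+from invirt import remctl
+
 
 #
@@ -12,7 +15,5 @@
 #
 
-# TODO: Make expandOwner and expandAdmin deal with acquiring tokens
-# and encrypting the connection to the prdb as necessary/requested by
-# the configuration.
+
 def expandOwner(name):
     """Expand an owner to a list of authorized users.
@@ -29,4 +30,5 @@
         path = _lockerPath(name)
         cell = fs.whichcell(path)
+        auth = _authenticate(cell)
         a = acl.ACL.retrieve(path)
 
@@ -34,8 +36,8 @@
         for ent in a.pos:
             if a.pos[ent] & acl.ADMINISTER:
-                allowed.update(_expandGroup(ent, cell))
+                allowed.update(_expandGroup(ent, cell=cell, auth=auth))
         for ent in a.neg:
             if a.neg[ent] & acl.ADMINISTER:
-                allowed.difference_update(_expandGroup(ent, cell))
+                allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth))
 
         return allowed
@@ -57,5 +59,7 @@
     or a group) in the home cell (athena.mit.edu for XVM).
     """
-    return _expandGroup(name)
+    cell = config.authz.cells[0].cell
+    auth = _authenticate(cell)
+    return _expandGroup(name, cell=cell, auth=auth)
 
 
@@ -64,5 +68,38 @@
 #
 
-def _expandGroup(name, cell=None):
+
+def _authenticate(cell):
+    """Acquire credentials if possible for a particular cell.
+
+    This function returns True if an authenticated connection to the
+    cell should be established; False otherwise.
+
+    If a cell isn't explicitly listed in the configuration file,
+    _authenticate will assume that it /should/ authenticate to the
+    cell.
+
+    The assumption is that choosing to authenticate to a cell will
+    fail in two cases: (a) the cell authenticates against the
+    machine's home realm and there is no PTS ID in the cell, or (b)
+    the cell doesn't authenticate against the machine's home realm and
+    doesn't have cross-realm authentication setup.
+
+    In the former case, it should be possible for the sysadmins to
+    list all cells that authenticate against the home realm (including
+    those where attempting authentication would be problematic). In
+    the latter case, such a cell would be at best distantly connected
+    to the home cell, and we probably don't want to give it quota
+    anyway.
+    """
+    for c in config.authz.cells:
+        if c.cell == cell and not c.auth:
+            return False
+
+    remctl.checkKinit()
+    common.captureOutput(['aklog', '-c', cell])
+    return True
+
+
+def _expandGroup(name, cell=None, auth=False):
     """Expand an AFS group into a list of its members.
 
@@ -81,5 +118,5 @@
     """
     try:
-        ent = pts.PTS(cell).getEntry(name)
+        ent = pts.PTS(cell, 3 if auth else 0).getEntry(name)
         if ent.id > 0:
             return set([ent.name])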
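Review bot: `_authenticate` returns True after `common.captureOutput(['aklog', '-c', cell])` without looking at whether aklog actually obtained a token, so unless captureOutput raises on a non-zero exit (its contract is not visible here) the cross-realm failure the docstring itself anticipates still sends `_expandGroup` into `pts.PTS(cell, 3)` with no credentials; either check captureOutput's result before `return True`, or document at the `return True` line that a failed aklog is expected to surface as a PTS error in the caller. Whether that PTS error is caught cannot be seen either, because `_expandGroup`'s `try:` body continues past the end of the last hunk. The security-level literals in `pts.PTS(cell, 3 if auth else 0)` deserve a comment; the commit message says they select an authenticated/encrypted versus plain connection, so something like `# 3 = authenticated+encrypted prdb connection, 0 = unauthenticated; see afs.pts.PTS` next to that line would save the next reader a lookup. Separately, `config.authz.cells[0].cell` in expandAdmin raises IndexError rather than a meaningful error when no cells are configured.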