Changeset 2571
- Timestamp:
- Nov 29, 2009, 8:48:43 AM (15 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/packages/invirt-base/python/invirt/authz/locker.py
r2562 r2571 70 70 71 71 def _authenticate(cell): 72 """Acquire credentials if possible for a particular cell.72 """Acquire AFS tokens for a cell if encryption is required by config. 73 73 74 This function returns True if an authenticated connection to the 75 cell should be established; False otherwise. 74 If the Invirt configuration requires connections to this cell to 75 be encrypted, acquires tokens and returns True. Otherwise, returns 76 False. Consumers of this function must still be sure to encrypt 77 their own connections if necessary. 76 78 77 If a cell isn't explicitly listed in the configuration file, 78 _authenticate will assume that it /should/ authenticate to the 79 cell. 79 Cells not listed in the Invirt configuration default to requiring 80 encryption in order to maintain security by default. 80 81 81 The assumption is that choosing to authenticate to a cell will 82 fail in two cases: (a) the cell authenticates against the 83 machine's home realm and there is no PTS ID in the cell, or (b) 84 the cell doesn't authenticate against the machine's home realm and 85 doesn't have cross-realm authentication setup. 86 87 In the former case, it should be possible for the sysadmins to 88 list all cells that authenticate against the home realm (including 89 those where attempting authentication would be problematic). In 90 the latter case, such a cell would be at best distantly connected 91 to the home cell, and we probably don't want to give it quota 92 anyway. 82 Due to AFS's cross-realm auto-PTS-creation mechanism, using 83 authenticated connections by default should only fail for cells 84 which authenticate directly against the machine's home realm and 85 cells distantly related to the machine's home realm. 93 86 """ 94 87 for c in config.authz.cells:
Note: See TracChangeset
for help on using the changeset viewer.
