administrator is always interpreted as an AFS entry (either a user
or a group) in the home cell (athena.mit.edu for XVM).
"""
- cell = config.authz.cells[0].cell
+ cell = config.authz.afs.cells[0].cell
auth = _authenticate(cell)
return _expandGroup(name, cell=cell, auth=auth)
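Review bot: `config.authz.afs.cells[0].cell` turns the order of the `cells` list into an undocumented requirement: the docstring above says the administrator is resolved in the home cell (athena.mit.edu for XVM), but nothing here checks that the first configured entry is that cell, so a reordered config silently changes which cell administrators are looked up in. Either document next to the `authz.afs.cells` key that the first entry must be the home cell, or select the home cell explicitly (for example by a dedicated config key or a flag on the entry) rather than by position.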
def _authenticate(cell):
- """Acquire credentials if possible for a particular cell.
-
- This function returns True if an authenticated connection to the
- cell should be established; False otherwise.
-
- If a cell isn't explicitly listed in the configuration file,
- _authenticate will assume that it /should/ authenticate to the
- cell.
-
- The assumption is that choosing to authenticate to a cell will
- fail in two cases: (a) the cell authenticates against the
- machine's home realm and there is no PTS ID in the cell, or (b)
- the cell doesn't authenticate against the machine's home realm and
- doesn't have cross-realm authentication setup.
-
- In the former case, it should be possible for the sysadmins to
- list all cells that authenticate against the home realm (including
- those where attempting authentication would be problematic). In
- the latter case, such a cell would be at best distantly connected
- to the home cell, and we probably don't want to give it quota
- anyway.
+ """Acquire AFS tokens for a cell if encryption is required by config.
+
+ If the Invirt configuration requires connections to this cell to
+ be encrypted, acquires tokens and returns True. Otherwise, returns
+ False. Consumers of this function must still be sure to encrypt
+ their own connections if necessary.
+
+ Cells not listed in the Invirt configuration default to requiring
+ encryption in order to maintain security by default.
+
+ Due to AFS's cross-realm auto-PTS-creation mechanism, using
+ authenticated connections by default should only fail for cells
+ which authenticate directly against the machine's home realm and
+ cells distantly related to the machine's home realm.
"""
- for c in config.authz.cells:
+ for c in config.authz.afs.cells:
if c.cell == cell and not c.auth:
return False
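Review bot: the new docstring describes the config flag in terms of encryption ("connections to this cell to be encrypted", "default to requiring encryption"), but the flag the loop tests is still named `c.auth`, and the caller in `_expandGroup` stores the result as `auth`; a reader of the config file sees `auth: false` and has no hint it now means "unencrypted, unauthenticated". Add a line to the docstring stating that `auth` on a cell entry is the flag being consulted and what `false` means, or rename the key alongside this change. Also, within this hunk the only behaviour shown is the config lookup returning False; the claim "acquires tokens and returns True" presumably refers to code after the loop, so make sure that path (the default-True branch for unlisted cells) is exercised by a test, since the "secure by default" guarantee in the docstring rests on it.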
to retrieve its membership, we assume it's empty.
"""
try:
- ent = pts.PTS(cell, 3 if auth else 0).getEntry(name)
+ ent = pts.PTS(cell, pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH).\
+ getEntry(name)
if ent.id > 0:
return set([ent.name])
else:
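Review bot: replacing the magic numbers `3` and `0` with `pts.PTS_ENCRYPT` and `pts.PTS_UNAUTH` is the right change, but the backslash continuation splitting `pts.PTS(...).\` from `getEntry(name)` inside the `try` hurts readability; compute the flag before the `try` and keep the call on one line, e.g.
`flags = pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH`
`ent = pts.PTS(cell, flags).getEntry(name)`
which also narrows the `try` to the PTS call that can actually fail. Note too that, per the docstring, any failure here is treated as an empty group; with `auth` False the lookup is unauthenticated, so for the `cells[0]` home-cell administrator check above a failed or unauthenticated lookup yields an empty administrator set rather than an error, which is worth a comment at the `except` so it is not mistaken for a bug.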