X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-base.git/blobdiff_plain/b31ba02d01b54a230ccb879e16b0d6145d9ff027..67373557bab0e5d5eab33abd422915e1a2ebe648:/python/invirt/authz/locker.py
diff --git a/python/invirt/authz/locker.py b/python/invirt/authz/locker.py
index a564e10..cbfc28a 100644
--- a/python/invirt/authz/locker.py
+++ b/python/invirt/authz/locker.py
@@ -58,7 +58,7 @@ def expandAdmin(name, owner):
 administrator is always interpreted as an AFS entry (either a user or a group) in the home cell (athena.mit.edu for XVM).
 """
- cell = config.authz.cells[0].cell
+ cell = config.authz.afs.cells[0].cell
 auth = _authenticate(cell)
 return _expandGroup(name, cell=cell, auth=auth)
@@ -69,29 +69,22 @@ def expandAdmin(name, owner):
 def _authenticate(cell):
- """Acquire credentials if possible for a particular cell.
-
- This function returns True if an authenticated connection to the
- cell should be established; False otherwise.
-
- If a cell isn't explicitly listed in the configuration file,
- _authenticate will assume that it /should/ authenticate to the
- cell.
-
- The assumption is that choosing to authenticate to a cell will
- fail in two cases: (a) the cell authenticates against the
- machine's home realm and there is no PTS ID in the cell, or (b)
- the cell doesn't authenticate against the machine's home realm and
- doesn't have cross-realm authentication setup.
-
- In the former case, it should be possible for the sysadmins to
- list all cells that authenticate against the home realm (including
- those where attempting authentication would be problematic). In
- the latter case, such a cell would be at best distantly connected
- to the home cell, and we probably don't want to give it quota
- anyway.
+ """Acquire AFS tokens for a cell if encryption is required by config.
+
+ If the Invirt configuration requires connections to this cell to
+ be encrypted, acquires tokens and returns True. Otherwise, returns
+ False. Consumers of this function must still be sure to encrypt
+ their own connections if necessary.
+
+ Cells not listed in the Invirt configuration default to requiring
+ encryption in order to maintain security by default.
+
+ Due to AFS's cross-realm auto-PTS-creation mechanism, using
+ authenticated connections by default should only fail for cells
+ which authenticate directly against the machine's home realm and
+ cells distantly related to the machine's home realm.
 """
- for c in config.authz.cells:
+ for c in config.authz.afs.cells:
 if c.cell == cell and not c.auth:
 return False
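Review bot: The opt-out test `if c.cell == cell and not c.auth:` treats any falsy `auth` value as a request for an unauthenticated connection, so if the config wrapper yields None for a listed cell that merely omits `auth`, that cell silently takes the unauthenticated path — the opposite of the secure default the new docstring promises for unlisted cells. If the wrapper does behave that way, compare against an explicit opt-out, e.g. `if c.cell == cell and c.auth is False:`, or state in the docstring that every listed cell must set `auth` explicitly. The docstring also says the function "acquires tokens", but the lines in this hunk only decide whether to; `_authenticate` continues past the end of the hunk, so that part could not be checked here.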
@@ -117,7 +110,8 @@ def _expandGroup(name, cell=None, auth=False):
 to retrieve its membership, we assume it's empty.
 """
 try:
- ent = pts.PTS(cell, 3 if auth else 0).getEntry(name)
+ ent = pts.PTS(cell, pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH).\
+ getEntry(name)
 if ent.id > 0:
 return set([ent.name])
 else:
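Review bot: The new `pts.PTS(...)` call is split with a backslash continuation before `.getEntry(name)`, which PEP 8 discourages and which silently breaks if whitespace ever follows the `\`. Binding the security level to a local first keeps the call on one line and names the choice: `level = pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH` followed by `ent = pts.PTS(cell, level).getEntry(name)`. Replacing the magic `3`/`0` with the named constants is a clear improvement; the `except` that pairs with this `try` lies outside the hunk, so what happens when an encrypted connection cannot be established could not be checked here.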