From 2e6e77eb44d75a8f67e92b66eee336507dffffe6 Mon Sep 17 00:00:00 2001 From: Evan Broder Date: Tue, 15 Dec 2009 22:10:20 -0500 Subject: [PATCH] Move XVM's locker authorization code into a separate xvm-authz-locker package (and corresponding xvm.authz.locker Python package). This makes it possible to install invirt-base without needing the authz code installed as well, and also separates some very XVM-specific logic from the Invirt packages. svn path=/trunk/packages/invirt-base/; revision=2602 --- debian/changelog | 7 +++ debian/control | 2 +- python/invirt/authz/locker.py | 132 ----------------------------------------- 3 files changed, 8 insertions(+), 133 deletions(-) delete mode 100644 python/invirt/authz/locker.py diff --git a/debian/changelog b/debian/changelog index 875f2fb..191c4e4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +invirt-base (0.0.27) unstable; urgency=low + + * Move invirt.authz.locker to xvm.authz.locker, in the xvm-authz-locker + package. + + -- Evan Broder Tue, 15 Dec 2009 19:22:29 -0500 + invirt-base (0.0.26) unstable; urgency=low * Add a captureOutput function to invirt.common as a convenient wrapper diff --git a/debian/control b/debian/control index f300956..bab7571 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Package: invirt-base Architecture: all Depends: ${python:Depends}, ${misc:Depends}, python-json (>= 3.4-2), python-yaml (>= 3.05), python-mako (>= - 0.2.2), remctl-client, invirt-config, python-afs + 0.2.2), remctl-client, invirt-config Provides: ${python:Provides} XB-Python-Version: ${python:Versions} Description: Base configuration required for all Invirt servers diff --git a/python/invirt/authz/locker.py b/python/invirt/authz/locker.py deleted file mode 100644 index cbfc28a..0000000 --- a/python/invirt/authz/locker.py +++ /dev/null 
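Review bot: The Depends line in debian/control drops python-afs but records no relationship to xvm-authz-locker, so after this upgrade any installed code that still does `from invirt.authz import locker` fails with an ImportError and apt gives no hint why. Whether such consumers exist is not visible in this patch (the code that selects an authz module is not touched here); if they do, a `Suggests: xvm-authz-locker` on invirt-base, or a Depends on the new package in the consuming package, would make the split explicit. Since the module is being moved rather than retired, it is also worth confirming that the destination copy does not carry over the typo in the removed `_expandGroup`: its except clause tests `errno.EACCESS`, which the errno module does not define, whereas `expandOwner` correctly uses `errno.EACCES`. As written, any OSError from the PTS lookup turns into an AttributeError instead of the documented "treat the group as empty" result.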
@@ -1,132 +0,0 @@
-import errno
-
-from afs import acl
-from afs import fs
-from afs import pts
-
-from invirt import common
-from invirt.config import structs as config
-from invirt import remctl
-
-
-#
-# expandOwner and expandAdmin form the API that needs to be exported
-# for all authz modules.
-#
-
-
-def expandOwner(name):
- """Expand an owner to a list of authorized users.
-
- For the locker authz module, an owner is an Athena locker. Those
- users who have been given the administrator ('a') bit on the root
- of a locker are given access to any VM owned by that locker,
- unless they also have been given a negative administrator bit.
-
- If a locker doesn't exist, or we can't access the permissions, we
- assume the ACL is empty.
- """
- try:
- path = _lockerPath(name)
- cell = fs.whichcell(path)
- auth = _authenticate(cell)
- a = acl.ACL.retrieve(path)
-
- allowed = set()
- for ent in a.pos:
- if a.pos[ent] & acl.ADMINISTER:
- allowed.update(_expandGroup(ent, cell=cell, auth=auth))
- for ent in a.neg:
- if a.neg[ent] & acl.ADMINISTER:
- allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth))
-
- return allowed
- except OSError, e:
- if e.errno in (errno.ENOENT, errno.EACCES):
- return []
- else:
- raise
-
-
-def expandAdmin(name, owner):
- """Expand an administrator to a list of authorized users.
-
- Because the interpretation of an administrator might depend on the
- owner, the owner is passed in as an argument.
-
- However, in the case of locker-based authentication, the
- administrator is always interpreted as an AFS entry (either a user
- or a group) in the home cell (athena.mit.edu for XVM).
- """
- cell = config.authz.afs.cells[0].cell
- auth = _authenticate(cell)
- return _expandGroup(name, cell=cell, auth=auth)
-
-
-#
-# These are helper functions, and aren't part of the authz API
-#
-
-
-def _authenticate(cell):
- """Acquire AFS tokens for a cell if encryption is required by config.
-
- If the Invirt configuration requires connections to this cell to
- be encrypted, acquires tokens and returns True. Otherwise, returns
- False. Consumers of this function must still be sure to encrypt
- their own connections if necessary.
-
- Cells not listed in the Invirt configuration default to requiring
- encryption in order to maintain security by default.
-
- Due to AFS's cross-realm auto-PTS-creation mechanism, using
- authenticated connections by default should only fail for cells
- which authenticate directly against the machine's home realm and
- cells distantly related to the machine's home realm.
- """
- for c in config.authz.afs.cells:
- if c.cell == cell and not c.auth:
- return False
-
- remctl.checkKinit()
- common.captureOutput(['aklog', '-c', cell])
- return True
-
-
-def _expandGroup(name, cell=None, auth=False):
- """Expand an AFS group into a list of its members.
-
- Because groups are not global, but can vary from cell to cell,
- this function accepts as an optional argument the cell in which
- this group should be resolved.
-
- If no cell is specified, it is assumed that the default cell (or
- ThisCell) should be used.
-
- If the name is a user, not a group, then a single-element set with
- the same name is returned.
-
- As with expandOwner, if a group doesn't exist or if we're unable
- to retrieve its membership, we assume it's empty.
- """
- try:
- ent = pts.PTS(cell, pts.PTS_ENCRYPT if auth else pts.PTS_UNAUTH).\
- getEntry(name)
- if ent.id > 0:
- return set([ent.name])
- else:
- return set([x.name for x in ent.members])
- except OSError, e:
- if e.errno in (errno.ENOENT, errno.EACCESS):
- return set()
- else:
- raise
-
-
-def _lockerPath(owner):
- """Given the name of a locker, return a path to that locker.
-
- This turns out to be pretty simple, thanks to the /mit
- automounter.
- """
- return '/mit/%s' % owner
--
1.7.9.5