<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<meta http-equiv='Content-Type' content='text/html; charset=us-ascii' />
<title>The credential Module</title>
<h1>The credential Module</h1>
<p>Implements Geni Credentials.
Credentials are layered on top of certificates, and are essentially a
certificate that stores a tuple of parameters.</p>
<dt><b>Credential(create=False, subject=None, string=None, filename=None)</b> (class) [<a href='#credential.Credential-class'>#</a>]</dt>
<p>Credential is a tuple:
(GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
These fields are encoded using xmlrpc into the subjectAltName field of the
<p>For more information about this class, see <a href='#credential.Credential-class'><i>The Credential Class</i></a>.</p>
<h2><a id='credential.Credential-class' name='credential.Credential-class'>The Credential Class</a></h2>
<dt><b>Credential(create=False, subject=None, string=None, filename=None)</b> (class) [<a href='#credential.Credential-class'>#</a>]</dt>
<p>Credential is a tuple:
(GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
These fields are encoded using xmlrpc into the subjectAltName field of the
x509 certificate. Note: Call encode() once the fields have been filled in
to perform this encoding.</p>
<dt><a id='credential.Credential.__init__-method' name='credential.Credential.__init__-method'><b>__init__(create=False, subject=None, string=None, filename=None)</b></a> [<a href='#credential.Credential.__init__-method'>#</a>]</dt>
<p>Create a Credential object</p>
<dt><i>create</i></dt>
<dd>If true, create a blank x509 certificate</dd>
<dt><i>subject</i></dt>
<dd>If subject!=None, create an x509 cert with the subject name</dd>
<dt><i>string</i></dt>
<dd>If string!=None, load the credential from the string</dd>
<dt><i>filename</i></dt>
<dd>If filename!=None, load the credential from the file</dd>
<dt><a id='credential.Credential.can_perform-method' name='credential.Credential.can_perform-method'><b>can_perform(op_name)</b></a> [<a href='#credential.Credential.can_perform-method'>#</a>]</dt>
<p>determine whether the credential allows a particular operation to be
<dt><i>op_name</i></dt>
<dd>string specifying name of operation ("lookup", "update", etc)</dd>
<dt><a id='credential.Credential.decode-method' name='credential.Credential.decode-method'><b>decode()</b></a> [<a href='#credential.Credential.decode-method'>#</a>]</dt>
<p>Retrieve the attributes of the credential from the alt-subject-name field
of the X509 certificate. This is automatically done by the various
get_* methods of this class and should not need to be called explicitly.</p>
<dt><a id='credential.Credential.dump-method' name='credential.Credential.dump-method'><b>dump(dump_parents=False)</b></a> [<a href='#credential.Credential.dump-method'>#</a>]</dt>
<p>Dump the contents of a credential to stdout in human-readable format</p>
<dt><i>dump_parents</i></dt>
<dd>If true, also dump the parent certificates</dd>
<dt><a id='credential.Credential.encode-method' name='credential.Credential.encode-method'><b>encode()</b></a> [<a href='#credential.Credential.encode-method'>#</a>]</dt>
<p>Encode the attributes of the credential into a string and store that
string in the alt-subject-name field of the X509 object. This should be
done immediately before signing the credential.</p>
<dt><a id='credential.Credential.get_delegate-method' name='credential.Credential.get_delegate-method'><b>get_delegate()</b></a> [<a href='#credential.Credential.get_delegate-method'>#</a>]</dt>
<p>get the delegate bit</p>
<dt><a id='credential.Credential.get_gid_caller-method' name='credential.Credential.get_gid_caller-method'><b>get_gid_caller()</b></a> [<a href='#credential.Credential.get_gid_caller-method'>#</a>]</dt>
<p>get the GID of the caller</p>
<dt><a id='credential.Credential.get_gid_object-method' name='credential.Credential.get_gid_object-method'><b>get_gid_object()</b></a> [<a href='#credential.Credential.get_gid_object-method'>#</a>]</dt>
<p>get the GID of the object</p>
<dt><a id='credential.Credential.get_lifetime-method' name='credential.Credential.get_lifetime-method'><b>get_lifetime()</b></a> [<a href='#credential.Credential.get_lifetime-method'>#</a>]</dt>
<p>get the lifetime of the credential</p>
<dt><a id='credential.Credential.get_privileges-method' name='credential.Credential.get_privileges-method'><b>get_privileges()</b></a> [<a href='#credential.Credential.get_privileges-method'>#</a>]</dt>
<p>return the privileges as a RightList object</p>
<dt><a id='credential.Credential.set_delegate-method' name='credential.Credential.set_delegate-method'><b>set_delegate(delegate)</b></a> [<a href='#credential.Credential.set_delegate-method'>#</a>]</dt>
<p>set the delegate bit</p>
<dt><i>delegate</i></dt>
<dd>boolean (True or False)</dd>
<dt><a id='credential.Credential.set_gid_caller-method' name='credential.Credential.set_gid_caller-method'><b>set_gid_caller(gid)</b></a> [<a href='#credential.Credential.set_gid_caller-method'>#</a>]</dt>
<p>set the GID of the caller</p>
<dd>GID object of the caller</dd>
<dt><a id='credential.Credential.set_gid_object-method' name='credential.Credential.set_gid_object-method'><b>set_gid_object(gid)</b></a> [<a href='#credential.Credential.set_gid_object-method'>#</a>]</dt>
<p>set the GID of the object</p>
<dd>GID object of the object</dd>
<dt><a id='credential.Credential.set_lifetime-method' name='credential.Credential.set_lifetime-method'><b>set_lifetime(lifeTime)</b></a> [<a href='#credential.Credential.set_lifetime-method'>#</a>]</dt>
<p>set the lifetime of this credential</p>
<dt><i>lifetime</i></dt>
<dd>lifetime of credential</dd>
<dt><a id='credential.Credential.set_privileges-method' name='credential.Credential.set_privileges-method'><b>set_privileges(privs)</b></a> [<a href='#credential.Credential.set_privileges-method'>#</a>]</dt>
<p>set the privileges</p>
<dt><i>privs</i></dt>
<dd>either a comma-separated list of privileges or a RightList object</dd>
<dt><a id='credential.Credential.verify_chain-method' name='credential.Credential.verify_chain-method'><b>verify_chain(trusted_certs=None)</b></a> [<a href='#credential.Credential.verify_chain-method'>#</a>]</dt>
<p>Verify that a chain of credentials is valid (see cert.py:verify). In
addition to the checks for ordinary certificates, verification also
ensures that the delegate bit was set by each parent in the chain. If
a delegate bit was not set, then an exception is thrown.

The rights of each credential must be a subset of the rights of its parent.</p>
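<p>The two credential-specific rules checked by verify_chain (delegate bit set by every parent, rights never wider than the parent's), as an added example that is not the module's own code. ModelCredential, verify_delegation, check and the sample chains are hypothetical names; the certificate checks done by cert.py:verify and the LifeTime field are left out of this model.</p>

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


class ChainError(Exception):
    """A credential in the chain violates a delegation rule."""


@dataclass(frozen=True)
class ModelCredential:
    """Hypothetical stand-in for the documented tuple, not the module's class."""
    gid_caller: str
    gid_object: str
    privileges: FrozenSet[str]
    delegate: bool
    parent: Optional["ModelCredential"] = None


def verify_delegation(cred: ModelCredential) -> int:
    """Walk from the leaf to the root; return the chain length or raise."""
    depth = 0
    while cred.parent is not None:
        parent = cred.parent
        # Rule 1: a parent must have set the delegate bit to have children.
        if not parent.delegate:
            raise ChainError(f"parent of depth-{depth} credential did not set the delegate bit")
        # Rule 2: a child may only narrow the parent's rights, never widen them.
        extra = cred.privileges - parent.privileges
        if extra:
            raise ChainError(f"depth-{depth} credential adds rights its parent lacks: {sorted(extra)}")
        cred, depth = parent, depth + 1
    return depth + 1


# Constructed sample chains (names and rights are illustrative only).
ROOT = ModelCredential("authority", "slice1", frozenset({"lookup", "update"}), True)
MID = ModelCredential("alice", "slice1", frozenset({"lookup", "update"}), False, ROOT)
GOOD_LEAF = ModelCredential("alice", "slice1", frozenset({"lookup"}), False, ROOT)
NO_DELEGATE = ModelCredential("bob", "slice1", frozenset({"lookup"}), False, MID)
ESCALATED = ModelCredential("bob", "slice1", frozenset({"lookup", "delete"}), False, ROOT)


def check(cred: ModelCredential) -> str:
    """Return 'ok' or the reason the chain is rejected."""
    try:
        verify_delegation(cred)
        return "ok"
    except ChainError as exc:
        return str(exc)
```

<p>A credential that fails either rule is rejected as a whole; the model raises on the first violation it meets while walking towards the root.</p>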