git://git.onelab.eu
/
sfa.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
verbose in case if the trusted_roots directory is missing
[sfa.git]
/
sfa
/
trust
/
auth.py
diff --git
a/sfa/trust/auth.py
b/sfa/trust/auth.py
index
c6e0d9d
..
4e5a31c
100644
(file)
--- a/
sfa/trust/auth.py
+++ b/
sfa/trust/auth.py
@@
-12,7
+12,6
@@
from sfa.trust.trustedroot import TrustedRootList
from sfa.trust.rights import RightList
from sfa.util.faults import *
from sfa.trust.hierarchy import Hierarchy
from sfa.trust.rights import RightList
from sfa.util.faults import *
from sfa.trust.hierarchy import Hierarchy
-from sfa.util.genitable import GeniTable
from sfa.util.config import *
from sfa.util.misc import *
from sfa.trust.gid import GID
from sfa.util.config import *
from sfa.util.misc import *
from sfa.trust.gid import GID
@@
-61,6
+60,8
@@
class Auth:
self.client_gid.verify_chain(self.trusted_cert_list)
if self.object_gid:
self.object_gid.verify_chain(self.trusted_cert_list)
self.client_gid.verify_chain(self.trusted_cert_list)
if self.object_gid:
self.object_gid.verify_chain(self.trusted_cert_list)
+ else:
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
return True
return True
@@
-203,34
+204,21
@@
class Auth:
raise PermissionError(name)
raise PermissionError(name)
- def determine_user_rights(self,
src_cred
, record):
+ def determine_user_rights(self,
caller_hrn
, record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
-
- Src_cred can be None when obtaining a user credential, but should be
- set to a valid user credential when obtaining a slice or authority
- credential.
-
+
This is intended to replace determine_rights() and
verify_cancreate_credential()
"""
This is intended to replace determine_rights() and
verify_cancreate_credential()
"""
- type = record['type']
- if src_cred:
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- else:
- # supplying src_cred==None is only valid when obtaining user
- # credentials.
- #assert(type == "user")
-
- cred_object_hrn = None
-
rl = RightList()
rl = RightList()
+ type = record['type']
if type=="slice":
researchers = record.get("researcher", [])
if type=="slice":
researchers = record.get("researcher", [])
- if (c
red_object
_hrn in researchers):
+ if (c
aller
_hrn in researchers):
rl.add("refresh")
rl.add("embed")
rl.add("bind")
rl.add("refresh")
rl.add("embed")
rl.add("bind")
@@
-238,12
+226,13
@@
class Auth:
rl.add("info")
elif type == "authority":
rl.add("info")
elif type == "authority":
- rl.add("authority")
- pis = record.get("pi", [])
+ pis = record.get("PI", [])
operators = record.get("operator", [])
operators = record.get("operator", [])
- if (cred_object_hrn in pis):
+ if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+ rl.add("authority,sa,ma",)
+ if (caller_hrn in pis):
rl.add("authority,sa")
rl.add("authority,sa")
- if (c
red_object
_hrn in operators):
+ if (c
aller
_hrn in operators):
rl.add("authority,ma")
elif type == "user":
rl.add("authority,ma")
elif type == "user":
@@
-251,6
+240,9
@@
class Auth:
rl.add("resolve")
rl.add("info")
rl.add("resolve")
rl.add("info")
+ elif type == "component":
+ r1.add("operator")
+
return rl
def verify_cancreate_credential(self, src_cred, record):
return rl
def verify_cancreate_credential(self, src_cred, record):