record_list = table.resolve(type, hrn)
if not record_list:
- raise RecordNotFound(name)
+ raise RecordNotFound(hrn)
record = record_list[0]
# TODO: sa, ma
rl.add("resolve")
rl.add("info")
elif type == "sa":
- rl.add("authority")
+ rl.add("authority,sa")
elif type == "ma":
- rl.add("authority")
+ rl.add("authority,ma")
elif type == "slice":
rl.add("refresh")
rl.add("embed")
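Review bot: `rl.add("authority,sa")` and `rl.add("authority,ma")` pass a comma-joined string to a method that every other call in this hunk gives a single right name (`"resolve"`, `"info"`, `"refresh"`, `"embed"`). The body of `add` is not visible here; if it does not split on commas, the list ends up holding one right literally named `authority,sa`, which matches no key of `privilege_table`, and any later subset comparison would run against that literal. Two calls, `rl.add("authority")` followed by `rl.add("sa")` (and likewise for `ma`), would not depend on how `add` parses its argument. The `# TODO: sa, ma` comment above looks stale once these branches are filled in, and the enclosing function starts and ends outside the hunk.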
rl = self.determine_rights(type, name)
cred.set_privileges(rl)
- cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+ # determine the type of credential that we want to use as a parent for
+ # this credential.
+
+ if (type == "ma") or (type == "node"):
+ auth_kind = "authority,ma"
+ else: # user, slice, sa
+ auth_kind = "authority,sa"
+
+ cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
cred.encode()
cred.sign()
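Review bot: The `else: # user, slice, sa` branch selects `authority,sa` for every `type` that is not `ma` or `node`, so an unexpected or misspelled type silently receives a parent credential of that kind instead of being rejected. Privilege selection is safer as a closed set: make the second branch `elif type in ("user", "slice", "sa"):` and add a final `else:` that raises. The same block is repeated verbatim before `new_cred.set_parent(...)` in the next hunk; one private helper mapping `type` to the parent kind would keep the two paths from drifting apart. Both enclosing functions begin and end outside the hunks shown.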
rl = self.determine_rights(type, name)
new_cred.set_privileges(rl)
- new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+ # determine the type of credential that we want to use as a parent for
+ # this credential.
+
+ if (type == "ma") or (type == "node"):
+ auth_kind = "authority,ma"
+ else: # user, slice, sa
+ auth_kind = "authority,sa"
+
+ new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
# make sure the rights given to the child are a subset of the
# parents rights
if not self.parent.get_privileges().is_superset(self.get_privileges()):
- raise ChildRightsNotSubsetOfParent(self.get_subject())
+ raise ChildRightsNotSubsetOfParent(self.get_subject() + " " + self.parent.get_privileges().save_to_string() + " " + self.get_privileges().save_to_string())
return
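Review bot: The new `ChildRightsNotSubsetOfParent` argument is built on one very long line that calls `self.parent.get_privileges()` and `self.get_privileges()` a second time each; binding them to locals before the `if` (for example `parent_rights = self.parent.get_privileges()`) would make the check and the message read from the same values. The message now also carries both serialized privilege lists; if this exception is returned to a remote caller, which is not visible in this hunk, that detail may be better placed in the server log with only the subject in the exception. The enclosing method begins outside the hunk.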
# the authority's parent.
#
# @param hrn the human readable name of the authority
+ # @param authority type of credential to return (authority | sa | ma)
- def get_auth_cred(self, hrn):
+ def get_auth_cred(self, hrn, kind="authority"):
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
cred = Credential(subject=hrn)
cred.set_gid_caller(gid)
cred.set_gid_object(gid)
- cred.set_privileges("authority")
+ cred.set_privileges(kind)
cred.set_delegate(True)
cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
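Review bot: `kind` goes unchecked into `cred.set_privileges(kind)` on a credential that is also marked `set_delegate(True)`, so whatever string a caller supplies becomes the privilege list of a delegable authority credential. The callers shown pass only `"authority,sa"` and `"authority,ma"`; a guard at the top of `get_auth_cred` that rejects any other value would keep it that way, since the recursive call `self.get_auth_cred(parent_hrn, kind)` in the next hunk forwards the same value up the whole parent chain. The added doc line names the parameter `authority` and lists `(authority | sa | ma)`, neither of which matches the code; `# @param kind privilege string for the credential ("authority", "authority,sa" or "authority,ma")` would. The function body continues outside the hunk.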
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
cred.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
- cred.set_parent(self.get_auth_cred(parent_hrn))
+ cred.set_parent(self.get_auth_cred(parent_hrn, kind))
cred.encode()
cred.sign()
# privilege_table is a list of priviliges and what operations are allowed
# per privilege.
-privilege_table = {"authority": ["remove", "update", "resolve", "list", "getcredential"],
+privilege_table = {"authority": ["register", "remove", "update", "resolve", "list", "getcredential"],
"refresh": ["remove", "update"],
"resolve": ["resolve", "list", "getcredential"],
"sa": ["getticket", "redeemslice", "createslice", "deleteslice", "updateslice", "getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "deleteslice", "resetslice", "listslices", "listnodes", "getpolicy"],