author | Michael DeHaan <mdehaan@redhat.com> | 2008-03-26 12:49:35 -0400 |
---|---|---|
committer | Michael DeHaan <mdehaan@redhat.com> | 2008-03-26 12:49:35 -0400 |
commit | a6a82750ac3cab01fbafdd689a7ea1f5f6dc0bf7 (patch) | |
tree | a7807216eb748704facc493065095c9abcdf701e /cobbler | |
parent | 297805a2c498e57556348f3bb28e8f054c2556aa (diff) | |
Updated LDAP and authorization code, plus packaging
Diffstat (limited to 'cobbler')
-rw-r--r-- | cobbler/cobblerd.py | 4 | ||||
-rw-r--r-- | cobbler/demo_connect.py | 16 | ||||
-rw-r--r-- | cobbler/modules/authn_ldap.py | 1 | ||||
-rw-r--r-- | cobbler/modules/authz_configfile.py | 32 | ||||
-rw-r--r-- | cobbler/remote.py | 29 |
5 files changed, 58 insertions, 24 deletions
diff --git a/cobbler/cobblerd.py b/cobbler/cobblerd.py
index 3c06723..5640aec 100644
--- a/cobbler/cobblerd.py
+++ b/cobbler/cobblerd.py
@@ -108,7 +108,7 @@ def do_xmlrpc(bootapi, settings, port, logger):
 # This is the simple XMLRPC API we provide to koan and other
 # apps that do not need to manage Cobbler's config
- xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerXMLRPCInterface,True)
+ xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerXMLRPCInterface,False)
 server = remote.CobblerXMLRPCServer(('', port))
 server.logRequests = 0 # don't print stuff
@@ -124,7 +124,7 @@ def do_xmlrpc(bootapi, settings, port, logger):
 def do_xmlrpc_rw(bootapi,settings,port,logger):
- xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerReadWriteXMLRPCInterface,False)
+ xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerReadWriteXMLRPCInterface,True)
 server = remote.CobblerReadWriteXMLRPCServer(('127.0.0.1', port))
 server.logRequests = 0 # don't print stuff
 logger.debug("XMLRPC (read-write variant) running on %s" % port)
diff --git a/cobbler/demo_connect.py b/cobbler/demo_connect.py
index 0fa058b..6397a6b 100644
--- a/cobbler/demo_connect.py
+++ b/cobbler/demo_connect.py
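Review bot: The fourth positional argument to remote.ProxiedXMLRPCInterface is a bare True/False at both call sites (this hunk and the do_xmlrpc_rw hunk below it), so a reader cannot tell which interface now has authentication on without opening remote.py; going by remote.py's use of self.auth_enabled it appears to be that flag, but the constructor is not on the page. I'd name it at the call site, as a keyword argument if the constructor accepts one, or with a trailing comment such as `# auth disabled: public read-only API` on the first call and `# auth enabled: read-write API` on the second. It is worth a second look that the read-only server, the one that binds ('', port) on every interface, is the one that ends up with the flag False, since check_access in this commit's remote.py returns True for every resource when auth is off.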
@@ -11,12 +11,20 @@ along with this program; if not, write to the Free Software
 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 """
-from server.xmlrpcclient import ServerProxy
+from xmlrpclib import ServerProxy
+import optparse
 if __name__ == "__main__":
- sp = ServerProxy("httpu:///var/lib/cobbler/sock")
- print sp.login("<system>","")
-
+ p = optparse.OptionParser()
+ p.add_option("-u","--user",dest="user",default="test")
+ p.add_option("-p","--pass",dest="password",default="test")
+ sp = ServerProxy("http://127.0.0.1/cobbler_api_rw")
+ (options, args) = p.parse_args()
+ print "- trying to login with user=%s" % options.user
+ token = sp.login(options.user,options.password)
+ print "- token: %s" % token
+ check = sp.check_access(token,"imaginary_method_name")
+ print "- access ok? %s" % check
diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py
index 4597f3c..6d190bd 100644
--- a/cobbler/modules/authn_ldap.py
+++ b/cobbler/modules/authn_ldap.py
@@ -90,7 +90,6 @@ def authenticate(api_handle,username,password):
 # attempt to bind as the user
 dir.simple_bind_s(dn,password)
 dir.unbind()
- print "FAIL 1"
 return True
 except:
 traceback.print_exc()
diff --git a/cobbler/modules/authz_configfile.py b/cobbler/modules/authz_configfile.py
index 0d41cce..c183721 100644
--- a/cobbler/modules/authz_configfile.py
+++ b/cobbler/modules/authz_configfile.py
@@ -1,6 +1,8 @@
 """
 Authorization module that allow users listed in
-the auth_ldap.conf config file
+/etc/cobbler/users.conf to be permitted to access resources.
+For instance, when using authz_ldap, you want to use authn_configfile,
+not authz_allowall, which will most likely NOT do what you want.
 This software may be freely redistributed under the terms of the GNU
 general public license.
@@ -23,7 +25,7 @@ sys.path.insert(0, mod_path)
 import cexceptions
 import utils
-CONFIG_FILE='/etc/cobbler/auth_ldap.conf'
+CONFIG_FILE='/etc/cobbler/users.conf'
 def register():
 """
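Review bot: The final `check = sp.check_access(token,"imaginary_method_name")` can no longer yield a false result, because check_access in this commit's remote.py hunk raises CX on an authorization failure instead of returning 0; over XML-RPC that arrives as an xmlrpclib.Fault and the script dies before `print "- access ok? %s" % check`. Wrap the call and import the exception alongside ServerProxy: `from xmlrpclib import ServerProxy, Fault`, then `try: check = sp.check_access(token,"imaginary_method_name")` / `except Fault, e: check = "denied (%s)" % e.faultString`. The password is also read from a command-line option with a default of "test"; for a demo that is acceptable, but a getpass.getpass() prompt when -p is not given keeps credentials out of the process list and shell history.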
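Review bot: The module names in the new docstring line look swapped: this file is authz_configfile and the LDAP module touched in this same commit is authn_ldap, so `For instance, when using authz_ldap, you want to use authn_configfile,` should read `For instance, when using authn_ldap, you want to use authz_configfile,`. As written it sends readers to two module names that do not appear anywhere on the page.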
@@ -31,12 +33,32 @@ def register():
 """
 return "authz"
+def __parse_config():
+ if not os.path.exists(CONFIG_FILE):
+ return []
+ config = ConfigParser.SafeConfigParser()
+ config.read(CONFIG_FILE)
+ alldata = {}
+ groups = config.sections()
+ for g in groups:
+ alldata[str(g)] = {}
+ opts = config.options(g)
+ for o in opts:
+ alldata[g][o] = 1
+ return alldata
+
+
 def authorize(api_handle,user,resource,arg1=None,arg2=None):
 """
 Validate a user against a resource.
+ All users in the file are permitted by this module.
 """
- # FIXME: implement this, only users in /etc/cobbler/users.conf
- # will return 1. Later we'll do authz_ownership.py
-
+ data = __parse_config()
+ for g in data:
+ if user in data[g]:
+ return 1
 return 0
+
+if __name__ == "__main__":
+ print __parse_config()
diff --git a/cobbler/remote.py b/cobbler/remote.py
index 5131323..4b04fcb 100644
--- a/cobbler/remote.py
+++ b/cobbler/remote.py
@@ -561,10 +561,6 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
 FIXME: currently looks for users in /etc/cobbler/auth.conf
 Would be very nice to allow for PAM and/or just Kerberos.
 """
- if not self.auth_enabled and input_user == "<system>":
- return True
- if self.auth_enabled and input_user == "<system>":
- return False
 return self.api.authenticate(input_user,input_password)
 def __validate_token(self,token):
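Review bot: `__parse_config` stores the option names exactly as ConfigParser returns them, and SafeConfigParser lower-cases option names through its default optionxform, so a user listed as `Admin` in users.conf is stored as `admin` and `if user in data[g]:` in authorize fails for the login name the user actually typed. Set `config.optionxform = str` right after constructing the parser (or lower-case both sides consistently) so the file and the login name agree. The keys are also written two ways, `alldata[str(g)] = {}` and then `alldata[g][o] = 1`; pick one. The hunk relies on os and ConfigParser but the module's import block is outside it, so confirm both are imported. Note too that resource is never consulted, so any listed user is authorized for every resource; the docstring says so, but a one-line comment on authorize recording that per-resource control is left to a later module would save the next reader a search.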
@@ -579,11 +575,12 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
 self.__invalidate_expired_tokens()
 self.__invalidate_expired_objects()
- if not self.auth_enabled:
- user = self.get_user_from_token(token)
- if user == "<system>":
- self.token_cache[token] = (time.time(), user) # update to prevent timeout
- return True
+ #if not self.auth_enabled:
+ # user = self.get_user_from_token(token)
+ # # old stuff, preserving for future usage
+ # # if user == "<system>":
+ # # self.token_cache[token] = (time.time(), user) # update to prevent timeout
+ # # return True
 if self.token_cache.has_key(token):
 user = self.get_user_from_token(token)
@@ -598,10 +595,16 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
 def check_access(self,token,resource,arg1=None,arg2=None):
 validated = self.__validate_token(token)
+ user = self.get_user_from_token(token)
 if not self.auth_enabled:
+ # for public read-only XMLRPC, permit access
+ self.log("permitting read-only access")
 return True
- return self.__authorize(token,resource,arg1,arg2)
-
+ rc = self.__authorize(token,resource,arg1,arg2)
+ self.log("authorization result: %s" % rc)
+ if not rc:
+ raise CX(_("authorization failure for user %s" % user))
+ return rc
 def login(self,login_user,login_password):
 """
@@ -621,7 +624,9 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
 def __authorize(self,token,resource,arg1=None,arg2=None):
 user = self.get_user_from_token(token)
- if self.api.authorize(user,resource,arg1,arg2):
+ self.log("calling authorize for resource %s" % resource, user=user)
+ rc = self.api.authorize(user,resource,arg1,arg2)
+ if rc:
 return True
 else:
 raise CX(_("user does not have access to resource: %s") % resource)
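Review bot: The six lines starting `#if not self.auth_enabled:` are commented-out code kept "for future usage", but the removed side of this very hunk already preserves that branch in version control, so the commented copy only makes __validate_token harder to read. I'd delete the six `#` lines, or if the intent is worth recording, keep a single line such as `# auth_enabled no longer short-circuits token validation; the "<system>" user was dropped in this commit`. __validate_token starts and ends outside the hunk.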
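Review bot: `raise CX(_("authorization failure for user %s" % user))` formats the string before handing it to `_()`, so the msgid the translation catalog receives is the interpolated text and never matches an entry; the __authorize hunk below has the right shape, `_("user does not have access to resource: %s") % resource`, so this line should be `raise CX(_("authorization failure for user %s") % user)`. The branch is also unreachable as written: on the new side __authorize returns True or raises CX itself, so rc is never false in check_access and the new message never surfaces. Either have __authorize return the raw result and let check_access be the one place that raises, or drop the dead `if not rc:` check. `validated` is still computed and never consulted, which is pre-existing, but if __validate_token is relied on to raise for a bad token a comment saying so would help, since check_access is now the gate for every read-write call.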