-rw-r--r--CHANGELOG1
-rw-r--r--MANIFEST.in1
-rw-r--r--Makefile2
-rw-r--r--cobbler.spec9
-rw-r--r--cobbler/cobblerd.py4
-rw-r--r--cobbler/demo_connect.py16
-rw-r--r--cobbler/modules/authn_ldap.py1
-rw-r--r--cobbler/modules/authz_configfile.py32
-rw-r--r--cobbler/remote.py29
-rw-r--r--config/modules.conf2
-rw-r--r--setup.py1
11 files changed, 69 insertions, 29 deletions
diff --git a/CHANGELOG b/CHANGELOG
index e0e7f05..804254a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ Cobbler CHANGELOG
- added patch to allow --kopts/--ksmeta items to be cleared with --kopts=delete
- tftpboot location is now inferred from xinetd config (added for F9 compat)
- added authn_ldap and stub for authz_configfile
+- authz_configfile allows filtering ldap/other users by config file
- ??? - 0.8.3
- fix WebUI documentation URL
diff --git a/MANIFEST.in b/MANIFEST.in
index ed1d412..4c8ed20 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -10,6 +10,7 @@ include config/modules.conf
include config/auth.conf
include config/settings
include config/users.digest
+include config/users.conf
recursive-include templates *.template
recursive-include kickstarts *.ks
include docs/cobbler.1.gz
diff --git a/Makefile b/Makefile
index c40b4ed..e742e39 100644
--- a/Makefile
+++ b/Makefile
@@ -38,10 +38,12 @@ install: clean manpage
devinstall:
cp /var/lib/cobbler/settings /tmp/cobbler_settings
cp /etc/cobbler/modules.conf /tmp/cobbler_modules.conf
+ cp /etc/cobbler/users.conf /tmp/cobbler_users.conf
-cp /etc/cobbler/users.digest /tmp/cobbler_users.digest
make install
cp /tmp/cobbler_settings /var/lib/cobbler/settings
cp /tmp/cobbler_modules.conf /etc/cobbler/modules.conf
+ cp /tmp/cobbler_users.conf /etc/cobbler/users.conf
-cp /tmp/cobbler_users.digest /etc/cobbler/users.digest
find /var/lib/cobbler/triggers | xargs chmod +x
chown -R apache /var/www/cobbler
diff --git a/cobbler.spec b/cobbler.spec
index aa61bd9..c4cc5a0 100644
--- a/cobbler.spec
+++ b/cobbler.spec
@@ -128,6 +128,7 @@ test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT
%config(noreplace) /etc/cobbler/rsync.exclude
%config(noreplace) /etc/logrotate.d/cobblerd_rotate
%config(noreplace) /etc/cobbler/modules.conf
+%config(noreplace) /etc/cobbler/users.conf
%dir %{python_sitelib}/cobbler
%dir %{python_sitelib}/cobbler/yaml
%dir %{python_sitelib}/cobbler/modules
@@ -190,14 +191,14 @@ test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT
%changelog
-<<<<<<< HEAD:cobbler.spec
-* Fri Mar 07 2008 Michael DeHaan <mdehaan@redhat.com> - 0.9.0-1
-=======
+* Wed Mar 26 2008 Michael DeHaan <mdehaan@redhat.com> - 0.9.0-1
+- Upstream changes (see CHANGELOG)
+- packaged /etc/cobbler/users.conf
+
* Mon Mar 10 2008 Michael DeHaan <mdehaan@redhat.com> - 0.8.3-1
- Upstream changes (see CHANGELOG)
* Fri Mar 07 2008 Michael DeHaan <mdehaan@redhat.com> - 0.8.2-1
->>>>>>> master:cobbler.spec
- Upstream changes (see CHANGELOG)
* Wed Feb 20 2008 Michael DeHaan <mdehaan@redhat.com> - 0.8.1-1
diff --git a/cobbler/cobblerd.py b/cobbler/cobblerd.py
index 3c06723..5640aec 100644
--- a/cobbler/cobblerd.py
+++ b/cobbler/cobblerd.py
@@ -108,7 +108,7 @@ def do_xmlrpc(bootapi, settings, port, logger):
# This is the simple XMLRPC API we provide to koan and other
# apps that do not need to manage Cobbler's config
- xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerXMLRPCInterface,True)
+ xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerXMLRPCInterface,False)
server = remote.CobblerXMLRPCServer(('', port))
server.logRequests = 0 # don't print stuff
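Review bot: The fourth positional argument to `remote.ProxiedXMLRPCInterface` on L93 is the bare boolean this commit flips from `True` to `False`, and the read-write call in the next hunk (L99) flips it the other way; an unlabelled positional flag is exactly how the two came to be inverted in the first place. Since the interface that ends up without authentication is the one bound to `('', port)` on L94, i.e. every interface, the pairing deserves to be explicit at both call sites, e.g. `# False: no login on the public read-only API (listens on all interfaces)` here and `# True: logins required on the read-write API (bound to 127.0.0.1 only)` on L99. If the constructor's parameter has a name, passing it as a keyword would make a future swap impossible to miss.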
@@ -124,7 +124,7 @@ def do_xmlrpc(bootapi, settings, port, logger):
def do_xmlrpc_rw(bootapi,settings,port,logger):
- xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerReadWriteXMLRPCInterface,False)
+ xinterface = remote.ProxiedXMLRPCInterface(bootapi,logger,remote.CobblerReadWriteXMLRPCInterface,True)
server = remote.CobblerReadWriteXMLRPCServer(('127.0.0.1', port))
server.logRequests = 0 # don't print stuff
logger.debug("XMLRPC (read-write variant) running on %s" % port)
diff --git a/cobbler/demo_connect.py b/cobbler/demo_connect.py
index 0fa058b..6397a6b 100644
--- a/cobbler/demo_connect.py
+++ b/cobbler/demo_connect.py
@@ -11,12 +11,20 @@ along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
"""
-from server.xmlrpcclient import ServerProxy
+from xmlrpclib import ServerProxy
+import optparse
if __name__ == "__main__":
- sp = ServerProxy("httpu:///var/lib/cobbler/sock")
- print sp.login("<system>","")
-
+ p = optparse.OptionParser()
+ p.add_option("-u","--user",dest="user",default="test")
+ p.add_option("-p","--pass",dest="password",default="test")
+ sp = ServerProxy("http://127.0.0.1/cobbler_api_rw")
+ (options, args) = p.parse_args()
+ print "- trying to login with user=%s" % options.user
+ token = sp.login(options.user,options.password)
+ print "- token: %s" % token
+ check = sp.check_access(token,"imaginary_method_name")
+ print "- access ok? %s" % check
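Review bot: `-p/--pass` on L119 takes the password on the command line, where it is visible to every local user through the process list and lingers in shell history, and the `default="test"` means a stray run silently logs in with demo credentials. Prompt when the option is absent instead, e.g. `password = options.password or getpass.getpass()`, with `import getpass` beside `import optparse` on L112, and drop the default. Printing the freshly issued token on L124 also leaves a live credential in the terminal scrollback; reporting whether the login succeeded is enough for a demo client.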
diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py
index 4597f3c..6d190bd 100644
--- a/cobbler/modules/authn_ldap.py
+++ b/cobbler/modules/authn_ldap.py
@@ -90,7 +90,6 @@ def authenticate(api_handle,username,password):
# attempt to bind as the user
dir.simple_bind_s(dn,password)
dir.unbind()
- print "FAIL 1"
return True
except:
traceback.print_exc()
diff --git a/cobbler/modules/authz_configfile.py b/cobbler/modules/authz_configfile.py
index 0d41cce..c183721 100644
--- a/cobbler/modules/authz_configfile.py
+++ b/cobbler/modules/authz_configfile.py
@@ -1,6 +1,8 @@
"""
Authorization module that allow users listed in
-the auth_ldap.conf config file
+/etc/cobbler/users.conf to be permitted to access resources.
+For instance, when using authz_ldap, you want to use authn_configfile,
+not authz_allowall, which will most likely NOT do what you want.
This software may be freely redistributed under the terms of the GNU
general public license.
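Review bot: The added docstring sentence on L148-149 has the module names crossed: the authentication module is `authn_ldap` and the module this file implements is `authz_configfile`, but the text says "when using authz_ldap, you want to use authn_configfile". Suggested wording: `For instance, when using authn_ldap, you want to pair it with authz_configfile, not authz_allowall, which will most likely NOT do what you want.`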
@@ -23,7 +25,7 @@ sys.path.insert(0, mod_path)
import cexceptions
import utils
-CONFIG_FILE='/etc/cobbler/auth_ldap.conf'
+CONFIG_FILE='/etc/cobbler/users.conf'
def register():
"""
@@ -31,12 +33,32 @@ def register():
"""
return "authz"
+def __parse_config():
+ if not os.path.exists(CONFIG_FILE):
+ return []
+ config = ConfigParser.SafeConfigParser()
+ config.read(CONFIG_FILE)
+ alldata = {}
+ groups = config.sections()
+ for g in groups:
+ alldata[str(g)] = {}
+ opts = config.options(g)
+ for o in opts:
+ alldata[g][o] = 1
+ return alldata
+
+
def authorize(api_handle,user,resource,arg1=None,arg2=None):
"""
Validate a user against a resource.
+ All users in the file are permitted by this module.
"""
- # FIXME: implement this, only users in /etc/cobbler/users.conf
- # will return 1. Later we'll do authz_ownership.py
-
+ data = __parse_config()
+ for g in data:
+ if user in data[g]:
+ return 1
return 0
+
+if __name__ == "__main__":
+ print __parse_config()
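Review bot: `__parse_config` stores option names exactly as `ConfigParser` returns them, and `ConfigParser` lowercases option names through `optionxform` by default, so the membership test `user in data[g]` in `authorize` (L187) never matches a user listed with mixed case in users.conf, and a mixed-case login name never matches the lowercased entry. Set `config.optionxform = str` right after `config = ConfigParser.SafeConfigParser()` on L165 to keep names verbatim, or fold both the file entries and `user` the same way. The missing-file branch on L164 returns `[]` while the normal path returns a dict; `return {}` keeps the type stable for callers. `resource`, `arg1` and `arg2` are unused, so a listed user is granted every resource — consistent with the docstring, but worth stating next to the loop: `# resource is ignored: any user listed in users.conf is authorized for everything`.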
diff --git a/cobbler/remote.py b/cobbler/remote.py
index 5131323..4b04fcb 100644
--- a/cobbler/remote.py
+++ b/cobbler/remote.py
@@ -561,10 +561,6 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
FIXME: currently looks for users in /etc/cobbler/auth.conf
Would be very nice to allow for PAM and/or just Kerberos.
"""
- if not self.auth_enabled and input_user == "<system>":
- return True
- if self.auth_enabled and input_user == "<system>":
- return False
return self.api.authenticate(input_user,input_password)
def __validate_token(self,token):
@@ -579,11 +575,12 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
self.__invalidate_expired_tokens()
self.__invalidate_expired_objects()
- if not self.auth_enabled:
- user = self.get_user_from_token(token)
- if user == "<system>":
- self.token_cache[token] = (time.time(), user) # update to prevent timeout
- return True
+ #if not self.auth_enabled:
+ # user = self.get_user_from_token(token)
+ # # old stuff, preserving for future usage
+ # # if user == "<system>":
+ # # self.token_cache[token] = (time.time(), user) # update to prevent timeout
+ # # return True
if self.token_cache.has_key(token):
user = self.get_user_from_token(token)
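Review bot: L215-220 leave the retired `<system>` bypass as commented-out code instead of deleting it, and a commented block like this drifts from the live code around it while still reading as if it might be re-enabled. Git history preserves the old branch, so the six lines can go and be replaced by a single sentence such as `# Tokens are validated the same way whether or not auth is enabled; the old "<system>" bypass was removed.` The enclosing `__validate_token` continues past this hunk.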
@@ -598,10 +595,16 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
def check_access(self,token,resource,arg1=None,arg2=None):
validated = self.__validate_token(token)
+ user = self.get_user_from_token(token)
if not self.auth_enabled:
+ # for public read-only XMLRPC, permit access
+ self.log("permitting read-only access")
return True
- return self.__authorize(token,resource,arg1,arg2)
-
+ rc = self.__authorize(token,resource,arg1,arg2)
+ self.log("authorization result: %s" % rc)
+ if not rc:
+ raise CX(_("authorization failure for user %s" % user))
+ return rc
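Review bot: `validated = self.__validate_token(token)` on L225 is assigned and never read, so unless `__validate_token` raises on an unknown or expired token (its tail is outside this diff), a bad token still reaches `__authorize`. Either act on the result — `if not validated: raise CX(_("invalid token"))` — or, if it does raise, drop the unused name so the next reader does not wonder. The new `user = self.get_user_from_token(token)` on L226 now runs before the `auth_enabled` check; if that lookup raises for tokens the read-only interface never issued, the public path on L227-230 changes behaviour, which is worth confirming. Separately, `__authorize` (L246-249) returns True or raises, so the `if not rc:` branch on L235 looks unreachable, and the message on L236 formats `% user` inside `_()` whereas L249 formats outside; `raise CX(_("authorization failure for user %s") % user)` matches the existing style and leaves the literal translatable.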
def login(self,login_user,login_password):
"""
@@ -621,7 +624,9 @@ class CobblerReadWriteXMLRPCInterface(CobblerXMLRPCInterface):
def __authorize(self,token,resource,arg1=None,arg2=None):
user = self.get_user_from_token(token)
- if self.api.authorize(user,resource,arg1,arg2):
+ self.log("calling authorize for resource %s" % resource, user=user)
+ rc = self.api.authorize(user,resource,arg1,arg2)
+ if rc:
return True
else:
raise CX(_("user does not have access to resource: %s") % resource)
diff --git a/config/modules.conf b/config/modules.conf
index 2d60d21..2daf0e4 100644
--- a/config/modules.conf
+++ b/config/modules.conf
@@ -9,4 +9,4 @@ repo = serializer_yaml
module = authn_configfile
[authorization]
-module = authn_allowall
+module = authz_allowall
diff --git a/setup.py b/setup.py
index 39bba40..8253216 100644
--- a/setup.py
+++ b/setup.py
@@ -74,6 +74,7 @@ if __name__ == "__main__":
(etcpath, ['config/modules.conf']),
(etcpath, ['config/users.digest']),
(etcpath, ['config/rsync.exclude']),
+ (etcpath, ['config/users.conf']),
(initpath, ['config/cobblerd']),
(cobpath, ['config/settings']),