authorSeth Vidal <skvidal@fedoraproject.org>2007-10-08 14:59:28 -0400
committerSeth Vidal <skvidal@fedoraproject.org>2007-10-08 14:59:28 -0400
commit9033fe7cc3c6a59bd90c4742a47536699dee612d (patch)
tree7464fb9f366e121d86947f2f900755d681612e14 /func/minion/server.py
parentce379bdb3d6ade0a6326d5d7cf9446389cf4d94b (diff)
fine-grained acls per minion
- adds minion-acl.conf
Diffstat (limited to 'func/minion/server.py')
-rwxr-xr-xfunc/minion/server.py32
1 files changed, 21 insertions, 11 deletions
diff --git a/func/minion/server.py b/func/minion/server.py
index 39a78cb..921aa03 100755
--- a/func/minion/server.py
+++ b/func/minion/server.py
@@ -20,6 +20,7 @@ import string
import sys
import traceback
import socket
+import fnmatch
from gettext import textdomain
I18N_DOMAIN = "func"
@@ -51,7 +52,7 @@ class XmlRpcInterface(object):
self.logger = logger.Logger().logger
self.audit_logger = logger.AuditLogger()
self.__setup_handlers()
-
+
# need a reference so we can log ip's, certs, etc
# self.server = server
@@ -213,18 +214,27 @@ class FuncSSLXMLRPCServer(AuthedXMLRPCServer.AuthedSSLXMLRPCServer,
return peer_cert.get_subject().CN
def _check_acl(self, cert, ip, method, params):
- cn = cert.get_subject().CN
- sub_hash = cert.subject_name_hash()
- # FIXME - make this be more useful, obviously :)
- # until we figure out the right config - just say - if the cert
- # is not the cert of our ca (which is where overlord/func/certmaster
- # runs then return False
+ acls = utils.get_acls_from_config(fn=self.config.acl_config)
+ # certmaster always gets to run things
ca_cn = self._our_ca.get_subject().CN
ca_hash = self._our_ca.subject_name_hash()
- if cn == ca_cn and sub_hash == ca_hash:
- return True
-
- # clearly other method/param checks here
+ ca_key = '%s-%s' % (ca_cn, ca_hash)
+ acls[ca_key] = ['*']
+
+ cn = cert.get_subject().CN
+ sub_hash = cert.subject_name_hash()
+ if acls:
+ allow_list = []
+ hostkey = '%s-%s' % (cn, sub_hash)
+ # search all the keys, match to 'cn-subhash'
+ for hostmatch in acls.keys():
+ if fnmatch.fnmatch(hostkey, hostmatch):
+ allow_list.extend(acls[hostmatch])
+ # go through the allow_list and make sure this method is in there
+ for methodmatch in allow_list:
+ if fnmatch.fnmatch(method, methodmatch):
+ return True
+
return False
def main(argv):
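Review bot: The new host and method matching in `_check_acl` goes through `fnmatch.fnmatch`, which passes both sides through `os.path.normcase` before comparing, so on a case-insensitive platform a certificate CN that differs from an ACL key only in case would still be granted; an authorization check should use the exact, platform-independent form, i.e. `if fnmatch.fnmatchcase(hostkey, hostmatch):` and `if fnmatch.fnmatchcase(method, methodmatch):`. The `params` argument is still unused now that the old "clearly other method/param checks here" comment is gone, so a one-line comment such as `# NOTE: grants are per-method only; params are not inspected` would keep that limitation visible to whoever edits minion-acl.conf. Because the certmaster entry is inserted into `acls` before the `if acls:` test, that test can no longer be false; either drop the guard or add the CA entry after it so the intent reads clearly. Whether `utils.get_acls_from_config` fails closed when the ACL file is missing or malformed is not visible in this hunk and is worth confirming, since an exception here propagates to the caller rather than returning False.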