Author: tmckay Date: 2012-03-22 20:18:49 +0000 (Thu, 22 Mar 2012) New Revision: 5266
Added: branches/roles/cumin/model/access/ Removed: branches/roles/cumin/metadata/access/ Modified: branches/roles/cumin/Makefile branches/roles/cumin/bin/cumin-web branches/roles/cumin/instance/etc/cumin.conf branches/roles/cumin/model/access/usergrid.xml branches/roles/cumin/python/cumin/authorize.py branches/roles/cumin/python/cumin/config.py branches/roles/cumin/python/cumin/main.py Log: Multiple changes surrounding config and location of access mapping files.
* Removed cumin/metadata directory. This is old and hasn't been used for years. Its presence causes confusion. * Moved standard access directory under cumin/model/access * Fixed up make files for install, so that access dir will be installed by rpm * Made authorize fully configurable. Default is $CUMIN_HOME/model/access/usergrid.xml. May be a single file or a directory, or "None" to turn off the feature. * Made absence of mapping information fatal on start if the feature is on.
Modified: branches/roles/cumin/Makefile =================================================================== --- branches/roles/cumin/Makefile 2012-03-22 19:33:54 UTC (rev 5265) +++ branches/roles/cumin/Makefile 2012-03-22 20:18:49 UTC (rev 5266) @@ -27,8 +27,10 @@ install -pm 0644 ../wooly/LICENSE-for-wsgiserver ${CUMIN_HOME}/doc install -pm 0644 ../wooly/COPYING-for-wsgiserver ${CUMIN_HOME}/doc install -d ${CUMIN_HOME}/model/upgrades + install -d ${CUMIN_HOME}/model/access install -pm 0644 model/*.xml ${CUMIN_HOME}/model - install -pm 0755 model/upgrades/* ${CUMIN_HOME}/model/upgrades/ + install -pm 0644 model/access/* ${CUMIN_HOME}/model/access/ install -d ${CUMIN_HOME}/resources install -pm 0644 ../wooly/resources/*.css ${CUMIN_HOME}/resources install -pm 0644 ../wooly/resources/*.js ${CUMIN_HOME}/resources
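Review bot: As rendered here, the hunk removes `install -pm 0755 model/upgrades/* ${CUMIN_HOME}/model/upgrades/` and adds only the `model/access/*` line in its place, so the upgrade scripts would no longer be installed even though `install -d ${CUMIN_HOME}/model/upgrades` stays. The hunk header counts 10 new-side lines but only 9 are visible, so a re-added upgrades line may simply be missing from this rendering; this is worth confirming against the repository. If the line really was dropped, restore it next to the new `model/access/*` line. Mode 0644 for the access maps looks appropriate, since they hold the authorization policy and should not be writable by the account cumin runs as.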
Modified: branches/roles/cumin/bin/cumin-web =================================================================== --- branches/roles/cumin/bin/cumin-web 2012-03-22 19:33:54 UTC (rev 5265) +++ branches/roles/cumin/bin/cumin-web 2012-03-22 20:18:49 UTC (rev 5266) @@ -41,7 +41,19 @@ cumin.wallaby_refresh = values.wallaby_refresh if cumin.wallaby_refresh == 0: cumin.wallaby_refresh = None - + +def set_authorize_config(cumin, values, access_root): + # Allow this to be disabled via "None" + if values.authorize == "None": + cumin.access_path = None + else: + # If there is no initial dir, prepend home + dir_name = os.path.split(values.authorize)[0] + if len(dir_name) == 0: + cumin.access_path = os.path.join(access_root, values.authorize) + else: + cumin.access_path = values.authorize + def adjust_return(passed_init, ret): # Shift non-zer0 return codes left 1 bit # and OR in whether or not init passed @@ -140,7 +152,8 @@
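Review bot: A relative `authorize` value that contains a directory component (for example `access/usergrid.xml`) is used as-is by `set_authorize_config`, so it resolves against whatever working directory cumin-web was started from; only values whose `os.path.split(...)[0]` is empty get `access_root` prepended. The location of the file that defines the authorization policy should not depend on the launch directory, and anchoring every non-absolute value would be `if not os.path.isabs(values.authorize): cumin.access_path = os.path.join(access_root, values.authorize)`. The `"None"` comparison is exact and case-sensitive, which is the safe direction because a misspelling is treated as a path and hits the fatal empty-map check in main.py, but a comment such as `# exact match only: any other spelling is treated as a path` would make that intent explicit.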
cumin.auth_create_ondemand = values.auth_create_ondemand cumin.auth_proxy = values.auth_proxy - + set_authorize_config(cumin, values, config.get_access_root()) + cumin.debug = opts.debug cumin.user = values.user cumin.update_interval = values.update_interval
Modified: branches/roles/cumin/instance/etc/cumin.conf =================================================================== --- branches/roles/cumin/instance/etc/cumin.conf 2012-03-22 19:33:54 UTC (rev 5265) +++ branches/roles/cumin/instance/etc/cumin.conf 2012-03-22 20:18:49 UTC (rev 5266) @@ -8,7 +8,7 @@ # host: localhost host: 0.0.0.0 #user: guest -authorize: usergrid.xml +# authorize: usergrid.xml authz-mech: persona: default auth-proxy: true
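Review bot: The commented-out `# authorize: usergrid.xml` line gives no hint of what the setting now does. Per the commit log the default is `$CUMIN_HOME/model/access/usergrid.xml`, the value may be a file or a directory, and `None` turns the feature off, which makes `authorize()` allow every widget. I would put that in the sample file, for instance `# authorize: access map file or directory (default: $CUMIN_HOME/model/access/usergrid.xml); "None" disables authorization checks`.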
Modified: branches/roles/cumin/model/access/usergrid.xml =================================================================== --- branches/roles/cumin/metadata/access/usergrid.xml 2012-03-21 20:10:53 UTC (rev 5262) +++ branches/roles/cumin/model/access/usergrid.xml 2012-03-22 20:18:49 UTC (rev 5266) @@ -1,9 +1,10 @@ <AccessMap> -<GroupAccess name="nogroup"> - <WidgetAccess reg="cumin.account.widgets.LoginForm"/> - <WidgetAccess reg="cumin.account.widgets.LoginPage"/> - <WidgetAccess reg="cumin.account.widgets.Submit"/> -</GroupAccess> + <GroupAccess name="nogroup"> + <WidgetAccess reg="cumin.account.widgets.LoginForm"/> + <WidgetAccess reg="cumin.account.widgets.LoginPage"/> + <WidgetAccess reg="cumin.account.widgets.Submit"/> + <FallbackPage name="login.html"/> + </GroupAccess> <GroupAccess name="user"> <SubGroupAccess name="nogroup"/> <WidgetAccess reg="cumin.usergrid.*" /> @@ -15,9 +16,10 @@ <WidgetAccess reg="cumin.widgets.About*" /> <WidgetAccess reg="cumin.widgets.CuminFormPage" /> <WidgetAccess reg="cumin.grid.submission.*" /> -</GroupAccess> + <FallbackPage name="usergrid.html"/> + </GroupAccess> <GroupAccess name="admin"> - <WidgetAccess reg=".*"/> + <WidgetAccess reg=".*"/> </GroupAccess> <GroupAccess name="genericadmin"> <SubGroupAccess name="user"/>
Modified: branches/roles/cumin/python/cumin/authorize.py =================================================================== --- branches/roles/cumin/python/cumin/authorize.py 2012-03-22 19:33:54 UTC (rev 5265) +++ branches/roles/cumin/python/cumin/authorize.py 2012-03-22 20:18:49 UTC (rev 5266) @@ -61,23 +61,39 @@ except KeyError: return None
+ def map_is_empty(self): + return len(self.mapping) == 0 + class CuminAuthorizator(object): - def __init__(self, app): + def __init__(self, app, access_path): self.app = app + self.access_path = access_path log.info("Initializing %s", self) self.accmap = CuminAuthorizeMap() modules = app.modules - #TODO: this should be configurable - access_path = app.home + "/metadata/access" - log.debug("Access file path is %s", access_path) - if os.path.isdir(access_path): - for accfile in os.listdir(access_path): - if os.path.isfile(access_path + "/" + accfile): - self.accmap.parse_accessfile(access_path + "/" + accfile) - else: - log.error("Path for access files does not exist!") - log.info("NODULES %s", modules)
+ if access_path is not None: + log.debug("Access file path is %s", access_path) + if os.path.isdir(access_path): + files = [os.path.join(access_path, x) \ + for x in os.listdir(access_path)] + elif os.path.isfile(access_path): + files = [access_path] + else: + files = [] + log.error("Path '%s' for access files does not exist!" % access_path) + + for accfile in files: + if os.path.isfile(accfile): + try: + self.accmap.parse_accessfile(accfile) + except: + log.error("Access file '%s' does not parse!" % accfile) + log.info("MODULES %s", modules) + + def map_is_empty(self): + return self.accmap.map_is_empty() + def find_fallback(self, web_session): # Find a fallback page for the current login session. # If the user is part of multiple groups, just pick the @@ -92,6 +108,9 @@ return self.accmap.find_fallback(group)
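Review bot: The bare `except:` around `self.accmap.parse_accessfile(accfile)` discards the reason a policy file failed to load and lets start-up continue with whatever other files parsed; the emptiness check added in main.py only catches the case where nothing loaded at all. When `access_path` is a directory, one malformed file is therefore skipped with a single log line and the application runs with a partial access map. I would narrow it to `except Exception:`, log with `log.exception("Access file '%s' does not parse!", accfile)` so the traceback is kept, and then `raise` (or record the failure so `init()` can abort). The two new `log.error(... % ...)` calls also format eagerly, unlike the `log.debug("... %s", access_path)` style used a few lines above.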
def authorize(self,web_session, widget_name): + if self.access_path is None: + # The feature is disabled, everything is allowed + return True try: group = web_session.client_session.attributes['login_session'].group except KeyError:
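Review bot: Nothing records that authorization is switched off: with `access_path` set to None, `authorize()` returns True for every widget, and the constructor in the previous hunk skips its access-path log lines in that case. A one-time `log.warning("Authorization is disabled; all widgets are allowed")` in the constructor's `access_path is None` case would make that state visible to whoever reads the logs. A short docstring on `authorize()` stating that a None access path means allow-all would help as well. The rest of the method lies outside this hunk.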
Modified: branches/roles/cumin/python/cumin/config.py =================================================================== --- branches/roles/cumin/python/cumin/config.py 2012-03-22 19:33:54 UTC (rev 5265) +++ branches/roles/cumin/python/cumin/config.py 2012-03-22 20:18:49 UTC (rev 5266) @@ -65,7 +65,7 @@ param.default = False
param = ConfigParameter(web, "authorize", str) - param.default = None + param.default = os.path.join(self.get_access_root(), "usergrid.xml")
param = ConfigParameter(web, "authz-provider", str) param.default = "internal" @@ -116,6 +116,9 @@ def get_home(self): return self.home
+ def get_access_root(self): + return os.path.join(self.home, "model/access/") + def parse(self): paths = list()
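Review bot: `get_access_root()` hard-codes `"model/access/"` with a trailing slash as a single path component and has no docstring. `os.path.join(self.home, "model", "access")` is the more conventional spelling and gives the same result once `usergrid.xml` or a configured file name is joined onto it. A one-line docstring such as `"""Return the directory that holds the default access map files."""` would tell callers what the value is for. Whether `self.home` is always set before the `authorize` default is computed in the first hunk is not visible here and is worth checking.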
Modified: branches/roles/cumin/python/cumin/main.py =================================================================== --- branches/roles/cumin/python/cumin/main.py 2012-03-22 19:33:54 UTC (rev 5265) +++ branches/roles/cumin/python/cumin/main.py 2012-03-22 20:18:49 UTC (rev 5266) @@ -60,9 +60,8 @@ self.modules = list() self.modules_by_name = dict()
- self.authorizator = CuminAuthorizator(self) - self.authorize_cb = self.authorizator.authorize - self.fallback_cb = self.authorizator.find_fallback + # This is an argument to CuminAuthorizator in init() + self.access_path = None
self.tasks = list()
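Review bot: After this hunk `self.authorizator`, `self.authorize_cb` and `self.fallback_cb` no longer exist between construction and `init()`, so any code that reads them in that window will now raise AttributeError. Whether anything does is not visible from the hunk. The new comment could say so directly, for example `# authorizator, authorize_cb and fallback_cb are created in init(), once access_path has been set by the caller`.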
@@ -177,6 +176,16 @@ def init(self, schema_version_check=True): log.info("Initializing %s", self)
+ # Do this initialization as late as possible so that + # the application can set a value for self.access_path. + # Alternatively, it can be an argument to the constructor. + self.authorizator = CuminAuthorizator(self, self.access_path) + if self.access_path is not None and self.authorizator.map_is_empty(): + msg = "Access map does not exit or does not parse '%s'" + raise Exception(msg % self.access_path) + + self.authorize_cb = self.authorizator.authorize + self.fallback_cb = self.authorizator.find_fallback
# Create RPC interfaces for QMF and aviary. # These service have overlapping functionality,
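Review bot: The error text in the new start-up check reads "does not exit" where "does not exist" is meant, and the path is tacked on after the sentence; `msg = "Access map '%s' does not exist or does not parse"` reads better in a log. Raising a plain `Exception` also gives callers of `init()` nothing specific to catch, so a dedicated exception class, or at least `RuntimeError`, would be clearer. The body of `init()` continues outside this hunk.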
cumin-developers@lists.fedorahosted.org