Access Control

Robert Olson olson at mcs.anl.gov
Tue Jan 28 19:06:41 CST 2003


Attached is a fairly complete design doc for the access control stuff. This 
is now in place (in my copy of the code), and appears to work properly. The 
actual RBAC implementation is not complete, but it will work for 
user-list-based authorization:

from AccessGrid.hosting import access_control
from AccessGrid.hosting.pyGlobus import ServiceBase

class C(ServiceBase.ServiceBase):
    def meth(self, x):
        print "Got meth: ", x

        sm = access_control.GetSecurityManager()

        print "Executing as subject name: ", sm.GetSubject()

        ident = "/O=Grid/OU=Access Grid/OU=mcs.anl.gov/CN=Bob Olson"
        if not sm.ValidateUser(ident):
            raise Exception("Invalid user!")

        return ('you sent', x)

    meth.pass_connection_info = 0
    meth.soap_export_as = "method"

Note that pass_connection_info is no longer needed - the user information is 
obtainable by calling sm.GetSubject().

Merging the new hosting code into CVS will require ensuring that we have a 
coherent view of what pyGlobus to be using; I had to install some patches 
into pyGlobus.io in order to make some of this work (the code relating to 
supporting different certificates). I need to work on that when I'm not 
tired :-). I worry about the latest LBL CVS version of pyGlobus, as it 
still has some code in the GASS part of the library that will end up with 
corrupted data structures (pyGlobus bugzilla bug #4).

--bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: access-control.doc
Type: application/msword
Size: 69120 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-dev/attachments/20030128/b5694599/attachment.doc>
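
The user-list authorization described in the message, as an added stand-alone Python 3 example that is not part of the original post and is not AccessGrid's code: a per-call subject is bound by a dispatcher, and the method checks it against a list of permitted subject names, denying on any missing or malformed name. `parse_dn`, `UserListManager`, `dispatch` and `SM` are hypothetical names, and `dispatch` stands in for a hosting layer that has already authenticated the caller.

```python
import threading

_call = threading.local()  # holds the authenticated subject of the current call


def parse_dn(dn):
    """Parse '/O=Grid/CN=Name' into a tuple of (TYPE, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("subject name must start with '/'")
    pairs = []
    for part in dn[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not (sep and attr and value):
            # Also rejects values that contain '/', so such names fail closed.
            raise ValueError("malformed component: %r" % part)
        pairs.append((attr.upper(), value))  # attribute types are case-insensitive
    return tuple(pairs)


class UserListManager:
    """Hypothetical model of a security manager backed by a user list."""

    def __init__(self, allowed_subjects):
        self._allowed = {parse_dn(s) for s in allowed_subjects}

    def get_subject(self):
        return getattr(_call, "subject", None)

    def subject_allowed(self):
        try:
            return parse_dn(self.get_subject() or "") in self._allowed
        except ValueError:
            return False  # missing or malformed subject: deny


def dispatch(subject, method, *args):
    """Bind the authenticated subject for one call, then clear it."""
    _call.subject = subject
    try:
        return method(*args)
    finally:
        _call.subject = None


# Constructed user list; the subject name is the one quoted in the post.
SM = UserListManager(["/O=Grid/OU=Access Grid/OU=mcs.anl.gov/CN=Bob Olson"])


def meth(x):
    if not SM.subject_allowed():
        raise PermissionError("subject not in user list")
    return ("you sent", x)
```

Comparing parsed components rather than substrings means a name that merely begins with, or extends, a listed subject is not accepted.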

