def on_initial_bootstrap(self, process, config, **kwargs):
org_ms_client = OrgManagementServiceProcessClient(process=process)
ex_ms_client = ExchangeManagementServiceProcessClient(process=process)
system_actor = get_system_actor()
if not system_actor:
raise AbortBootstrap("Cannot find system actor")
system_actor_id = system_actor._id
# Create root Org: ION
root_orgname = config.system.root_org
org = Org(name=root_orgname, description="ION Root Org")
self.org_id = org_ms_client.create_org(org)
# Instantiate initial set of User Roles for this Org
superuser_role = UserRole(
governance_name=SUPERUSER_ROLE,
name='Superuser role',
description='Has all permissions system wide')
org_ms_client.add_org_role(self.org_id, superuser_role)
org_ms_client.grant_role(self.org_id, system_actor_id, SUPERUSER_ROLE)
# Make the ION system agent a manager for the ION Org
org_ms_client.grant_role(self.org_id, system_actor_id, MODERATOR_ROLE)
# Create root ExchangeSpace
system_xs_name = process.container.ex_manager.system_xs_name
xs = ExchangeSpace(name=system_xs_name, description="ION service XS")
self.xs_id = ex_ms_client.create_exchange_space(xs, self.org_id)
def on_init(self):
self.process = getattr(self, "process", None) or self
self.rr = self.container.resource_registry
self.idm_client = IdentityManagementServiceProcessClient(process=self.process)
self.org_client = OrgManagementServiceProcessClient(process=self.process)
self.scion_client = ScionManagementProcessClient(process=self.process)
self.op = self.CFG.get("op", "load")
if self.op == "auto":
self.do_auto_preload()
elif self.op == "init":
pass # Initialization only for explicit call
elif self.op == "load":
preload_master = CFG.get_safe("scion.preload.default_master")
if preload_master:
self.do_preload_master(preload_master)
else:
raise BadRequest("Unknown command")
def op_load_system_policies(cls, calling_process):
"""
Create the initial set of policy rules for the system.
To establish clear rule precedence, denying all anonymous access to Org services first
and then add rules which Permit access to specific operations based on conditions.
"""
orgms_client = OrgManagementServiceProcessClient(
process=calling_process)
policyms_client = PolicyManagementServiceProcessClient(
process=calling_process)
ion_org = orgms_client.find_org()
system_actor = get_system_actor()
log.info('System actor: %s', system_actor._id)
sa_user_header = get_system_actor_header(system_actor)
policy_rules_filename = calling_process.CFG.get_safe(
"bootstrap.initial_policy_rules")
if not policy_rules_filename:
raise ContainerConfigError("Policy rules file not configured")
if not os.path.exists(policy_rules_filename):
raise ContainerConfigError("Policy rules file does not exist")
with open(policy_rules_filename, "r") as f:
policy_rules_yml = f.read()
policy_rules_cfg = yaml.safe_load(policy_rules_yml)
if "type" not in policy_rules_cfg or policy_rules_cfg[
"type"] != "scioncc_policy_rules":
raise ContainerConfigError("Invalid policy rules file content")
log.info("Loading %s policy rules", len(policy_rules_cfg["rules"]))
for rule_cfg in policy_rules_cfg["rules"]:
rule_name, policy_type, rule_desc = rule_cfg["name"], rule_cfg[
"policy_type"], rule_cfg.get("description", "")
if rule_cfg.get("enable") is False:
log.info("Policy rule %s disabled", rule_name)
continue
log.info("Loading policy rule %s (%s)", rule_name, policy_type)
rule_filename = rule_cfg["rule_def"]
if not os.path.isabs(rule_filename):
rule_filename = os.path.join(
os.path.dirname(policy_rules_filename), rule_filename)
with open(rule_filename, "r") as f:
rule_def = f.read()
ordinal = rule_cfg.get("ordinal", 0)
# Create the policy
if policy_type == "common_service_access":
policyms_client.create_common_service_access_policy(
rule_name,
rule_desc,
rule_def,
ordinal=ordinal,
headers=sa_user_header)
elif policy_type == "service_access":
service_name = rule_cfg["service_name"]
policyms_client.create_service_access_policy(
service_name,
rule_name,
rule_desc,
rule_def,
ordinal=ordinal,
headers=sa_user_header)
elif policy_type == "resource_access":
resource_type, resource_name = rule_cfg[
"resource_type"], rule_cfg["resource_name"]
res_ids, _ = calling_process.container.resource_registry.find_resources(
restype=resource_type, name=resource_name, id_only=True)
if res_ids:
resource_id = res_ids[0]
policyms_client.create_resource_access_policy(
resource_id,
rule_name,
rule_desc,
rule_def,
ordinal=ordinal,
headers=sa_user_header)
else:
raise ContainerConfigError(
"Rule %s has invalid policy type: %s" %
(rule_name, policy_type))
def __init__(self, process, config, response_class):
global sg_instance
sg_instance = self
self.name = "service_gateway"
self.process = process
self.config = config
self.response_class = response_class
self.gateway_base_url = process.gateway_base_url
self.develop_mode = self.config.get_safe(CFG_PREFIX +
".develop_mode") is True
self.require_login = self.config.get_safe(CFG_PREFIX +
".require_login") is True
self.token_from_session = self.config.get_safe(
CFG_PREFIX + ".token_from_session") is True
# Optional list of trusted originators can be specified in config.
self.trusted_originators = self.config.get_safe(CFG_PREFIX +
".trusted_originators")
if not self.trusted_originators:
self.trusted_originators = None
log.info(
"Service Gateway will not check requests against trusted originators since none are configured."
)
# Service screening
self.service_blacklist = self.config.get_safe(
CFG_PREFIX + ".service_blacklist") or []
self.service_whitelist = self.config.get_safe(
CFG_PREFIX + ".service_whitelist") or []
self.no_login_whitelist = set(
self.config.get_safe(CFG_PREFIX + ".no_login_whitelist") or [])
self.set_cors_headers = self.config.get_safe(CFG_PREFIX +
".set_cors") is True
self.strict_types = self.config.get_safe(CFG_PREFIX +
".strict_types") is True
# Swagger spec generation support
self.swagger_cfg = self.config.get_safe(CFG_PREFIX +
".swagger_spec") or {}
self._swagger_gen = None
if self.swagger_cfg.get("enable", None) is True:
self._swagger_gen = SwaggerSpecGenerator(config=self.swagger_cfg)
# Get the user_cache_size
self.user_cache_size = self.config.get_safe(
CFG_PREFIX + ".user_cache_size", DEFAULT_USER_CACHE_SIZE)
# Initialize an LRU Cache to keep user roles cached for performance reasons
#maxSize = maximum number of elements to keep in cache
#maxAgeMs = oldest entry to keep
self.user_role_cache = LRUCache(self.user_cache_size, 0, 0)
self.request_callback = None
self.log_errors = self.config.get_safe(CFG_PREFIX + ".log_errors",
True)
self.rr_client = ResourceRegistryServiceProcessClient(
process=self.process)
self.idm_client = IdentityManagementServiceProcessClient(
process=self.process)
self.org_client = OrgManagementServiceProcessClient(
process=self.process)
