Пример #1
0
def authorize(name,
              element,
              tenant=False,
              operation='create',
              skipuserobj=False):
    #TODO: actually use the element to ascertain if this user is good enough
    """Determine whether the given authenticated name is authorized.

    :param name: The shortname authenticated by the authentication scheme
    :param element: The path being examined.
    :param tenant: The tenant under which the account exists (defaults to
                    detect from name)
    :param operation: Defaults to checking for 'create' level access

    returns None if authorization fails or a tuple of the user object
            and the relevant ConfigManager object for the context of the
            request.
    """
    if operation not in ('create', 'start', 'update', 'retrieve', 'delete'):
        return None
    user, tenant = _get_usertenant(name, tenant)
    if tenant is not None and not configmanager.is_tenant(tenant):
        return None
    manager = configmanager.ConfigManager(tenant, username=user)
    if skipuserobj:
        return None, manager, user, tenant, skipuserobj
    userobj = manager.get_user(user)
    if userobj:  # returning
        return userobj, manager, user, tenant, skipuserobj
    return None
Пример #2
0
def _get_usertenant(name, tenant=False):
    """_get_usertenant

    Convenience function to parse name into username and tenant.
    If tenant is explicitly passed in, then name must be the username
    tenant name with '/' is forbidden.  If '/' is seen in name, tenant
    is assumed to preface the /.
    If the username is a tenant name, then it is to be the implied
    administrator account a tenant gets.
    Otherwise, just assume a user in the default tenant
    """
    if not isinstance(tenant, bool):
        # if not boolean, it must be explicit tenant
        user = name
    elif '/' in name:  # tenant scoped name
        tenant, user = name.split('/', 1)
    elif configmanager.is_tenant(name):
        # the account is the implicit tenant owner account
        user = name
        tenant = name
    else:  # assume it is a non-tenant user account
        user = name
        tenant = None
    yield user
    yield tenant
Пример #3
0
def authorize(name, element, tenant=False, operation='create',
              skipuserobj=False):
    #TODO: actually use the element to ascertain if this user is good enough
    """Determine whether the given authenticated name is authorized.

    :param name: The shortname authenticated by the authentication scheme
    :param element: The path being examined.
    :param tenant: The tenant under which the account exists (defaults to
                    detect from name)
    :param operation: Defaults to checking for 'create' level access

    returns None if authorization fails or a tuple of the user object
            and the relevant ConfigManager object for the context of the
            request.
    """
    if operation not in ('create', 'start', 'update', 'retrieve', 'delete'):
        return None
    user, tenant = _get_usertenant(name, tenant)
    if tenant is not None and not configmanager.is_tenant(tenant):
        return None
    manager = configmanager.ConfigManager(tenant)
    if skipuserobj:
        return None, manager, user, tenant, skipuserobj
    userobj = manager.get_user(user)
    if userobj:  # returning
        return userobj, manager, user, tenant, skipuserobj
    return None
Пример #4
0
def _get_usertenant(name, tenant=False):
    """_get_usertenant

    Convenience function to parse name into username and tenant.
    If tenant is explicitly passed in, then name must be the username
    tenant name with '/' is forbidden.  If '/' is seen in name, tenant
    is assumed to preface the /.
    If the username is a tenant name, then it is to be the implied
    administrator account a tenant gets.
    Otherwise, just assume a user in the default tenant
    """
    if not isinstance(tenant, bool):
        # if not boolean, it must be explicit tenant
        user = name
    elif '/' in name:  # tenant scoped name
        tenant, user = name.split('/', 1)
    elif configmanager.is_tenant(name):
        # the account is the implicit tenant owner account
        user = name
        tenant = name
    else:  # assume it is a non-tenant user account
        user = name
        tenant = None
    yield user
    yield tenant
Пример #5
0
def authorize(name,
              element,
              tenant=False,
              operation='create',
              skipuserobj=False):
    #TODO: actually use the element to ascertain if this user is good enough
    """Determine whether the given authenticated name is authorized.

    :param name: The shortname authenticated by the authentication scheme
    :param element: The path being examined.
    :param tenant: The tenant under which the account exists (defaults to
                    detect from name)
    :param operation: Defaults to checking for 'create' level access

    returns None if authorization fails or a tuple of the user object
            and the relevant ConfigManager object for the context of the
            request.
    """
    # skipuserobj is a leftover from the now abandoned plan to use pam session
    # to do authorization and authentication.  Now confluent always does authorization
    # even if pam does authentication.
    if operation not in ('create', 'start', 'update', 'retrieve', 'delete',
                         None):
        return False
    user, tenant = _get_usertenant(name, tenant)
    if tenant is not None and not configmanager.is_tenant(tenant):
        return False
    manager = configmanager.ConfigManager(tenant, username=user)
    userobj = manager.get_user(user)
    if not userobj:
        for group in userutil.grouplist(user):
            userobj = manager.get_usergroup(group)
            if userobj:
                break
    if userobj:  # returning
        role = userobj.get('role', 'Administrator')
        if element and role != 'Administrator':
            for rule in _allowedbyrole.get(role, {}).get(operation, []):
                if fnmatch(element, rule):
                    break
            else:
                return False
            for rule in _deniedbyrole.get(role, {}).get(operation, []):
                if fnmatch(element, rule):
                    return False
        return userobj, manager, user, tenant, skipuserobj
    return False