[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] Added configuration for authentication through Xen-API -- it can now be set



# HG changeset patch
# User Ewan Mellor <ewan@xxxxxxxxxxxxx>
# Node ID ee70bf177981280e5363ec8cd583c8a6223663f8
# Parent  018af1c94a5e12b73cb689f564a4b1b2d3108137
Added configuration for authentication through Xen-API -- it can now be set
to use PAM, or to be turned off entirely, on a listener by listener basis.

Listen on a different unix domain socket for the Xen-API server, so that it
can co-exist with the others.

Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>
---
 tools/examples/xend-config.sxp               |   38 ++++++++++++++++----------
 tools/python/xen/xend/XendAPI.py             |   12 ++++++--
 tools/python/xen/xend/XendAuthSessions.py    |   14 +++++++--
 tools/python/xen/xend/XendClient.py          |    1 
 tools/python/xen/xend/server/SrvServer.py    |   39 +++++++++++++++++----------
 tools/python/xen/xend/server/XMLRPCServer.py |   21 +++++++++-----
 6 files changed, 83 insertions(+), 42 deletions(-)

diff -r 018af1c94a5e -r ee70bf177981 tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp    Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/examples/xend-config.sxp    Tue Nov 28 11:31:46 2006 +0000
@@ -14,31 +14,41 @@
 #(logfile /var/log/xen/xend.log)
 #(loglevel DEBUG)
 
-# The Xen-API server configuration.  (Please note that this server is available
-# as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied upon).
+
+# The Xen-API server configuration.  (Please note that this server is
+# available as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied
+# upon).
 #
 # This value configures the ports, interfaces, and access controls for the
 # Xen-API server.  Each entry in the list starts with either unix, a port
 # number, or an address:port pair.  If this is "unix", then a UDP socket is
 # opened, and this entry applies to that.  If it is a port, then Xend will
-# listen on all interfaces on that TCP port, and if it is an address:port pair,
-# then Xend will listen on the specified port, using the interface with the
-# specified address.
+# listen on all interfaces on that TCP port, and if it is an address:port
+# pair, then Xend will listen on the specified port, using the interface with
+# the specified address.
 #
-# The subsequent string gives the access control for the listener in question. 
-# If this is missing or empty, then all connections are accepted.
-# Otherwise, this should be a space-separated sequence of regular expressions;
-# any host with a fully-qualified domain name or an IP address that matches one
-# of these regular expressions will be accepted.
+# The subsequent string configures the user-based access control for the
+# listener in question.  This can be one of "none" or "pam", indicating either
+# that users should be allowed access unconditionally, or that the local
+# Pluggable Authentication Modules configuration should be used.  If this
+# string is missing or empty, then "pam" is used.
 #
-# Example:
+# The final string gives the host-based access control for that listener. If
+# this is missing or empty, then all connections are accepted.  Otherwise,
+# this should be a space-separated sequence of regular expressions; any host
+# with a fully-qualified domain name or an IP address that matches one of
+# these regular expressions will be accepted.
 #
-#  Listen on TCP port 9363 on all interfaces, accepting connections only from
-#  machines in example.com or localhost.
-#  (xen-api-server ((9363 '^localhost$ example\\.com$')))
+# Example: listen on TCP port 9363 on all interfaces, accepting connections
+# only from machines in example.com or localhost, and allow access through
+# the unix domain socket unconditionally:
+#
+#   (xen-api-server ((9363 pam '^localhost$ example\\.com$')
+#                    (unix none)))
 #
 # Default:
 #   (xen-api-server ((unix)))
+
 
 #(xend-http-server no)
 #(xend-unix-server no)
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAPI.py
--- a/tools/python/xen/xend/XendAPI.py  Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendAPI.py  Tue Nov 28 11:31:46 2006 +0000
@@ -26,6 +26,9 @@ from xen.xend.XendLogging import log
 
 from xen.xend.XendAPIConstants import *
 from xen.util.xmlrpclib2 import stringify
+
+AUTH_NONE = 'none'
+AUTH_PAM = 'pam'
 
 # ------------------------------------------
 # Utility Methods for Xen API Implementation
@@ -275,12 +278,13 @@ class XendAPI:
     is set to the XMLRPC function name which the method implements.
     """
 
-    def __init__(self):
+    def __init__(self, auth):
         """Initialised Xen API wrapper by making sure all functions
         have the correct validation decorators such as L{valid_host}
         and L{session_required}.
         """
-        
+        self.auth = auth
+
         classes = {
             'session': (session_required,),
             'host': (valid_host, session_required),
@@ -388,7 +392,9 @@ class XendAPI:
 
     def session_login_with_password(self, username, password):
         try:
-            session = auth_manager().login_with_password(username, password)
+            session = (self.auth == AUTH_NONE and
+                       auth_manager().login_unconditionally(username) or
+                       auth_manager().login_with_password(username, password))
             return xen_api_success(session)
         except XendError, e:
             return xen_api_error(XEND_ERROR_AUTHENTICATION_FAILED)
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAuthSessions.py
--- a/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 11:31:46 2006 +0000
@@ -37,6 +37,16 @@ class XendAuthSessions:
     def init(self):
         pass
 
+    def login_unconditionally(self, username):
+        """Returns a session UUID if valid.
+
+        @rtype: string
+        @return: Session UUID
+        """
+        new_session = uuid.createString()
+        self.sessions[new_session] = (username, time.time())
+        return new_session
+
     def login_with_password(self, username, password):
         """Returns a session UUID if valid, otherwise raises an error.
 
@@ -45,9 +55,7 @@ class XendAuthSessions:
         @return: Session UUID
         """
         if self.is_authorized(username, password):
-            new_session = uuid.createString()
-            self.sessions[new_session] = (username, time.time())
-            return new_session
+            return login_unconditionally(username)
 
         raise XendError("Login failed")
 
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendClient.py
--- a/tools/python/xen/xend/XendClient.py       Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendClient.py       Tue Nov 28 11:31:46 2006 +0000
@@ -22,6 +22,7 @@ import sys
 import sys
 
 XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock"
+XEN_API_SOCKET = "/var/run/xend/xen-api.sock"
 
 ERROR_INTERNAL = 1
 ERROR_GENERIC = 2
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/server/SrvServer.py
--- a/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 11:31:46 2006 +0000
@@ -48,9 +48,10 @@ from threading import Thread
 
 from xen.web.httpserver import HttpServer, UnixHttpServer
 
-from xen.xend import XendRoot
+from xen.xend import XendRoot, XendAPI
 from xen.xend import Vifctl
 from xen.xend.XendLogging import log
+from xen.xend.XendClient import XEN_API_SOCKET
 from xen.web.SrvDir import SrvDir
 
 from SrvRoot import SrvRoot
@@ -153,28 +154,38 @@ def create():
     if api_cfg:
         try:
             addrs = [(str(x[0]).split(':'),
-                      len(x) > 1 and x[1] and map(re.compile, x[1].split(" "))
+                      len(x) > 1 and x[1] or XendAPI.AUTH_NONE,
+                      len(x) > 2 and x[2] and map(re.compile, x[2].split(" "))
                       or None)
                      for x in api_cfg]
-            for addrport, allowed in addrs:
+            for addrport, auth, allowed in addrs:
+                if auth not in [XendAPI.AUTH_PAM, XendAPI.AUTH_NONE]:
+                    log.error('Xen-API server configuration %s is invalid, ' +
+                              'as %s is not a valid authentication type.',
+                              api_cfg, auth)
+                    break
+
                 if len(addrport) == 1:
                     if addrport[0] == 'unix':
-                        servers.add(XMLRPCServer(allowed = allowed))
+                        servers.add(XMLRPCServer(auth,
+                                                 path = XEN_API_SOCKET,
+                                                 hosts_allowed = allowed))
                     else:
-                        servers.add(XMLRPCServer(True, '', int(addrport[0]),
-                                                 allowed = allowed))
+                        servers.add(
+                            XMLRPCServer(auth, True, '', int(addrport[0]),
+                                         hosts_allowed = allowed))
                 else:
                     addr, port = addrport
-                    servers.add(XMLRPCServer(True, addr, int(port),
-                                             allowed = allowed))
-        except ValueError:
-            log.error('Xen-API server configuration %s is invalid' % api_cfg)
-        except TypeError:
-            log.error('Xen-API server configuration %s is invalid' % api_cfg)
+                    servers.add(XMLRPCServer(auth, True, addr, int(port),
+                                             hosts_allowed = allowed))
+        except ValueError, exn:
+            log.error('Xen-API server configuration %s is invalid.', api_cfg)
+        except TypeError, exn:
+            log.error('Xen-API server configuration %s is invalid.', api_cfg)
 
     if xroot.get_xend_tcp_xmlrpc_server():
-        servers.add(XMLRPCServer(True))
+        servers.add(XMLRPCServer(XendAPI.AUTH_PAM, True))
 
     if xroot.get_xend_unix_xmlrpc_server():
-        servers.add(XMLRPCServer())
+        servers.add(XMLRPCServer(XendAPI.AUTH_PAM))
     return servers
diff -r 018af1c94a5e -r ee70bf177981 
tools/python/xen/xend/server/XMLRPCServer.py
--- a/tools/python/xen/xend/server/XMLRPCServer.py      Tue Nov 28 10:24:52 
2006 +0000
+++ b/tools/python/xen/xend/server/XMLRPCServer.py      Tue Nov 28 11:31:46 
2006 +0000
@@ -20,11 +20,10 @@ import xmlrpclib
 import xmlrpclib
 from xen.util.xmlrpclib2 import UnixXMLRPCServer, TCPXMLRPCServer
 
-from xen.xend import XendDomain, XendDomainInfo, XendNode
+from xen.xend import XendAPI, XendDomain, XendDomainInfo, XendNode
 from xen.xend import XendLogging, XendDmesg
 from xen.xend.XendClient import XML_RPC_SOCKET
 from xen.xend.XendLogging import log
-from xen.xend.XendAPI import XendAPI
 from xen.xend.XendError import XendInvalidDomain
 
 # vcpu_avail is a long and is not needed by the clients.  It's far easier
@@ -84,7 +83,7 @@ exclude = ['domain_create', 'domain_rest
 exclude = ['domain_create', 'domain_restore']
 
 class XMLRPCServer:
-    def __init__(self, use_tcp=False, host = "localhost", port = 8006,
+    def __init__(self, auth, use_tcp=False, host = "localhost", port = 8006,
                  path = XML_RPC_SOCKET, hosts_allowed = None):
         self.use_tcp = use_tcp
         self.port = port
@@ -94,22 +93,28 @@ class XMLRPCServer:
         
         self.ready = False        
         self.running = True
-        self.xenapi = XendAPI()
+        self.auth = auth
+        self.xenapi = XendAPI.XendAPI(auth)
         
     def run(self):
+        authmsg = (self.auth == XendAPI.AUTH_NONE and 
+                   "; authentication has been disabled for this server." or
+                   ".")
+
         if self.use_tcp:
-            log.info("Opening TCP XML-RPC server on %s%d.",
+            log.info("Opening TCP XML-RPC server on %s%d%s",
                      self.host and '%s:' % self.host or
                      'all interfaces, port ',
-                     self.port)
+                     self.port, authmsg)
             self.server = TCPXMLRPCServer((self.host, self.port),
                                           self.hosts_allowed,
                                           logRequests = False)
         else:
-            log.info("Opening Unix domain socket XML-RPC server on %s.",
-                     self.path)
+            log.info("Opening Unix domain socket XML-RPC server on %s%s",
+                     self.path, authmsg)
             self.server = UnixXMLRPCServer(self.path, self.hosts_allowed,
                                            logRequests = False)
+
 
         # Register Xen API Functions
         # -------------------------------------------------------------------

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.