Xen project Mailing List

[Xen-changelog] [xen-unstable] Added configuration for authentication through Xen-API -- it can now be set

From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>

Date: Tue, 28 Nov 2006 13:40:33 +0000

Delivery-date: Tue, 28 Nov 2006 05:42:23 -0800

List-id: BK change log <xen-changelog.lists.xensource.com>

# HG changeset patch # User Ewan Mellor <ewan@xxxxxxxxxxxxx> # Node ID ee70bf177981280e5363ec8cd583c8a6223663f8 # Parent 018af1c94a5e12b73cb689f564a4b1b2d3108137 Added configuration for authentication through Xen-API -- it can now be set to use PAM, or to be turned off entirely, on a listener by listener basis. Listen on a different unix domain socket for the Xen-API server, so that it can co-exist with the others. Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx> --- tools/examples/xend-config.sxp | 38 ++++++++++++++++---------- tools/python/xen/xend/XendAPI.py | 12 ++++++-- tools/python/xen/xend/XendAuthSessions.py | 14 +++++++-- tools/python/xen/xend/XendClient.py | 1 tools/python/xen/xend/server/SrvServer.py | 39 +++++++++++++++++---------- tools/python/xen/xend/server/XMLRPCServer.py | 21 +++++++++----- 6 files changed, 83 insertions(+), 42 deletions(-) diff -r 018af1c94a5e -r ee70bf177981 tools/examples/xend-config.sxp --- a/tools/examples/xend-config.sxp Tue Nov 28 10:24:52 2006 +0000 +++ b/tools/examples/xend-config.sxp Tue Nov 28 11:31:46 2006 +0000 @@ -14,31 +14,41 @@ #(logfile /var/log/xen/xend.log) #(loglevel DEBUG) -# The Xen-API server configuration. (Please note that this server is available -# as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied upon). + +# The Xen-API server configuration. (Please note that this server is +# available as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied +# upon). # # This value configures the ports, interfaces, and access controls for the # Xen-API server. Each entry in the list starts with either unix, a port # number, or an address:port pair. If this is "unix", then a UDP socket is # opened, and this entry applies to that. If it is a port, then Xend will -# listen on all interfaces on that TCP port, and if it is an address:port pair, -# then Xend will listen on the specified port, using the interface with the -# specified address. +# listen on all interfaces on that TCP port, and if it is an address:port +# pair, then Xend will listen on the specified port, using the interface with +# the specified address. # -# The subsequent string gives the access control for the listener in question. -# If this is missing or empty, then all connections are accepted. -# Otherwise, this should be a space-separated sequence of regular expressions; -# any host with a fully-qualified domain name or an IP address that matches one -# of these regular expressions will be accepted. +# The subsequent string configures the user-based access control for the +# listener in question. This can be one of "none" or "pam", indicating either +# that users should be allowed access unconditionally, or that the local +# Pluggable Authentication Modules configuration should be used. If this +# string is missing or empty, then "pam" is used. # -# Example: +# The final string gives the host-based access control for that listener. If +# this is missing or empty, then all connections are accepted. Otherwise, +# this should be a space-separated sequence of regular expressions; any host +# with a fully-qualified domain name or an IP address that matches one of +# these regular expressions will be accepted. # -# Listen on TCP port 9363 on all interfaces, accepting connections only from -# machines in example.com or localhost. -# (xen-api-server ((9363 '^localhost$ example\\.com$'))) +# Example: listen on TCP port 9363 on all interfaces, accepting connections +# only from machines in example.com or localhost, and allow access through +# the unix domain socket unconditionally: +# +# (xen-api-server ((9363 pam '^localhost$ example\\.com$') +# (unix none))) # # Default: # (xen-api-server ((unix))) + #(xend-http-server no) #(xend-unix-server no) diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAPI.py --- a/tools/python/xen/xend/XendAPI.py Tue Nov 28 10:24:52 2006 +0000 +++ b/tools/python/xen/xend/XendAPI.py Tue Nov 28 11:31:46 2006 +0000 @@ -26,6 +26,9 @@ from xen.xend.XendLogging import log from xen.xend.XendAPIConstants import * from xen.util.xmlrpclib2 import stringify + +AUTH_NONE = 'none' +AUTH_PAM = 'pam' # ------------------------------------------ # Utility Methods for Xen API Implementation @@ -275,12 +278,13 @@ class XendAPI: is set to the XMLRPC function name which the method implements. """ - def __init__(self): + def __init__(self, auth): """Initialised Xen API wrapper by making sure all functions have the correct validation decorators such as L{valid_host} and L{session_required}. """ - + self.auth = auth + classes = { 'session': (session_required,), 'host': (valid_host, session_required), @@ -388,7 +392,9 @@ class XendAPI: def session_login_with_password(self, username, password): try: - session = auth_manager().login_with_password(username, password) + session = (self.auth == AUTH_NONE and + auth_manager().login_unconditionally(username) or + auth_manager().login_with_password(username, password)) return xen_api_success(session) except XendError, e: return xen_api_error(XEND_ERROR_AUTHENTICATION_FAILED) diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAuthSessions.py --- a/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 10:24:52 2006 +0000 +++ b/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 11:31:46 2006 +0000 @@ -37,6 +37,16 @@ class XendAuthSessions: def init(self): pass + def login_unconditionally(self, username): + """Returns a session UUID if valid. + + @rtype: string + @return: Session UUID + """ + new_session = uuid.createString() + self.sessions[new_session] = (username, time.time()) + return new_session + def login_with_password(self, username, password): """Returns a session UUID if valid, otherwise raises an error. @@ -45,9 +55,7 @@ class XendAuthSessions: @return: Session UUID """ if self.is_authorized(username, password): - new_session = uuid.createString() - self.sessions[new_session] = (username, time.time()) - return new_session + return login_unconditionally(username) raise XendError("Login failed") diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendClient.py --- a/tools/python/xen/xend/XendClient.py Tue Nov 28 10:24:52 2006 +0000 +++ b/tools/python/xen/xend/XendClient.py Tue Nov 28 11:31:46 2006 +0000 @@ -22,6 +22,7 @@ import sys import sys XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock" +XEN_API_SOCKET = "/var/run/xend/xen-api.sock" ERROR_INTERNAL = 1 ERROR_GENERIC = 2 diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/server/SrvServer.py --- a/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 10:24:52 2006 +0000 +++ b/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 11:31:46 2006 +0000 @@ -48,9 +48,10 @@ from threading import Thread from xen.web.httpserver import HttpServer, UnixHttpServer -from xen.xend import XendRoot +from xen.xend import XendRoot, XendAPI from xen.xend import Vifctl from xen.xend.XendLogging import log +from xen.xend.XendClient import XEN_API_SOCKET from xen.web.SrvDir import SrvDir from SrvRoot import SrvRoot @@ -153,28 +154,38 @@ def create(): if api_cfg: try: addrs = [(str(x[0]).split(':'), - len(x) > 1 and x[1] and map(re.compile, x[1].split(" ")) + len(x) > 1 and x[1] or XendAPI.AUTH_NONE, + len(x) > 2 and x[2] and map(re.compile, x[2].split(" ")) or None) for x in api_cfg] - for addrport, allowed in addrs: + for addrport, auth, allowed in addrs: + if auth not in [XendAPI.AUTH_PAM, XendAPI.AUTH_NONE]: + log.error('Xen-API server configuration %s is invalid, ' + + 'as %s is not a valid authentication type.', + api_cfg, auth) + break + if len(addrport) == 1: if addrport[0] == 'unix': - servers.add(XMLRPCServer(allowed = allowed)) + servers.add(XMLRPCServer(auth, + path = XEN_API_SOCKET, + hosts_allowed = allowed)) else: - servers.add(XMLRPCServer(True, '', int(addrport[0]), - allowed = allowed)) + servers.add( + XMLRPCServer(auth, True, '', int(addrport[0]), + hosts_allowed = allowed)) else: addr, port = addrport - servers.add(XMLRPCServer(True, addr, int(port), - allowed = allowed)) - except ValueError: - log.error('Xen-API server configuration %s is invalid' % api_cfg) - except TypeError: - log.error('Xen-API server configuration %s is invalid' % api_cfg) + servers.add(XMLRPCServer(auth, True, addr, int(port), + hosts_allowed = allowed)) + except ValueError, exn: + log.error('Xen-API server configuration %s is invalid.', api_cfg) + except TypeError, exn: + log.error('Xen-API server configuration %s is invalid.', api_cfg) if xroot.get_xend_tcp_xmlrpc_server(): - servers.add(XMLRPCServer(True)) + servers.add(XMLRPCServer(XendAPI.AUTH_PAM, True)) if xroot.get_xend_unix_xmlrpc_server(): - servers.add(XMLRPCServer()) + servers.add(XMLRPCServer(XendAPI.AUTH_PAM)) return servers diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/server/XMLRPCServer.py --- a/tools/python/xen/xend/server/XMLRPCServer.py Tue Nov 28 10:24:52 2006 +0000 +++ b/tools/python/xen/xend/server/XMLRPCServer.py Tue Nov 28 11:31:46 2006 +0000 @@ -20,11 +20,10 @@ import xmlrpclib import xmlrpclib from xen.util.xmlrpclib2 import UnixXMLRPCServer, TCPXMLRPCServer -from xen.xend import XendDomain, XendDomainInfo, XendNode +from xen.xend import XendAPI, XendDomain, XendDomainInfo, XendNode from xen.xend import XendLogging, XendDmesg from xen.xend.XendClient import XML_RPC_SOCKET from xen.xend.XendLogging import log -from xen.xend.XendAPI import XendAPI from xen.xend.XendError import XendInvalidDomain # vcpu_avail is a long and is not needed by the clients. It's far easier @@ -84,7 +83,7 @@ exclude = ['domain_create', 'domain_rest exclude = ['domain_create', 'domain_restore'] class XMLRPCServer: - def __init__(self, use_tcp=False, host = "localhost", port = 8006, + def __init__(self, auth, use_tcp=False, host = "localhost", port = 8006, path = XML_RPC_SOCKET, hosts_allowed = None): self.use_tcp = use_tcp self.port = port @@ -94,22 +93,28 @@ class XMLRPCServer: self.ready = False self.running = True - self.xenapi = XendAPI() + self.auth = auth + self.xenapi = XendAPI.XendAPI(auth) def run(self): + authmsg = (self.auth == XendAPI.AUTH_NONE and + "; authentication has been disabled for this server." or + ".") + if self.use_tcp: - log.info("Opening TCP XML-RPC server on %s%d.", + log.info("Opening TCP XML-RPC server on %s%d%s", self.host and '%s:' % self.host or 'all interfaces, port ', - self.port) + self.port, authmsg) self.server = TCPXMLRPCServer((self.host, self.port), self.hosts_allowed, logRequests = False) else: - log.info("Opening Unix domain socket XML-RPC server on %s.", - self.path) + log.info("Opening Unix domain socket XML-RPC server on %s%s", + self.path, authmsg) self.server = UnixXMLRPCServer(self.path, self.hosts_allowed, logRequests = False) + # Register Xen API Functions # ------------------------------------------------------------------- _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.