Module ganeti.rapi.auth.pam

Module interacting with PAM performing authorization and authentication

This module authenticates and authorizes RAPI users based on their credentials. Both actions are performed by interacting with PAM as the 'ganeti-rapi' service.

Classes
  PamHandleT
Wrapper for PamHandleT
  PamMessage
Wrapper for PamMessage
  PamResponse
Wrapper for PamResponse
  PamConv
Wrapper for PamConv
  CFunctions
  PamAuthenticator
Class providing an Authenticate method based on interaction with PAM.
Functions
  Authenticate(cf, pam_handle, authtok=None)
Performs authentication via PAM.
  PutPamEnvVariable(cf, pam_handle, name, value)
Wrapper over pam_setenv.
  Authorize(cf, pam_handle, uri_access_rights, uri=None, method=None, body=None)
Performs authorization via PAM.
  ValidateParams(username, _uri_access_rights, password, service, authtok, _uri, _method, _body)
Checks whether ValidateRequest has been called with correct parameters.
  ValidateRequest(cf, username, uri_access_rights, password=None, service=DEFAULT_SERVICE_NAME, authtok=None, uri=None, method=None, body=None)
Checks whether it is permitted to execute a RAPI request.
  MakeStringC(string)
Converts a string to a valid C string.
Variables
  c = None
  DEFAULT_SERVICE_NAME = 'ganeti-rapi'
  MAX_STR_LENGTH = 100000
  MAX_MSG_COUNT = 100
  PAM_ENV_URI = 'GANETI_RAPI_URI'
  PAM_ENV_BODY = 'GANETI_REQUEST_BODY'
  PAM_ENV_METHOD = 'GANETI_REQUEST_METHOD'
  PAM_ENV_ACCESS = 'GANETI_RESOURCE_ACCESS'
  PAM_ABORT = 26
  PAM_BUF_ERR = 5
  PAM_CONV_ERR = 19
  PAM_SILENT = 32768
  PAM_SUCCESS = 0
  PAM_PROMPT_ECHO_OFF = 1
  PAM_AUTHTOK = 6
  PAM_USER = 2
  CONV_FUNC = c.CFUNCTYPE(c.c_int, c.c_int, c.POINTER(c.POINTER(...

Imports: logging, util, constants, PamRapiAuthError, http, HttpServerRequestAuthentication, auth


Function Details

Authenticate(cf, pam_handle, authtok=None)

Performs authentication via PAM.

Performs two steps:

  • if authtok is provided then set it with pam_set_item
  • call pam_authenticate

Authorize(cf, pam_handle, uri_access_rights, uri=None, method=None, body=None)

Performs authorization via PAM.

Performs two steps:

  • initialize environmental variables
  • call pam_acct_mgmt

ValidateParams(username, _uri_access_rights, password, service, authtok, _uri, _method, _body)

Checks whether ValidateRequest has been called with correct parameters.

These checks include:

  • username is an obligatory parameter
  • either password or authtok is an obligatory parameter

ValidateRequest(cf, username, uri_access_rights, password=None, service=DEFAULT_SERVICE_NAME, authtok=None, uri=None, method=None, body=None)

Checks whether it is permitted to execute a RAPI request.

Calls pam_authenticate and then pam_acct_mgmt in order to check whether a request should be executed.

Parameters:
  • cf - An instance of CFunctions class containing necessary imports
  • username - username
  • uri_access_rights - handler access rights
  • password - password
  • service - a service name that will be used for the interaction with PAM
  • authtok - user's authentication token (e.g. some kind of signature)
  • uri - the URI of the target resource, obtained from an HTTP header
  • method - the HTTP method trying to access the URI
  • body - the body of the RAPI request
Returns:
On success, the authenticated user name. Throws an exception otherwise.

MakeStringC(string)

Converts a string to a valid C string.

Because the C side works with non-Unicode strings, the Unicode string is encoded with 'ascii'. The function also ensures that the C string is not longer than MAX_STR_LENGTH, in order to prevent attacks based on overly long buffers.


Variables Details

CONV_FUNC

Value:
c.CFUNCTYPE(c.c_int, c.c_int, c.POINTER(c.POINTER(PamMessage)), c.POINTER(c.POINTER(PamResponse)), c.c_void_p)
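
An example of a conversation callback matching the CONV_FUNC prototype above, with the bounded string conversion described for MakeStringC. It is added here for illustration and is not taken from the ganeti source. Assumptions: the struct layouts follow Linux-PAM's pam_message and pam_response, to_c_bytes and make_conversation are hypothetical names, rejecting (rather than truncating) over-long strings is this example's choice, and using MAX_MSG_COUNT as a cap on prompts per call is an assumption about that constant's purpose.

```python
import ctypes as c

# Constant values as listed on this page.
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR = 0, 5, 19
PAM_PROMPT_ECHO_OFF = 1
MAX_STR_LENGTH, MAX_MSG_COUNT = 100000, 100

class PamMessage(c.Structure):    # assumed layout: Linux-PAM struct pam_message
    _fields_ = [("msg_style", c.c_int), ("msg", c.c_char_p)]

class PamResponse(c.Structure):   # assumed layout: Linux-PAM struct pam_response
    _fields_ = [("resp", c.c_void_p), ("resp_retcode", c.c_int)]

CONV_FUNC = c.CFUNCTYPE(c.c_int, c.c_int, c.POINTER(c.POINTER(PamMessage)),
                        c.POINTER(c.POINTER(PamResponse)), c.c_void_p)

libc = c.CDLL(None)  # PAM releases replies with free(), so allocate via libc
libc.calloc.restype, libc.calloc.argtypes = c.c_void_p, [c.c_size_t, c.c_size_t]
libc.strdup.restype, libc.strdup.argtypes = c.c_void_p, [c.c_char_p]
libc.free.restype, libc.free.argtypes = None, [c.c_void_p]

def to_c_bytes(text):
    """Hypothetical helper: ASCII-only, NUL-free, length-bounded bytes."""
    data = text.encode("ascii")            # UnicodeEncodeError on non-ASCII
    if b"\0" in data or len(data) > MAX_STR_LENGTH:
        raise ValueError("string is not safe to pass to C")
    return data

def make_conversation(password):
    """Build a callback that answers hidden (echo-off) prompts with password."""
    secret = to_c_bytes(password)

    def conv(num_msg, msg, resp, _appdata):
        if not 0 < num_msg <= MAX_MSG_COUNT:   # refuse absurd prompt counts
            return PAM_CONV_ERR
        addr = libc.calloc(num_msg, c.sizeof(PamResponse))
        if not addr:
            return PAM_BUF_ERR
        replies = c.cast(addr, c.POINTER(PamResponse))
        for i in range(num_msg):
            if msg[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                replies[i].resp = libc.strdup(secret)
        resp[0] = replies                      # ownership passes to the caller
        return PAM_SUCCESS

    return CONV_FUNC(conv)  # caller must keep a reference while PAM may call it
```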