WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] Added configuration for authentication th

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] Added configuration for authentication through Xen-API -- it can now be set
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 28 Nov 2006 13:40:33 +0000
Delivery-date: Tue, 28 Nov 2006 05:42:23 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Ewan Mellor <ewan@xxxxxxxxxxxxx>
# Node ID ee70bf177981280e5363ec8cd583c8a6223663f8
# Parent  018af1c94a5e12b73cb689f564a4b1b2d3108137
Added configuration for authentication through Xen-API -- it can now be set
to use PAM, or to be turned off entirely, on a listener by listener basis.

Listen on a different unix domain socket for the Xen-API server, so that it
can co-exist with the others.

Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>
---
 tools/examples/xend-config.sxp               |   38 ++++++++++++++++----------
 tools/python/xen/xend/XendAPI.py             |   12 ++++++--
 tools/python/xen/xend/XendAuthSessions.py    |   14 +++++++--
 tools/python/xen/xend/XendClient.py          |    1 
 tools/python/xen/xend/server/SrvServer.py    |   39 +++++++++++++++++----------
 tools/python/xen/xend/server/XMLRPCServer.py |   21 +++++++++-----
 6 files changed, 83 insertions(+), 42 deletions(-)

diff -r 018af1c94a5e -r ee70bf177981 tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp    Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/examples/xend-config.sxp    Tue Nov 28 11:31:46 2006 +0000
@@ -14,31 +14,41 @@
 #(logfile /var/log/xen/xend.log)
 #(loglevel DEBUG)
 
-# The Xen-API server configuration.  (Please note that this server is available
-# as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied upon).
+
+# The Xen-API server configuration.  (Please note that this server is
+# available as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied
+# upon).
 #
 # This value configures the ports, interfaces, and access controls for the
 # Xen-API server.  Each entry in the list starts with either unix, a port
 # number, or an address:port pair.  If this is "unix", then a UDP socket is
 # opened, and this entry applies to that.  If it is a port, then Xend will
-# listen on all interfaces on that TCP port, and if it is an address:port pair,
-# then Xend will listen on the specified port, using the interface with the
-# specified address.
+# listen on all interfaces on that TCP port, and if it is an address:port
+# pair, then Xend will listen on the specified port, using the interface with
+# the specified address.
 #
-# The subsequent string gives the access control for the listener in question. 
-# If this is missing or empty, then all connections are accepted.
-# Otherwise, this should be a space-separated sequence of regular expressions;
-# any host with a fully-qualified domain name or an IP address that matches one
-# of these regular expressions will be accepted.
+# The subsequent string configures the user-based access control for the
+# listener in question.  This can be one of "none" or "pam", indicating either
+# that users should be allowed access unconditionally, or that the local
+# Pluggable Authentication Modules configuration should be used.  If this
+# string is missing or empty, then "pam" is used.
 #
-# Example:
+# The final string gives the host-based access control for that listener. If
+# this is missing or empty, then all connections are accepted.  Otherwise,
+# this should be a space-separated sequence of regular expressions; any host
+# with a fully-qualified domain name or an IP address that matches one of
+# these regular expressions will be accepted.
 #
-#  Listen on TCP port 9363 on all interfaces, accepting connections only from
-#  machines in example.com or localhost.
-#  (xen-api-server ((9363 '^localhost$ example\\.com$')))
+# Example: listen on TCP port 9363 on all interfaces, accepting connections
+# only from machines in example.com or localhost, and allow access through
+# the unix domain socket unconditionally:
+#
+#   (xen-api-server ((9363 pam '^localhost$ example\\.com$')
+#                    (unix none)))
 #
 # Default:
 #   (xen-api-server ((unix)))
+
 
 #(xend-http-server no)
 #(xend-unix-server no)
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAPI.py
--- a/tools/python/xen/xend/XendAPI.py  Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendAPI.py  Tue Nov 28 11:31:46 2006 +0000
@@ -26,6 +26,9 @@ from xen.xend.XendLogging import log
 
 from xen.xend.XendAPIConstants import *
 from xen.util.xmlrpclib2 import stringify
+
+AUTH_NONE = 'none'
+AUTH_PAM = 'pam'
 
 # ------------------------------------------
 # Utility Methods for Xen API Implementation
@@ -275,12 +278,13 @@ class XendAPI:
     is set to the XMLRPC function name which the method implements.
     """
 
-    def __init__(self):
+    def __init__(self, auth):
         """Initialised Xen API wrapper by making sure all functions
         have the correct validation decorators such as L{valid_host}
         and L{session_required}.
         """
-        
+        self.auth = auth
+
         classes = {
             'session': (session_required,),
             'host': (valid_host, session_required),
@@ -388,7 +392,9 @@ class XendAPI:
 
     def session_login_with_password(self, username, password):
         try:
-            session = auth_manager().login_with_password(username, password)
+            session = (self.auth == AUTH_NONE and
+                       auth_manager().login_unconditionally(username) or
+                       auth_manager().login_with_password(username, password))
             return xen_api_success(session)
         except XendError, e:
             return xen_api_error(XEND_ERROR_AUTHENTICATION_FAILED)
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAuthSessions.py
--- a/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 11:31:46 2006 +0000
@@ -37,6 +37,16 @@ class XendAuthSessions:
     def init(self):
         pass
 
+    def login_unconditionally(self, username):
+        """Returns a session UUID if valid.
+
+        @rtype: string
+        @return: Session UUID
+        """
+        new_session = uuid.createString()
+        self.sessions[new_session] = (username, time.time())
+        return new_session
+
     def login_with_password(self, username, password):
         """Returns a session UUID if valid, otherwise raises an error.
 
@@ -45,9 +55,7 @@ class XendAuthSessions:
         @return: Session UUID
         """
         if self.is_authorized(username, password):
-            new_session = uuid.createString()
-            self.sessions[new_session] = (username, time.time())
-            return new_session
+            return login_unconditionally(username)
 
         raise XendError("Login failed")
 
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendClient.py
--- a/tools/python/xen/xend/XendClient.py       Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendClient.py       Tue Nov 28 11:31:46 2006 +0000
@@ -22,6 +22,7 @@ import sys
 import sys
 
 XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock"
+XEN_API_SOCKET = "/var/run/xend/xen-api.sock"
 
 ERROR_INTERNAL = 1
 ERROR_GENERIC = 2
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/server/SrvServer.py
--- a/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 11:31:46 2006 +0000
@@ -48,9 +48,10 @@ from threading import Thread
 
 from xen.web.httpserver import HttpServer, UnixHttpServer
 
-from xen.xend import XendRoot
+from xen.xend import XendRoot, XendAPI
 from xen.xend import Vifctl
 from xen.xend.XendLogging import log
+from xen.xend.XendClient import XEN_API_SOCKET
 from xen.web.SrvDir import SrvDir
 
 from SrvRoot import SrvRoot
@@ -153,28 +154,38 @@ def create():
     if api_cfg:
         try:
             addrs = [(str(x[0]).split(':'),
-                      len(x) > 1 and x[1] and map(re.compile, x[1].split(" "))
+                      len(x) > 1 and x[1] or XendAPI.AUTH_NONE,
+                      len(x) > 2 and x[2] and map(re.compile, x[2].split(" "))
                       or None)
                      for x in api_cfg]
-            for addrport, allowed in addrs:
+            for addrport, auth, allowed in addrs:
+                if auth not in [XendAPI.AUTH_PAM, XendAPI.AUTH_NONE]:
+                    log.error('Xen-API server configuration %s is invalid, ' +
+                              'as %s is not a valid authentication type.',
+                              api_cfg, auth)
+                    break
+
                 if len(addrport) == 1:
                     if addrport[0] == 'unix':
-                        servers.add(XMLRPCServer(allowed = allowed))
+                        servers.add(XMLRPCServer(auth,
+                                                 path = XEN_API_SOCKET,
+                                                 hosts_allowed = allowed))
                     else:
-                        servers.add(XMLRPCServer(True, '', int(addrport[0]),
-                                                 allowed = allowed))
+                        servers.add(
+                            XMLRPCServer(auth, True, '', int(addrport[0]),
+                                         hosts_allowed = allowed))
                 else:
                     addr, port = addrport
-                    servers.add(XMLRPCServer(True, addr, int(port),
-                                             allowed = allowed))
-        except ValueError:
-            log.error('Xen-API server configuration %s is invalid' % api_cfg)
-        except TypeError:
-            log.error('Xen-API server configuration %s is invalid' % api_cfg)
+                    servers.add(XMLRPCServer(auth, True, addr, int(port),
+                                             hosts_allowed = allowed))
+        except ValueError, exn:
+            log.error('Xen-API server configuration %s is invalid.', api_cfg)
+        except TypeError, exn:
+            log.error('Xen-API server configuration %s is invalid.', api_cfg)
 
     if xroot.get_xend_tcp_xmlrpc_server():
-        servers.add(XMLRPCServer(True))
+        servers.add(XMLRPCServer(XendAPI.AUTH_PAM, True))
 
     if xroot.get_xend_unix_xmlrpc_server():
-        servers.add(XMLRPCServer())
+        servers.add(XMLRPCServer(XendAPI.AUTH_PAM))
     return servers
diff -r 018af1c94a5e -r ee70bf177981 
tools/python/xen/xend/server/XMLRPCServer.py
--- a/tools/python/xen/xend/server/XMLRPCServer.py      Tue Nov 28 10:24:52 
2006 +0000
+++ b/tools/python/xen/xend/server/XMLRPCServer.py      Tue Nov 28 11:31:46 
2006 +0000
@@ -20,11 +20,10 @@ import xmlrpclib
 import xmlrpclib
 from xen.util.xmlrpclib2 import UnixXMLRPCServer, TCPXMLRPCServer
 
-from xen.xend import XendDomain, XendDomainInfo, XendNode
+from xen.xend import XendAPI, XendDomain, XendDomainInfo, XendNode
 from xen.xend import XendLogging, XendDmesg
 from xen.xend.XendClient import XML_RPC_SOCKET
 from xen.xend.XendLogging import log
-from xen.xend.XendAPI import XendAPI
 from xen.xend.XendError import XendInvalidDomain
 
 # vcpu_avail is a long and is not needed by the clients.  It's far easier
@@ -84,7 +83,7 @@ exclude = ['domain_create', 'domain_rest
 exclude = ['domain_create', 'domain_restore']
 
 class XMLRPCServer:
-    def __init__(self, use_tcp=False, host = "localhost", port = 8006,
+    def __init__(self, auth, use_tcp=False, host = "localhost", port = 8006,
                  path = XML_RPC_SOCKET, hosts_allowed = None):
         self.use_tcp = use_tcp
         self.port = port
@@ -94,22 +93,28 @@ class XMLRPCServer:
         
         self.ready = False        
         self.running = True
-        self.xenapi = XendAPI()
+        self.auth = auth
+        self.xenapi = XendAPI.XendAPI(auth)
         
     def run(self):
+        authmsg = (self.auth == XendAPI.AUTH_NONE and 
+                   "; authentication has been disabled for this server." or
+                   ".")
+
         if self.use_tcp:
-            log.info("Opening TCP XML-RPC server on %s%d.",
+            log.info("Opening TCP XML-RPC server on %s%d%s",
                      self.host and '%s:' % self.host or
                      'all interfaces, port ',
-                     self.port)
+                     self.port, authmsg)
             self.server = TCPXMLRPCServer((self.host, self.port),
                                           self.hosts_allowed,
                                           logRequests = False)
         else:
-            log.info("Opening Unix domain socket XML-RPC server on %s.",
-                     self.path)
+            log.info("Opening Unix domain socket XML-RPC server on %s%s",
+                     self.path, authmsg)
             self.server = UnixXMLRPCServer(self.path, self.hosts_allowed,
                                            logRequests = False)
+
 
         # Register Xen API Functions
         # -------------------------------------------------------------------

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] Added configuration for authentication through Xen-API -- it can now be set, Xen patchbot-unstable <=