# HG changeset patch
# User Ewan Mellor <ewan@xxxxxxxxxxxxx>
# Node ID ee70bf177981280e5363ec8cd583c8a6223663f8
# Parent 018af1c94a5e12b73cb689f564a4b1b2d3108137
Added configuration for authentication through Xen-API -- it can now be set
to use PAM, or to be turned off entirely, on a listener by listener basis.
Listen on a different unix domain socket for the Xen-API server, so that it
can co-exist with the others.
Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>
---
tools/examples/xend-config.sxp | 38 ++++++++++++++++----------
tools/python/xen/xend/XendAPI.py | 12 ++++++--
tools/python/xen/xend/XendAuthSessions.py | 14 +++++++--
tools/python/xen/xend/XendClient.py | 1
tools/python/xen/xend/server/SrvServer.py | 39 +++++++++++++++++----------
tools/python/xen/xend/server/XMLRPCServer.py | 21 +++++++++-----
6 files changed, 83 insertions(+), 42 deletions(-)
diff -r 018af1c94a5e -r ee70bf177981 tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/examples/xend-config.sxp Tue Nov 28 11:31:46 2006 +0000
@@ -14,31 +14,41 @@
#(logfile /var/log/xen/xend.log)
#(loglevel DEBUG)
-# The Xen-API server configuration. (Please note that this server is available
-# as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied upon).
+
+# The Xen-API server configuration. (Please note that this server is
+# available as an UNSUPPORTED PREVIEW in Xen 3.0.4, and should not be relied
+# upon).
#
# This value configures the ports, interfaces, and access controls for the
# Xen-API server. Each entry in the list starts with either unix, a port
# number, or an address:port pair. If this is "unix", then a UDP socket is
# opened, and this entry applies to that. If it is a port, then Xend will
-# listen on all interfaces on that TCP port, and if it is an address:port pair,
-# then Xend will listen on the specified port, using the interface with the
-# specified address.
+# listen on all interfaces on that TCP port, and if it is an address:port
+# pair, then Xend will listen on the specified port, using the interface with
+# the specified address.
#
-# The subsequent string gives the access control for the listener in question.
-# If this is missing or empty, then all connections are accepted.
-# Otherwise, this should be a space-separated sequence of regular expressions;
-# any host with a fully-qualified domain name or an IP address that matches one
-# of these regular expressions will be accepted.
+# The subsequent string configures the user-based access control for the
+# listener in question. This can be one of "none" or "pam", indicating either
+# that users should be allowed access unconditionally, or that the local
+# Pluggable Authentication Modules configuration should be used. If this
+# string is missing or empty, then "pam" is used.
#
-# Example:
+# The final string gives the host-based access control for that listener. If
+# this is missing or empty, then all connections are accepted. Otherwise,
+# this should be a space-separated sequence of regular expressions; any host
+# with a fully-qualified domain name or an IP address that matches one of
+# these regular expressions will be accepted.
#
-# Listen on TCP port 9363 on all interfaces, accepting connections only from
-# machines in example.com or localhost.
-# (xen-api-server ((9363 '^localhost$ example\\.com$')))
+# Example: listen on TCP port 9363 on all interfaces, accepting connections
+# only from machines in example.com or localhost, and allow access through
+# the unix domain socket unconditionally:
+#
+# (xen-api-server ((9363 pam '^localhost$ example\\.com$')
+# (unix none)))
#
# Default:
# (xen-api-server ((unix)))
+
#(xend-http-server no)
#(xend-unix-server no)
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAPI.py
--- a/tools/python/xen/xend/XendAPI.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendAPI.py Tue Nov 28 11:31:46 2006 +0000
@@ -26,6 +26,9 @@ from xen.xend.XendLogging import log
from xen.xend.XendAPIConstants import *
from xen.util.xmlrpclib2 import stringify
+
+AUTH_NONE = 'none'
+AUTH_PAM = 'pam'
# ------------------------------------------
# Utility Methods for Xen API Implementation
@@ -275,12 +278,13 @@ class XendAPI:
is set to the XMLRPC function name which the method implements.
"""
- def __init__(self):
+ def __init__(self, auth):
"""Initialised Xen API wrapper by making sure all functions
have the correct validation decorators such as L{valid_host}
and L{session_required}.
"""
-
+ self.auth = auth
+
classes = {
'session': (session_required,),
'host': (valid_host, session_required),
@@ -388,7 +392,9 @@ class XendAPI:
def session_login_with_password(self, username, password):
try:
- session = auth_manager().login_with_password(username, password)
+ session = (self.auth == AUTH_NONE and
+ auth_manager().login_unconditionally(username) or
+ auth_manager().login_with_password(username, password))
return xen_api_success(session)
except XendError, e:
return xen_api_error(XEND_ERROR_AUTHENTICATION_FAILED)
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendAuthSessions.py
--- a/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendAuthSessions.py Tue Nov 28 11:31:46 2006 +0000
@@ -37,6 +37,16 @@ class XendAuthSessions:
def init(self):
pass
+ def login_unconditionally(self, username):
+ """Returns a session UUID if valid.
+
+ @rtype: string
+ @return: Session UUID
+ """
+ new_session = uuid.createString()
+ self.sessions[new_session] = (username, time.time())
+ return new_session
+
def login_with_password(self, username, password):
"""Returns a session UUID if valid, otherwise raises an error.
@@ -45,9 +55,7 @@ class XendAuthSessions:
@return: Session UUID
"""
if self.is_authorized(username, password):
- new_session = uuid.createString()
- self.sessions[new_session] = (username, time.time())
- return new_session
+ return login_unconditionally(username)
raise XendError("Login failed")
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/XendClient.py
--- a/tools/python/xen/xend/XendClient.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/XendClient.py Tue Nov 28 11:31:46 2006 +0000
@@ -22,6 +22,7 @@ import sys
import sys
XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock"
+XEN_API_SOCKET = "/var/run/xend/xen-api.sock"
ERROR_INTERNAL = 1
ERROR_GENERIC = 2
diff -r 018af1c94a5e -r ee70bf177981 tools/python/xen/xend/server/SrvServer.py
--- a/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 10:24:52 2006 +0000
+++ b/tools/python/xen/xend/server/SrvServer.py Tue Nov 28 11:31:46 2006 +0000
@@ -48,9 +48,10 @@ from threading import Thread
from xen.web.httpserver import HttpServer, UnixHttpServer
-from xen.xend import XendRoot
+from xen.xend import XendRoot, XendAPI
from xen.xend import Vifctl
from xen.xend.XendLogging import log
+from xen.xend.XendClient import XEN_API_SOCKET
from xen.web.SrvDir import SrvDir
from SrvRoot import SrvRoot
@@ -153,28 +154,38 @@ def create():
if api_cfg:
try:
addrs = [(str(x[0]).split(':'),
- len(x) > 1 and x[1] and map(re.compile, x[1].split(" "))
+ len(x) > 1 and x[1] or XendAPI.AUTH_NONE,
+ len(x) > 2 and x[2] and map(re.compile, x[2].split(" "))
or None)
for x in api_cfg]
- for addrport, allowed in addrs:
+ for addrport, auth, allowed in addrs:
+ if auth not in [XendAPI.AUTH_PAM, XendAPI.AUTH_NONE]:
+ log.error('Xen-API server configuration %s is invalid, ' +
+ 'as %s is not a valid authentication type.',
+ api_cfg, auth)
+ break
+
if len(addrport) == 1:
if addrport[0] == 'unix':
- servers.add(XMLRPCServer(allowed = allowed))
+ servers.add(XMLRPCServer(auth,
+ path = XEN_API_SOCKET,
+ hosts_allowed = allowed))
else:
- servers.add(XMLRPCServer(True, '', int(addrport[0]),
- allowed = allowed))
+ servers.add(
+ XMLRPCServer(auth, True, '', int(addrport[0]),
+ hosts_allowed = allowed))
else:
addr, port = addrport
- servers.add(XMLRPCServer(True, addr, int(port),
- allowed = allowed))
- except ValueError:
- log.error('Xen-API server configuration %s is invalid' % api_cfg)
- except TypeError:
- log.error('Xen-API server configuration %s is invalid' % api_cfg)
+ servers.add(XMLRPCServer(auth, True, addr, int(port),
+ hosts_allowed = allowed))
+ except ValueError, exn:
+ log.error('Xen-API server configuration %s is invalid.', api_cfg)
+ except TypeError, exn:
+ log.error('Xen-API server configuration %s is invalid.', api_cfg)
if xroot.get_xend_tcp_xmlrpc_server():
- servers.add(XMLRPCServer(True))
+ servers.add(XMLRPCServer(XendAPI.AUTH_PAM, True))
if xroot.get_xend_unix_xmlrpc_server():
- servers.add(XMLRPCServer())
+ servers.add(XMLRPCServer(XendAPI.AUTH_PAM))
return servers
diff -r 018af1c94a5e -r ee70bf177981
tools/python/xen/xend/server/XMLRPCServer.py
--- a/tools/python/xen/xend/server/XMLRPCServer.py Tue Nov 28 10:24:52
2006 +0000
+++ b/tools/python/xen/xend/server/XMLRPCServer.py Tue Nov 28 11:31:46
2006 +0000
@@ -20,11 +20,10 @@ import xmlrpclib
import xmlrpclib
from xen.util.xmlrpclib2 import UnixXMLRPCServer, TCPXMLRPCServer
-from xen.xend import XendDomain, XendDomainInfo, XendNode
+from xen.xend import XendAPI, XendDomain, XendDomainInfo, XendNode
from xen.xend import XendLogging, XendDmesg
from xen.xend.XendClient import XML_RPC_SOCKET
from xen.xend.XendLogging import log
-from xen.xend.XendAPI import XendAPI
from xen.xend.XendError import XendInvalidDomain
# vcpu_avail is a long and is not needed by the clients. It's far easier
@@ -84,7 +83,7 @@ exclude = ['domain_create', 'domain_rest
exclude = ['domain_create', 'domain_restore']
class XMLRPCServer:
- def __init__(self, use_tcp=False, host = "localhost", port = 8006,
+ def __init__(self, auth, use_tcp=False, host = "localhost", port = 8006,
path = XML_RPC_SOCKET, hosts_allowed = None):
self.use_tcp = use_tcp
self.port = port
@@ -94,22 +93,28 @@ class XMLRPCServer:
self.ready = False
self.running = True
- self.xenapi = XendAPI()
+ self.auth = auth
+ self.xenapi = XendAPI.XendAPI(auth)
def run(self):
+ authmsg = (self.auth == XendAPI.AUTH_NONE and
+ "; authentication has been disabled for this server." or
+ ".")
+
if self.use_tcp:
- log.info("Opening TCP XML-RPC server on %s%d.",
+ log.info("Opening TCP XML-RPC server on %s%d%s",
self.host and '%s:' % self.host or
'all interfaces, port ',
- self.port)
+ self.port, authmsg)
self.server = TCPXMLRPCServer((self.host, self.port),
self.hosts_allowed,
logRequests = False)
else:
- log.info("Opening Unix domain socket XML-RPC server on %s.",
- self.path)
+ log.info("Opening Unix domain socket XML-RPC server on %s%s",
+ self.path, authmsg)
self.server = UnixXMLRPCServer(self.path, self.hosts_allowed,
logRequests = False)
+
# Register Xen API Functions
# -------------------------------------------------------------------
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
Home