Re: [PATCH master 6/7] Add an authenticated user name to an opcode's reason trail

Tue, 12 Jan 2016 06:30:43 -0800 

On Fri, Jan 08, 2016 at 03:40:39PM +0100, 'Oleg Ponomarev' via ganeti-devel 
wrote:
> The entry will have the following format:
> ("gnt:library:rlib2", "RAPI-Auth:user", *time*).
> 
> This entry in the reason trail might be useful in order to detect
> malicious rapi users or restrict access for some operations by filters.
> Note, that in the last case it's necessary to restrict access to

replace by "Note that, in the last case, it's necessary..."

> filters modification first.
> 
> Signed-off-by: Oleg Ponomarev <oponoma...@google.com>
> ---
>  lib/rapi/auth/__init__.py   |  5 +++--
>  lib/rapi/auth/basic_auth.py |  4 ++--
>  lib/rapi/auth/pam.py        | 30 +++++++++++++++++++++++-------
>  lib/rapi/baserlib.py        | 12 ++++++++++++
>  lib/rapi/rlib2.py           |  4 ++++
>  lib/server/rapi.py          |  9 ++++++++-
>  src/Ganeti/Constants.hs     |  4 ++++
>  7 files changed, 56 insertions(+), 12 deletions(-)
> 
> diff --git a/lib/rapi/auth/__init__.py b/lib/rapi/auth/__init__.py
> index bb43f2e..a146436 100644
> --- a/lib/rapi/auth/__init__.py
> +++ b/lib/rapi/auth/__init__.py
> @@ -45,8 +45,9 @@ class RapiAuthenticator(object):
>      @param req: HTTP request context
>      @type handler_access: set of strings
>      @param handler_access: access rights required by the requested resourse
> -    @rtype: bool
> -    @return: Whether request execution is permitted
> +    @rtype: str

shouldn't this read

 @rtype: string or None

?

> +    @return: the authenticated user name if request execution is permitted 
> and
> +             None otherwise
>  
>      """
>      raise NotImplementedError()
> diff --git a/lib/server/rapi.py b/lib/server/rapi.py
> index 24b939f..45628f6 100644
> --- a/lib/server/rapi.py
> +++ b/lib/server/rapi.py
> @@ -87,6 +87,7 @@ class 
> RemoteApiHandler(http.auth.HttpServerRequestAuthentication,
>      # it seems pylint doesn't see the second parent class there
>      http.server.HttpServerHandler.__init__(self)
>      http.auth.HttpServerRequestAuthentication.__init__(self)
> +
>      self._client_cls = _client_cls
>      self._resmap = connector.Mapper()

Unrelated whitespace change?

>      self._authenticator = authenticator

-- 
Klaus Aehlig
Google Germany GmbH, Dienerstr. 12, 80331 Muenchen
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschaeftsfuehrer: Matthew Scott Sucherman, Paul Terence Manicle

Reply via email to