Re: [Kimchi-devel] [PATCHv2 5/7] Split users and groups for permission query

On 10/28/2014 11:37 AM, lvroyce0210(a)gmail.com wrote: > From: Royce Lv <lvroyce(a)linux.vnet.ibm.com&gt; > > Put ldap validation in a single function to resue in authorization. > Tested: > 1. LDAP: > GET /host/users?_user_id=a_valid_user_id > GET /host/users?_user_id=invalid_user_id > GET /host/groups > 2. PAM: > GET /host/users > GET /host/groups As we will use the same API for LDAP and PAM, I suggest change the API /host/users to /users and /host/groups to /groups. Originally, /host/users and /host.groups were created because they are related to the host system which is not the case for LDAP config.

> > Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com&gt; > --- > src/kimchi/control/host.py | 7 +++++ > src/kimchi/i18n.py | 1 + > src/kimchi/model/host.py | 67 > ++++++++++++++++++++++++++++++++++++++++++++-- > 3 files changed, 73 insertions(+), 2 deletions(-) > > diff --git a/src/kimchi/control/host.py b/src/kimchi/control/host.py > index 7bcae72..20d4c2f 100644 > --- a/src/kimchi/control/host.py > +++ b/src/kimchi/control/host.py > @@ -20,6 +20,7 @@ > import cherrypy > > from kimchi.control.base import Collection, Resource, SimpleCollection > +from kimchi.control.utils import get_class_name, model_fn > from kimchi.control.utils import UrlSubNode, validate_method > from kimchi.exception import OperationFailed, NotFoundError > from kimchi.template import render > @@ -178,6 +179,12 @@ class Users(SimpleCollection): > super(Users, self).__init__(model) > self.role_key = 'guests' > > + def get(self, filter_params): > + res_list = [] > + get_list = getattr(self.model, model_fn(self, 'get_list')) > + res_list = get_list(*self.model_args, **filter_params) > + return render(get_class_name(self), res_list) > + > > class Groups(SimpleCollection): > def __init__(self, model): > diff --git a/src/kimchi/i18n.py b/src/kimchi/i18n.py > index 75fb076..27c0f44 100644 > --- a/src/kimchi/i18n.py > +++ b/src/kimchi/i18n.py > @@ -39,6 +39,7 @@ messages = { > "KCHAUTH0001E": _("Authentication failed for user '%(username)s'. > [Error code: %(code)s]"), > "KCHAUTH0002E": _("You are not authorized to access Kimchi"), > "KCHAUTH0003E": _("Specify %(item)s to login into Kimchi"), > + "KCHAUTH0004E": _("User %(user_id)s not found with given ldap > settings."), LDAP > "KCHDEVS0001E": _('Unknown "_cap" specified'), > "KCHDEVS0002E": _('"_passthrough" should be "true" or "false"'), > diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py > index 5d31809..a2f0941 100644 > --- a/src/kimchi/model/host.py > +++ b/src/kimchi/model/host.py > @@ -18,6 +18,7 @@ > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA > 02110-1301 USA > > import grp > +import ldap > import libvirt > import os > import time > @@ -32,6 +33,7 @@ from kimchi import disks > from kimchi import netinfo > from kimchi import xmlutils > from kimchi.basemodel import Singleton > +from kimchi.config import config > from kimchi.model import hostdev > from kimchi.exception import InvalidOperation, InvalidParameter > from kimchi.exception import NotFoundError, OperationFailed > @@ -459,17 +461,78 @@ class RepositoryModel(object): > > > class UsersModel(object): > + def __init__(self, **args): > + auth_type = config.get("authentication", "method") > + for klass in UsersModel.__subclasses__(): > + if auth_type == klass.auth_type: > + self.user = klass(**args) > + > + def get_list(self, **args): > + return self.user._get_list(**args) > + > + > +class PAMUsersModel(UsersModel): > + auth_type = 'pam' > def __init__(self, **kargs): > pass > > - def get_list(self): > + def _get_list(self): > return [user.pw_name for user in pwd.getpwall() > if user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]] > > > +class LDAPUsersModel(UsersModel): > + auth_type = 'ldap' > + def __init__(self, **kargs): > + pass > + > + def _get_list(self, _user_id=''): > + return self._get_user(_user_id) > + > + def _get_user(self, _user_id): > + ldap_server = config.get("authentication", "ldap_server").strip('"') > + ldap_search_base = config.get( > + "authentication", "ldap_search_base").strip('"') > + ldap_search_filter = config.get( > + "authentication", "ldap_search_filter", > + vars={"username": _user_id.encode("utf-8")}).strip('"') > + > + connect = ldap.open(ldap_server) > + try: > + result = connect.search_s( > + ldap_search_base, ldap.SCOPE_SUBTREE, ldap_search_filter) > + if len(result) == 0: > + raise NotFoundError("KCHAUTH0004E", {'user_id': _user_id}) > + return result[0][1] > + except ldap.NO_SUCH_OBJECT: > + raise NotFoundError("KCHAUTH0004E", {'user_id': _user_id}) > + > + > class GroupsModel(object): > + def __init__(self, **args): > + auth_type = config.get("authentication", "method") > + for klass in GroupsModel.__subclasses__(): > + if auth_type == klass.auth_type: > + self.grp = klass(**args) > + > + > + def get_list(self, **args): > + if hasattr(self.grp, '_get_list'): > + return self.grp._get_list(**args) > + else: > + return list() > + > + > +class PAMGroupsModel(GroupsModel): > + auth_type = 'pam' > def __init__(self, **kargs): > pass > > - def get_list(self): > + def _get_list(self): > return [group.gr_name for group in grp.getgrall()] > + > + > +class LDAPGroupsModel(GroupsModel): > + auth_type = 'ldap' > + def __init__(self, **kargs): > + pass _______________________________________________ Kimchi-devel mailing list Kimchi-devel(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel