Commit c2a4acd4 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Some rather crude privledge level hacks to allow admin people (real

shells on boss) to use the rpc server without an agent running.
Using the no-passphrase key, these changes allow us to use the server
from ops in a very restricted manner. This change is temporary, until
I have something better in place. In the meantime, admin people change
their auth keys files on *boss* as such:

command="/usr/testbed/sbin/sshxmlrpc_server.py -ro",from="ops.emulab.net" ... rest of emulab generated key ...

Note the -ro argument; very important!
parent 6ad13f71
......@@ -201,15 +201,20 @@ def CheckExptPermission(pid, eid):
# For example experiment.swapexp(...).
#
class EmulabServer:
def __init__(self):
def __init__(self, readonly=0):
self.readonly = readonly;
self.instances = {};
self.instances["emulab"] = emulab();
self.instances["user"] = user();
self.instances["fs"] = fs();
self.instances["imageid"] = imageid();
self.instances["osid"] = osid();
self.instances["experiment"] = experiment();
self.instances["node"] = node();
self.instances["experiment"] = experiment(readonly=self.readonly);
if readonly:
return
self.instances["emulab"] = emulab(readonly=self.readonly);
self.instances["user"] = user(readonly=self.readonly);
self.instances["fs"] = fs(readonly=self.readonly);
self.instances["imageid"] = imageid(readonly=self.readonly);
self.instances["osid"] = osid(readonly=self.readonly);
self.instances["node"] = node(readonly=self.readonly);
return
def __getattr__(self, name):
......@@ -217,7 +222,7 @@ class EmulabServer:
if len(dotted) != 2:
raise AttributeError("Bad name '%s'" % name)
if not self.instances.has_key(dotted[0]):
raise AttributeError("unknown subclass '%s'" % name)
raise AttributeError("unknown method '%s'" % name)
return getattr(self.instances[dotted[0]], dotted[1]);
pass
......@@ -227,8 +232,9 @@ class EmulabServer:
# whole.
#
class emulab:
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
#
......@@ -321,8 +327,9 @@ class emulab:
# specific information.
#
class user:
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
#
......@@ -426,8 +433,9 @@ class user:
# NFS exports.
#
class fs:
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
#
......@@ -603,8 +611,9 @@ class fs:
# This class implements the server side of the XMLRPC interface to image IDs.
#
class imageid:
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
def getlist(self, version, argdict):
......@@ -650,8 +659,9 @@ class imageid:
# This class implements the server side of the XMLRPC interface to OS IDs.
#
class osid:
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
def getlist(self, version, argdict):
......@@ -703,8 +713,9 @@ class experiment:
##
# Initialize the object. Currently only sets the objects 'VERSION' value.
#
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
##
......@@ -730,6 +741,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -753,6 +768,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -828,6 +847,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -945,6 +968,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -995,6 +1022,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1071,6 +1102,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1114,6 +1149,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1165,6 +1204,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1351,6 +1394,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1489,6 +1536,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1533,6 +1584,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1586,6 +1641,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1645,6 +1704,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1698,6 +1761,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1760,6 +1827,10 @@ class experiment:
output="Client version mismatch!");
pass
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1841,6 +1912,10 @@ class experiment:
output="Client version mismatch!");
pass
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1881,6 +1956,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1933,6 +2012,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -1987,6 +2070,10 @@ class experiment:
return EmulabResponse(RESPONSE_BADVERSION,
output="Client version mismatch!")
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -2037,6 +2124,10 @@ class experiment:
output="Client version mismatch!");
pass
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -2078,6 +2169,10 @@ class experiment:
output="Client version mismatch!");
pass
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -2157,6 +2252,10 @@ class experiment:
output="Client version mismatch!");
pass
if self.readonly:
return EmulabResponse(RESPONSE_FORBIDDEN,
output="Insufficient privledge to invoke method")
try:
checknologins()
pass
......@@ -2393,8 +2492,9 @@ class node:
##
# Initialize the object. Currently only sets the objects 'VERSION' value.
#
def __init__(self):
self.VERSION = VERSION
def __init__(self, readonly=0):
self.readonly = readonly;
self.VERSION = VERSION
return
#
......
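Review bot: The read-only restriction is enforced by a copy of `if self.readonly: return EmulabResponse(RESPONSE_FORBIDDEN, ...)` pasted into each `experiment` method, so it fails open: any method that lacks the block, now or when one is added later, stays callable from a read-only session. The hunks show only the middle of each method (the bodies start and end outside them), so it cannot be confirmed from here that every state-changing method received the guard. I would enforce the policy once in `EmulabServer.__getattr__`, before the final `getattr`, against an allow-list of the methods that are safe to expose, for example `if self.readonly and name not in READONLY_METHODS: raise AttributeError("method '%s' not permitted in read-only mode" % name)`, where `READONLY_METHODS` is a new constant to be defined. The same place should also reject a `dotted[1]` that begins with `_`, unless the sshxmlrpc wrapper already filters such names, so that only public methods can be dispatched on the object that carries the `readonly` flag.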
......@@ -18,6 +18,15 @@ from emulabserver import *
#
DEFAULT_MODULE = "EmulabServer"
module = DEFAULT_MODULE
ReadOnly = 0;
#
# Optional argument indicating read-only privs.
#
if len(sys.argv) > 1 and sys.argv[1] == "-ro":
ReadOnly = 1;
sys.argv = sys.argv[1:]
pass
#
# Optional argument indicates the specific module the server wants to use.
......@@ -33,7 +42,7 @@ if len(sys.argv) > 1:
# just a single request this way, and then exit.
#
# Construct and wrap our object.
server = eval(module + "()")
server = eval(module + "(readonly=" + str(ReadOnly) + ")")
wrapper = sshxmlrpc.SSHServerWrapper(server)
# Handle the request on stdin and send the response to stdout.
wrapper.serve_forever((sys.stdin, sys.stdout))
......
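Review bot: The changed line builds Python source from `module` and passes it to `eval`, and `module` is taken from `sys.argv` in code outside this hunk, so whatever reaches the command line is executed as an expression rather than looked up as a class name. Resolve the class from a fixed table and pass the flag as a real keyword argument, e.g. `server = SERVER_CLASSES[module](readonly=ReadOnly)`, with `SERVER_CLASSES` a new dict naming the classes that may be served (a proposed name, not one in the file). Also note that `ReadOnly` starts at 0 and is raised only when the first argument is exactly `-ro`, so a key entry that omits the flag runs with full privileges without any indication. A comment on `ReadOnly = 0;` saying so, or a log line recording the chosen mode, would make that visible.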