Access control #324

Draft
wants to merge 8 commits into
base: main
mhasself (Member) commented Apr 4, 2023

Draft for inspection. Right now you can:

  • Change agents to require different access levels (1,2,3) for each op.
  • Specify the level2 and level3 access passwords as cmdline args to the instance.
  • Pass passwords through manually from clients (as in c1 below).
  • Have clients try to figure out what password to use based on a password config file and a requested access level (as in c2 below).

To demo, set up FakeDataAgent with additional argument:

    'arguments': [['--access-policy', 'override:fake-pw-2,fake-pw-3']]},

Consider these clients:

    c0 = ocs_client.OCSClient('faker4')
    c1 = ocs_client.OCSClient('faker4', privs='fake-pw-2')
    c2 = ocs_client.OCSClient('faker4', privs=2)

Try to start or stop delay_task on each ... :

    r = c.delay_task.start(delay=1)

The c0 should fail; c1 should work; c2 will raise an error because it can't find your ~/ocs-passwords.yaml file. Create it with just this inside:

    - agent-class: FakeDataAgent
      password-2: fake-pw-2

It doesn't have to be at ~/ocs-passwords.yaml ... override with envvar OCS_PASSWORDS_FILE=whatever.yaml
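
A model of the behaviour described in the comment above, added here as an example and not code from this PR or from ocs: the agent maps a supplied password to an access level, and the client turns `privs` into a password using the parsed passwords file. The function names are hypothetical. It assumes that no password means level 1, that a higher-level password satisfies lower requirements, and that `delay_task` requires level 2.

```python
import hmac

def parse_policy(arg):
    """Parse '--access-policy' values of the form 'override:<pw2>,<pw3>'."""
    kind, _, rest = arg.partition(":")
    passwords = rest.split(",")
    if kind != "override" or len(passwords) != 2 or not all(passwords):
        raise ValueError("expected 'override:<level2-pw>,<level3-pw>'")
    return {2: passwords[0], 3: passwords[1]}

def granted_level(policy, password):
    """Agent side: highest level the supplied password unlocks."""
    level = 1  # assumption: a client that sends no password gets level 1
    for lvl, expected in policy.items():
        # Constant-time compare so timing does not reveal a partial match.
        if password is not None and hmac.compare_digest(
                password.encode(), expected.encode()):
            level = max(level, lvl)
    return level

def resolve_privs(privs, agent_class, entries):
    """Client side: turn privs (None, plaintext str, or int level) into a password."""
    if privs is None or isinstance(privs, str):
        return privs
    if privs <= 1:
        return None
    key = f"password-{privs}"
    for entry in entries:
        if entry.get("agent-class") == agent_class and key in entry:
            return entry[key]
    raise KeyError(f"no {key} for {agent_class} in passwords file")

def op_allowed(policy, required_level, password):
    # assumption: a higher-level password also satisfies lower requirements
    return granted_level(policy, password) >= required_level

# Constructed sample data mirroring the demo in the comment above.
POLICY = parse_policy("override:fake-pw-2,fake-pw-3")
ENTRIES = [{"agent-class": "FakeDataAgent", "password-2": "fake-pw-2"}]  # parsed YAML
REQUIRED = 2  # assumption: delay_task was set to require level 2

def demo():
    """Return the outcome for clients c0, c1, c2 from the comment."""
    return [op_allowed(POLICY, REQUIRED, resolve_privs(p, "FakeDataAgent", ENTRIES))
            for p in (None, "fake-pw-2", 2)]

if __name__ == "__main__":
    print(demo())
```
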

mhasself and others added 8 commits March 25, 2023 22:23
These are passed to the OCSClient constructor as privs=plaintext, or
else as a simple access level request, e.g. privs=2.  In the latter
case a configuration file is parsed to determine the right password to
use.

This can be used to set level2/3 passwords, or to tell an agent to
listen to "the director", coming soon ...

This includes some modifications to util / fixture support for
specifying Access Control features (client privs, agent policy).