FireRole Internals

The "Firewall like role definition engine" (FireRole) is a tool for formally
describing sets of users and for checking whether a given user belongs to such a set.

FireRole rules are strings written in the FireRole language, as defined on the FireRole language description page.

To use FireRole rules with the engine you first have to compile these strings with
the compile_role_definition function.

The compiled form can be serialized and stored in a database with the provided
serialize function and later loaded again with deserialize.

To build a user description, use collect_user_info from the webuser module.
Given a mod_python request object or an id_user, this function returns a
dictionary with all the collectable user information (when the request object
is used, this also includes the IP address and the host of the user).

Passing both the user_info dictionary and the compiled (deserialized) FireRole
definition to the acc_firerole_check_user function returns a boolean value
stating whether the user belongs to the set described by that definition.

FireRole definitions are integrated with accROLEs: you can pass a uid, a request
object or a user_info dictionary to acc_authorize_action. If necessary,
collect_user_info is called implicitly, and the user's authorizations are checked
first against direct traditional uid membership and then against FireRole
definitions.

API

from webuser:

    def collect_user_info(req):
        """Given the mod_python request object req or a uid, return a dictionary
        containing at least the keys uid, nickname, email and groups, plus any
        external keys in the user preferences (collected at login time and built
        by the different external authentication plugins) and, if the mod_python
        request object is provided, also the remote_ip and remote_host fields."""

from access_control_firerole:

    def compile_role_definition(FireRole_def_src):
        """Given a text in which every row contains a rule, return the compiled
        object definition. Rules have the following syntax:

            allow|deny [not] field {list of one or more (double)quoted strings or regexps}
        or
            allow|deny any

        Every row may contain a # sign followed by a comment, which is discarded.
        Field can be any key contained in a user_info dictionary. If the key does
        not exist in the dictionary, the rule is skipped. The first rule that
        matches returns."""

    def serialize(FireRole_def_obj):
        """Serialize and compress a definition."""

    def deserialize(FireRole_def_ser):
        """Deserialize and decompress a definition."""

    def acc_firerole_check_user(user_info, firerole_def_obj):
        """Given a user_info dictionary, match the rules inside the deserialized
        compiled definition in order to discover whether the current user matches
        the roles corresponding to this definition.
        @param user_info a dict produced by collect_user_info which contains every
            info about a user
        @param firerole_def_obj a compiled deserialized definition produced by
            compile_role_definition
        @return True if the user matches the definition, False otherwise."""
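As an added illustration (not Invenio's own code), the following is a minimal re-implementation of the rule compiler, the first-match checker and the serialize/deserialize pair described above. It assumes that regexps are written as /pattern/, that a list-valued field such as group matches when any of its elements matches, and that a definition in which no rule matches denies.

```python
import pickle
import re
import zlib

# Illustrative re-implementation of the FireRole engine (not Invenio's code). Assumed:
# regexps are /pattern/, list-valued fields match on any element, no match means deny.
_RULE = re.compile(r'^(allow|deny)\s+(?:(any)|(not\s+)?(\w+)\s+(.+))$', re.I)
_TERM = re.compile(r'"([^"]*)"|/([^/]*)/')   # "literal string" or /regexp/


def compile_role_definition(firerole_def_src):
    """Compile one rule per row into a list of (allow, negate, field, patterns)."""
    rules = []
    for row in firerole_def_src.splitlines():
        row = row.split('#', 1)[0].strip()          # '#' starts a comment: discarded
        if not row:
            continue
        m = _RULE.match(row)
        if not m:
            raise ValueError('invalid FireRole rule: %r' % row)
        allow = m.group(1).lower() == 'allow'
        if m.group(2):                              # allow|deny any
            rules.append((allow, False, None, ()))
            continue
        # A literal becomes an escaped regexp so both kinds use fullmatch().
        patterns = tuple(re.compile(regexp or re.escape(literal))
                         for literal, regexp in _TERM.findall(m.group(5)))
        rules.append((allow, bool(m.group(3)), m.group(4), patterns))
    return rules


def acc_firerole_check_user(user_info, firerole_def_obj):
    """Return True if user_info matches the definition; the first matching rule decides."""
    for allow, negate, field, patterns in firerole_def_obj:
        if field is None:                           # allow|deny any
            return allow
        if field not in user_info:                  # key missing: rule skipped
            continue
        values = user_info[field]
        if not isinstance(values, (list, tuple, set)):
            values = [values]
        matched = any(p.fullmatch(str(v)) for p in patterns for v in values)
        if matched != negate:                       # 'not' inverts the match
            return allow
    return False                                    # assumed default: deny


def serialize(firerole_def_obj):
    """Serialize and compress a compiled definition; only ever load trusted (admin-stored) data."""
    return zlib.compress(pickle.dumps(firerole_def_obj))


def deserialize(firerole_def_ser):
    return pickle.loads(zlib.decompress(firerole_def_ser))
```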