CernVM-FS 2.12.0
AuthzSessionManager Class Reference
#include <authz_session.h>

Classes
struct PidKey
struct SessionKey

Public Member Functions
~AuthzSessionManager ()
AuthzToken * GetTokenCopy (const pid_t pid, const std::string &membership)
bool IsMemberOf (const pid_t pid, const std::string &membership)
void ClearSessionCache ()

Static Public Member Functions
static AuthzSessionManager * Create (AuthzFetcher *authz_fetcher, perf::Statistics *statistics)

Private Member Functions
FRIEND_TEST (T_AuthzSession, GetPidInfo)
FRIEND_TEST (T_AuthzSession, LookupAuthzData)
FRIEND_TEST (T_AuthzSession, LookupSessionKey)
AuthzSessionManager ()
bool GetPidInfo (pid_t pid, PidKey *pid_key)
bool LookupSessionKey (pid_t pid, PidKey *pid_key, SessionKey *session_key)
void MaySweepPids ()
void SweepPids (uint64_t now)
bool LookupAuthzData (const PidKey &pid_key, const SessionKey &session_key, const std::string &membership, AuthzData *authz_data)
void MaySweepCreds ()
void SweepCreds (uint64_t now)

Private Member Functions inherited from SingleCopy
SingleCopy ()

Static Private Member Functions
static uint32_t HashPidKey (const PidKey &key)
static uint32_t HashSessionKey (const SessionKey &key)

Private Attributes
SmallHashDynamic< PidKey, SessionKey > pid2session_
pthread_mutex_t lock_pid2session_
uint64_t deadline_sweep_pids_
SmallHashDynamic< SessionKey, AuthzData > session2cred_
pthread_mutex_t lock_session2cred_
uint64_t deadline_sweep_creds_
AuthzFetcher * authz_fetcher_
perf::Counter * no_pid_
perf::Counter * no_session_
perf::Counter * n_fetch_
perf::Counter * n_grant_
perf::Counter * n_deny_

Static Private Attributes
static const unsigned kSweepInterval = 5
static const unsigned kPidLifetime = 120

The authorization manager maintains a list of sessions (session ID and its birthday) and their associated credentials. It is used to pass the credentials to the download module and to control access to the repository. Every credential has a membership (a string) associated with it: the credential is thereby confirmed to be a member of the specified group. The group/membership can be anything, for instance a role in a certificate. The membership string that a repository requires is stored in the cvmfs root file catalog.
An AuthzFetcher is used to gather credentials that are not cached. Note that the credentials are fetched using the original pid/uid/gid but cached under the session, so every process of the same session shares the cached answer.
Definition at line 38 of file authz_session.h.
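The two-level cache sketched above, as an added illustration written for this page rather than code taken from CernVM-FS: a toy manager that translates a pid plus its birthday into a session key (LookupSessionKey), fetches with the original pid/uid/gid but caches under the session key (LookupAuthzData), refuses a cached answer that vouches for a different membership string until ClearSessionCache runs, and sweeps pid entries after kPidLifetime (SweepPids). The process table, the toy clock, DemoFetcher, ToySessionManager and ScenarioResult are constructed stand-ins and hypothetical names, not the project's API; the real class reads /proc, uses SmallHashDynamic and mutexes, and treats the fetcher's deny/allow and TTL semantics in more detail than this model.

```cpp
// Added illustration for this page, not CernVM-FS code: a toy model of the
// pid -> session key -> credential cache described above. Process table, clock
// and fetcher are constructed stand-ins for /proc, the clock and AuthzFetcher.
#include <cstdint>
#include <functional>
#include <map>
#include <string>
#include <tuple>
#include <utility>
struct PidKey {  // a pid alone can be recycled; the process birthday disambiguates
  int pid; uint64_t pid_bday;
  bool operator<(const PidKey &o) const { return std::tie(pid, pid_bday) < std::tie(o.pid, o.pid_bday); }
};
struct SessionKey {  // sid, its birthday, uid and gid: what credentials are cached under
  int sid; uint64_t sid_bday; int uid; int gid;
  bool operator<(const SessionKey &o) const {
    return std::tie(sid, sid_bday, uid, gid) < std::tie(o.sid, o.sid_bday, o.uid, o.gid);
  }
};
// Fetcher answer: decision, membership vouched for, TTL (made an absolute deadline when cached).
struct AuthzData { bool granted; std::string membership; uint64_t deadline; };
// What GetPidInfo would gather from /proc for one pid (constructed).
struct ProcEntry { uint64_t pid_bday; int sid; uint64_t sid_bday; int uid; int gid; };
class ToySessionManager {
 public:
  typedef std::function<AuthzData(int, int, int, const std::string &)> Fetcher;
  static const unsigned kPidLifetime = 120;  // seconds, as on the page
  explicit ToySessionManager(Fetcher f) : fetcher_(f), now_(0), n_fetch_(0) {}
  std::map<int, ProcEntry> proc;  // constructed process table
  void Advance(uint64_t secs) { now_ += secs; }
  unsigned fetches() const { return n_fetch_; }
  size_t cached_pids() const { return pid2session_.size(); }
  bool IsMemberOf(int pid, const std::string &membership) {
    PidKey pk; SessionKey sk;  // an unknown pid is denied
    return LookupSessionKey(pid, &pk, &sk) && LookupAuthzData(pk, sk, membership);
  }
  // Catalog membership string changed: every cached answer vouches for the old one.
  void ClearSessionCache() { session2cred_.clear(); }
  // Drop pid -> session entries whose kPidLifetime has run out.
  void SweepPids() {
    for (auto it = pid2session_.begin(); it != pid2session_.end();)
      if (it->second.second <= now_) it = pid2session_.erase(it); else ++it;
  }
 private:
  bool LookupSessionKey(int pid, PidKey *pk, SessionKey *sk) {
    auto p = proc.find(pid);
    if (p == proc.end()) return false;
    *pk = PidKey{pid, p->second.pid_bday};
    auto hit = pid2session_.find(*pk);
    if (hit != pid2session_.end()) { *sk = hit->second.first; return true; }
    *sk = SessionKey{p->second.sid, p->second.sid_bday, p->second.uid, p->second.gid};
    pid2session_[*pk] = std::make_pair(*sk, now_ + kPidLifetime);
    return true;
  }
  // Fetch with the original pid/uid/gid but cache under the session key, so
  // every process of that session (and only that session) reuses the answer.
  bool LookupAuthzData(const PidKey &pk, const SessionKey &sk, const std::string &membership) {
    auto hit = session2cred_.find(sk);
    if (hit == session2cred_.end() || hit->second.deadline <= now_) {
      ++n_fetch_;
      AuthzData fresh = fetcher_(pk.pid, sk.uid, sk.gid, membership);
      fresh.deadline += now_;  // TTL -> absolute deadline in toy time
      session2cred_[sk] = fresh; hit = session2cred_.find(sk);
    }
    return hit->second.granted && hit->second.membership == membership;
  }
  Fetcher fetcher_; uint64_t now_; unsigned n_fetch_;
  std::map<PidKey, std::pair<SessionKey, uint64_t> > pid2session_;
  std::map<SessionKey, AuthzData> session2cred_;
};
// Constructed fetcher: only uid 1000 holds the production role; answers last 3600 s.
static AuthzData DemoFetcher(int, int uid, int, const std::string &membership) {
  return AuthzData{uid == 1000 && membership == "/atlas/Role=production", membership, 3600};
}
struct ScenarioResult {
  bool first_pid, same_session_pid, other_uid, stale_membership, after_clear, recycled_pid;
  unsigned fetches_before_clear, fetches; size_t pids_before_sweep, pids_after_sweep;
};
ScenarioResult RunScenario() {
  ToySessionManager m(DemoFetcher);
  const std::string atlas = "/atlas/Role=production";
  m.proc[1000] = ProcEntry{10, 500, 5, 1000, 1000};  // pids 1000 and 1001: session 500, uid 1000
  m.proc[1001] = ProcEntry{11, 500, 5, 1000, 1000};
  m.proc[2000] = ProcEntry{20, 600, 6, 2000, 2000};  // another user's session
  ScenarioResult r;
  r.first_pid = m.IsMemberOf(1000, atlas);                       // fetch #1, granted
  r.same_session_pid = m.IsMemberOf(1001, atlas);                // cache hit via the session key
  r.other_uid = m.IsMemberOf(2000, atlas);                       // fetch #2, denied and cached
  r.stale_membership = m.IsMemberOf(1000, "/atlas/Role=admin");  // hit, but vouches for the old string
  r.fetches_before_clear = m.fetches();                          // 2: a mismatch does not refetch
  m.ClearSessionCache(); r.after_clear = m.IsMemberOf(1000, atlas);  // fetch #3
  m.proc[1000] = ProcEntry{99, 600, 6, 2000, 2000};              // pid 1000 recycled by uid 2000
  r.recycled_pid = m.IsMemberOf(1000, atlas);                    // new birthday, new key: fetch #4, denied
  r.fetches = m.fetches(); r.pids_before_sweep = m.cached_pids();
  m.Advance(ToySessionManager::kPidLifetime + 1); m.SweepPids();
  r.pids_after_sweep = m.cached_pids();
  return r;
}
```

RunScenario() walks through the cases the member documentation below cares about: a second process of the same session is served from session2cred_ without a fetch; a request for a membership string other than the cached one is denied rather than silently accepted, which is why ClearSessionCache has to run when the catalog's membership changes; a recycled pid with a new birthday gets a new PidKey and therefore the new owner's session key, so the old owner's credential is not reused; and SweepPids empties pid2session_ once kPidLifetime has elapsed.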
AuthzSessionManager::~AuthzSessionManager ( )
AuthzSessionManager::AuthzSessionManager ( ) | private
Definition at line 29 of file authz_session.cc.
Referenced by Create().
void AuthzSessionManager::ClearSessionCache ( )
When the membership string in the root file catalog changes, all entries in the cache become invalid because they only vouch for the previous membership entry. This function is called by MountPoint::ReEvaluateAuthz.
Definition at line 65 of file authz_session.cc.
Referenced by MountPoint::ReEvaluateAuthz().
static AuthzSessionManager * AuthzSessionManager::Create ( AuthzFetcher * authz_fetcher, perf::Statistics * statistics ) | static
Definition at line 72 of file authz_session.cc.
Referenced by MountPoint::CreateAuthz().
AuthzSessionManager::FRIEND_TEST ( T_AuthzSession, GetPidInfo ) | private
AuthzSessionManager::FRIEND_TEST ( T_AuthzSession, LookupAuthzData ) | private
AuthzSessionManager::FRIEND_TEST ( T_AuthzSession, LookupSessionKey ) | private
bool AuthzSessionManager::GetPidInfo ( pid_t pid, PidKey * pid_key ) | private
Gathers SID, birthday, uid, and gid for the given PID.
Definition at line 96 of file authz_session.cc.
Referenced by LookupSessionKey().
AuthzToken * AuthzSessionManager::GetTokenCopy ( const pid_t pid, const std::string & membership )
Caller is responsible for freeing the returned token.
Definition at line 178 of file authz_session.cc.
Referenced by AuthzAttachment::ConfigureCurlHandle().
static uint32_t AuthzSessionManager::HashPidKey ( const PidKey & key ) | inline static private
Definition at line 109 of file authz_session.h.
Referenced by AuthzSessionManager().
static uint32_t AuthzSessionManager::HashSessionKey ( const SessionKey & key ) | inline static private
Definition at line 119 of file authz_session.h.
Referenced by AuthzSessionManager().
bool AuthzSessionManager::IsMemberOf ( const pid_t pid, const std::string & membership )
Definition at line 197 of file authz_session.cc.
Referenced by cvmfs::CheckVoms().
bool AuthzSessionManager::LookupAuthzData ( const PidKey & pid_key, const SessionKey & session_key, const std::string & membership, AuthzData * authz_data ) | private
Calls out to the AuthzFetcher if the data is not cached. Verifies the membership.
Definition at line 216 of file authz_session.cc.
Referenced by GetTokenCopy(), and IsMemberOf().
bool AuthzSessionManager::LookupSessionKey ( pid_t pid, PidKey * pid_key, SessionKey * session_key ) | private
Translate a PID and its birthday into an SID and its birthday. The Session ID and its birthday together with UID and GID make the Session Key. The translation result is cached in pid2session_.
Definition at line 276 of file authz_session.cc.
Referenced by GetTokenCopy(), and IsMemberOf().
void AuthzSessionManager::MaySweepCreds ( ) | private
Scan through old sessions only every so often.
Definition at line 331 of file authz_session.cc.
Referenced by LookupAuthzData().
void AuthzSessionManager::MaySweepPids ( ) | private
Scan through old PIDs only every so often.
Definition at line 343 of file authz_session.cc.
Referenced by LookupSessionKey().
void AuthzSessionManager::SweepCreds ( uint64_t now ) | private
Remove cached credentials whose cache lifetime has expired. TODO(jblomer): a generalized sweep could become part of smallhash.
Definition at line 356 of file authz_session.cc.
Referenced by MaySweepCreds().
void AuthzSessionManager::SweepPids ( uint64_t now ) | private
Remove cached PIDs whose cache lifetime has expired. TODO(jblomer): a generalized sweep could become part of smallhash.
Definition at line 378 of file authz_session.cc.
Referenced by MaySweepPids().
AuthzFetcher * AuthzSessionManager::authz_fetcher_ | private
The helper that takes care of bringing in credentials from the client context.
Definition at line 161 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().
uint64_t AuthzSessionManager::deadline_sweep_creds_ | private
Definition at line 155 of file authz_session.h.
Referenced by MaySweepCreds().
uint64_t AuthzSessionManager::deadline_sweep_pids_ | private
Definition at line 148 of file authz_session.h.
Referenced by MaySweepPids().
const unsigned AuthzSessionManager::kPidLifetime = 120 | static private
PID-to-session information is cached for 2 minutes (120 seconds).
Definition at line 67 of file authz_session.h.
Referenced by LookupSessionKey().
const unsigned AuthzSessionManager::kSweepInterval = 5 | static private
The caches are swept of old entries no more often than every 5 seconds.
Definition at line 62 of file authz_session.h.
Referenced by MaySweepCreds(), and MaySweepPids().
pthread_mutex_t AuthzSessionManager::lock_pid2session_ | private
Definition at line 147 of file authz_session.h.
Referenced by AuthzSessionManager(), LookupSessionKey(), and ~AuthzSessionManager().
pthread_mutex_t AuthzSessionManager::lock_session2cred_ | private
Definition at line 154 of file authz_session.h.
Referenced by AuthzSessionManager(), ClearSessionCache(), LookupAuthzData(), and ~AuthzSessionManager().
perf::Counter * AuthzSessionManager::n_deny_ | private
Definition at line 167 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().
perf::Counter * AuthzSessionManager::n_fetch_ | private
Definition at line 165 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().
perf::Counter * AuthzSessionManager::n_grant_ | private
Definition at line 166 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().
perf::Counter * AuthzSessionManager::no_pid_ | private
Definition at line 163 of file authz_session.h.
Referenced by Create(), LookupSessionKey(), and SweepPids().
perf::Counter * AuthzSessionManager::no_session_ | private
Definition at line 164 of file authz_session.h.
Referenced by ClearSessionCache(), Create(), LookupAuthzData(), and SweepCreds().
SmallHashDynamic< PidKey, SessionKey > AuthzSessionManager::pid2session_ | private
Caches (extended) session information for an (extended) pid.
Definition at line 146 of file authz_session.h.
Referenced by AuthzSessionManager(), LookupSessionKey(), and SweepPids().
SmallHashDynamic< SessionKey, AuthzData > AuthzSessionManager::session2cred_ | private
Caches credentials corresponding to a session.
Definition at line 153 of file authz_session.h.
Referenced by AuthzSessionManager(), ClearSessionCache(), LookupAuthzData(), SweepCreds(), and ~AuthzSessionManager().