CernVM-FS 2.13.0
#include <authz_session.h>
Classes
  struct PidKey
  struct SessionKey

Public Member Functions
  ~AuthzSessionManager ()
  AuthzToken * GetTokenCopy (const pid_t pid, const std::string &membership)
  bool IsMemberOf (const pid_t pid, const std::string &membership)
  void ClearSessionCache ()

Static Public Member Functions
  static AuthzSessionManager * Create (AuthzFetcher *authz_fetcher, perf::Statistics *statistics)

Private Member Functions
  FRIEND_TEST (T_AuthzSession, GetPidInfo)
  FRIEND_TEST (T_AuthzSession, LookupAuthzData)
  FRIEND_TEST (T_AuthzSession, LookupSessionKey)
  AuthzSessionManager ()
  bool GetPidInfo (pid_t pid, PidKey *pid_key)
  bool LookupSessionKey (pid_t pid, PidKey *pid_key, SessionKey *session_key)
  void MaySweepPids ()
  void SweepPids (uint64_t now)
  bool LookupAuthzData (const PidKey &pid_key, const SessionKey &session_key, const std::string &membership, AuthzData *authz_data)
  void MaySweepCreds ()
  void SweepCreds (uint64_t now)

Inherited from SingleCopy
  SingleCopy ()

Static Private Member Functions
  static uint32_t HashPidKey (const PidKey &key)
  static uint32_t HashSessionKey (const SessionKey &key)

Private Attributes
  SmallHashDynamic< PidKey, SessionKey > pid2session_
  pthread_mutex_t lock_pid2session_
  uint64_t deadline_sweep_pids_
  SmallHashDynamic< SessionKey, AuthzData > session2cred_
  pthread_mutex_t lock_session2cred_
  uint64_t deadline_sweep_creds_
  AuthzFetcher * authz_fetcher_
  perf::Counter * no_pid_
  perf::Counter * no_session_
  perf::Counter * n_fetch_
  perf::Counter * n_grant_
  perf::Counter * n_deny_

Static Private Attributes
  static const unsigned kSweepInterval = 5
  static const unsigned kPidLifetime = 120
The authorization manager maintains a list of sessions (SID and its birthday) and their associated credentials. It is used to pass the credentials to the download module and to control access to the repository. Every credential has a membership (a string) associated with it; the credential is thereby confirmed to be a member of the specified group. The group/membership can be anything, for instance a role in a certificate. The membership string is stored in the cvmfs root file catalog.
An AuthzFetcher is used to gather credentials that are not cached. Note that the credentials are fetched using the original pid/uid/gid but cached under the session.
Definition at line 38 of file authz_session.h.
AuthzSessionManager::~AuthzSessionManager ()

AuthzSessionManager::AuthzSessionManager () [private]
Definition at line 29 of file authz_session.cc.
Referenced by Create().
void AuthzSessionManager::ClearSessionCache ()
When the membership string in the root file catalog changes, all entries in the cache become invalid because they only vouch for the previous membership entry. This function is called by MountPoint::ReEvaluateAuthz.
Definition at line 64 of file authz_session.cc.
Referenced by MountPoint::ReEvaluateAuthz().
AuthzSessionManager * AuthzSessionManager::Create (AuthzFetcher *authz_fetcher, perf::Statistics *statistics) [static]
Definition at line 71 of file authz_session.cc.
Referenced by MountPoint::CreateAuthz().
AuthzSessionManager::FRIEND_TEST (T_AuthzSession, GetPidInfo) [private]

AuthzSessionManager::FRIEND_TEST (T_AuthzSession, LookupAuthzData) [private]

AuthzSessionManager::FRIEND_TEST (T_AuthzSession, LookupSessionKey) [private]

bool AuthzSessionManager::GetPidInfo (pid_t pid, PidKey *pid_key) [private]
Gathers SID, birthday, uid, and gid from the given PID.
Definition at line 93 of file authz_session.cc.
Referenced by LookupSessionKey().
AuthzToken * AuthzSessionManager::GetTokenCopy (const pid_t pid, const std::string &membership)
The caller is responsible for freeing the returned token.
Definition at line 177 of file authz_session.cc.
Referenced by AuthzAttachment::ConfigureCurlHandle().
static uint32_t AuthzSessionManager::HashPidKey (const PidKey &key) [inline, static, private]
Definition at line 103 of file authz_session.h.
Referenced by AuthzSessionManager().

static uint32_t AuthzSessionManager::HashSessionKey (const SessionKey &key) [inline, static, private]
Definition at line 113 of file authz_session.h.
Referenced by AuthzSessionManager().
bool AuthzSessionManager::IsMemberOf (const pid_t pid, const std::string &membership)
Definition at line 194 of file authz_session.cc.
Referenced by cvmfs::CheckVoms().
bool AuthzSessionManager::LookupAuthzData (const PidKey &pid_key, const SessionKey &session_key, const std::string &membership, AuthzData *authz_data) [private]
Calls out to the AuthzFetcher if the data is not cached. Verifies the membership.
Definition at line 211 of file authz_session.cc.
Referenced by GetTokenCopy(), and IsMemberOf().
bool AuthzSessionManager::LookupSessionKey (pid_t pid, PidKey *pid_key, SessionKey *session_key) [private]
Translates a PID and its birthday into an SID and its birthday. The session ID and its birthday together with the UID and GID make up the session key. The translation result is cached in pid2session_.
Definition at line 272 of file authz_session.cc.
Referenced by GetTokenCopy(), and IsMemberOf().
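As an added illustration (not CernVM-FS code) of the two-level cache described in the class description and in LookupSessionKey: a Python model of pid2session_ and session2cred_ with the PID-birthday key, the kPidLifetime/kSweepInterval sweep, fetching under the original pid/uid/gid, and ClearSessionCache. proc_table, fetcher and clock are assumed stand-ins for the /proc lookup, the AuthzFetcher and the system clock.

```python
K_PID_LIFETIME = 120   # seconds; mirrors kPidLifetime on the page
K_SWEEP_INTERVAL = 5   # seconds; mirrors kSweepInterval on the page

class SessionCacheModel:
    def __init__(self, proc_table, fetcher, clock):
        # proc_table: pid -> (pid_birthday, uid, gid, sid, sid_birthday); constructed stand-in
        # for what GetPidInfo reads from /proc.  fetcher(pid, uid, gid, membership) -> token|None
        # stands in for the AuthzFetcher.  clock() returns the current time in seconds.
        self.proc_table, self.fetcher, self.clock = proc_table, fetcher, clock
        self.pid2session = {}      # PidKey -> (SessionKey, expiry)
        self.session2cred = {}     # (SessionKey, membership) -> token or None
        self.deadline_sweep_pids = 0.0
        self.n_fetch = 0           # mirrors the n_fetch_ counter

    def lookup_session_key(self, pid):
        """PidKey (pid, birthday, uid, gid) -> SessionKey (sid, sid_birthday, uid, gid)."""
        info = self.proc_table.get(pid)
        if info is None:
            return None                       # process gone: the no_pid_ case
        birthday, uid, gid, sid, sid_birthday = info
        pid_key = (pid, birthday, uid, gid)   # birthday keeps a reused PID off a stale entry
        self._may_sweep_pids()
        hit = self.pid2session.get(pid_key)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        session_key = (sid, sid_birthday, uid, gid)
        self.pid2session[pid_key] = (session_key, self.clock() + K_PID_LIFETIME)
        return session_key

    def _may_sweep_pids(self):
        now = self.clock()                    # scan for expired entries at most every 5 s
        if now < self.deadline_sweep_pids:
            return
        self.deadline_sweep_pids = now + K_SWEEP_INTERVAL
        self.pid2session = {k: v for k, v in self.pid2session.items() if v[1] > now}

    def is_member_of(self, pid, membership):
        # On a miss, fetch with the original pid/uid/gid but cache under the session key.
        session_key = self.lookup_session_key(pid)
        if session_key is None:
            return False
        cred_key = (session_key, membership)
        if cred_key not in self.session2cred:
            self.n_fetch += 1
            self.session2cred[cred_key] = self.fetcher(pid, *session_key[2:], membership)
        return self.session2cred[cred_key] is not None

    def clear_session_cache(self):
        self.session2cred.clear()   # membership string in the root catalog changed
```

A second process in the same session hits the cached credential without a fetch, while a new process that reuses an old PID misses because its birthday differs.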
void AuthzSessionManager::MaySweepCreds () [private]
Scans through old sessions only every so often.
Definition at line 326 of file authz_session.cc.
Referenced by LookupAuthzData().

void AuthzSessionManager::MaySweepPids () [private]
Scans through old PIDs only every so often.
Definition at line 338 of file authz_session.cc.
Referenced by LookupSessionKey().

void AuthzSessionManager::SweepCreds (uint64_t now) [private]
Removes cached credentials whose cache lifetime has expired. TODO(jblomer): a generalized sweeping can become part of smallhash
Definition at line 351 of file authz_session.cc.
Referenced by MaySweepCreds().

void AuthzSessionManager::SweepPids (uint64_t now) [private]
Removes cached PIDs whose cache lifetime has expired. TODO(jblomer): a generalized sweeping can become part of smallhash
Definition at line 373 of file authz_session.cc.
Referenced by MaySweepPids().
AuthzFetcher * AuthzSessionManager::authz_fetcher_ [private]
The helper that takes care of bringing in credentials from the client context.
Definition at line 155 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().

uint64_t AuthzSessionManager::deadline_sweep_creds_ [private]
Definition at line 149 of file authz_session.h.
Referenced by MaySweepCreds().

uint64_t AuthzSessionManager::deadline_sweep_pids_ [private]
Definition at line 142 of file authz_session.h.
Referenced by MaySweepPids().

const unsigned AuthzSessionManager::kPidLifetime = 120 [static, private]
PID to session information is cached for 2 minutes.
Definition at line 67 of file authz_session.h.
Referenced by LookupSessionKey().

const unsigned AuthzSessionManager::kSweepInterval = 5 [static, private]
Sweep old entries from the caches no more often than every 5 seconds.
Definition at line 62 of file authz_session.h.
Referenced by MaySweepCreds(), and MaySweepPids().

pthread_mutex_t AuthzSessionManager::lock_pid2session_ [private]
Definition at line 141 of file authz_session.h.
Referenced by AuthzSessionManager(), LookupSessionKey(), and ~AuthzSessionManager().

pthread_mutex_t AuthzSessionManager::lock_session2cred_ [private]
Definition at line 148 of file authz_session.h.
Referenced by AuthzSessionManager(), ClearSessionCache(), LookupAuthzData(), and ~AuthzSessionManager().

perf::Counter * AuthzSessionManager::n_deny_ [private]
Definition at line 161 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().

perf::Counter * AuthzSessionManager::n_fetch_ [private]
Definition at line 159 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().

perf::Counter * AuthzSessionManager::n_grant_ [private]
Definition at line 160 of file authz_session.h.
Referenced by Create(), and LookupAuthzData().

perf::Counter * AuthzSessionManager::no_pid_ [private]
Definition at line 157 of file authz_session.h.
Referenced by Create(), LookupSessionKey(), and SweepPids().

perf::Counter * AuthzSessionManager::no_session_ [private]
Definition at line 158 of file authz_session.h.
Referenced by ClearSessionCache(), Create(), LookupAuthzData(), and SweepCreds().

SmallHashDynamic< PidKey, SessionKey > AuthzSessionManager::pid2session_ [private]
Caches (extended) session information for an (extended) PID.
Definition at line 140 of file authz_session.h.
Referenced by AuthzSessionManager(), LookupSessionKey(), and SweepPids().

SmallHashDynamic< SessionKey, AuthzData > AuthzSessionManager::session2cred_ [private]
Caches the credentials corresponding to a session.
Definition at line 147 of file authz_session.h.
Referenced by AuthzSessionManager(), ClearSessionCache(), LookupAuthzData(), SweepCreds(), and ~AuthzSessionManager().