+ +
+ +In Files
+-
+
+
- lib/mcollective/security/base.rb + +
Parent
+ + + +Methods
+-
+
+
- ::inherited + +
- ::new + +
- #callerid + +
- #create_reply + +
- #create_request + +
- #decodemsg + +
- #encodereply + +
- #encoderequest + +
- #should_process_msg? + +
- #valid_callerid? + +
- #validate_filter? + +
- #validrequest? + +
Files
+-
+
+
- COPYING + +
- Gemfile + +
- README + +
- Rakefile + +
- client.cfg.dist + +
- data-help.erb + +
- discovery-help.erb + +
- facts.yaml.dist + +
- metadata-help.erb + +
- msg-help.erb + +
- rpc-help.erb + +
- server.cfg.dist + +
- PLACEHOLDER + +
- PLACEHOLDER + +
- action_snippet.erb + +
- data_input_snippet.erb + +
- ddl.erb + +
- plugin.erb + +
- en.yml + +
- mcollective.init + +
Class Index
+ ![[+]](../../images/find.png "show/hide quicksearch")
+
+
+ -
+
+
- MCollective + +
- MCollective::Agent + +
- MCollective::Agents + +
- MCollective::Aggregate + +
- MCollective::Aggregate::Base + +
- MCollective::Aggregate::Result + +
- MCollective::Aggregate::Result::Base + +
- MCollective::Aggregate::Result::CollectionResult + +
- MCollective::Aggregate::Result::NumericResult + +
- MCollective::Application + +
- MCollective::Applications + +
- MCollective::Cache + +
- MCollective::Client + +
- MCollective::CodedError + +
- MCollective::Config + +
- MCollective::Connector + +
- MCollective::Connector::Base + +
- MCollective::DDL + +
- MCollective::DDL::AgentDDL + +
- MCollective::DDL::Base + +
- MCollective::DDL::DataDDL + +
- MCollective::DDL::DiscoveryDDL + +
- MCollective::DDL::ValidatorDDL + +
- MCollective::DDLValidationError + +
- MCollective::Data + +
- MCollective::Data::Base + +
- MCollective::Data::Result + +
- MCollective::Discovery + +
- MCollective::Facts + +
- MCollective::Facts::Base + +
- MCollective::Generators + +
- MCollective::Generators::AgentGenerator + +
- MCollective::Generators::Base + +
- MCollective::Generators::DataGenerator + +
- MCollective::InvalidRPCData + +
- MCollective::Log + +
- MCollective::Logger + +
- MCollective::Logger::Base + +
- MCollective::Logger::Console_logger + +
- MCollective::Logger::File_logger + +
- MCollective::Logger::Syslog_logger + +
- MCollective::Matcher + +
- MCollective::Matcher::Parser + +
- MCollective::Matcher::Scanner + +
- MCollective::Message + +
- MCollective::MissingRPCData + +
- MCollective::MsgDoesNotMatchRequestID + +
- MCollective::MsgTTLExpired + +
- MCollective::NotTargettedAtUs + +
- MCollective::Optionparser + +
- MCollective::PluginManager + +
- MCollective::PluginPackager + +
- MCollective::PluginPackager::AgentDefinition + +
- MCollective::PluginPackager::StandardDefinition + +
- MCollective::RPC + +
- MCollective::RPC::ActionRunner + +
- MCollective::RPC::Agent + +
- MCollective::RPC::Audit + +
- MCollective::RPC::Client + +
- MCollective::RPC::Helpers + +
- MCollective::RPC::Progress + +
- MCollective::RPC::Reply + +
- MCollective::RPC::Request + +
- MCollective::RPC::Result + +
- MCollective::RPC::Stats + +
- MCollective::RPCAborted + +
- MCollective::RPCError + +
- MCollective::Registration + +
- MCollective::Registration::Base + +
- MCollective::Runner + +
- MCollective::RunnerStats + +
- MCollective::SSL + +
- MCollective::Security + +
- MCollective::Security::Base + +
- MCollective::SecurityValidationFailed + +
- MCollective::Shell + +
- MCollective::Translatable + +
- MCollective::UnixDaemon + +
- MCollective::UnknownRPCAction + +
- MCollective::UnknownRPCError + +
- MCollective::Util + +
- MCollective::Validator + +
- MCollective::ValidatorError + +
- MCollective::WindowsDaemon + +
- Array + +
- Dir + +
- Object + +
- String + +
- Symbol + +
MCollective::Security::Base
+ +This is a base class the other security modules should inherit from it handles statistics and validation of messages that should in most cases apply to all security models. @@ -89,25 +357,22 @@ To create your own security plugin you should provide a plugin that inherits from this and provides the following methods:
-decodemsg - Decodes a message that was -received from the middleware encodereply - -Encodes a reply message to a previous request message encoderequest - Encodes a new request message validrequest? - Validates a request received -from the middleware +decodemsg - Decodes a message that was received from the middleware +encodereply - Encodes a reply message to a previous request message +encoderequest - Encodes a new request message validrequest? - Validates a +request received from the middleware
Optionally if you are identifying users by some other means like -certificate name you can provide your own callerid method that can provide the rest of -the system with an id, and you would see this id being usable in SimpleRPC -authorization methods +certificate name you can provide your own callerid method that can provide +the rest of the system with an id, and you would see this id being usable +in SimpleRPC authorization methods
-The @initiated_by variable will be set to either :client or :node depending -on who is using this plugin. This is to help security providers that -operate in an asymetric mode like public/private key based systems. +The @initiated_by variable will be set +to either :client or :node depending on who is using this plugin. This is +to help security providers that operate in an asymetric mode like +public/private key based systems.
Specifics of each of these are a bit fluid and the interfaces for this is @@ -117,164 +382,190 @@ to see how security works is by looking at the provided MCollective::Security::PSK plugin.
-Methods
- -Attributes
- -| initiated_by | -[RW] | -- |
| stats | -[R] | -- |
Public Class methods
- -+
Attributes
+ + + + + + +Public Class Methods
+ + +Register plugins that inherits base
- -
# File lib/mcollective/security/base.rb, line 32
32: def self.inherited(klass)
33: PluginManager << {:type => "security_plugin", :class => klass.to_s}
-34: end
-
- -Initializes configuration and logging as well as prepare a zero‘d +34: end +
+Initializes configuration and logging as well as prepare a zero’d hash of stats various security methods and filter validators should increment stats, see MCollective::Security::Psk for a sample
- -
# File lib/mcollective/security/base.rb, line 38
38: def initialize
39: @config = Config.instance
40: @log = Log
41: @stats = PluginManager["global_stats"]
-42: end
-
- Public Instance methods
- - + + +Public Instance Methods
+ + +Returns a unique id for the caller, by default we just use the unix user id, security plugins can provide their own means of doing ids.
- -
# File lib/mcollective/security/base.rb, line 219
219: def callerid
220: "uid=#{Process.uid}"
-221: end
-
- (Not documented)
+ + + +
# File lib/mcollective/security/base.rb, line 167
167: def create_reply(reqid, agent, body)
@@ -285,25 +576,34 @@ id, security plugins can provide their own means of doing ids.
172: :senderagent => agent,
173: :msgtime => Time.now.utc.to_i,
174: :body => body}
-175: end
-
- (Not documented)
+ + + +
# File lib/mcollective/security/base.rb, line 177
177: def create_request(reqid, filter, msg, initiated_by, target_agent, target_collective, ttl=60)
@@ -318,104 +618,134 @@ id, security plugins can provide their own means of doing ids.
186: :callerid => callerid,
187: :ttl => ttl,
188: :msgtime => Time.now.utc.to_i}
-189: end
-
- Security providers should provide this, see MCollective::Security::Psk
- -
# File lib/mcollective/security/base.rb, line 239
239: def decodemsg(msg)
240: Log.error("decodemsg is not implemented in #{self.class}")
-241: end
-
- Security providers should provide this, see MCollective::Security::Psk
- -
# File lib/mcollective/security/base.rb, line 234
234: def encodereply(sender, msg, requestcallerid=nil)
235: Log.error("encodereply is not implemented in #{self.class}")
-236: end
-
- Security providers should provide this, see MCollective::Security::Psk
- -
# File lib/mcollective/security/base.rb, line 229
229: def encoderequest(sender, msg, filter={})
230: Log.error("encoderequest is not implemented in #{self.class}")
-231: end
-
- Give a MC::Message instance and a message id this will figure out if you the incoming message id matches the one the Message object is expecting and raise if its not @@ -424,9 +754,11 @@ href="../Message.html">Message object is expecting and raise if its not Mostly used by security plugins to figure out if they should do the hard work of decrypting etc messages that would only later on be ignored
- -
# File lib/mcollective/security/base.rb, line 196
196: def should_process_msg?(msg, msgid)
@@ -439,55 +771,68 @@ work of decrypting etc messages that would only later on be ignored
203: end
204:
205: true
-206: end
-
- -Validates a callerid. We do not want to -allow things like \ and / in callerids since other plugins make assumptions -that these are safe strings. +206: end +
+Validates a callerid. We do not want to allow things like \ and / in +callerids since other plugins make assumptions that these are safe strings.
callerids are generally in the form uid=123 or cert=foo etc so we do that here but security plugins could override this for some complex uses
- -
# File lib/mcollective/security/base.rb, line 213
213: def valid_callerid?(id)
214: !!id.match(/^[\w]+=[\w\.\-]+$/)
-215: end
-
- Takes a Hash with a filter in it and validates it against host information.
@@ -512,11 +857,13 @@ agent with a supplied name
-TODO: Support REGEX and/or multiple filter keys to be AND‘d +TODO: Support REGEX and/or multiple filter keys to be AND’d
- -
# File lib/mcollective/security/base.rb, line 55
55: def validate_filter?(filter)
@@ -629,49 +976,68 @@ TODO: Support REGEX and/or multiple filter keys to be AND‘d
162:
163: return false
164: end
-165: end
-
- Security providers should provide this, see MCollective::Security::Psk
- -
# File lib/mcollective/security/base.rb, line 224
224: def validrequest?(req)
225: Log.error("validrequest? is not implemented in #{self.class}")
-226: end
-
-