Fixed the authz and site_security check for check_resource command. (#…
…2462)

Co-authored-by: Yuan-Ting Hsieh (謝沅廷) <yuantingh@nvidia.com>
yhwen and YuanTingHsieh authored Apr 3, 2024
1 parent cc7ce3e commit baae3d8
Showing 2 changed files with 34 additions and 33 deletions.
65 changes: 33 additions & 32 deletions nvflare/private/fed/client/admin.py
Expand Up @@ -125,39 +125,40 @@ def _dispatch_request(
try:
reply = None

# see whether pre-authorization is needed
authz_flag = req.get_header(RequestHeader.REQUIRE_AUTHZ)
require_authz = authz_flag == "true"
if require_authz:
# authorize this command!
cmd = req.get_header(RequestHeader.ADMIN_COMMAND, None)
if cmd:
user = Person(
name=req.get_header(RequestHeader.USER_NAME, ""),
org=req.get_header(RequestHeader.USER_ORG, ""),
role=req.get_header(RequestHeader.USER_ROLE, ""),
)
submitter = Person(
name=req.get_header(RequestHeader.SUBMITTER_NAME, ""),
org=req.get_header(RequestHeader.SUBMITTER_ORG, ""),
role=req.get_header(RequestHeader.SUBMITTER_ROLE, ""),
)

authz_ctx = AuthzContext(user=user, submitter=submitter, right=cmd)
authorized, err = AuthorizationService.authorize(authz_ctx)
if err:
reply = error_reply(err)
elif not authorized:
reply = error_reply("not authorized")

site_security = SiteSecurity()
self._set_security_data(req, fl_ctx)
authorized, messages = site_security.authorization_check(self.app_ctx, cmd, fl_ctx)
if not authorized:
reply = error_reply(messages)
cmd = req.get_header(RequestHeader.ADMIN_COMMAND, None)
if cmd:
site_security = SiteSecurity()
self._set_security_data(req, fl_ctx)
authorized, messages = site_security.authorization_check(self.app_ctx, cmd, fl_ctx)
if not authorized:
reply = error_reply(messages)

else:
reply = error_reply("requires authz but missing admin command")
if not reply:
# see whether pre-authorization is needed
authz_flag = req.get_header(RequestHeader.REQUIRE_AUTHZ)
require_authz = authz_flag == "true"
if require_authz:
# authorize this command!
if cmd:
user = Person(
name=req.get_header(RequestHeader.USER_NAME, ""),
org=req.get_header(RequestHeader.USER_ORG, ""),
role=req.get_header(RequestHeader.USER_ROLE, ""),
)
submitter = Person(
name=req.get_header(RequestHeader.SUBMITTER_NAME, ""),
org=req.get_header(RequestHeader.SUBMITTER_ORG, ""),
role=req.get_header(RequestHeader.SUBMITTER_ROLE, ""),
)

authz_ctx = AuthzContext(user=user, submitter=submitter, right=cmd)
authorized, err = AuthorizationService.authorize(authz_ctx)
if err:
reply = error_reply(err)
elif not authorized:
reply = error_reply("not authorized")
else:
reply = error_reply("requires authz but missing admin command")

if not reply:
reply = processor.process(req, self.app_ctx)
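Review bot: Both checks in the new `_dispatch_request` body are gated on values read from the request itself. The site-security check runs only when `ADMIN_COMMAND` is present, and `AuthorizationService.authorize` runs only when `REQUIRE_AUTHZ` equals exactly `"true"`, so a message carrying neither header leaves `reply` unset and goes straight to `processor.process` with no check. Whether anything other than the trusted server can set these headers is not visible in this hunk; if it can, the requirement should be decided on the receiving side (for example per processor or topic) rather than taken from the sender. At minimum, a comment above `cmd = req.get_header(RequestHeader.ADMIN_COMMAND, None)` should record the assumption, e.g. `# NOTE: ADMIN_COMMAND and REQUIRE_AUTHZ are sender-supplied; a request without them skips both checks`. The function starts and ends outside the hunk.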
2 changes: 1 addition & 1 deletion nvflare/private/fed/server/server_engine.py
Expand Up @@ -760,7 +760,7 @@ def check_client_resources(self, job: Job, resource_reqs, fl_ctx: FLContext) ->
def _make_message_for_check_resource(self, job, resource_requirements, fl_ctx):
request = Message(topic=TrainingTopic.CHECK_RESOURCE, body=resource_requirements)
request.set_header(RequestHeader.JOB_ID, job.job_id)
request.set_header(RequestHeader.REQUIRE_AUTHZ, "true")
request.set_header(RequestHeader.REQUIRE_AUTHZ, "false")
request.set_header(RequestHeader.ADMIN_COMMAND, AdminCommandNames.CHECK_RESOURCES)

set_message_security_data(request, job, fl_ctx)
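Review bot: The `REQUIRE_AUTHZ` header in `_make_message_for_check_resource` is shown with both `"true"` and `"false"`; assuming `"false"` is the new value, a security-relevant flag is switched off with no explanation in the code. A short comment would help the next reader, for example `# server-initiated check: skip user authz; the client still runs the site-security check because ADMIN_COMMAND is set`. That comment also records the dependency on the `ADMIN_COMMAND` header staying in place, since the client-side change in this commit runs the site-security check only when that header is present.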
