From fbad47794183f896c08393b8b429096dd6a409c2 Mon Sep 17 00:00:00 2001
From: Tim Pillinger <26465611+wxtim@users.noreply.github.com>
Date: Wed, 30 Sep 2020 12:31:52 +0100
Subject: [PATCH 1/2] flow-cfg-update remove authentication config sectuion
---
cylc/flow/cfgspec/suite.py | 18 +----------------
cylc/flow/network/authorisation.py | 4 +++-
cylc/flow/network/server.py | 20 +------------------
.../functional/deprecations/01-cylc8-basic.t | 1 +
.../deprecations/01-cylc8-basic/flow.cylc | 1 +
5 files changed, 7 insertions(+), 37 deletions(-)
diff --git a/cylc/flow/cfgspec/suite.py b/cylc/flow/cfgspec/suite.py
index a8ada794f9a..2ec28986bde 100644
--- a/cylc/flow/cfgspec/suite.py
+++ b/cylc/flow/cfgspec/suite.py
@@ -21,7 +21,6 @@
from cylc.flow import LOG
from cylc.flow.parsec.exceptions import UpgradeError
-from cylc.flow.network.authorisation import Priv
from cylc.flow.parsec.config import ParsecConfig, ConfigNode as Conf
from cylc.flow.parsec.OrderedDict import OrderedDictWithDefaults
from cylc.flow.parsec.upgrade import upgrader
@@ -270,22 +269,6 @@
with Conf('reference test'):
Conf('expected task failures', VDR.V_STRING_LIST)
- with Conf('authentication'):
- # Allow owners to grant public shutdown rights at the most, not
- # full control.
- Conf(
- 'public',
- VDR.V_STRING,
- default=Priv.STATE_TOTALS.name.lower().replace('_', '-'),
- options=[
- level.name.lower().replace('_', '-')
- for level in [
- Priv.IDENTITY, Priv.DESCRIPTION,
- Priv.STATE_TOTALS, Priv.READ, Priv.SHUTDOWN
- ]
- ]
- )
-
with Conf('scheduling', desc='''
This section allows cylc to determine when tasks are ready to run.
'''):
@@ -1306,6 +1289,7 @@ def upg(cfg, descr):
u.obsolete('7.8.1', ['cylc', 'events', 'reset timer'])
u.obsolete('7.8.1', ['cylc', 'events', 'reset inactivity timer'])
u.obsolete('7.8.1', ['runtime', '__MANY__', 'events', 'reset timer'])
+ u.obsolete('8.0.0', ['cylc', 'authentication'])
u.obsolete('8.0.0', ['cylc', 'log resolved dependencies'])
u.obsolete('8.0.0', ['cylc', 'reference test', 'allow task failures'])
u.obsolete('8.0.0', ['cylc', 'reference test', 'live mode suite timeout'])
diff --git a/cylc/flow/network/authorisation.py b/cylc/flow/network/authorisation.py
index 61888b533d5..ac3917dd20d 100644
--- a/cylc/flow/network/authorisation.py
+++ b/cylc/flow/network/authorisation.py
@@ -86,7 +86,9 @@ def _authorise(self, *args, user='?', meta=None, **kwargs):
host = meta.get('host', '?')
prog = meta.get('prog', '?')
- usr_priv_level = self._get_priv_level(user)
+ # Hardcoded, for new - but much of this functionality can be
+ # removed more swingingly.
+ usr_priv_level = Priv.CONTROL
if usr_priv_level < req_priv_level:
LOG.warn(
"[client-connect] DENIED (privilege '%s' < '%s') %s@%s:%s",
diff --git a/cylc/flow/network/server.py b/cylc/flow/network/server.py
index 0c4235e1b91..01318d14a61 100644
--- a/cylc/flow/network/server.py
+++ b/cylc/flow/network/server.py
@@ -15,7 +15,7 @@
# along with this program. If not, see .
"""Server for suite runtime API."""
-import getpass
+import getpass # noqa: F401
from queue import Queue
from textwrap import dedent
from time import sleep
@@ -24,7 +24,6 @@
import zmq
from cylc.flow import LOG
-from cylc.flow.cfgspec.glbl_cfg import glbl_cfg
from cylc.flow.network import encode_, decode_, ZMQSocketBase
from cylc.flow.network.authorisation import Priv, authorise
from cylc.flow.network.graphql import (
@@ -254,23 +253,6 @@ def _receiver(self, message):
return {'data': response}
- def _get_public_priv(self):
- """Return the public privilege level of this suite."""
- if self.schd.config.cfg['cylc']['authentication']['public']:
- return Priv.parse(
- self.schd.config.cfg['cylc']['authentication']['public'])
- return Priv.parse(glbl_cfg().get(['authentication', 'public']))
-
- def _get_priv_level(self, user):
- """Return the privilege level for the given user for this suite."""
- if user == getpass.getuser():
- return Priv.CONTROL
- if self.public_priv is None:
- # cannot do this on initialisation as the suite configuration has
- # not yet been parsed
- self.public_priv = self._get_public_priv()
- return self.public_priv
-
def register_endpoints(self):
"""Register all exposed methods."""
self.endpoints = {name: obj
diff --git a/tests/functional/deprecations/01-cylc8-basic.t b/tests/functional/deprecations/01-cylc8-basic.t
index 0e75c56b26c..aab50a722f8 100755
--- a/tests/functional/deprecations/01-cylc8-basic.t
+++ b/tests/functional/deprecations/01-cylc8-basic.t
@@ -29,6 +29,7 @@ TEST_NAME=${TEST_NAME_BASE}-cmp
cylc validate -v "${SUITE_NAME}" 2>&1 \
| sed -n -e 's/^WARNING - \( \* (.*$\)/\1/p' > 'val.out'
cmp_ok val.out <<__END__
+ * (8.0.0) [cylc][authentication] - DELETED (OBSOLETE)
* (8.0.0) [cylc][log resolved dependencies] - DELETED (OBSOLETE)
* (8.0.0) [cylc][reference test][allow task failures] - DELETED (OBSOLETE)
* (8.0.0) [cylc][reference test][live mode suite timeout] - DELETED (OBSOLETE)
diff --git a/tests/functional/deprecations/01-cylc8-basic/flow.cylc b/tests/functional/deprecations/01-cylc8-basic/flow.cylc
index e941ff78ce1..fa4c8e1dcac 100644
--- a/tests/functional/deprecations/01-cylc8-basic/flow.cylc
+++ b/tests/functional/deprecations/01-cylc8-basic/flow.cylc
@@ -4,6 +4,7 @@
[cylc]
log resolved dependencies =
abort if any task fails =
+ authentication =
[[reference test]]
allow task failures =
live mode suite timeout =
From d7ba6a4a47e51fabfd0b5d4df400f49aab0b5439 Mon Sep 17 00:00:00 2001
From: Tim Pillinger <26465611+wxtim@users.noreply.github.com>
Date: Thu, 1 Oct 2020 13:39:43 +0100
Subject: [PATCH 2/2] remove Priv object
---
cylc/flow/cfgspec/globalcfg.py | 32 -----------------
cylc/flow/network/authorisation.py | 56 +-----------------------------
cylc/flow/network/server.py | 12 +++----
3 files changed, 7 insertions(+), 93 deletions(-)
diff --git a/cylc/flow/cfgspec/globalcfg.py b/cylc/flow/cfgspec/globalcfg.py
index 01b21bf915e..74fde0e4002 100644
--- a/cylc/flow/cfgspec/globalcfg.py
+++ b/cylc/flow/cfgspec/globalcfg.py
@@ -21,7 +21,6 @@
from cylc.flow import LOG
from cylc.flow import __version__ as CYLC_VERSION
from cylc.flow.hostuserutil import get_user_home
-from cylc.flow.network.authorisation import Priv
from cylc.flow.parsec.config import ParsecConfig, ConfigNode as Conf
from cylc.flow.parsec.exceptions import ParsecError
from cylc.flow.parsec.upgrade import upgrader
@@ -597,37 +596,6 @@
host if you have to use the *hardwired* self-identification method.
''')
- # suite
- with Conf('authentication', desc='''
- Authentication of client programs with suite server programs can be
- configured here, and overridden in suites if necessary with
- :cylc:conf:`flow.cylc[cylc][authentication]`.
-
- The suite-specific passphrase must be installed on a user's account to
- authorize full control privileges (see
- :ref:`ConnectionAuthentication`). In the future we plan to move to a
- more traditional user account model so that each authorized user can
- have their own password.
- '''):
- # Allow owners to grant public shutdown rights at the most, not full
- # control.
- Conf(
- 'public',
- VDR.V_STRING,
- default=Priv.STATE_TOTALS.name.lower().replace('_', '-'),
- options=[
- level.name.lower().replace('_', '-')
- for level in [
- Priv.IDENTITY, Priv.DESCRIPTION,
- Priv.STATE_TOTALS, Priv.READ, Priv.SHUTDOWN
- ]
- ],
- desc='''
- This sets the client privilege level for public access - i.e.
- no suite passphrase required.
- '''
- )
-
# suite
with Conf('suite servers', desc='''
Configure allowed suite hosts and ports for starting up (running or
diff --git a/cylc/flow/network/authorisation.py b/cylc/flow/network/authorisation.py
index ac3917dd20d..7369eb8e2ba 100644
--- a/cylc/flow/network/authorisation.py
+++ b/cylc/flow/network/authorisation.py
@@ -15,60 +15,17 @@
# along with this program. If not, see .
"""Network authorisation layer."""
-from enum import IntEnum
from functools import wraps
from cylc.flow import LOG
-class Priv(IntEnum):
- """Cylc privilege levels.
-
- In Cylc configurations use the lower-case form of each privilege level
- e.g. ``control`` for ``Priv.CONTROL``.
-
- These levels are ordered (by the integer associated with each) from 0.
- Each privilege level grants access to the levels below it.
-
- """
-
- CONTROL = 6
- """Provides full control of a suite."""
-
- SHUTDOWN = 5 # (Not used yet - for the post-passphrase era.)
- """Allows issuing of the shutdown command."""
-
- READ = 4
- """Permits read access to the suite's state."""
-
- STATE_TOTALS = 3
- """Provides access to the count of tasks in each state."""
-
- DESCRIPTION = 2
- """Permits reading of suite metadata."""
-
- IDENTITY = 1
- """Provides read access to the suite name, owner and Cylc version."""
-
- NONE = 0
- """No access."""
-
- @classmethod
- def parse(cls, key):
- """Obtain a privilege enumeration from a string."""
- return cls.__members__[key.upper().replace('-', '_')]
-
-
-def authorise(req_priv_level):
+def authorise():
"""Add authorisation to an endpoint.
This decorator extracts the `user` field from the incoming message to
determine the client's privilege level.
- Args:
- req_priv_level (cylc.flow.network.Priv): A privilege level for the
- method.
-
Wrapped function args:
user
The authenticated user (determined server side)
@@ -88,20 +45,9 @@ def _authorise(self, *args, user='?', meta=None, **kwargs):
# Hardcoded, for new - but much of this functionality can be
# removed more swingingly.
- usr_priv_level = Priv.CONTROL
- if usr_priv_level < req_priv_level:
- LOG.warn(
- "[client-connect] DENIED (privilege '%s' < '%s') %s@%s:%s",
- usr_priv_level, req_priv_level, user, host, prog)
- raise Exception('Authorisation failure')
LOG.info(
'[client-command] %s %s@%s:%s', fcn.__name__, user, host, prog)
return fcn(self, *args, **kwargs)
- # add authorisation level to docstring
- _authorise.__doc__ += (
- f'Authentication:\n{" " * 12}'
- f':py:obj:`{__loader__.name}.{str(req_priv_level)}`\n'
- )
return _authorise
return wrapper
diff --git a/cylc/flow/network/server.py b/cylc/flow/network/server.py
index 01318d14a61..e446bd4a51a 100644
--- a/cylc/flow/network/server.py
+++ b/cylc/flow/network/server.py
@@ -25,7 +25,7 @@
from cylc.flow import LOG
from cylc.flow.network import encode_, decode_, ZMQSocketBase
-from cylc.flow.network.authorisation import Priv, authorise
+from cylc.flow.network.authorisation import authorise
from cylc.flow.network.graphql import (
CylcGraphQLBackend, IgnoreFieldMiddleware, instantiate_middleware
)
@@ -259,7 +259,7 @@ def register_endpoints(self):
for name, obj in self.__class__.__dict__.items()
if hasattr(obj, 'exposed')}
- @authorise(Priv.IDENTITY)
+ @authorise()
@expose
def api(self, endpoint=None):
"""Return information about this API.
@@ -292,7 +292,7 @@ def api(self, endpoint=None):
return '%s\n%s' % (head, tail)
return 'No method by name "%s"' % endpoint
- @authorise(Priv.READ)
+ @authorise()
@expose
def graphql(self, request_string=None, variables=None):
"""Return the GraphQL scheme execution result.
@@ -335,7 +335,7 @@ def graphql(self, request_string=None, variables=None):
return errors
return executed.data
- @authorise(Priv.READ)
+ @authorise()
@expose
def get_graph_raw(self, start_point_string, stop_point_string,
group_nodes=None, ungroup_nodes=None,
@@ -400,7 +400,7 @@ def get_graph_raw(self, start_point_string, stop_point_string,
ungroup_all=ungroup_all)
# UIServer Data Commands
- @authorise(Priv.READ)
+ @authorise()
@expose
def pb_entire_workflow(self):
"""Send the entire data-store in a single Protobuf message.
@@ -413,7 +413,7 @@ def pb_entire_workflow(self):
pb_msg = self.schd.data_store_mgr.get_entire_workflow()
return pb_msg.SerializeToString()
- @authorise(Priv.READ)
+ @authorise()
@expose
def pb_data_elements(self, element_type):
"""Send the specified data elements in delta form.