diff options
author | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-01-19 22:26:04 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-01-19 22:26:04 +0200 |
commit | 17627658ac616fcbb7d76977b3efacb14884a784 (patch) | |
tree | 9458d00f2a65669923b6e861a46e8dda3a2a5657 | |
parent | 9342c2d779b78b55e7e3b555930c5d3d0423ec40 (diff) | |
download | eclat-17627658ac616fcbb7d76977b3efacb14884a784.tar.gz eclat-17627658ac616fcbb7d76977b3efacb14884a784.tar.bz2 |
New configuration statement authentication-provide
* NEWS: Update.
* src/config.c: New statement "authentication-provider"
* src/eclat.c (authentication_provider): New variable.
(main): Select credentials depending on the value of
authentication_provider.
* src/eclat.h (authentication_provider): New enum and extern.
-rw-r--r-- | NEWS | 36 | ||||
-rw-r--r-- | src/cmdline.opt | 2 | ||||
-rw-r--r-- | src/config.c | 78 | ||||
-rw-r--r-- | src/eclat.c | 33 | ||||
-rw-r--r-- | src/eclat.h | 8 |
5 files changed, 139 insertions, 18 deletions
@@ -21,12 +21,40 @@ following statement in the eclat configuration file: * If availability region is not supplied, it is read from the instance store. +* Authentication providers + +Support for different authentication providers is introduced. +Authentication provider is a service that supplies AWS access key ID and +secret key. It is configured by the "authentication-provider" +statement in the configuration file. The syntax is: + + authentication-provider TYPE ARG; + +TYPE cane be one of: + +- file +Credentials are obtained from a disk file named by the second +argument. The statement + + authentication-provider file NAME + +is equivalent to + + access-file NAME + +of eclat 1.0 and prior. The "access-file" statement is retained for +backward compatibility. + +- instance-store +Credentials are obtained from the instance store. Second argument +supplies the name of the IAM role to use. + * IAM support -If access key is not found in the access file, it is assumed to be a -IAM role name. The authentication credentials are then taken from the -instance store. - +If authentication provider is set to "instance-store", its argument +specifies IAM role name. The authentication credentials are then +taken from the instance store. + Version 1.0, 2013-12-20 diff --git a/src/cmdline.opt b/src/cmdline.opt index 665ec0e..6da23c2 100644 --- a/src/cmdline.opt +++ b/src/cmdline.opt @@ -328,7 +328,7 @@ parse_options(int *pargc, char **pargv[]) grecs_preprocessor = cmd; free(pp_cmd_buffer); } - + *pargc = argc - index; *pargv = argv + index; } diff --git a/src/config.c b/src/config.c index 1d3f1b7..d3c8a66 100644 --- a/src/config.c +++ b/src/config.c @@ -254,6 +254,72 @@ cb_ssl(enum grecs_callback_command cmd, return 0; } +static int +cb_authentication_provider(enum grecs_callback_command cmd, + grecs_locus_t *locus, + void *varptr, + grecs_value_t *value, + void *cb_data) +{ + char *s; + + if (cmd != grecs_callback_set_value) { + grecs_error(locus, 0, "Unexpected block statement"); + return 1; + } + if (!value || value->type != GRECS_TYPE_ARRAY || value->v.arg.c != 2) { + grecs_error(locus, 0, "expected two values"); + return 1; + } + if (value->v.arg.v[0]->type != GRECS_TYPE_STRING) { + grecs_error(&value->v.arg.v[0]->locus, 0, + "first argument not a string"); + return 1; + } + if (value->v.arg.v[1]->type != GRECS_TYPE_STRING) { + grecs_error(&value->v.arg.v[1]->locus, 0, + "second argument not a string"); + return 1; + } + + s = value->v.arg.v[0]->v.string; + + if (strcmp(s, "file") == 0) { + authentication_provider = authp_file; + free(access_file_name); + access_file_name = grecs_strdup(value->v.arg.v[1]->v.string); + } else if (strcmp(s, "instance-store") == 0) { + authentication_provider = authp_instance; + free(access_key); + access_key = grecs_strdup(value->v.arg.v[1]->v.string); + } else { + grecs_error(&value->locus, 0, "unknown provider"); + } + return 0; +} + +static int +cb_access_file(enum grecs_callback_command cmd, + grecs_locus_t *locus, + void *varptr, + grecs_value_t *value, + void *cb_data) +{ + if (cmd != grecs_callback_set_value) { + grecs_error(locus, 0, "Unexpected block statement"); + return 1; + } + if (!value || value->type != GRECS_TYPE_STRING) { + grecs_error(locus, 0, "expected string value"); + return 1; + } + + authentication_provider = authp_file; + free(*(char**)varptr); + *(char**)varptr = grecs_strdup(value->v.string); + return 0; +} + static struct grecs_keyword eclat_kw[] = { { "default-endpoint", "hostname", "Set default EC2 endpoint", @@ -264,9 +330,15 @@ static struct grecs_keyword eclat_kw[] = { { "signature-version", "version", "Signature version", grecs_type_string, GRECS_DFLT, &signature_version }, - { "access-file", "file", - "Specify a file containing `accessID:accessKey' pairs", - grecs_type_string, GRECS_DFLT, &access_file_name }, + { "authentication-provider", "<type: file|instance-store> <arg: string>", + "Define authentication provider.", + grecs_type_string, GRECS_DFLT, NULL, 0, cb_authentication_provider }, + { "access-file", "name", + "A shorthand for\n" + " authentication-provider file <name>\n" + "Specifies a file containing `accessID:accessKey' pairs.", + grecs_type_string, GRECS_DFLT, &access_file_name, 0, + cb_access_file }, { "default-region", "name", "Define default AWS region", grecs_type_string, GRECS_DFLT, ®ion_name }, diff --git a/src/eclat.c b/src/eclat.c index 5bbe7c4..67b20dd 100644 --- a/src/eclat.c +++ b/src/eclat.c @@ -24,6 +24,8 @@ int preprocess_only = 0; char *endpoint = "ec2.amazonaws.com"; char *signature_version = "2"; + +enum authentication_provider authentication_provider = authp_undefined; char *access_key; char *secret_key; char *security_token; @@ -769,18 +771,29 @@ main(int argc, char **argv) if (!endpoint) die(EX_USAGE, "cannot find endpoint for region %s", region_name); - - if (!secret_key) { + + if (access_key && secret_key) + authentication_provider = authp_immediate; + + switch (authentication_provider) { + case authp_undefined: + die(EX_USAGE, "cannot find authentication credentials"); + + case authp_immediate: + break; + + case authp_file: if (get_access_creds(access_key, &access_key, &secret_key)) { - if (!access_key) - die(EX_UNAVAILABLE, - "cannot find authentication credentials"); - else - eclat_get_instance_creds(access_key, - &access_key, - &secret_key, - &security_token); + die(EX_UNAVAILABLE, + "cannot find authentication credentials"); } + break; + + case authp_instance: + eclat_get_instance_creds(access_key, + &access_key, + &secret_key, + &security_token); } debug(ECLAT_DEBCAT_MAIN, 1, ("using access key %s", access_key)); diff --git a/src/eclat.h b/src/eclat.h index d3c0e8d..e5a2c21 100644 --- a/src/eclat.h +++ b/src/eclat.h @@ -39,6 +39,13 @@ #define ECLAT_DEBCAT_CURL 4 #define ECLAT_DEBCAT_FORLAN 5 +enum authentication_provider { + authp_undefined, + authp_immediate, + authp_file, + authp_instance +}; + extern char *endpoint; extern char *signature_version; extern int use_ssl; @@ -47,6 +54,7 @@ extern char *ssl_ca_file; extern char *ssl_ca_path; extern int dry_run_mode; extern char *region_name; +extern enum authentication_provider authentication_provider; extern char *access_file_name; extern char *access_key; extern char *secret_key; |