aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSergey Poznyakoff <gray@gnu.org.ua>2015-01-19 22:26:04 +0200
committerSergey Poznyakoff <gray@gnu.org.ua>2015-01-19 22:26:04 +0200
commit17627658ac616fcbb7d76977b3efacb14884a784 (patch)
tree9458d00f2a65669923b6e861a46e8dda3a2a5657
parent9342c2d779b78b55e7e3b555930c5d3d0423ec40 (diff)
downloadeclat-17627658ac616fcbb7d76977b3efacb14884a784.tar.gz
eclat-17627658ac616fcbb7d76977b3efacb14884a784.tar.bz2
New configuration statement authentication-provide
* NEWS: Update. * src/config.c: New statement "authentication-provider" * src/eclat.c (authentication_provider): New variable. (main): Select credentials depending on the value of authentication_provider. * src/eclat.h (authentication_provider): New enum and extern.
-rw-r--r--NEWS36
-rw-r--r--src/cmdline.opt2
-rw-r--r--src/config.c78
-rw-r--r--src/eclat.c33
-rw-r--r--src/eclat.h8
5 files changed, 139 insertions, 18 deletions
diff --git a/NEWS b/NEWS
index aebbc83..529df1e 100644
--- a/NEWS
+++ b/NEWS
@@ -21,12 +21,40 @@ following statement in the eclat configuration file:
* If availability region is not supplied, it is read from the instance store.
+* Authentication providers
+
+Support for different authentication providers is introduced.
+Authentication provider is a service that supplies AWS access key ID and
+secret key. It is configured by the "authentication-provider"
+statement in the configuration file. The syntax is:
+
+ authentication-provider TYPE ARG;
+
+TYPE cane be one of:
+
+- file
+Credentials are obtained from a disk file named by the second
+argument. The statement
+
+ authentication-provider file NAME
+
+is equivalent to
+
+ access-file NAME
+
+of eclat 1.0 and prior. The "access-file" statement is retained for
+backward compatibility.
+
+- instance-store
+Credentials are obtained from the instance store. Second argument
+supplies the name of the IAM role to use.
+
* IAM support
-If access key is not found in the access file, it is assumed to be a
-IAM role name. The authentication credentials are then taken from the
-instance store.
-
+If authentication provider is set to "instance-store", its argument
+specifies IAM role name. The authentication credentials are then
+taken from the instance store.
+
Version 1.0, 2013-12-20
diff --git a/src/cmdline.opt b/src/cmdline.opt
index 665ec0e..6da23c2 100644
--- a/src/cmdline.opt
+++ b/src/cmdline.opt
@@ -328,7 +328,7 @@ parse_options(int *pargc, char **pargv[])
grecs_preprocessor = cmd;
free(pp_cmd_buffer);
}
-
+
*pargc = argc - index;
*pargv = argv + index;
}
diff --git a/src/config.c b/src/config.c
index 1d3f1b7..d3c8a66 100644
--- a/src/config.c
+++ b/src/config.c
@@ -254,6 +254,72 @@ cb_ssl(enum grecs_callback_command cmd,
return 0;
}
+static int
+cb_authentication_provider(enum grecs_callback_command cmd,
+ grecs_locus_t *locus,
+ void *varptr,
+ grecs_value_t *value,
+ void *cb_data)
+{
+ char *s;
+
+ if (cmd != grecs_callback_set_value) {
+ grecs_error(locus, 0, "Unexpected block statement");
+ return 1;
+ }
+ if (!value || value->type != GRECS_TYPE_ARRAY || value->v.arg.c != 2) {
+ grecs_error(locus, 0, "expected two values");
+ return 1;
+ }
+ if (value->v.arg.v[0]->type != GRECS_TYPE_STRING) {
+ grecs_error(&value->v.arg.v[0]->locus, 0,
+ "first argument not a string");
+ return 1;
+ }
+ if (value->v.arg.v[1]->type != GRECS_TYPE_STRING) {
+ grecs_error(&value->v.arg.v[1]->locus, 0,
+ "second argument not a string");
+ return 1;
+ }
+
+ s = value->v.arg.v[0]->v.string;
+
+ if (strcmp(s, "file") == 0) {
+ authentication_provider = authp_file;
+ free(access_file_name);
+ access_file_name = grecs_strdup(value->v.arg.v[1]->v.string);
+ } else if (strcmp(s, "instance-store") == 0) {
+ authentication_provider = authp_instance;
+ free(access_key);
+ access_key = grecs_strdup(value->v.arg.v[1]->v.string);
+ } else {
+ grecs_error(&value->locus, 0, "unknown provider");
+ }
+ return 0;
+}
+
+static int
+cb_access_file(enum grecs_callback_command cmd,
+ grecs_locus_t *locus,
+ void *varptr,
+ grecs_value_t *value,
+ void *cb_data)
+{
+ if (cmd != grecs_callback_set_value) {
+ grecs_error(locus, 0, "Unexpected block statement");
+ return 1;
+ }
+ if (!value || value->type != GRECS_TYPE_STRING) {
+ grecs_error(locus, 0, "expected string value");
+ return 1;
+ }
+
+ authentication_provider = authp_file;
+ free(*(char**)varptr);
+ *(char**)varptr = grecs_strdup(value->v.string);
+ return 0;
+}
+
static struct grecs_keyword eclat_kw[] = {
{ "default-endpoint", "hostname",
"Set default EC2 endpoint",
@@ -264,9 +330,15 @@ static struct grecs_keyword eclat_kw[] = {
{ "signature-version", "version",
"Signature version",
grecs_type_string, GRECS_DFLT, &signature_version },
- { "access-file", "file",
- "Specify a file containing `accessID:accessKey' pairs",
- grecs_type_string, GRECS_DFLT, &access_file_name },
+ { "authentication-provider", "<type: file|instance-store> <arg: string>",
+ "Define authentication provider.",
+ grecs_type_string, GRECS_DFLT, NULL, 0, cb_authentication_provider },
+ { "access-file", "name",
+ "A shorthand for\n"
+ " authentication-provider file <name>\n"
+ "Specifies a file containing `accessID:accessKey' pairs.",
+ grecs_type_string, GRECS_DFLT, &access_file_name, 0,
+ cb_access_file },
{ "default-region", "name",
"Define default AWS region",
grecs_type_string, GRECS_DFLT, &region_name },
diff --git a/src/eclat.c b/src/eclat.c
index 5bbe7c4..67b20dd 100644
--- a/src/eclat.c
+++ b/src/eclat.c
@@ -24,6 +24,8 @@ int preprocess_only = 0;
char *endpoint = "ec2.amazonaws.com";
char *signature_version = "2";
+
+enum authentication_provider authentication_provider = authp_undefined;
char *access_key;
char *secret_key;
char *security_token;
@@ -769,18 +771,29 @@ main(int argc, char **argv)
if (!endpoint)
die(EX_USAGE,
"cannot find endpoint for region %s", region_name);
-
- if (!secret_key) {
+
+ if (access_key && secret_key)
+ authentication_provider = authp_immediate;
+
+ switch (authentication_provider) {
+ case authp_undefined:
+ die(EX_USAGE, "cannot find authentication credentials");
+
+ case authp_immediate:
+ break;
+
+ case authp_file:
if (get_access_creds(access_key, &access_key, &secret_key)) {
- if (!access_key)
- die(EX_UNAVAILABLE,
- "cannot find authentication credentials");
- else
- eclat_get_instance_creds(access_key,
- &access_key,
- &secret_key,
- &security_token);
+ die(EX_UNAVAILABLE,
+ "cannot find authentication credentials");
}
+ break;
+
+ case authp_instance:
+ eclat_get_instance_creds(access_key,
+ &access_key,
+ &secret_key,
+ &security_token);
}
debug(ECLAT_DEBCAT_MAIN, 1, ("using access key %s", access_key));
diff --git a/src/eclat.h b/src/eclat.h
index d3c0e8d..e5a2c21 100644
--- a/src/eclat.h
+++ b/src/eclat.h
@@ -39,6 +39,13 @@
#define ECLAT_DEBCAT_CURL 4
#define ECLAT_DEBCAT_FORLAN 5
+enum authentication_provider {
+ authp_undefined,
+ authp_immediate,
+ authp_file,
+ authp_instance
+};
+
extern char *endpoint;
extern char *signature_version;
extern int use_ssl;
@@ -47,6 +54,7 @@ extern char *ssl_ca_file;
extern char *ssl_ca_path;
extern int dry_run_mode;
extern char *region_name;
+extern enum authentication_provider authentication_provider;
extern char *access_file_name;
extern char *access_key;
extern char *secret_key;

Return to:

Send suggestions and report system problems to the System administrator.