Integrating Python hooks and readers.conf

Erik Klavon erik at eriq.org
Tue Aug 6 15:44:50 UTC 2002


Greetings

I have been making modifications to the Python hooks in nnrpd in order
to integrate them with the functionality of readers.conf. Where I felt
it made sense to do so, I have tried to make the new behavior of the
Python hooks be the same as the integrated Perl hooks in CURRENT. I
have also tried to change the interface as little as possible.

Three new auth group parameter/value pairs are added to readers.conf:
python_auth, python_access and python_dynamic. All three of these take
as their value a filename such as ldap_auth.py which is located in the
filter path (pathfilter) specified in inn.conf. Whenever one of them
is encountered in the processing of readers.conf, Python is loaded (if
it has yet to be), the specified module is loaded (if it has yet to
be), and the init method for the parameter is run (if it has yet to be).
Finally, the main method for the parameter is run. When nnrpd closes, all
of the close methods for any parameters encountered in the processing of
readers.conf are run. Each of the Python modules must meet all
previous criteria with the exception of the naming of the methods and
some new return values which will be detailed below.

python_auth makes use of the following methods of the class
defined in its argument Python module: authen_init, authenticate and
authen_close. authen_init is called once with no arguments when the
python_auth parameter is encountered for the first time with the
value of the given file. Values returned by authen_init are
ignored. authen_close is called with no arguments when nnrpd
closes. Values returned by authen_close are ignored. authenticate is
called with a dictionary as argument containing the hostname, IP
address, interface, username and password of the client. authenticate
returns a dictionary containing the nnrp response code for the
authentication session and an error string which will be passed to the
client if the error code indicates that the authentication attempt
failed. If other means to authenticate the client have not yet been
attempted, the error string will not be returned to the client.

Multiple, mixed use of python_auth with other auth statements is
permitted. auth statements are evaluated in the order they appear in
readers.conf.

python_access makes use of the following methods of the class
defined in its argument Python module: access_init, access and
access_close. access_init is called once with no arguments when the
python_access parameter is encountered for the first time with the
value of the given file. Values returned by access_init are
ignored. access_close is called with no arguments when nnrpd
closes. Values returned by access_close are ignored. access is
called with a dictionary as argument containing the hostname, IP
address, interface, username and password of the client. access
should return a dictionary containing valid access group
parameter/value pairs. These pairs will be used to create an access
group that will then be used to determine the access rights of the
client. This feature overrides all access groups in readers.conf.

Only one python_access statement may be used in an auth group. Unlike
auth statements, only one python_access or perl_access statement is
allowed, not any combination of the two.

Dynamic access control on a per newsgroup basis rather than per
connection is preserved. The relevant methods of the class are
dynamic_init, dynamic_close and dynamic. dynamic_init and
dynamic_close behave in the same way as the corresponding functions in
authenticate and access. The dynamic method has the same domain and
range as the authorize method. I have chosen to rename authorize to
make clear its differences from authenticate and access.

Only one python_dynamic statement is allowed in any auth group.

The __init__ method is still called when the class is instantiated. If
any of the three functions of the class share resources that must all
be initialized at once, you might find it useful to use an __init__
method to do this.

If anyone else has been working on this, if any of these changes don't
make sense or if my explanation isn't clear, please let me know. I
don't have any experience with Python outside of this project, so I'm
not sure these modifications are correct with the Python way of doing
things.

Right now I've managed to put together a quick implementation of most
of these features. I'll post a patch once my code is cleaned up a
bit. I would like to hear of any thoughts anyone has on this so I can
integrate those ideas as I prepare a patch.

Thanks

Erik

-- 
erik         | "It is idle to think that, by means of words, | Maurice
  kl at von     | any real communication can ever pass | Maeterlinck
    eriq.org | from one [human] to another." | Silence
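
A sketch of a module exposing the python_auth and python_access methods described in the message above, added here as an example; it is not code from the post or from INN. The dictionary keys ("user", "pass", "ipaddress", "code", "text"), the response codes 281 and 502, the group names and the USERS store are assumptions, since the post does not spell them out.

```python
import hashlib
import hmac

# Constructed sample store: username -> SHA-256 hex digest of the password.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY = "0" * 64  # compared against for unknown users so both paths do equal work

class ReaderHooks:
    def __init__(self):
        # Resources shared by all hooks are set up once, as the post suggests.
        self.users = dict(USERS)
        self.failures = {}  # failed attempts per client IP, for later review

    def authen_init(self):  # called once with no arguments; result ignored
        self.failures = {}

    def authenticate(self, attrs):
        user = attrs.get("user") or ""
        digest = hashlib.sha256((attrs.get("pass") or "").encode()).hexdigest()
        if hmac.compare_digest(digest, self.users.get(user, DUMMY)):
            return {"code": 281, "text": ""}
        ip = attrs.get("ipaddress", "unknown")
        self.failures[ip] = self.failures.get(ip, 0) + 1
        # Same text for unknown user and wrong password: no account enumeration.
        return {"code": 502, "text": "Authentication failed"}

    def authen_close(self):  # called when nnrpd closes; result ignored
        self.failures = {}

    def access_init(self):
        pass

    def access(self, attrs):
        # The returned pairs replace every access group in readers.conf,
        # so anything not positively identified gets the narrowest grant.
        if attrs.get("user") in self.users:
            return {"read": "*", "post": "local.*"}
        return {"read": "local.announce", "post": "!*"}

    def access_close(self):
        pass
```

Because access overrides all access groups in readers.conf, the fallback branch is what decides how much an unrecognised client can reach.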

