2014-02-04 01:38:45 +00:00
|
|
|
/*
|
|
|
|
* Copyright (c) 2014 Intel, Inc. All rights reserved.
|
2014-11-11 17:00:42 -08:00
|
|
|
* Copyright (c) 2014 Research Organization for Information Science
|
|
|
|
* and Technology (RIST). All rights reserved.
|
2014-02-04 01:38:45 +00:00
|
|
|
* $COPYRIGHT$
|
|
|
|
*
|
|
|
|
* Additional copyrights may follow
|
|
|
|
*
|
|
|
|
* $HEADER$
|
|
|
|
*/
|
|
|
|
/** @file:
|
|
|
|
*
|
|
|
|
* The Security Framework
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef OPAL_SEC_H
|
|
|
|
#define OPAL_SEC_H
|
|
|
|
|
|
|
|
#include "opal_config.h"
|
|
|
|
#include "opal/types.h"
|
2014-11-11 17:00:42 -08:00
|
|
|
#include "opal/util/proc.h"
|
2014-02-04 01:38:45 +00:00
|
|
|
|
|
|
|
#include "opal/mca/mca.h"
|
|
|
|
#include "opal/dss/dss_types.h"
|
|
|
|
|
|
|
|
|
|
|
|
/* The security framework is a single-select one - i.e.,
|
|
|
|
* only one plugin is active at any time, though multiple
|
|
|
|
* plugins may build. When init is called, each plugin that
|
|
|
|
* built should check to see if it can connect to its
|
|
|
|
* respective server - if it can, then it should return
|
|
|
|
* success to indicate it is ready to be used.
|
2014-02-04 14:47:04 +00:00
|
|
|
*
|
|
|
|
* For scalability, it is important that each process only
|
|
|
|
* contact the security server once, and only when requested
|
|
|
|
* to do so. Thus, the plugin should not get credentials for
|
|
|
|
* the process until the first call to "get_my_credentials",
|
|
|
|
* and should then cache the results for future use.
|
2014-02-04 01:38:45 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
BEGIN_C_DECLS
|
|
|
|
|
2014-02-04 14:47:04 +00:00
|
|
|
typedef struct {
|
|
|
|
char *credential;
|
|
|
|
size_t size;
|
|
|
|
} opal_sec_cred_t;
|
2014-02-04 01:38:45 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialize the module
|
|
|
|
*/
|
|
|
|
typedef int (*opal_sec_base_module_init_fn_t)(void);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Finalize the module
|
|
|
|
*/
|
|
|
|
typedef void (*opal_sec_base_module_finalize_fn_t)(void);
|
|
|
|
|
|
|
|
/*
|
2014-02-04 14:47:04 +00:00
|
|
|
* Get a security credential for this process - return pointer to
|
|
|
|
* a "credential" that I can use for authenticating myself to another process.
|
|
|
|
* The value must be returned in a network-byte-ordered form suitable
|
2014-02-04 01:38:45 +00:00
|
|
|
* for sending across the network.
|
|
|
|
*
|
2014-02-04 14:47:04 +00:00
|
|
|
* It isn't expected that the identifier will be used to obtain a
|
|
|
|
* certificate as external security systems will have no idea what
|
|
|
|
* it means. However, some modules may use it, and there is no way
|
|
|
|
* for the opal layer to know a process identifier without being told,
|
2014-04-29 21:49:23 +00:00
|
|
|
* so provide it here
|
|
|
|
*
|
|
|
|
* Likewise, the security framework isn't going to house its own datastore
|
|
|
|
* handle, and some modules may want to check to see if a credential
|
|
|
|
* was stored in the data store, so provide a means for passing in the
|
|
|
|
* handle where such data might be stored
|
2014-02-04 14:47:04 +00:00
|
|
|
*
|
|
|
|
* Function returns OPAL_SUCCESS if a credential was assigned, or an error
|
2014-02-04 01:38:45 +00:00
|
|
|
* code indicating why it failed
|
|
|
|
*/
|
2014-04-29 21:49:23 +00:00
|
|
|
typedef int (*opal_sec_base_module_get_my_cred_fn_t)(int dstorehandle,
|
2014-11-11 17:00:42 -08:00
|
|
|
opal_process_name_t *my_id,
|
2014-02-04 14:47:04 +00:00
|
|
|
opal_sec_cred_t **cred);
|
2014-02-04 01:38:45 +00:00
|
|
|
|
|
|
|
/*
|
2014-02-04 14:47:04 +00:00
|
|
|
* Authenticate a security credential - given a security credential,
|
|
|
|
* determine if the credential is valid. The credential is passed in
|
|
|
|
* a network-byte-ordered form as it came across the network.
|
2014-02-04 01:38:45 +00:00
|
|
|
*
|
|
|
|
* Function returns OPAL_SUCCESS if the token is authenticated, or an
|
|
|
|
* error code indicating why it failed
|
|
|
|
*/
|
2014-02-04 14:47:04 +00:00
|
|
|
typedef int (*opal_sec_base_module_auth_fn_t)(opal_sec_cred_t *cred);
|
2014-02-04 01:38:45 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* the standard module data structure
|
|
|
|
*/
|
|
|
|
struct opal_sec_base_module_1_0_0_t {
|
|
|
|
opal_sec_base_module_init_fn_t init;
|
|
|
|
opal_sec_base_module_finalize_fn_t finalize;
|
2014-02-04 14:47:04 +00:00
|
|
|
opal_sec_base_module_get_my_cred_fn_t get_my_credential;
|
2014-02-04 01:38:45 +00:00
|
|
|
opal_sec_base_module_auth_fn_t authenticate;
|
|
|
|
};
|
|
|
|
typedef struct opal_sec_base_module_1_0_0_t opal_sec_base_module_1_0_0_t;
|
|
|
|
typedef struct opal_sec_base_module_1_0_0_t opal_sec_base_module_t;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* the standard component data structure
|
|
|
|
*/
|
|
|
|
struct opal_sec_base_component_1_0_0_t {
|
|
|
|
mca_base_component_t base_version;
|
|
|
|
mca_base_component_data_t base_data;
|
|
|
|
};
|
|
|
|
typedef struct opal_sec_base_component_1_0_0_t opal_sec_base_component_1_0_0_t;
|
|
|
|
typedef struct opal_sec_base_component_1_0_0_t opal_sec_base_component_t;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Macro for use in components that are of type sec
|
|
|
|
*/
|
|
|
|
#define OPAL_SEC_BASE_VERSION_1_0_0 \
|
|
|
|
MCA_BASE_VERSION_2_0_0, \
|
|
|
|
"sec", 1, 0, 0
|
|
|
|
|
|
|
|
/* Global structure for accessing SEC functions */
|
|
|
|
OPAL_DECLSPEC extern opal_sec_base_module_t opal_sec; /* holds base function pointers */
|
|
|
|
|
|
|
|
END_C_DECLS
|
|
|
|
|
|
|
|
#endif
|