crossbar.master.arealm

Submodules

Classes

ApplicationRealmManager

Application realm manager. Application realms serve as isolated WAMP routing namespaces

Package Contents

class ApplicationRealmManager(session, globaldb: zlmdb.Database, globalschema: cfxdb.globalschema.GlobalSchema, db: zlmdb.Database, schema: cfxdb.mrealmschema.MrealmSchema, reactor=None)

Bases: object

Application realm manager. Application realms serve as isolated WAMP routing namespaces together with client authentication and authorization configuration.

Application realms can have the following entities added:

  • application roles with permissions

  • application principals with credentials

An application realm can be started on a router worker group run on a router cluster.

_PUBOPTS
_monitors: Dict[uuid.UUID, ApplicationRealmMonitor]
_mrealm_oid
_personality
_prefix = None
_reactor
_session
_started = None
_worker
async add_arealm_role(arealm_oid: str, role_oid: str, config: dict | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Add a role to an application realm.

Parameters:
  • arealm_oid – OID of the application realm to which to add the role.

  • role_oid – OID of the role to add to the application realm. A role can be added to more than one application realm.

  • config

Returns:

async add_principal(arealm_oid: str, principal: dict, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Add a new principal to the given application realm.

Parameters:
  • arealm_oid – Object ID of application realm to add the principal to.

  • principal – Principal definition.

Returns:

Principal addition information.

add_principal_credential(arealm_oid: str, principal_oid: str, credential: dict, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Add credentials to a principal.

Parameters:
  • arealm_oid – Object ID of application realm of the principal to add a credential for.

  • principal_oid – Object ID of the principal to add a credential for.

  • credential

    Credential configuration. Examples:

    WAMP-anonymous:

    {
        "authmethod": "anonymous"
    }
    

    WAMP-ticket:

    {
        "authmethod": "ticket",
        "secret": "secret123"
    }
    

    WAMP-wampcra:

    {
        "authmethod": "wampcra",
        "secret": "secret123",
        "salt": "salt456",
        "iterations": 100,
        "keylen": 16
    }
    

    WAMP-scram:

    {
        "authmethod": "scram",
        "kdf": "pbkdf2",
        "iterations": 100,
        "memory": 0,
        "stored-key": "",
        "server-key": ""
    }
    

    WAMP-cryptosign:

    {
        "authmethod": "cryptosign",
        "authconfig": {
            "authorized_keys": [
                "92b450bb5fb168b396ad2bde633825662665b4cb73c1243ce5e834971c9354f5"
            ]
        }
    }
    

    WAMP-tls: NOT YET IMPLEMENTED

    {
        "authmethod": "tls"
    }
    

    WAMP-cookie: NOT YET IMPLEMENTED

    {
        "authmethod": "cookie"
    }
    

Returns:

Credential addition information.
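
A pre-flight check for the credential dicts shown above, as an added example (not Crossbar.io code). The names audit_credential and wampcra_derived_key and the two MIN_ thresholds are assumptions of this example; the key derivation follows WAMP-CRA's salted-secret scheme (PBKDF2-HMAC-SHA256, base64-encoded).

```python
import base64
import hashlib
import re

IMPLEMENTED = {"anonymous", "ticket", "wampcra", "scram", "cryptosign"}
NOT_IMPLEMENTED = {"tls", "cookie"}  # marked NOT YET IMPLEMENTED on this page
# Assumed local policy thresholds, not values defined by Crossbar.io.
MIN_SECRET_LEN = 16
MIN_ITERATIONS = 100_000
HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")  # 32-byte public key, hex-encoded


def audit_credential(cred: dict) -> list:
    """Return findings for one credential dict; an empty list means none."""
    method = cred.get("authmethod")
    if method in NOT_IMPLEMENTED:
        return [f"{method}: not yet implemented"]
    if method not in IMPLEMENTED:
        return [f"unknown authmethod {method!r}"]
    out = []
    if method == "anonymous":
        out.append("anonymous: no secret required, review the principal's role")
    if method in ("ticket", "wampcra") and len(cred.get("secret", "")) < MIN_SECRET_LEN:
        out.append(f"{method}: secret shorter than {MIN_SECRET_LEN} characters")
    if method == "wampcra" and not cred.get("salt"):
        out.append("wampcra: no salt configured")
    if method in ("wampcra", "scram") and cred.get("iterations", 0) < MIN_ITERATIONS:
        out.append(f"{method}: iterations below {MIN_ITERATIONS}")
    if method == "scram":
        out += [f"scram: empty {k}" for k in ("stored-key", "server-key") if not cred.get(k)]
    if method == "cryptosign":
        keys = cred.get("authconfig", {}).get("authorized_keys", [])
        if not keys:
            out.append("cryptosign: no authorized_keys")
        out += [f"cryptosign: malformed key {k[:8]}..." for k in keys if not HEX_KEY.fullmatch(k)]
    return out


def wampcra_derived_key(cred: dict) -> str:
    """Salted WAMP-CRA key: base64(PBKDF2-HMAC-SHA256(secret, salt, iterations, keylen))."""
    raw = hashlib.pbkdf2_hmac("sha256", cred["secret"].encode(), cred["salt"].encode(),
                              cred["iterations"], cred["keylen"])
    return base64.b64encode(raw).decode()


SAMPLES = [  # the page's own sample credentials, used as input
    {"authmethod": "ticket", "secret": "secret123"},
    {"authmethod": "wampcra", "secret": "secret123", "salt": "salt456",
     "iterations": 100, "keylen": 16},
    {"authmethod": "cryptosign", "authconfig": {"authorized_keys": [
        "92b450bb5fb168b396ad2bde633825662665b4cb73c1243ce5e834971c9354f5"]}},
]

if __name__ == "__main__":
    print({c["authmethod"]: audit_credential(c) for c in SAMPLES})
```
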

async add_role_permission(role_oid: str, uri: str, permission: dict, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Add a permission to a role.

Parameters:
  • arealm_oid – OID of the application realm to which to add the role permission.

  • uri – WAMP URI (pattern) of the permission to add.

  • permission – Permission definition

Returns:

Permission addition information.

async create_arealm(arealm: dict, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Create a new application realm definition.

Procedure:

crossbarfabriccenter.mrealm.arealm.create_arealm URI of WAMP procedure to call.

Event:

crossbarfabriccenter.mrealm.arealm.on_arealm_created WAMP event published once the application realm has been created.

Error:

wamp.error.invalid_configuration WAMP error returned when the application realm configuration provided has a problem.

Error:

wamp.error.not_authorized WAMP error returned when the user is currently not allowed to create (another) application realm.

Parameters:

arealm

Application realm definition. For example:

{
    "name": "myrealm1",
    "enable_meta_api": true,
    "bridge_meta_api": true
}

Returns:

Application realm creation information.

async create_role(role: dict, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Create a new Role definition.

Parameters:

role – Role definition.

Returns:

Role creation information.

db
async delete_arealm(arealm_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Delete an existing application realm definition.

Procedure:

crossbarfabriccenter.mrealm.arealm.delete_arealm URI of WAMP procedure to call.

Event:

crossbarfabriccenter.mrealm.arealm.on_arealm_deleted WAMP event published once the application realm has been deleted.

Error:

wamp.error.invalid_argument WAMP error returned when arealm_oid was invalid.

Error:

crossbar.error.no_such_object WAMP error returned when arealm_oid was not found.

Error:

crossbar.error.not_stopped WAMP error returned when application realm is not in status STOPPED.

Parameters:

arealm_oid – OID of the application realm to delete

Returns:

Application realm deletion information.

async delete_role(role_oid: str, details: autobahn.wamp.types.CallDetails | None = None)

Delete an existing Role definition.

Procedure:

crossbarfabriccenter.mrealm.arealm.delete_role

Event:

crossbarfabriccenter.mrealm.arealm.on_role_deleted

Error:

wamp.error.invalid_argument

Error:

crossbar.error.no_such_object

Parameters:

role_oid – OID of the Role to delete

Returns:

Role deletion information.

gdb
get_arealm(arealm_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Return configuration and run-time status information for an application realm (by object ID).

Parameters:

arealm_oid – Object ID of the application realm to return.

Returns:

Application realm definition. For example, initially, after an application realm has been created:

{"bridge_meta_api": true,
 "changed": null,
 "description": null,
 "enable_meta_api": true,
 "label": null,
 "name": "myrealm1",
 "oid": "f1b58365-f936-4c4f-a820-9c5ed06eacfb",
 "owner": null,
 "status": "STOPPED",
 "tags": null,
 "webcluster_oid": null,
 "workergroup_oid": null}

Once the application realm has been started on a router worker group and web cluster, the status, webcluster_oid and workergroup_oid attributes will change accordingly:

{"bridge_meta_api": true,
 "changed": null,
 "description": null,
 "enable_meta_api": true,
 "label": null,
 "name": "myrealm1",
 "oid": "f1b58365-f936-4c4f-a820-9c5ed06eacfb",
 "owner": null,
 "status": "RUNNING",
 "tags": null,
 "webcluster_oid": "2f279b0f-e65a-4d7d-bef2-983f3b723e95",
 "workergroup_oid": "74ba0f88-eb7d-4810-a901-4a6d611d7519"}

get_arealm_by_name(arealm_name: str, details: autobahn.wamp.types.CallDetails | None = None)

Return configuration and run-time status information for an application realm (by name).

See also the corresponding procedure crossbar.master.arealm.ApplicationRealmManager.get_arealm(), which returns the same information given an object ID rather than a name.

Parameters:

arealm_name – Name (WAMP realm) of the application realm to return.

Returns:

Application realm definition.

get_arealm_role(arealm_oid: str, role_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Get information for the association of a role with an application realm.

Parameters:
  • arealm_oid – The application realm for which to return the association.

  • role_oid – The role for which to return the association.

Returns:

Application realm role association removal information.

get_principal(arealm_oid: str, principal_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Return definition of principal.

Parameters:
  • arealm_oid – Object ID of application realm the principal is defined on.

  • principal_oid – Object ID of the principal to return.

Returns:

Principal definition.

get_principal_by_name(arealm_oid: str, principal_name: str, details: autobahn.wamp.types.CallDetails | None = None)

Return definition of principal by principal name (WAMP authid).

Parameters:
  • arealm_oid – Object ID of application realm the principal is defined on.

  • principal_oid – Object ID of the principal to return.

Returns:

Principal definition.

abstractmethod get_principal_credential(arealm_oid: str, principal_oid: str, credential_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Return definition of a credential of a principal.

Parameters:
  • arealm_oid – Object ID of application realm of the principal to return a credential for.

  • principal_oid – Object ID of the principal to get a credential for.

  • credential_oid – Object ID of the credential to return.

Returns:

Credential detail information.

get_role(role_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Return configuration information for a role.

Parameters:

role_oid – Object ID of the role to return.

Returns:

Role definition.

get_role_by_name(role_name: str, details: autobahn.wamp.types.CallDetails | None = None)

Return configuration information for a role given by name.

Parameters:

role_name – The name of the role to return the definition for.

Returns:

Role definition.

get_role_permission(role_oid: str, permission_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Get information for the permission on a role.

Parameters:
  • role_oid – Object ID of the role to retrieve the permission for.

  • permission_oid – Object ID of the permission to retrieve.

Returns:

Permission definition.

get_role_permissions_by_uri(role_oid: str, prefix: str | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> List[Dict]

Get information for the permission on a role.

Parameters:
  • role_oid – Object ID of the role to retrieve the permission for.

  • permission_oid – Object ID of the permission to retrieve.

Returns:

Permission definition.

gschema
list_arealm_roles(arealm_oid: str, return_names: bool | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

List roles currently associated with the given application realm.

Parameters:

arealm_oid – The application realm to list roles for.

Returns:

List of role object IDs of roles associated with the application realm.

list_arealms(return_names: bool | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

Returns list of application realms defined. Detail information for an application realm can be retrieved using crossbar.master.arealm.ApplicationRealmManager.get_arealm().

Parameters:

return_names – Return application realm names instead of object IDs

Returns:

List of application realm object IDs or names. For example:

["788cda65-a41d-49ae-b09a-b51967a34915",
 "4b051f7a-1733-4784-aade-35dbdab6a234",
 "0bb832f4-9fd0-4916-8ef1-a5799564f5fc"]

list_principal_credentials(arealm_oid: str, principal_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

List credentials for a principal.

Parameters:
  • arealm_oid – Object ID of application realm of the principal to list credentials for.

  • principal_oid – Object ID of the principal to list credentials for.

Returns:

List of credential object IDs or names (WAMP authids).

list_principals(arealm_oid: str, return_names: bool | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

List all principals defined on this application realm.

Parameters:
  • arealm_oid – Object ID of application realm to list principals for.

  • return_names – Return principal names (WAMP authids) rather than object IDs.

Returns:

List of principal object IDs or names.

list_role_permissions(role_oid: str, prefix: str | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

List permissions in a role.

Parameters:
  • role_oid – The role to get permissions for.

  • prefix – WAMP URI prefix of permission to filter for.

Returns:

List of permission object IDs of this role.

list_roles(return_names: bool | None = None, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

Returns list of roles defined.

Parameters:

return_names – Return role names instead of object IDs

Returns:

List of role object IDs or names.

abstractmethod list_router_workers(arealm_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> List[str]

NOT YET IMPLEMENTED

Return the list of router workers (in the router worker group) the application realm is hosted on, once the application realm has been started on a router worker group and is running.

Parameters:

arealm_oid – Object ID of application realm to list router workers for.

Returns:

List of router workers in the router worker group running the application realm.

log
async remove_arealm_role(arealm_oid: str, role_oid: str, details: autobahn.wamp.types.CallDetails | None = None)

Remove a role from an application realm.

Parameters:
  • arealm_oid – Object ID of the application realm to remove the role from.

  • role_oid – Object ID of the role to remove from the application realm.

Returns:

Application realm role removal information.

abstractmethod remove_principal(arealm_oid: str, principal_oid: str, details: autobahn.wamp.types.CallDetails | None = None)

Remove a principal from the given application realm.

Parameters:
  • arealm_oid – Object ID of application realm from which to remove the principal.

  • principal_oid – Object ID of the principal to remove.

Returns:

Principal removal information.

abstractmethod remove_principal_credential(arealm_oid: str, principal_oid: str, credential_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Remove credentials from a principal.

Parameters:
  • arealm_oid – Object ID of application realm of the principal to remove a credential from.

  • principal_oid – Object ID of the principal to remove a credential from.

  • credential_oid – Object ID of the credential to remove.

Returns:

Credential removal information.

async remove_role_permission(role_oid: str, permission_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Remove a permission from a role.

Parameters:
  • role_oid – Object ID of the role from which to remove the permission.

  • permission_oid – Object ID of the permission to remove.

Returns:

Permission removal information.

schema
start(prefix)
async start_arealm(arealm_oid: str, router_workergroup_oid: str, webcluster_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Start an application realm on a router cluster worker group and webcluster.

The webcluster is responsible for accepting frontend client connections, performing WAMP authentication, selecting a backend router worker (from the router worker group) and forwarding application traffic of the connected frontend session to the backend router worker.

Clients will be able to authenticate (to the frontend webcluster) using any credentials defined on the application realm. When a client successfully authenticates using one of the credentials defined, it will be identified as the principal on the application realm associated with the credential.

A principal in turn will have an associated role defined, and the permissions on that role ultimately determine the rights granted to the client to perform the respective WAMP actions (e.g. call “com.example.add2” or subscribe to “com.example.onevent1”) on URIs within the application realm.

The application realm monitor will:

  1. start the application realm on all router workers on nodes of the respective router worker group

  2. start all roles defined for the application realm on those router workers

  3. start router-to-router links between the router workers in the router worker group for the respective application realm

  4. start backend connections and routes to the router workers from the proxy workers of the webcluster

  5. configure credentials for the principals on the application realm in the proxy workers of the webcluster

Parameters:
  • arealm_oid – The application realm to start.

  • router_workergroup_oid – The router cluster worker group to start the application realm on.

  • webcluster_oid – The web cluster to serve as a frontend layer for the application realm.

Returns:

Application realm start information.

stat_arealm(arealm_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

NOT YET IMPLEMENTED

Get current status and statistics for given application realm.

Parameters:

arealm_oid – The application realm to return status and statistics for.

Returns:

Current status and statistics for given routercluster.

stop()
async stop_arealm(arealm_oid: str, details: autobahn.wamp.types.CallDetails | None = None) -> dict

Stop a currently running application realm. This will stop router workers started in the worker group assigned for the application realm, and remove the association with the proxy workers of the web cluster responsible for the application realm.

Event:

crossbarfabriccenter.mrealm.arealm.on_arealm_stopping WAMP event published once the application realm is stopping.

Error:

wamp.error.invalid_argument WAMP error returned when arealm_oid was invalid.

Error:

crossbar.error.no_such_object WAMP error returned when arealm_oid was not found.

Error:

crossbar.error.cannot_stop WAMP error returned when application realm cannot be stopped, because it is not in status RUNNING or STARTING.

Parameters:

arealm_oid – The application realm to stop.

Returns:

Application realm stopping information.