def create_top_level_auth_records(self, hrn):
"""
Create top level records (includes root and sub authorities (local/remote)
"""
urn = hrn_to_urn(hrn, 'authority')
# make sure parent exists
parent_hrn = get_authority(hrn)
if not parent_hrn:
parent_hrn = hrn
if not parent_hrn == hrn:
self.create_top_level_auth_records(parent_hrn)
# create the authority if it doesnt already exist
if not self.AuthHierarchy.auth_exists(urn):
self.logger.info("Import: creating top level authorities")
self.AuthHierarchy.create_auth(urn)
# create the db record if it doesnt already exist
auth_info = self.AuthHierarchy.get_auth_info(hrn)
table = SfaTable()
auth_record = table.find({'type': 'authority', 'hrn': hrn})
if not auth_record:
auth_record = SfaRecord(hrn=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=-1)
auth_record['authority'] = get_authority(auth_record['hrn'])
self.logger.info("Import: inserting authority record for %s"%hrn)
table.insert(auth_record)
def get_sfa_peer(api, hrn):
# return the authority for this hrn or None if we are the authority
sfa_peer = None
slice_authority = get_authority(hrn)
site_authority = get_authority(slice_authority)
if site_authority != api.hrn:
sfa_peer = site_authority
return sfa_peer
def get_sfa_peer(self, xrn):
hrn, type = urn_to_hrn(xrn)
# return the authority for this hrn or None if we are the authority
sfa_peer = None
slice_authority = get_authority(hrn)
site_authority = get_authority(slice_authority)
if site_authority != self.driver.hrn:
sfa_peer = site_authority
return sfa_peer
def get_sfa_peer(self, xrn):
hrn, type = urn_to_hrn(xrn)
# return the authority for this hrn or None if we are the authority
sfa_peer = None
slice_authority = get_authority(hrn)
site_authority = get_authority(slice_authority)
if site_authority != self.api.hrn:
sfa_peer = site_authority
return sfa_peer
def import_tenants(self, existing_hrns, existing_records):
# Get all tenants
# A tenant can represent an organizational group (site) or a
# slice. If a tenant's authorty/parent matches the root authority it is
# considered a group/site. All other tenants are considered slices.
tenants = self.shell.auth_manager.tenants.list()
tenants_dict = {}
for tenant in tenants:
hrn = self.config.SFA_INTERFACE_HRN + '.' + tenant.name
tenants_dict[hrn] = tenant
authority_hrn = OSXrn(xrn=hrn,
type='authority').get_authority_hrn()
if hrn in existing_hrns:
continue
if authority_hrn == self.config.SFA_INTERFACE_HRN:
# import group/site
record = RegAuthority()
urn = OSXrn(xrn=hrn, type='authority').get_urn()
if not self.auth_hierarchy.auth_exists(urn):
self.auth_hierarchy.create_auth(urn)
auth_info = self.auth_hierarchy.get_auth_info(urn)
gid = auth_info.get_gid_object()
record.type = 'authority'
record.hrn = hrn
record.gid = gid
record.authority = get_authority(hrn)
global_dbsession.add(record)
global_dbsession.commit()
self.logger.info("OpenstackImporter: imported authority: %s" %
record)
else:
record = RegSlice()
urn = OSXrn(xrn=hrn, type='slice').get_urn()
pkey = Keypair(create=True)
gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey)
record.type = 'slice'
record.hrn = hrn
record.gid = gid
record.authority = get_authority(hrn)
global_dbsession.add(record)
global_dbsession.commit()
self.logger.info("OpenstackImporter: imported slice: %s" %
record)
return tenants_dict
def import_site(self, hrn, site):
shell = self.shell
plc_auth = self.plc_auth
urn = hrn_to_urn(hrn, 'authority')
self.logger.info("Import: site %s"%hrn)
# create the authority
if not self.AuthHierarchy.auth_exists(urn):
self.AuthHierarchy.create_auth(urn)
auth_info = self.AuthHierarchy.get_auth_info(urn)
table = SfaTable()
auth_record = SfaRecord(hrn=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=site['site_id'])
auth_record['authority'] = get_authority(auth_record['hrn'])
existing_records = table.find({'hrn': hrn, 'type': 'authority', 'pointer': site['site_id']})
if not existing_records:
table.insert(auth_record)
else:
self.logger.info("Import: %s exists, updating " % hrn)
existing_record = existing_records[0]
auth_record['record_id'] = existing_record['record_id']
table.update(auth_record)
return hrn
def import_slice(self, parent_hrn, slice):
slicename = slice['name'].split("_",1)[-1]
slicename = _cleanup_string(slicename)
if not slicename:
self.logger.error("Import: failed to parse slice name %s" %slice['name'])
return
hrn = parent_hrn + "." + slicename
self.logger.info("Import: slice %s"%hrn)
pkey = Keypair(create=True)
urn = hrn_to_urn(hrn, 'slice')
slice_gid = self.AuthHierarchy.create_gid(urn, create_uuid(), pkey)
slice_record = SfaRecord(hrn=hrn, gid=slice_gid, type="slice", pointer=slice['slice_id'])
slice_record['authority'] = get_authority(slice_record['hrn'])
table = SfaTable()
existing_records = table.find({'hrn': hrn, 'type': 'slice', 'pointer': slice['slice_id']})
if not existing_records:
table.insert(slice_record)
else:
self.logger.info("Import: %s exists, updating " % hrn)
existing_record = existing_records[0]
slice_record['record_id'] = existing_record['record_id']
table.update(slice_record)
def create_interface_records(self):
"""
Create a record for each SFA interface
"""
# just create certs for all sfa interfaces even if they
# aren't enabled
auth_info = self.auth_hierarchy.get_auth_info(
self.config.SFA_INTERFACE_HRN)
pkey = auth_info.get_pkey_object()
hrn = self.config.SFA_INTERFACE_HRN
for type in [
'authority+sa',
'authority+am',
'authority+sm',
]:
urn = hrn_to_urn(hrn, type)
gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey)
# for now we have to preserve the authority+<> stuff
if self.record_exists(type, hrn): continue
interface_record = RegAuthority(type=type,
hrn=hrn,
gid=gid,
authority=get_authority(hrn))
interface_record.just_created()
global_dbsession.add(interface_record)
global_dbsession.commit()
self.logger.info("SfaImporter: imported authority (%s) %s " %
(type, interface_record))
def get_auth_ticket(self, xrn):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
ticket = SfaTicket(subject=hrn)
ticket.set_gid_caller(gid)
ticket.set_gid_object(gid)
ticket.set_delegate(True)
ticket.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
ticket.set_issuer(auth_info.get_pkey_object(), hrn)
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
ticket.set_parent(self.get_auth_cred(parent_hrn))
ticket.encode()
ticket.sign()
return ticket
def update_cert_records(gids):
"""
Make sure there is a record in the registry for the specified gids.
Removes old records from the db.
"""
# import db stuff here here so this module can be loaded by PlcComponentApi
from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
if not gids:
return
# get records that actually exist in the db
gid_urns = [gid.get_urn() for gid in gids]
hrns_expected = [gid.get_hrn() for gid in gids]
records_found = dbsession.query(RegRecord).\
filter_by(pointer=-1).filter(RegRecord.hrn.in_(hrns_expected)).all()
# remove old records
for record in records_found:
if record.hrn not in hrns_expected and \
record.hrn != self.api.config.SFA_INTERFACE_HRN:
dbsession.delete(record)
# TODO: store urn in the db so we do this in 1 query
for gid in gids:
hrn, type = gid.get_hrn(), gid.get_type()
record = dbsession.query(RegRecord).filter_by(hrn=hrn, type=type,pointer=-1).first()
if not record:
record = RegRecord (dict= {'type':type,
'hrn': hrn,
'authority': get_authority(hrn),
'gid': gid.save_to_string(save_parents=True),
})
dbsession.add(record)
dbsession.commit()
def get_pis (self):
# don't ruin the import of that file in a client world
from sfa.storage.alchemy import dbsession
from sfa.util.xrn import get_authority
authority_hrn = get_authority(self.hrn)
auth_record = dbsession.query(RegAuthority).filter_by(hrn=authority_hrn).first()
return auth_record.reg_pis
def get_auth_cred(self, xrn, kind="authority"):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
cred = Credential(subject=hrn)
cred.set_gid_caller(gid)
cred.set_gid_object(gid)
cred.set_privileges(kind)
cred.get_privileges().delegate_all_privileges(True)
#cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename())
cred.set_parent(self.get_auth_cred(parent_hrn, kind))
cred.encode()
cred.sign()
return cred
def testUpdate(self):
authority = get_authority(self.hrn)
auth_cred = self.client.GetCredential(authority, 'authority')
records = self.registry.Resolve(self.credential, self.hrn)
if not records: assert False
record = records[0]
self.registry.update(auth_cred, record)
def get_peer(self, xrn):
hrn, hrn_type = urn_to_hrn(xrn)
#Does this slice belong to a local site or a peer senslab site?
peer = None
# get this slice's authority (site)
slice_authority = get_authority(hrn)
site_authority = slice_authority
# get this site's authority (sfa root authority or sub authority)
#site_authority = get_authority(slice_authority).lower()
logger.debug("SLABSLICES \ get_peer slice_authority %s \
site_authority %s hrn %s" %(slice_authority, \
site_authority, hrn))
#This slice belongs to the current site
if site_authority == self.driver.root_auth :
return None
# check if we are already peered with this site_authority, if so
#peers = self.driver.GetPeers({})
peers = self.driver.GetPeers(peer_filter = slice_authority)
for peer_record in peers:
if site_authority == peer_record.hrn:
peer = peer_record
logger.debug(" SLABSLICES \tget_peer peer %s " %(peer))
return peer
def testUpdate(self):
authority = get_authority(self.hrn)
auth_cred = self.client.GetCredential(authority, 'authority')
records = self.registry.Resolve(self.credential, self.hrn)
if not records: assert False
record = records[0]
self.registry.update(auth_cred, record)
def get_auth_ticket(self, xrn):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
ticket = SfaTicket(subject=hrn)
ticket.set_gid_caller(gid)
ticket.set_gid_object(gid)
ticket.set_delegate(True)
ticket.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
ticket.set_issuer(auth_info.get_pkey_object(), hrn)
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
ticket.set_parent(self.get_auth_cred(parent_hrn))
ticket.encode()
ticket.sign()
return ticket
def get_auth_cred(self, xrn, kind="authority"):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
cred = Credential(subject=hrn)
cred.set_gid_caller(gid)
cred.set_gid_object(gid)
cred.set_privileges(kind)
cred.get_privileges().delegate_all_privileges(True)
#cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename())
cred.set_parent(self.get_auth_cred(parent_hrn, kind))
cred.encode()
cred.sign()
return cred
def create_special_vini_record(self, interface_hrn):
# special case for vini
if ".vini" in interface_hrn and interface_hrn.endswith('vini'):
# create a fake internet2 site first
i2site = {
'name': 'Internet2',
'login_base': 'internet2',
'site_id': -1
}
site_hrn = _get_site_hrn(interface_hrn, i2site)
# import if hrn is not in list of existing hrns or if the hrn exists
# but its not a site record
if (
'authority',
site_hrn,
) not in self.records_by_type_hrn:
urn = hrn_to_urn(site_hrn, 'authority')
if not self.auth_hierarchy.auth_exists(urn):
self.auth_hierarchy.create_auth(urn)
auth_info = self.auth_hierarchy.get_auth_info(urn)
auth_record = RegAuthority(hrn=site_hrn,
gid=auth_info.get_gid_object(),
pointer=site['site_id'],
authority=get_authority(site_hrn))
auth_record.just_created()
global_dbsession.add(auth_record)
global_dbsession.commit()
self.logger.info(
"PlImporter: Imported authority (vini site) %s" %
auth_record)
self.remember_record(site_record)
def call(self, cred, record_dict, origin_hrn=None):
user_cred = Credential(string=cred)
#log the call
if not origin_hrn:
origin_hrn = user_cred.get_gid_caller().get_hrn()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, None, self.name))
# validate the cred
self.api.auth.check(cred, "register")
# make sure this is a peer record
if 'peer_authority' not in record_dict or \
not record_dict['peer_authority']:
raise SfaInvalidArgument, "peer_authority must be specified"
record = SfaRecord(dict = record_dict)
type, hrn, peer_authority = record['type'], record['hrn'], record['peer_authority']
record['authority'] = get_authority(record['hrn'])
# verify permissions
self.api.auth.verify_cred_is_me(cred)
# check if record already exists
table = SfaTable()
existing_records = table.find({'type': type, 'hrn': hrn, 'peer_authority': peer_authority})
if existing_records:
for existing_record in existing_records:
if existing_record['pointer'] != record['pointer']:
record['record_id'] = existing_record['record_id']
table.update(record)
else:
record_id = table.insert(record)
return 1
def testRegister(self):
authority = get_authority(self.hrn)
auth_cred = self.client.GetCredential(authority, 'authority')
auth_record = {'hrn': '.'.join([authority, random_string(10).lower()]),
'type': 'authority'}
node_record = {'hrn': '.'.join([authority, random_string(10)]),
'type': 'node',
'hostname': random_string(6) + '.' + random_string(6)}
slice_record = {'hrn': '.'.join([authority, random_string(10)]),
'type': 'slice', 'researcher': [self.hrn]}
user_record = {'hrn': '.'.join([authority, random_string(10)]),
'type': 'user',
'email': random_string(6) +'@'+ random_string(5) +'.'+ random_string(3),
'first_name': random_string(7),
'last_name': random_string(7)}
all_records = [auth_record, node_record, slice_record, user_record]
for record in all_records:
try:
self.registry.Register(auth_cred, record)
self.registry.Resolve(self.credential, record['hrn'])
except:
raise
finally:
try: self.registry.Remove(auth_cred, record['type'], record['hrn'])
except: pass
def get_slice_and_slivers(self, slice_xrn, login=None):
"""
Returns a dict of slivers keyed on the sliver's node_id
"""
slivers = {}
sfa_slice = None
if not slice_xrn:
return (sfa_slice, slivers)
slice_urn = hrn_to_urn(slice_xrn, 'slice')
slice_hrn, _ = urn_to_hrn(slice_xrn)
slice_name = slice_hrn
slices = self.driver.GetSlices(slice_filter= str(slice_name), \
slice_filter_type = 'slice_hrn', login=login)
logger.debug("Slabaggregate api \tget_slice_and_slivers \
sfa_slice %s \r\n slices %s self.driver.hrn %s" \
%(sfa_slice, slices, self.driver.hrn))
if not slices:
return (sfa_slice, slivers)
#if isinstance(sfa_slice, list):
#sfa_slice = slices[0]
#else:
#sfa_slice = slices
# sort slivers by node id , if there is a job
#and therfore, node allocated to this slice
for sfa_slice in slices:
try:
node_ids_list = sfa_slice['node_ids']
except KeyError:
logger.log_exc("SLABAGGREGATE \t \
get_slice_and_slivers KeyError ")
continue
for node in node_ids_list:
sliver_xrn = Xrn(slice_urn, type='sliver', id=node)
sliver_xrn.set_authority(self.driver.hrn)
#node_id = self.driver.root_auth + '.' + node_id
sliver = Sliver({'sliver_id':sliver_xrn.urn,
'name': sfa_slice['hrn'],
'type': 'slab-node',
'tags': []})
slivers[node] = sliver
#Add default sliver attribute :
#connection information for senslab
if get_authority (sfa_slice['hrn']) == self.driver.root_auth:
tmp = sfa_slice['hrn'].split('.')
ldap_username = tmp[1].split('_')[0]
vmaddr = 'ssh ' + ldap_username + '@grenoble.senslab.info'
slivers['default_sliver'] = {'vm': vmaddr , 'login': ldap_username}
#TODO get_slice_and_slivers Find the login of the external user
logger.debug("SLABAGGREGATE api get_slice_and_slivers slivers %s "\
%(slivers))
return (slices, slivers)
def get_credentials(pl_username, private_key, sfi_dir, password):
# Getting user from PLE
auth = {
'AuthMethod': 'password',
'Username': pl_username,
'AuthString': password
}
ple = xmlrpclib.Server(PLE_API, allow_none=1)
persons = ple.GetPersons(auth, {'email': pl_username},
['person_id', 'site_ids'])
if not persons:
raise Exception, "User not found."
sys.exit(1)
person_id = persons[0]['person_id']
site_id = persons[0]['site_ids'][0]
# Getting site from PLE
sites = ple.GetSites(auth, {'site_id': site_id}, ['login_base'])
if not sites:
raise Exception, "Site not found"
sys.exit(1)
site_hrn = ".".join([INTERFACE_HRN, sites[0]['login_base']])
user_hrn = email_to_hrn(site_hrn, pl_username)
# Getting slices from PLE
slices = ple.GetSlices(auth, {}, ['name', 'person_ids'])
slices = [s for s in slices if person_id in s['person_ids']]
# Delegating user account and slices
sfa = SfaHelper(user_hrn, private_key, sfi_dir)
sfa.bootstrap()
creds = []
c = {
'target': user_hrn,
'type': 'user',
'cred': sfa.delegate('user', user_hrn)
}
creds.append(c)
user_auth = get_authority(user_hrn)
c = {
'target': user_auth,
'type': 'authority',
'cred': sfa.delegate('authority', user_auth)
}
creds.append(c)
for s in slices:
s_hrn = slicename_to_hrn(INTERFACE_HRN, s['name'])
c = {
'target': s_hrn,
'type': 'slice',
'cred': sfa.delegate('slice', s_hrn)
}
creds.append(c)
return creds
def _process_ldap_info_for_one_user(self, record, result_data):
"""
Put the user's ldap data into shape. Only deals with one user
record and one user data from ldap.
:param record: user record
:param result_data: Raw ldap data coming from LdapSearch
:returns: user's data dict with 'type','pkey','uid', 'email',
'first_name' 'last_name''serial''authority''peer_authority'
'pointer''hrn'
:type record: dict
:type result_data: list
:rtype :dict
"""
#One entry only in the ldap data because we used a filter
#to find one user only
ldapentry = result_data[0][1]
logger.debug("LDAP.PY \t LdapFindUser ldapentry %s" % (ldapentry))
tmpname = ldapentry['uid'][0]
tmpemail = ldapentry['mail'][0]
if ldapentry['mail'][0] == "unknown":
tmpemail = None
parent_hrn = None
peer_authority = None
if 'hrn' in record:
hrn = record['hrn']
parent_hrn = get_authority(hrn)
if parent_hrn != self.authname:
peer_authority = parent_hrn
#In case the user was not imported from Iotlab LDAP
#but from another federated site, has an account in
#iotlab but currently using his hrn from federated site
#then the login is different from the one found in its hrn
if tmpname != hrn.split('.')[1]:
hrn = None
else:
hrn = None
results = {
'type': 'user',
'pkey': ldapentry['sshPublicKey'],
#'uid': ldapentry[1]['uid'][0],
'uid': tmpname,
'email': tmpemail,
#'email': ldapentry[1]['mail'][0],
'first_name': ldapentry['givenName'][0],
'last_name': ldapentry['sn'][0],
#'phone': 'none',
'serial': 'none',
'authority': parent_hrn,
'peer_authority': peer_authority,
'pointer': -1,
'hrn': hrn,
}
return results
def get_pis (self):
from sqlalchemy.orm import sessionmaker
Session=sessionmaker()
dbsession=Session.object_session(self)
from sfa.util.xrn import get_authority
authority_hrn = get_authority(self.hrn)
auth_record = dbsession.query(RegAuthority).filter_by(hrn=authority_hrn).first()
return auth_record.reg_pis
def CreateSliver(client):
# register a slice that will be used for some test
authority = get_authority(client.hrn)
auth_cred = client.GetCredential(authority, 'authority')
slice_record = {'hrn': ".".join([authority, random_string(10)]),
'type': 'slice', 'researcher': [client.hrn]}
client.registry.Register(auth_cred, slice_record)
return slice_record
def __get_registry_objects(slice_xrn, creds, users):
"""
"""
hrn, type = urn_to_hrn(slice_xrn)
hrn_auth = get_authority(hrn)
# Build up objects that an SFA registry would return if SFA
# could contact the slice's registry directly
reg_objects = None
if users:
# dont allow special characters in the site login base
#only_alphanumeric = re.compile('[^a-zA-Z0-9]+')
#login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower()
slicename = hrn_to_pl_slicename(hrn)
login_base = slicename.split('_')[0]
reg_objects = {}
site = {}
site['site_id'] = 0
site['name'] = 'geni.%s' % login_base
site['enabled'] = True
site['max_slices'] = 100
# Note:
# Is it okay if this login base is the same as one already at this myplc site?
# Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps?
site['login_base'] = login_base
site['abbreviated_name'] = login_base
site['max_slivers'] = 1000
reg_objects['site'] = site
slice = {}
# get_expiration always returns a normalized datetime - no need to utcparse
extime = Credential(string=creds[0]).get_expiration()
# If the expiration time is > 60 days from now, set the expiration time to 60 days from now
if extime > datetime.datetime.utcnow() + datetime.timedelta(days=60):
extime = datetime.datetime.utcnow() + datetime.timedelta(days=60)
slice['expires'] = int(time.mktime(extime.timetuple()))
slice['hrn'] = hrn
slice['name'] = hrn_to_pl_slicename(hrn)
slice['url'] = hrn
slice['description'] = hrn
slice['pointer'] = 0
reg_objects['slice_record'] = slice
reg_objects['users'] = {}
for user in users:
user['key_ids'] = []
hrn, _ = urn_to_hrn(user['urn'])
user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net"
user['first_name'] = hrn
user['last_name'] = hrn
reg_objects['users'][user['email']] = user
return reg_objects
def import_tenants(self, existing_hrns, existing_records):
# Get all tenants
# A tenant can represent an organizational group (site) or a
# slice. If a tenant's authorty/parent matches the root authority it is
# considered a group/site. All other tenants are considered slices.
tenants = self.shell.auth_manager.tenants.list()
tenants_dict = {}
for tenant in tenants:
hrn = self.config.SFA_INTERFACE_HRN + '.' + tenant.name
tenants_dict[hrn] = tenant
authority_hrn = OSXrn(xrn=hrn, type='authority').get_authority_hrn()
if hrn in existing_hrns:
continue
if authority_hrn == self.config.SFA_INTERFACE_HRN:
# import group/site
record = RegAuthority()
urn = OSXrn(xrn=hrn, type='authority').get_urn()
if not self.auth_hierarchy.auth_exists(urn):
self.auth_hierarchy.create_auth(urn)
auth_info = self.auth_hierarchy.get_auth_info(urn)
gid = auth_info.get_gid_object()
record.type='authority'
record.hrn=hrn
record.gid=gid
record.authority=get_authority(hrn)
dbsession.add(record)
dbsession.commit()
self.logger.info("OpenstackImporter: imported authority: %s" % record)
else:
record = RegSlice ()
urn = OSXrn(xrn=hrn, type='slice').get_urn()
pkey = Keypair(create=True)
gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey)
record.type='slice'
record.hrn=hrn
record.gid=gid
record.authority=get_authority(hrn)
dbsession.add(record)
dbsession.commit()
self.logger.info("OpenstackImporter: imported slice: %s" % record)
return tenants_dict
def import_users(self, existing_hrns, existing_records):
# Get all users
users = self.shell.auth_manager.users.list()
users_dict = {}
keys_filename = self.config.config_path + os.sep + 'person_keys.py'
old_user_keys = load_keys(keys_filename)
user_keys = {}
for user in users:
auth_hrn = self.config.SFA_INTERFACE_HRN
if user.tenantId is not None:
tenant = self.shell.auth_manager.tenants.find(id=user.tenantId)
auth_hrn = OSXrn(name=tenant.name,
auth=self.config.SFA_INTERFACE_HRN,
type='authority').get_hrn()
hrn = OSXrn(name=user.name, auth=auth_hrn, type='user').get_hrn()
users_dict[hrn] = user
old_keys = old_user_keys.get(hrn, [])
keyname = OSXrn(xrn=hrn, type='user').get_slicename()
keys = [
k.public_key
for k in self.shell.nova_manager.keypairs.findall(name=keyname)
]
user_keys[hrn] = keys
update_record = False
if old_keys != keys:
update_record = True
if hrn not in existing_hrns or \
(hrn, 'user') not in existing_records or update_record:
urn = OSXrn(xrn=hrn, type='user').get_urn()
if keys:
try:
pkey = convert_public_key(keys[0])
except:
self.logger.log_exc(
'unable to convert public key for %s' % hrn)
pkey = Keypair(create=True)
else:
self.logger.warn(
"OpenstackImporter: person %s does not have a PL public key"
% hrn)
pkey = Keypair(create=True)
user_gid = self.auth_hierarchy.create_gid(urn,
create_uuid(),
pkey,
email=user.email)
user_record = RegUser()
user_record.type = 'user'
user_record.hrn = hrn
user_record.gid = user_gid
user_record.authority = get_authority(hrn)
global_dbsession.add(user_record)
global_dbsession.commit()
self.logger.info("OpenstackImporter: imported person %s" %
user_record)
return users_dict, user_keys
def get_pis(self):
from sqlalchemy.orm import sessionmaker
Session = sessionmaker()
dbsession = Session.object_session(self)
from sfa.util.xrn import get_authority
authority_hrn = get_authority(self.hrn)
auth_record = dbsession.query(RegAuthority).filter_by(
hrn=authority_hrn).first()
return auth_record.reg_pis
def shutdown(self, opts, args):
slice_hrn = args[0]
slice_urn = hrn_to_urn(slice_hrn, 'slice')
slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True)
creds = [slice_cred]
if opts.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
creds.append(delegated_cred)
server = self.get_server_from_opts(opts)
return server.Shutdown(slice_urn, creds)
def get_auth_filenames(self, xrn):
hrn, type = urn_to_hrn(xrn)
leaf = get_leaf(hrn)
parent_hrn = get_authority(hrn)
directory = os.path.join(self.basedir, hrn.replace(".", "/"))
gid_filename = os.path.join(directory, leaf+".gid")
privkey_filename = os.path.join(directory, leaf+".pkey")
return (directory, gid_filename, privkey_filename)
def get_peer(pldriver, hrn):
# Because of myplc native federation, we first need to determine if this
# slice belongs to out local plc or a myplc peer. We will assume it
# is a local site, unless we find out otherwise
peer = None
# get this slice's authority (site)
slice_authority = get_authority(hrn)
# get this site's authority (sfa root authority or sub authority)
site_authority = get_authority(slice_authority).lower()
# check if we are already peered with this site_authority, if so
peers = pldriver.shell.GetPeers( {}, ['peer_id', 'peername', 'shortname', 'hrn_root'])
for peer_record in peers:
names = [name.lower() for name in peer_record.values() if isinstance(name, StringTypes)]
if site_authority in names:
peer = peer_record['shortname']
return peer
def import_sites_and_nodes(self, testbed_shell):
"""
Gets all the sites and nodes from OAR, process the information,
creates hrns and RegAuthority for sites, and feed them to the database.
For each site, import the site's nodes to the DB by calling
import_nodes.
:param testbed_shell: IotlabDriver object, used to have access to
testbed_shell methods and fetching info on sites and nodes.
:type testbed_shell: IotlabDriver
"""
sites_listdict = testbed_shell.GetSites()
nodes_listdict = testbed_shell.GetNodes()
nodes_by_id = dict([(node['node_id'], node)
for node in nodes_listdict])
for site in sites_listdict:
site_hrn = site['name']
site_record = self.find_record_by_type_hrn('authority', site_hrn)
self.logger.info("IotlabImporter: import_sites_and_nodes \
(site) %s \r\n " % site_record)
if not site_record:
try:
urn = hrn_to_urn(site_hrn, 'authority')
if not self.auth_hierarchy.auth_exists(urn):
self.auth_hierarchy.create_auth(urn)
auth_info = self.auth_hierarchy.get_auth_info(urn)
site_record = \
RegAuthority(hrn=site_hrn,
gid=auth_info.get_gid_object(),
pointer='-1',
authority=get_authority(site_hrn))
site_record.just_created()
global_dbsession.add(site_record)
global_dbsession.commit()
self.logger.info("IotlabImporter: imported authority \
(site) %s" % site_record)
self.update_just_added_records_dict(site_record)
except SQLAlchemyError:
# if the site import fails then there is no point in
# trying to import the
# site's child records(node, slices, persons), so skip them.
self.logger.log_exc("IotlabImporter: failed to import \
site. Skipping child records")
continue
else:
# xxx update the record ...
pass
site_record.stale = False
self.import_nodes(site['node_ids'], nodes_by_id, testbed_shell)
return
def CreateSliver(client):
# register a slice that will be used for some test
authority = get_authority(client.hrn)
auth_cred = client.GetCredential(authority, 'authority')
slice_record = {
'hrn': ".".join([authority, random_string(10)]),
'type': 'slice',
'researcher': [client.hrn]
}
client.registry.Register(auth_cred, slice_record)
return slice_record
def import_sites_and_nodes(self, testbed_shell):
"""
Gets all the sites and nodes from OAR, process the information,
creates hrns and RegAuthority for sites, and feed them to the database.
For each site, import the site's nodes to the DB by calling
import_nodes.
:param testbed_shell: IotlabDriver object, used to have access to
testbed_shell methods and fetching info on sites and nodes.
:type testbed_shell: IotlabDriver
"""
sites_listdict = testbed_shell.GetSites()
nodes_listdict = testbed_shell.GetNodes()
nodes_by_id = dict([(node['node_id'], node) for node in nodes_listdict])
for site in sites_listdict:
site_hrn = site['name']
site_record = self.find_record_by_type_hrn ('authority', site_hrn)
self.logger.info("IotlabImporter: import_sites_and_nodes \
(site) %s \r\n " % site_record)
if not site_record:
try:
urn = hrn_to_urn(site_hrn, 'authority')
if not self.auth_hierarchy.auth_exists(urn):
self.auth_hierarchy.create_auth(urn)
auth_info = self.auth_hierarchy.get_auth_info(urn)
site_record = \
RegAuthority(hrn=site_hrn,
gid=auth_info.get_gid_object(),
pointer='-1',
authority=get_authority(site_hrn))
site_record.just_created()
global_dbsession.add(site_record)
global_dbsession.commit()
self.logger.info("IotlabImporter: imported authority \
(site) %s" % site_record)
self.update_just_added_records_dict(site_record)
except SQLAlchemyError:
# if the site import fails then there is no point in
# trying to import the
# site's child records(node, slices, persons), so skip them.
self.logger.log_exc("IotlabImporter: failed to import \
site. Skipping child records")
continue
else:
# xxx update the record ...
pass
site_record.stale = False
self.import_nodes(site['node_ids'], nodes_by_id, testbed_shell)
return
def get_sfa_peer(self, xrn):
"""Returns the authority name for the xrn or None if the local site
is the authority.
:param xrn: the xrn of the resource we are looking the authority for.
:type xrn: string
:returns: the resources's authority name.
:rtype: string
"""
hrn, hrn_type = urn_to_hrn(xrn)
# return the authority for this hrn or None if we are the authority
sfa_peer = None
slice_authority = get_authority(hrn)
site_authority = get_authority(slice_authority)
if site_authority != self.driver.hrn:
sfa_peer = site_authority
return sfa_peer
def get_sfa_peer(self, xrn):
"""Returns the authority name for the xrn or None if the local site
is the authority.
:param xrn: the xrn of the resource we are looking the authority for.
:type xrn: string
:returns: the resources's authority name.
:rtype: string
"""
hrn, hrn_type = urn_to_hrn(xrn)
# return the authority for this hrn or None if we are the authority
sfa_peer = None
slice_authority = get_authority(hrn)
site_authority = get_authority(slice_authority)
if site_authority != self.driver.hrn:
sfa_peer = site_authority
return sfa_peer
def get_peer(self, xrn):
"""
Finds the authority of a resource based on its xrn.
If the authority is Iotlab (local) return None,
Otherwise, look up in the DB if Iotlab is federated with this site
authority and returns its DB record if it is the case.
:param xrn: resource's xrn
:type xrn: string
:returns: peer record
:rtype: dict
"""
hrn, hrn_type = urn_to_hrn(xrn)
#Does this slice belong to a local site or a peer iotlab site?
peer = None
# get this slice's authority (site)
slice_authority = get_authority(hrn)
#Iotlab stuff
#This slice belongs to the current site
if slice_authority == self.driver.testbed_shell.root_auth:
site_authority = slice_authority
return None
site_authority = get_authority(slice_authority).lower()
# get this site's authority (sfa root authority or sub authority)
logger.debug("IOTLABSLICES \t get_peer slice_authority %s \
site_authority %s hrn %s"
% (slice_authority, site_authority, hrn))
# check if we are already peered with this site_authority
#if so find the peer record
peers = self.driver.GetPeers(peer_filter=site_authority)
for peer_record in peers:
if site_authority == peer_record.hrn:
peer = peer_record
logger.debug(" IOTLABSLICES \tget_peer peer %s " % (peer))
return peer
def get_peer(self, xrn):
"""
Finds the authority of a resource based on its xrn.
If the authority is Iotlab (local) return None,
Otherwise, look up in the DB if Iotlab is federated with this site
authority and returns its DB record if it is the case.
:param xrn: resource's xrn
:type xrn: string
:returns: peer record
:rtype: dict
"""
hrn, hrn_type = urn_to_hrn(xrn)
#Does this slice belong to a local site or a peer iotlab site?
peer = None
# get this slice's authority (site)
slice_authority = get_authority(hrn)
#Iotlab stuff
#This slice belongs to the current site
if slice_authority == self.driver.testbed_shell.root_auth:
site_authority = slice_authority
return None
site_authority = get_authority(slice_authority).lower()
# get this site's authority (sfa root authority or sub authority)
logger.debug("IOTLABSLICES \t get_peer slice_authority %s \
site_authority %s hrn %s" %
(slice_authority, site_authority, hrn))
# check if we are already peered with this site_authority
#if so find the peer record
peers = self.driver.GetPeers(peer_filter=site_authority)
for peer_record in peers:
if site_authority == peer_record.hrn:
peer = peer_record
logger.debug(" IOTLABSLICES \tget_peer peer %s " % (peer))
return peer
def testRemove(self):
authority = get_authority(self.hrn)
auth_cred = self.client.GetCredential(authority, 'authority')
record = {'hrn': ".".join([authority, random_string(10)]),
'type': 'slice'}
self.registry.Register(auth_cred, record)
self.registry.Remove(auth_cred, record['type'], record['hrn'])
# should generate an exception
try:
self.registry.Resolve(self.credential, record['hrn'])
assert False
except:
assert True
def create_top_level_auth_records(self, hrn):
"""
Create top level db records (includes root and sub authorities (local/remote)
"""
# make sure parent exists
parent_hrn = get_authority(hrn)
if not parent_hrn:
parent_hrn = hrn
if not parent_hrn == hrn:
self.create_top_level_auth_records(parent_hrn)
# ensure key and cert exists:
self.auth_hierarchy.create_top_level_auth(hrn)
# create the db record if it doesnt already exist
if not self.record_exists ('authority',hrn):
auth_info = self.auth_hierarchy.get_auth_info(hrn)
auth_record = RegAuthority(hrn=hrn, gid=auth_info.get_gid_object(),
authority=get_authority(hrn))
auth_record.just_created()
dbsession.add (auth_record)
dbsession.commit()
self.logger.info("SfaImporter: imported authority (parent) %s " % auth_record)
def get_peer(pldriver, hrn):
# Because of myplc native federation, we first need to determine if this
# slice belongs to out local plc or a myplc peer. We will assume it
# is a local site, unless we find out otherwise
peer = None
# get this slice's authority (site)
slice_authority = get_authority(hrn)
# get this site's authority (sfa root authority or sub authority)
site_authority = get_authority(slice_authority).lower()
# check if we are already peered with this site_authority, if so
peers = pldriver.shell.GetPeers(
{}, ['peer_id', 'peername', 'shortname', 'hrn_root'])
for peer_record in peers:
names = [
name.lower() for name in peer_record.values()
if isinstance(name, StringTypes)
]
if site_authority in names:
peer = peer_record['shortname']
return peer
def import_slice(self, slice_hrn, slice_record, user_record):
"""
Create RegSlice record according to the slice hrn if the slice
does not exist yet.Creates a relationship with the user record
associated with the slice.
Commit the record to the database.
:param slice_hrn: Human readable name of the slice.
:type slice_hrn: string
:param slice_record: record of the slice found in the DB, if any.
:type slice_record: RegSlice or None
:param user_record: user record found in the DB if any.
:type user_record: RegUser
.. todo::Update the record if a slice record already exists.
"""
if not slice_record:
pkey = Keypair(create=True)
urn = hrn_to_urn(slice_hrn, 'slice')
slice_gid = \
self.auth_hierarchy.create_gid(urn,
create_uuid(), pkey)
slice_record = RegSlice(hrn=slice_hrn,
gid=slice_gid,
pointer='-1',
authority=get_authority(slice_hrn))
try:
slice_record.just_created()
global_dbsession.add(slice_record)
global_dbsession.commit()
self.update_just_added_records_dict(slice_record)
except SQLAlchemyError:
self.logger.log_exc("IotlabImporter: failed to import slice")
#No slice update upon import in iotlab
else:
# xxx update the record ...
self.logger.warning("Iotlab Slice update not implemented")
# record current users affiliated with the slice
slice_record.reg_researchers = [user_record]
try:
global_dbsession.commit()
slice_record.stale = False
except SQLAlchemyError:
self.logger.log_exc("IotlabImporter: failed to update slice")
def get_auth_filenames(self, xrn):
hrn, type = urn_to_hrn(xrn)
if '\\' in hrn:
hrn = hrn.replace('\\', '')
leaf = hrn
else:
leaf = get_leaf(hrn)
parent_hrn = get_authority(hrn)
directory = os.path.join(self.basedir, hrn.replace(".", "/"))
gid_filename = os.path.join(directory, leaf+".gid")
privkey_filename = os.path.join(directory, leaf+".pkey")
return (directory, gid_filename, privkey_filename)
def import_slice(self, slice_hrn, slice_record, user_record):
"""
Create RegSlice record according to the slice hrn if the slice
does not exist yet.Creates a relationship with the user record
associated with the slice.
Commit the record to the database.
:param slice_hrn: Human readable name of the slice.
:type slice_hrn: string
:param slice_record: record of the slice found in the DB, if any.
:type slice_record: RegSlice or None
:param user_record: user record found in the DB if any.
:type user_record: RegUser
.. todo::Update the record if a slice record already exists.
"""
if not slice_record:
pkey = Keypair(create=True)
urn = hrn_to_urn(slice_hrn, 'slice')
slice_gid = \
self.auth_hierarchy.create_gid(urn,
create_uuid(), pkey)
slice_record = RegSlice(hrn=slice_hrn, gid=slice_gid,
pointer='-1',
authority=get_authority(slice_hrn))
try:
slice_record.just_created()
global_dbsession.add(slice_record)
global_dbsession.commit()
self.update_just_added_records_dict(slice_record)
except SQLAlchemyError:
self.logger.log_exc("IotlabImporter: failed to import slice")
#No slice update upon import in iotlab
else:
# xxx update the record ...
self.logger.warning("Iotlab Slice update not implemented")
# record current users affiliated with the slice
slice_record.reg_researchers = [user_record]
try:
global_dbsession.commit()
slice_record.stale = False
except SQLAlchemyError:
self.logger.log_exc("IotlabImporter: failed to update slice")
def delete(self, opts, args):
slice_hrn = args[0]
slice_urn = hrn_to_urn(slice_hrn, 'slice')
slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True)
creds = [slice_cred]
if opts.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
creds.append(delegated_cred)
server = self.get_server_from_opts(opts)
call_args = [slice_urn, creds]
if self.server_supports_call_id_arg(server):
call_args.append(unique_call_id())
return server.DeleteSliver(*call_args)
def slices(self, opts, args):
"""
list instantiated slices
"""
user_cred = self.get_user_cred().save_to_string(save_parents=True)
creds = [user_cred]
if opts.delegate:
delegated_cred = self.delegate_cred(user_cred, get_authority(self.authority))
creds.append(delegated_cred)
server = self.get_server_from_opts(opts)
#results = server.ListSlices(creds, unique_call_id())
results = server.ListSlices(creds)
display_list(results)
return
def testRemove(self):
authority = get_authority(self.hrn)
auth_cred = self.client.GetCredential(authority, 'authority')
record = {
'hrn': ".".join([authority, random_string(10)]),
'type': 'slice'
}
self.registry.Register(auth_cred, record)
self.registry.Remove(auth_cred, record['type'], record['hrn'])
# should generate an exception
try:
self.registry.Resolve(self.credential, record['hrn'])
assert False
except:
assert True
def create_top_level_auth_records(self, hrn):
"""
Create top level db records (includes root and sub authorities (local/remote)
"""
# make sure parent exists
parent_hrn = get_authority(hrn)
if not parent_hrn:
parent_hrn = hrn
if not parent_hrn == hrn:
self.create_top_level_auth_records(parent_hrn)
# ensure key and cert exists:
self.auth_hierarchy.create_top_level_auth(hrn)
# create the db record if it doesnt already exist
if not self.record_exists('authority', hrn):
auth_info = self.auth_hierarchy.get_auth_info(hrn)
auth_record = RegAuthority(hrn=hrn,
gid=auth_info.get_gid_object(),
authority=get_authority(hrn))
auth_record.just_created()
global_dbsession.add(auth_record)
global_dbsession.commit()
self.logger.info("SfaImporter: imported authority (parent) %s " %
auth_record)
def get_credentials(self):
# Getting the list of slices in which user_hrn is a researcher
user_cred = self.my_credential_string
records = self.registry.Resolve(hrn_to_urn(self.user_hrn, 'user'),
user_cred)
if not records:
raise Exception, "Cannot retrieve slice information for %s" % self.user_hrn
record = records[0]
slices = record['reg-slices']
creds = []
#c = {
# 'target': self.user_hrn,
# 'type': 'user',
# 'cred': self.delegate('user', self.user_hrn)
#}
c = self.delegate('user', self.user_hrn)
creds.append(c)
try:
user_auth = get_authority(self.user_hrn)
#c = {
# 'target': user_auth,
# 'type': 'authority',
# 'cred': self.delegate('authority', user_auth)
#}
c = self.delegate('authority', user_auth)
creds.append(c)
except Exception:
print "I: No authority credential."
for s in slices:
#c = {
# 'target': s,
# 'type': 'slice',
# 'cred': self.delegate('slice', s)
#}
c = self.delegate('slice', s)
creds.append(c)
return creds
def testRegister(self):
authority = get_authority(self.hrn)
auth_cred = self.client.GetCredential(authority, 'authority')
auth_record = {
'hrn': '.'.join([authority, random_string(10).lower()]),
'type': 'authority'
}
node_record = {
'hrn': '.'.join([authority, random_string(10)]),
'type': 'node',
'hostname': random_string(6) + '.' + random_string(6)
}
slice_record = {
'hrn': '.'.join([authority, random_string(10)]),
'type': 'slice',
'researcher': [self.hrn]
}
user_record = {
'hrn':
'.'.join([authority, random_string(10)]),
'type':
'user',
'email':
random_string(6) + '@' + random_string(5) + '.' + random_string(3),
'first_name':
random_string(7),
'last_name':
random_string(7)
}
all_records = [auth_record, node_record, slice_record, user_record]
for record in all_records:
try:
self.registry.Register(auth_cred, record)
self.registry.Resolve(self.credential, record['hrn'])
except:
raise
finally:
try:
self.registry.Remove(auth_cred, record['type'],
record['hrn'])
except:
pass
def create_auth(self, xrn, create_parents=False):
hrn, type = urn_to_hrn(str(xrn))
logger.debug("Hierarchy: creating authority: %s"% hrn)
# create the parent authority if necessary
parent_hrn = get_authority(hrn)
parent_urn = hrn_to_urn(parent_hrn, 'authority')
if (parent_hrn) and (not self.auth_exists(parent_urn)) and (create_parents):
self.create_auth(parent_urn, create_parents)
(directory, gid_filename, privkey_filename,) = \
self.get_auth_filenames(hrn)
# create the directory to hold the files
try:
os.makedirs(directory)
# if the path already exists then pass
except OSError, (errno, strerr):
if errno == 17:
pass
def create_sm_client_record(self):
"""
Create a user record for the Slicemanager service.
"""
hrn = self.interface_hrn + '.slicemanager'
urn = hrn_to_urn(hrn, 'user')
if not self.auth_hierarchy.auth_exists(urn):
self.logger.info("SfaImporter: creating Slice Manager user")
self.auth_hierarchy.create_auth(urn)
if self.record_exists('user', hrn): return
auth_info = self.auth_hierarchy.get_auth_info(hrn)
user_record = RegUser(hrn=hrn,
gid=auth_info.get_gid_object(),
authority=get_authority(hrn))
user_record.just_created()
global_dbsession.add(user_record)
global_dbsession.commit()
self.logger.info("SfaImporter: importing user (slicemanager) %s " %
user_record)
def verify_object_permission(self, name):
"""
Verify that the object gid that was specified in the credential
allows permission to the object 'name'. This is done by a simple
prefix test. For example, an object_gid for plc.arizona would
match the objects plc.arizona.slice1 and plc.arizona.
@param name human readable name to test
"""
object_hrn = self.object_gid.get_hrn()
logger.debug(
"VERIFY OBJECT PERMISSION. \n\n object_hrn: %s \n name: %s \n get_authority(name): %s"
% (object_hrn, name, get_authority(name)))
if object_hrn == name:
return
if name.startswith(object_hrn + "."):
return
#if name.startswith(get_authority(name)):
#return
raise PermissionError(name)
def update_cert_records(gids):
"""
Make sure there is a record in the registry for the specified gids.
Removes old records from the db.
"""
# import db stuff here here so this module can be loaded by PlcComponentApi
from sfa.storage.alchemy import global_dbsession
from sfa.storage.model import RegRecord
dbsession = global_dbsession
if not gids:
return
# get records that actually exist in the db
gid_urns = [gid.get_urn() for gid in gids]
hrns_expected = [gid.get_hrn() for gid in gids]
records_found = dbsession.query(RegRecord).\
filter_by(pointer=-1).filter(RegRecord.hrn.in_(hrns_expected)).all()
# remove old records
for record in records_found:
if record.hrn not in hrns_expected and \
record.hrn != self.api.config.SFA_INTERFACE_HRN:
dbsession.delete(record)
# TODO: store urn in the db so we do this in 1 query
for gid in gids:
hrn, type = gid.get_hrn(), gid.get_type()
record = dbsession.query(RegRecord).filter_by(hrn=hrn,
type=type,
pointer=-1).first()
if not record:
record = RegRecord(
dict={
'type': type,
'hrn': hrn,
'authority': get_authority(hrn),
'gid': gid.save_to_string(save_parents=True),
})
dbsession.add(record)
dbsession.commit()
def create_gid(self, xrn, uuid, pkey, CA=False, email=None):
hrn, type = urn_to_hrn(xrn)
if not type:
type = 'authority'
parent_hrn = get_authority(hrn)
# Using hrn_to_urn() here to make sure the urn is in the right format
# If xrn was a hrn instead of a urn, then the gid's urn will be
# of type None
urn = hrn_to_urn(hrn, type)
gid = GID(subject=hrn, uuid=uuid, hrn=hrn, urn=urn, email=email)
# is this a CA cert
if hrn == self.config.SFA_INTERFACE_HRN or not parent_hrn:
# root or sub authority
gid.set_intermediate_ca(True)
elif type and 'authority' in type:
# authority type
gid.set_intermediate_ca(True)
elif CA:
gid.set_intermediate_ca(True)
else:
gid.set_intermediate_ca(False)
# set issuer
if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
gid.set_issuer(pkey, hrn)
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
gid.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
gid.set_parent(parent_auth_info.get_gid_object())
gid.set_pubkey(pkey)
gid.encode()
gid.sign()
return gid
def import_persons_and_slices(self, testbed_shell):
"""
Gets user data from LDAP, process the information.
Creates hrn for the user's slice, the user's gid, creates
the RegUser record associated with user. Creates the RegKey record
associated nwith the user's key.
Saves those records into the SFA DB.
import the user's slice onto the database as well by calling
import_slice.
:param testbed_shell: IotlabDriver object, used to have access to
testbed_shell attributes.
:type testbed_shell: IotlabDriver
.. warning:: does not support multiple keys per user
"""
ldap_person_listdict = testbed_shell.GetPersons()
self.logger.info("IOTLABIMPORT \t ldap_person_listdict %s \r\n" %
(ldap_person_listdict))
# import persons
for person in ldap_person_listdict:
self.logger.info("IotlabImporter: person :" % (person))
if 'ssh-rsa' not in person['pkey']:
#people with invalid ssh key (ssh-dss, empty, bullshit keys...)
#won't be imported
continue
person_hrn = person['hrn']
slice_hrn = self.slicename_to_hrn(person['hrn'])
# xxx suspicious again
if len(person_hrn) > 64:
person_hrn = person_hrn[:64]
person_urn = hrn_to_urn(person_hrn, 'user')
self.logger.info("IotlabImporter: users_rec_by_email %s " %
(self.users_rec_by_email))
#Check if user using person['email'] from LDAP is already registered
#in SFA. One email = one person. In this case, do not create another
#record for this person
#person_hrn returned by GetPerson based on iotlab root auth +
#uid ldap
user_record = self.find_record_by_type_hrn('user', person_hrn)
if not user_record and person['email'] in self.users_rec_by_email:
user_record = self.users_rec_by_email[person['email']]
person_hrn = user_record.hrn
person_urn = hrn_to_urn(person_hrn, 'user')
slice_record = self.find_record_by_type_hrn('slice', slice_hrn)
iotlab_key = person['pkey']
# new person
if not user_record:
(pubkey, pkey) = self.init_person_key(person, iotlab_key)
if pubkey is not None and pkey is not None:
person_gid = \
self.auth_hierarchy.create_gid(person_urn,
create_uuid(), pkey)
if person['email']:
self.logger.debug("IOTLAB IMPORTER \
PERSON EMAIL OK email %s " % (person['email']))
person_gid.set_email(person['email'])
user_record = \
RegUser(hrn=person_hrn,
gid=person_gid,
pointer='-1',
authority=get_authority(person_hrn),
email=person['email'])
else:
user_record = \
RegUser(hrn=person_hrn,
gid=person_gid,
pointer='-1',
authority=get_authority(person_hrn))
if pubkey:
user_record.reg_keys = [RegKey(pubkey)]
else:
self.logger.warning("No key found for user %s" %
(user_record))
try:
user_record.just_created()
global_dbsession.add(user_record)
global_dbsession.commit()
self.logger.info("IotlabImporter: imported person \
%s" % (user_record))
self.update_just_added_records_dict(user_record)
except SQLAlchemyError:
self.logger.log_exc("IotlabImporter: \
failed to import person %s" % (person))
else:
# update the record ?
# if user's primary key has changed then we need to update
# the users gid by forcing an update here
sfa_keys = user_record.reg_keys
new_key = False
if iotlab_key is not sfa_keys:
new_key = True
if new_key:
self.logger.info("IotlabImporter: \t \t USER UPDATE \
person: %s" % (person['hrn']))
(pubkey, pkey) = self.init_person_key(person, iotlab_key)
person_gid = \
self.auth_hierarchy.create_gid(person_urn,
create_uuid(), pkey)
if not pubkey:
user_record.reg_keys = []
else:
user_record.reg_keys = [RegKey(pubkey)]
self.logger.info("IotlabImporter: updated person: %s" %
(user_record))
if person['email']:
user_record.email = person['email']
try:
global_dbsession.commit()
user_record.stale = False
except SQLAlchemyError:
self.logger.log_exc("IotlabImporter: \
failed to update person %s" % (person))
self.import_slice(slice_hrn, slice_record, user_record)
def get_authority(self, hrn):
return get_authority(hrn)
def run (self, options):
config = Config ()
interface_hrn = config.SFA_INTERFACE_HRN
root_auth = config.SFA_REGISTRY_ROOT_AUTH
shell = DummyShell (config)
######## retrieve all existing SFA objects
all_records = global_dbsession.query(RegRecord).all()
# create hash by (type,hrn)
# we essentially use this to know if a given record is already known to SFA
self.records_by_type_hrn = \
dict ( [ ( (record.type, record.hrn) , record ) for record in all_records ] )
# create hash by (type,pointer)
self.records_by_type_pointer = \
dict ( [ ( (record.type, record.pointer) , record ) for record in all_records
if record.pointer != -1] )
# initialize record.stale to True by default, then mark stale=False on the ones that are in use
for record in all_records: record.stale=True
# DEBUG
#all_records = global_dbsession.query(RegRecord).all()
#for record in all_records: print record
######## retrieve Dummy TB data
# Get all plc sites
# retrieve only required stuf
sites = [shell.GetTestbedInfo()]
print "sites: " + sites
# create a hash of sites by login_base
# sites_by_login_base = dict ( [ ( site['login_base'], site ) for site in sites ] )
# Get all dummy TB users
users = shell.GetUsers()
# create a hash of users by user_id
users_by_id = dict ( [ ( user['user_id'], user) for user in users ] )
# Get all dummy TB public keys
keys = []
for user in users:
if 'keys' in user:
keys.extend(user['keys'])
# create a dict user_id -> [ keys ]
keys_by_person_id = {}
for user in users:
if 'keys' in user:
keys_by_person_id[user['user_id']] = user['keys']
# Get all dummy TB nodes
nodes = shell.GetNodes()
# create hash by node_id
nodes_by_id = dict ( [ ( node['node_id'], node, ) for node in nodes ] )
# Get all dummy TB slices
slices = shell.GetSlices()
# create hash by slice_id
slices_by_id = dict ( [ (slice['slice_id'], slice ) for slice in slices ] )
# start importing
print " STARTING FOR SITES"
for site in sites:
site_hrn = _get_site_hrn(interface_hrn, site)
# import if hrn is not in list of existing hrns or if the hrn exists
# but its not a site record
site_record=self.locate_by_type_hrn ('authority', site_hrn)
print site_hrn
print site_record
if not site_record:
try:
print "TRY TO CREATE SITE RECORD"
urn = hrn_to_urn(site_hrn, 'authority')
if not self.auth_hierarchy.auth_exists(urn):
print "create auth "+urn
self.auth_hierarchy.create_auth(urn)
auth_info = self.auth_hierarchy.get_auth_info(urn)
site_record = RegAuthority(hrn=site_hrn, gid=auth_info.get_gid_object(),
pointer= -1,
authority=get_authority(site_hrn))
site_record.just_created()
print "urn: "+urn
print "auth_info: " + auth_info
print site_record
global_dbsession.add(site_record)
global_dbsession.commit()
self.logger.info("DummyImporter: imported authority (site) : %s" % site_record)
self.remember_record (site_record)
except:
# if the site import fails then there is no point in trying to import the
# site's child records (node, slices, persons), so skip them.
self.logger.log_exc("DummyImporter: failed to import site. Skipping child records")
continue
else:
# xxx update the record ...
pass
site_record.stale=False
# import node records
for node in nodes:
site_auth = get_authority(site_hrn)
site_name = site['name']
node_hrn = hostname_to_hrn(site_auth, site_name, node['hostname'])
# xxx this sounds suspicious
if len(node_hrn) > 64: node_hrn = node_hrn[:64]
node_record = self.locate_by_type_hrn ( 'node', node_hrn )
if not node_record:
try:
pkey = Keypair(create=True)
urn = hrn_to_urn(node_hrn, 'node')
node_gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey)
node_record = RegNode (hrn=node_hrn, gid=node_gid,
pointer =node['node_id'],
authority=get_authority(node_hrn))
node_record.just_created()
global_dbsession.add(node_record)
global_dbsession.commit()
self.logger.info("DummyImporter: imported node: %s" % node_record)
self.remember_record (node_record)
except:
self.logger.log_exc("DummyImporter: failed to import node")
else:
# xxx update the record ...
pass
node_record.stale=False
all_records = global_dbsession.query(RegRecord).all()
for record in all_records: print record
site_pis=[]
# import users
for user in users:
user_hrn = email_to_hrn(site_hrn, user['email'])
# xxx suspicious again
if len(user_hrn) > 64: user_hrn = user_hrn[:64]
user_urn = hrn_to_urn(user_hrn, 'user')
user_record = self.locate_by_type_hrn ( 'user', user_hrn)
# return a tuple pubkey (a dummy TB key object) and pkey (a Keypair object)
def init_user_key (user):
pubkey = None
pkey = None
if user['keys']:
# randomly pick first key in set
for key in user['keys']:
pubkey = key
try:
pkey = convert_public_key(pubkey)
break
except:
continue
if not pkey:
self.logger.warn('DummyImporter: unable to convert public key for %s' % user_hrn)
pkey = Keypair(create=True)
else:
# the user has no keys. Creating a random keypair for the user's gid
self.logger.warn("DummyImporter: user %s does not have a NITOS public key"%user_hrn)
pkey = Keypair(create=True)
return (pubkey, pkey)
# new user
try:
if not user_record:
(pubkey,pkey) = init_user_key (user)
user_gid = self.auth_hierarchy.create_gid(user_urn, create_uuid(), pkey)
user_gid.set_email(user['email'])
user_record = RegUser (hrn=user_hrn, gid=user_gid,
pointer=user['user_id'],
authority=get_authority(user_hrn),
email=user['email'])
if pubkey:
user_record.reg_keys=[RegKey (pubkey)]
else:
self.logger.warning("No key found for user %s"%user_record)
user_record.just_created()
global_dbsession.add (user_record)
global_dbsession.commit()
self.logger.info("DummyImporter: imported person: %s" % user_record)
self.remember_record ( user_record )
else:
# update the record ?
# if user's primary key has changed then we need to update the
# users gid by forcing an update here
sfa_keys = user_record.reg_keys
def key_in_list (key,sfa_keys):
for reg_key in sfa_keys:
if reg_key.key==key: return True
return False
# is there a new key in Dummy TB ?
new_keys=False
for key in user['keys']:
if not key_in_list (key,sfa_keys):
new_keys = True
if new_keys:
(pubkey,pkey) = init_user_key (user)
user_gid = self.auth_hierarchy.create_gid(user_urn, create_uuid(), pkey)
if not pubkey:
user_record.reg_keys=[]
else:
user_record.reg_keys=[ RegKey (pubkey)]
self.logger.info("DummyImporter: updated person: %s" % user_record)
user_record.email = user['email']
global_dbsession.commit()
user_record.stale=False
except:
self.logger.log_exc("DummyImporter: failed to import user %d %s"%(user['user_id'],user['email']))
# import slices
for slice in slices:
slice_hrn = slicename_to_hrn(site_hrn, slice['slice_name'])
slice_record = self.locate_by_type_hrn ('slice', slice_hrn)
if not slice_record:
try:
pkey = Keypair(create=True)
urn = hrn_to_urn(slice_hrn, 'slice')
slice_gid = self.auth_hierarchy.create_gid(urn, create_uuid(), pkey)
slice_record = RegSlice (hrn=slice_hrn, gid=slice_gid,
pointer=slice['slice_id'],
authority=get_authority(slice_hrn))
slice_record.just_created()
global_dbsession.add(slice_record)
global_dbsession.commit()
self.logger.info("DummyImporter: imported slice: %s" % slice_record)
self.remember_record ( slice_record )
except:
self.logger.log_exc("DummyImporter: failed to import slice")
else:
# xxx update the record ...
self.logger.warning ("Slice update not yet implemented")
pass
# record current users affiliated with the slice
slice_record.reg_researchers = \
[ self.locate_by_type_pointer ('user',user_id) for user_id in slice['user_ids'] ]
global_dbsession.commit()
slice_record.stale=False
### remove stale records
# special records must be preserved
system_hrns = [interface_hrn, root_auth, interface_hrn + '.slicemanager']
for record in all_records:
if record.hrn in system_hrns:
record.stale=False
if record.peer_authority:
record.stale=False
for record in all_records:
try: stale=record.stale
except:
stale=True
self.logger.warning("stale not found with %s"%record)
if stale:
self.logger.info("DummyImporter: deleting stale record: %s" % record)
global_dbsession.delete(record)
global_dbsession.commit()
