    def setup(self, **kwargs):
        self.logger.debug("ENTER: ID.setup()")

        if not self.is_local_myproxy():
            print "Using MyProxy server on " \
                + str(self.conf.get_myproxy_server())
            self.logger.debug("No MyProxy configured for this host")
            return

        self.configure_credential(**kwargs)
        self.configure_myproxy_ca(**kwargs)
        self.configure_trust_roots(**kwargs)
        self.configure_myproxy_pam()
        self.configure_myproxy_mapapp()
        self.configure_myproxy_cred_repo()
        self.configure_myproxy_port()
        
        self.write_myproxy_conf()
        self.write_myproxy_init_conf()
        self.enable()
        self.restart()
        cadir = self.conf.get_myproxy_ca_directory()
        cert_path = os.path.join(cadir, "cacert.pem")

        print "Configured MyProxy server on " \
            + self.conf.get_myproxy_server() + ":7512"
        print "CA DN: " + security.get_certificate_subject(cert_path)
        myproxy_dn = self.get_myproxy_dn_from_server()
        if myproxy_dn is not None:
            print "Service DN: " + myproxy_dn

        self.logger.debug("EXIT: ID.setup()")
    def setup(self, **kwargs):
        self.logger.debug("ENTER: ID.setup()")

        if not self.is_local_myproxy():
            print "Using MyProxy server on " \
                + str(self.conf.get_myproxy_server())
            self.logger.debug("No MyProxy configured for this host")
            return

        self.configure_credential(**kwargs)
        self.configure_myproxy_ca(**kwargs)
        self.configure_trust_roots(**kwargs)
        self.configure_myproxy_pam()
        self.configure_myproxy_mapapp()
        self.configure_myproxy_cred_repo()
        self.configure_myproxy_port()

        self.write_myproxy_conf()
        self.write_myproxy_init_conf()
        self.enable()
        self.restart()
        cadir = self.conf.get_myproxy_ca_directory()
        cert_path = os.path.join(cadir, "cacert.pem")

        print "Configured MyProxy server on " \
            + self.conf.get_myproxy_server() + ":7512"
        print "CA DN: " + security.get_certificate_subject(cert_path)
        myproxy_dn = self.get_myproxy_dn_from_server()
        if myproxy_dn is not None:
            print "Service DN: " + myproxy_dn

        self.logger.debug("EXIT: ID.setup()")
    def setup(self, **kwargs):
        self.logger.debug("ENTER: IO.setup()")

        if not self.is_local():
            self.logger.debug("No GridFTP server to configure on this node")
            return

        self.configure_credential(**kwargs)
        self.configure_server(**kwargs)
        self.configure_sharing(**kwargs)
        self.configure_trust_roots(**kwargs)
        self.configure_authorization(**kwargs)
        self.restart(**kwargs)
        self.enable(**kwargs)
        self.bind_to_endpoint(**kwargs)
        print "Configured GridFTP server to run on " + self.conf.get_gridftp_server()
        print "Server DN: " + security.get_certificate_subject(self.conf.get_security_certificate_file())
        print "Using Authentication Method " + self.conf.get_security_identity_method()
        print "Configured Endpoint " + self.conf.get_endpoint_name()
        self.logger.debug("EXIT: IO.setup()")
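    def configure_myproxy_mapapp(self, force=False):
        """Write the MyProxy certificate-to-account mapping script.

        Only applies when the configured authorization method is
        ``MyProxyGridmapCallout``; otherwise nothing is written. The script
        is rendered from the packaged ``mapapp-template`` with the subject
        DN of the local MyProxy CA (``cacert.pem`` in the CA directory)
        substituted for ``%(dn)s``, stored as ``<ca dir>/mapapp`` with mode
        0755, and the matching ``certificate_mapapp`` directive is left in
        ``self.myproxy_mapapp_config`` for the server configuration writer.

        Args:
            force: accepted for signature parity with the other
                ``configure_*`` methods; unused (the file is always
                rewritten).

        Returns:
            None.

        Raises:
            IOError/OSError: the template cannot be loaded or the script
                cannot be written or chmod'ed.
        """
        method = self.conf.get_security_authorization_method()
        if method != "MyProxyGridmapCallout":
            self.logger.debug("Not using MyProxy GridMap Callout, "
                              + "nothing to configure")
            return

        cadir = self.conf.get_myproxy_ca_directory()
        mapapp = os.path.join(cadir, "mapapp")
        # The DN is read from the CA certificate this tool generated, so it
        # is administrator-controlled; it is still spliced into an
        # executable script, so keep the template's quoting intact.
        dn = security.get_certificate_subject(os.path.join(cadir, "cacert.pem"))

        mapapp_template = pkgutil.get_data("globus.connect.server", "mapapp-template")

        # Create the file under a known umask and restore the caller's umask
        # even when the write fails (previously it was only restored on the
        # success path, leaking 022 to the rest of the process).
        old_umask = os.umask(0o22)
        try:
            with open(mapapp, "w") as mapapp_file:
                mapapp_file.write(mapapp_template % {"dn": dn})
        finally:
            os.umask(old_umask)
        # The script is referenced as a mapping program (certificate_mapapp),
        # so it has to be executable.
        os.chmod(mapapp, 0o755)

        self.myproxy_mapapp_config = "certificate_mapapp " + mapapp + "\n"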
    def setup(self, **kwargs):
        self.logger.debug("ENTER: IO.setup()")

        if not self.is_local():
            self.logger.debug("No GridFTP server to configure on this node")
            return

        self.configure_credential(**kwargs)
        self.configure_server(**kwargs)
        self.configure_sharing(**kwargs)
        self.configure_trust_roots(**kwargs)
        self.configure_authorization(**kwargs)
        self.restart(**kwargs)
        self.enable(**kwargs)
        self.bind_to_endpoint(**kwargs)
        print "Configured GridFTP server to run on " \
            + self.conf.get_gridftp_server()
        print "Server DN: " + security.get_certificate_subject(
                self.conf.get_security_certificate_file())
        print "Using Authentication Method " + \
            self.conf.get_security_identity_method()
        print "Configured Endpoint " + self.conf.get_endpoint_name()
        self.logger.debug("EXIT: IO.setup()")
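    def configure_myproxy_mapapp(self, force=False):
        """Write the MyProxy certificate-to-account mapping script.

        Only applies when the configured authorization method is
        ``MyProxyGridmapCallout``; otherwise nothing is written. The script
        is rendered from the packaged ``mapapp-template`` with the subject
        DN of the local MyProxy CA (``cacert.pem`` in the CA directory)
        substituted for ``%(dn)s``, stored as ``<ca dir>/mapapp`` with mode
        0755, and the matching ``certificate_mapapp`` directive is left in
        ``self.myproxy_mapapp_config`` for the server configuration writer.

        Args:
            force: accepted for signature parity with the other
                ``configure_*`` methods; unused (the file is always
                rewritten).

        Returns:
            None.

        Raises:
            IOError/OSError: the template cannot be loaded or the script
                cannot be written or chmod'ed.
        """
        method = self.conf.get_security_authorization_method()
        if method != "MyProxyGridmapCallout":
            self.logger.debug("Not using MyProxy GridMap Callout, " +
                              "nothing to configure")
            return

        cadir = self.conf.get_myproxy_ca_directory()
        mapapp = os.path.join(cadir, 'mapapp')
        # The DN is read from the CA certificate this tool generated, so it
        # is administrator-controlled; it is still spliced into an
        # executable script, so keep the template's quoting intact.
        dn = security.get_certificate_subject(os.path.join(
            cadir, "cacert.pem"))

        mapapp_template = pkgutil.get_data("globus.connect.server",
                                           "mapapp-template")

        # Create the file under a known umask and restore the caller's umask
        # even when the write fails (previously it was only restored on the
        # success path, leaking 022 to the rest of the process). Octal
        # literals use the 0o form so the module also parses on Python 3.
        old_umask = os.umask(0o22)
        try:
            with open(mapapp, "w") as mapapp_file:
                mapapp_file.write(mapapp_template % {'dn': dn})
        finally:
            os.umask(old_umask)
        # The script is referenced as a mapping program (certificate_mapapp),
        # so it has to be executable.
        os.chmod(mapapp, 0o755)

        self.myproxy_mapapp_config = "certificate_mapapp " + mapapp + "\n"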
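    def bind_to_endpoint(self, **kwargs):
        """Register this GridFTP server with the configured Globus endpoint.

        The endpoint named in the configuration is fetched through the
        transfer API; its default directory, public flag, server list and
        identity-provider settings (MyProxy server/DN or OAuth server) are
        brought in line with the configuration and the endpoint is updated
        in one call. A missing endpoint (HTTP 404) is created instead.
        Nothing is done when no endpoint name is configured.

        Keyword Args:
            force: delete the endpoint before binding so it is recreated
                from scratch; a failed delete is logged and ignored.
            reset: keep only this server in the endpoint's server list.
                Otherwise entries with no hostname, the
                ``relay-disconnected.globusonline.org`` placeholder and any
                entry with this server's URI are dropped before this server
                is appended.

        Returns:
            None. Transfer API failures are logged and counted in
            ``self.errorcount`` rather than raised.

        Raises:
            Exception: OAuth is selected but no OAuth server is configured,
                or the OAuth server value contains ``:``.
            ValueError: the configured GridFTP server port is not an integer.
        """
        self.logger.debug("ENTER: IO.bind_to_endpoint()")
        endpoint_name = self.conf.get_endpoint_name()

        if endpoint_name is None:
            return

        if kwargs.get('force'):
            # Best effort: the endpoint may not exist yet. Log the failure
            # instead of discarding it (the old bare 'except: pass' also
            # swallowed KeyboardInterrupt and programming errors).
            try:
                self.logger.debug("Removing old endpoint definition")
                self.api.endpoint_delete(endpoint_name)
            except Exception as e:
                self.logger.debug(
                    "endpoint delete failed (ignored): %s" % (e,))

        self.logger.debug("Configuring endpoint " + endpoint_name)
        endpoint_public = self.conf.get_endpoint_public()
        endpoint_default_dir = self.conf.get_endpoint_default_dir()

        # Split "[scheme://]host[:port]"; defaults are gsiftp on 2811. A
        # bracketed IPv6 literal is not handled (first ':' is the separator).
        server = self.conf.get_gridftp_server()
        scheme = "gsiftp"
        port = 2811
        if "://" in server:
            (scheme, server) = server.split("://", 1)
        if ":" in server:
            (hostname, port_s) = server.split(":", 1)
            port = int(port_s)
        else:
            hostname = server
        server = scheme + "://" + hostname + ":" + str(port)

        # Identity provider the endpoint will obtain credentials from.
        oauth_server = None
        myproxy_server = None
        myproxy_dn = None
        identity_method = self.conf.get_security_identity_method()
        if identity_method == self.conf.IDENTITY_METHOD_OAUTH:
            oauth_server = self.conf.get_oauth_server()
            if oauth_server is None:
                raise Exception("Configured to use OAuth, but no OAuth server defined")
        elif identity_method == self.conf.IDENTITY_METHOD_CILOGON:
            oauth_server = "cilogon.org"
        else:
            myproxy_server = self.conf.get_myproxy_server()
            myproxy_dn = self.conf.get_myproxy_dn()
            # Only ask a server that is actually configured. NOTE(review):
            # with no DN configured, the DN the live server presents is
            # pinned as the identity the transfer service will require later
            # (trust-on-first-use) -- prefer configuring it explicitly.
            if myproxy_dn is None and myproxy_server is not None:
                myproxy_dn = self.get_myproxy_dn_from_server()

        if myproxy_server is not None:
            myproxy_server = gcmu.to_unicode(myproxy_server)
        if myproxy_dn is not None:
            myproxy_dn = gcmu.to_unicode(myproxy_dn)
        if oauth_server is not None:
            # A ':' means a port or a scheme was given; only a bare host
            # name is accepted (a path component is not checked here).
            if ":" in oauth_server:
                raise Exception("[OAuth] Server value must be a public host name only")
            oauth_server = gcmu.to_unicode(oauth_server)

        # Server record sent to the API; 'subject' is the host certificate
        # DN the transfer service will expect from this server.
        new_gridftp_server = {
            u'DATA_TYPE': u'server',
            u'uri': gcmu.to_unicode(server),
            u'scheme': gcmu.to_unicode(scheme),
            u'hostname': gcmu.to_unicode(hostname),
            u'port': port,
            u'is_connected': True,
            u'subject': gcmu.to_unicode(security.get_certificate_subject(
                self.conf.get_security_certificate_file())),
            u'update': True,
        }

        try:
            (status_code, status_reason, data) = \
                self.api.endpoint(endpoint_name)

            old_default_dir = data.get("default_directory")
            if old_default_dir is None or \
                    old_default_dir != endpoint_default_dir:
                self.logger.debug(
                    "Changing default_directory on endpoint "
                    "from [%(old)s] to [%(new)s]" % {
                        'old': str(old_default_dir),
                        'new': endpoint_default_dir,
                    })
                data[u'default_directory'] = \
                    gcmu.to_unicode(endpoint_default_dir)

            old_public = data.get('public')
            if old_public is not None and old_public != endpoint_public:
                data[u'public'] = endpoint_public

            if kwargs.get("reset"):
                servers_filtered = [new_gridftp_server]
            else:
                servers_filtered = [
                    x for x in data[u'DATA']
                    if x[u'hostname'] is not None
                    and x[u'hostname'] != u'relay-disconnected.globusonline.org'
                    and x[u'uri'] != gcmu.to_unicode(server)]
                servers_filtered.append(new_gridftp_server)
            data[u'DATA'] = servers_filtered
            data[u'myproxy_server'] = myproxy_server
            data[u'myproxy_dn'] = myproxy_dn
            data[u'oauth_server'] = oauth_server

            self.api.endpoint_update(endpoint_name, data)
        except TransferAPIError as e:
            if e.status_code == 404:
                self.logger.debug("endpoint %s does not exist, creating"
                                  % (endpoint_name))
                try:
                    (status_code, status_reason, data) = \
                        self.api.endpoint_create(
                            endpoint_name,
                            default_directory=endpoint_default_dir,
                            public=endpoint_public,
                            is_globus_connect=False,
                            hostname=new_gridftp_server[u'hostname'],
                            scheme=new_gridftp_server[u'scheme'],
                            port=new_gridftp_server[u'port'],
                            subject=new_gridftp_server[u'subject'],
                            myproxy_server=myproxy_server,
                            myproxy_dn=myproxy_dn,
                            oauth_server=oauth_server)
                except TransferAPIError as e:
                    self.logger.error("endpoint create failed: %s" %
                                      (e.message))
                    self.errorcount += 1
            else:
                # Any other API failure used to be dropped silently, leaving
                # the endpoint unbound with no error reported.
                self.logger.error("endpoint failed: %s" % (e.message))
                self.errorcount += 1
        self.logger.debug("EXIT: IO.bind_to_endpoint()")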
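    def configure_gridmap_verify_myproxy_callout(self, conf_file_name, conf_link_name, **kwargs):
        """Write the GSI authorization callout config for MyProxy gridmap verification.

        ``conf_file_name`` receives two settings: ``$GSI_AUTHZ_CONF``, the
        path ``<root>/etc/gridmap_verify_myproxy_callout-gsi_authz.conf``,
        and ``$GLOBUS_MYPROXY_CA_CERT``, the MyProxy CA certificate as
        installed in the trusted-certificate directory (``<hash>.0``).
        ``conf_link_name`` is then created as a symlink to the file.

        The CA certificate is located as follows:
          * local MyProxy: ``cacert.pem`` in the MyProxy CA directory;
          * otherwise: the ``*.0`` file in the trusted-certificate directory
            whose subject equals the CA DN. An explicitly configured MyProxy
            CA subject DN is used as-is; when none is configured the
            configured MyProxy DN is assumed to be the CA name, and as a
            last resort the DN is fetched from the MyProxy server.

        Args:
            conf_file_name: configuration file to (over)write.
            conf_link_name: symlink to create pointing at ``conf_file_name``.
            **kwargs: unused; accepted for signature parity.

        Returns:
            None.

        Raises:
            Exception: no CA certificate could be located.
            OSError: ``conf_link_name`` already exists (the link is not
                replaced) or the file cannot be written.
        """
        self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")

        with open(conf_file_name, "w") as conf_file:
            conf_file.write("$GSI_AUTHZ_CONF \"%s\"\n" % (
                os.path.join(
                    self.conf.root, "etc",
                    "gridmap_verify_myproxy_callout-gsi_authz.conf")))

            myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
            myproxy_server = self.conf.get_myproxy_server()
            if myproxy_ca_dn is None and \
                    myproxy_server is not None and \
                    self.is_local_myproxy():
                myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
                myproxy_ca_dn = security.get_certificate_subject(
                    os.path.join(myproxy_ca_dir, "cacert.pem"))
            elif myproxy_ca_dn is None:
                # Assume the CA name is the same as the MyProxy server's
                # subject. A CA DN the administrator configured is kept: the
                # previous unconditional fallback overwrote it with the
                # server DN, so the callout could be pointed at a different
                # CA than the one named in the configuration.
                myproxy_ca_dn = self.conf.get_myproxy_dn()
                if myproxy_ca_dn is None:
                    myproxy_ca_dn = self.get_myproxy_dn_from_server()

            cadir = self.conf.get_security_trusted_certificate_directory()
            self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
            self.logger.debug("CA dir is " + str(cadir))

            myproxy_certpath = None
            if self.is_local_myproxy():
                myproxy_certpath = os.path.join(
                    self.conf.get_myproxy_ca_directory(), "cacert.pem")
            elif myproxy_ca_dn is not None:
                self.logger.debug("Looking for MyProxy CA cert in " + cadir)
                for certfile in os.listdir(cadir):
                    if not certfile.endswith('.0'):
                        continue
                    certpath = os.path.join(cadir, certfile)
                    self.logger.debug("Checking to see if " + certfile
                                      + " matches MyProxyDN")
                    if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                        myproxy_certpath = certpath
                        break

            if myproxy_certpath is None:
                raise Exception("ERROR: Unable to determine " +
                    "path to MyProxy CA certificate, set " +
                    "CaCert option in MyProxy section of config.\n")

            # The callout is pointed at the hash-named copy in the trusted
            # directory, not at the MyProxy CA directory. A missing cert or
            # signing policy is reported but the config is still written, so
            # the problem surfaces when the callout runs rather than here.
            myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)
            installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
            installed_signing_policy = os.path.join(
                cadir, myproxy_ca_hash + ".signing_policy")
            if not os.path.exists(installed_cert):
                self.logger.error("MyProxy CA not installed in trusted CA dir")
            if not os.path.exists(installed_signing_policy):
                self.logger.error("MyProxy CA signing policy not installed "
                                  + "in trusted CA dir")

            conf_file.write("$GLOBUS_MYPROXY_CA_CERT \"%s\"\n" % installed_cert)
            os.symlink(conf_file_name, conf_link_name)
        self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")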
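    def bind_to_endpoint(self, **kwargs):
        """Register this GridFTP server with the configured Globus endpoint.

        The endpoint named in the configuration is fetched through the
        transfer API. Endpoint-level settings that differ from the
        configuration (default directory, public flag, MyProxy server/DN,
        OAuth server) are sent in one update; the endpoint's server list is
        then fetched, entries for this hostname (or every entry when
        ``reset`` is set) are deleted, and this server is added. A missing
        endpoint (HTTP 404) is created instead. Nothing is done when no
        endpoint name is configured.

        Keyword Args:
            force: delete the endpoint before binding so it is recreated
                from scratch; a failed delete is logged and ignored.
            reset: remove every other GridFTP server from the endpoint
                before adding this one.

        Returns:
            None. Transfer API failures are logged and counted in
            ``self.errorcount`` rather than raised.

        Raises:
            Exception: OAuth is selected but no OAuth server is configured,
                or the OAuth server value contains ``:``.
            ValueError: the configured GridFTP server port is not an integer.
        """
        self.logger.debug("ENTER: IO.bind_to_endpoint()")
        endpoint_name = self.conf.get_endpoint_name()

        if endpoint_name is None:
            return

        if kwargs.get('force'):
            # Best effort: the endpoint may not exist yet. Log the failure
            # instead of discarding it (the old bare 'except: pass' also
            # swallowed KeyboardInterrupt and programming errors).
            try:
                self.logger.debug("Removing old endpoint definition")
                self.api.endpoint_delete(endpoint_name)
            except Exception as e:
                self.logger.debug(
                    "endpoint delete failed (ignored): %s" % (e,))

        self.logger.debug("Configuring endpoint " + endpoint_name)
        endpoint_public = self.conf.get_endpoint_public()
        endpoint_default_dir = self.conf.get_endpoint_default_dir()

        # Split "[scheme://]host[:port]"; defaults are gsiftp on 2811. A
        # bracketed IPv6 literal is not handled (first ':' is the separator).
        server = self.conf.get_gridftp_server()
        scheme = "gsiftp"
        port = 2811
        if "://" in server:
            (scheme, server) = server.split("://", 1)
        if ":" in server:
            (hostname, port_s) = server.split(":", 1)
            port = int(port_s)
        else:
            hostname = server
        server = scheme + "://" + hostname + ":" + str(port)

        # Identity provider the endpoint will obtain credentials from.
        oauth_server = None
        myproxy_server = None
        myproxy_dn = None
        identity_method = self.conf.get_security_identity_method()
        if identity_method == self.conf.IDENTITY_METHOD_OAUTH:
            oauth_server = self.conf.get_oauth_server()
            if oauth_server is None:
                raise Exception(
                    "Configured to use OAuth, but no OAuth server defined")
        elif identity_method == self.conf.IDENTITY_METHOD_CILOGON:
            oauth_server = "cilogon.org"
        else:
            myproxy_server = self.conf.get_myproxy_server()
            myproxy_dn = self.conf.get_myproxy_dn()
            # NOTE(review): with no DN configured, the DN the live server
            # presents is pinned as the identity the transfer service will
            # require later (trust-on-first-use) -- prefer configuring it.
            if myproxy_dn is None and myproxy_server is not None:
                myproxy_dn = self.get_myproxy_dn_from_server()

        if myproxy_server is not None:
            myproxy_server = gcmu.to_unicode(myproxy_server)
        if myproxy_dn is not None:
            myproxy_dn = gcmu.to_unicode(myproxy_dn)
        if oauth_server is not None:
            # A ':' means a port or a scheme was given; only a bare host
            # name is accepted (a path component is not checked here).
            if ":" in oauth_server:
                raise Exception(
                    "[OAuth] Server value must be a public host name only")
            oauth_server = gcmu.to_unicode(oauth_server)

        # Server record sent to the API; 'subject' is the host certificate
        # DN the transfer service will expect from this server.
        new_gridftp_server = {
            gcmu.to_unicode('DATA_TYPE'): gcmu.to_unicode('server'),
            gcmu.to_unicode('scheme'): gcmu.to_unicode(scheme),
            gcmu.to_unicode('hostname'): gcmu.to_unicode(hostname),
            gcmu.to_unicode('port'): port,
            gcmu.to_unicode('subject'): gcmu.to_unicode(
                security.get_certificate_subject(
                    self.conf.get_security_certificate_file())),
        }

        try:
            (status_code, status_reason, data) = \
                self.api.endpoint(endpoint_name)

            default_directory_key = gcmu.to_unicode('default_directory')
            public_key = gcmu.to_unicode('public')
            myproxy_server_key = gcmu.to_unicode('myproxy_server')
            myproxy_dn_key = gcmu.to_unicode('myproxy_dn')
            oauth_server_key = gcmu.to_unicode('oauth_server')
            hostname_key = gcmu.to_unicode('hostname')
            id_key = gcmu.to_unicode('id')
            data_key = gcmu.to_unicode('DATA')

            # Only fields that differ are sent, so an unchanged endpoint
            # costs no update call.
            new_endpoint = {'DATA_TYPE': 'endpoint'}
            if data.get(default_directory_key) != endpoint_default_dir:
                self.logger.debug("Changing default_directory on endpoint "
                                  "to [%(new)s]" % {'new': endpoint_default_dir})
                new_endpoint[default_directory_key] = \
                    gcmu.to_unicode(endpoint_default_dir)

            if data.get(public_key) != endpoint_public:
                self.logger.debug("Changing public to " + str(endpoint_public))
                new_endpoint[public_key] = endpoint_public

            if data.get(myproxy_server_key) != myproxy_server:
                self.logger.debug("Changing myproxy_server to " +
                                  str(myproxy_server))
                new_endpoint[myproxy_server_key] = myproxy_server

            if data.get(myproxy_dn_key) != myproxy_dn:
                self.logger.debug("Changing myproxy_dn to " + str(myproxy_dn))
                new_endpoint[myproxy_dn_key] = myproxy_dn

            if data.get(oauth_server_key) != oauth_server:
                self.logger.debug("Changing oauth_server to " +
                                  str(oauth_server))
                new_endpoint[oauth_server_key] = oauth_server

            if len(new_endpoint) > 1:
                self.logger.debug("Updating endpoint")
                (status_code, status_reason, data) = \
                    self.api.endpoint_update(endpoint_name, new_endpoint)
                self.logger.debug("endpoint update result: " +
                                  str(status_code))

            # Replace any existing entry for this host (or every entry when
            # reset is set) with the new record.
            (status_code, status_reason, data) = \
                self.api.endpoint_server_list(endpoint_name)
            self.logger.debug("Existing endpoint server list: " +
                              str(data.get(data_key, [])))
            for server_item in data.get(data_key, []):
                self.logger.debug("existing server for endpoint: " +
                                  str(server_item.get(hostname_key, "")))
                this_server_hostname = server_item.get(hostname_key)
                this_server_id = server_item.get(id_key)
                if kwargs.get('reset') or \
                        this_server_hostname == gcmu.to_unicode(hostname):
                    self.logger.debug("deleting server entry for " +
                                      str(this_server_hostname) +
                                      " with id  " + str(this_server_id))
                    self.api.endpoint_server_delete(endpoint_name,
                                                    this_server_id)
            self.api.endpoint_server_add(endpoint_name, new_gridftp_server)
        except TransferAPIError as e:
            if e.status_code == 404:
                self.logger.debug("endpoint %s does not exist, creating" %
                                  (endpoint_name))
                try:
                    (status_code, status_reason, data) = \
                        self.api.endpoint_create(
                            endpoint_name,
                            default_directory=endpoint_default_dir,
                            public=endpoint_public,
                            is_globus_connect=False,
                            hostname=new_gridftp_server['hostname'],
                            scheme=new_gridftp_server['scheme'],
                            port=new_gridftp_server['port'],
                            subject=new_gridftp_server['subject'],
                            myproxy_server=myproxy_server,
                            myproxy_dn=myproxy_dn,
                            oauth_server=oauth_server)
                except TransferAPIError as e:
                    self.logger.error("endpoint create failed: %s" %
                                      (e.message))
                    self.errorcount += 1
            else:
                self.logger.error("endpoint failed: %s" % (e.message))
                self.errorcount += 1
        self.logger.debug("EXIT: IO.bind_to_endpoint()")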
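    def bind_to_endpoint(self, **kwargs):
        """Register this GridFTP server with the configured Globus endpoint.

        The endpoint named in the configuration is fetched through the
        transfer API; its default directory, public flag, server list and
        identity-provider settings (MyProxy server/DN or OAuth server) are
        brought in line with the configuration and the endpoint is updated
        in one call. A missing endpoint (HTTP 404) is created instead.
        Nothing is done when no endpoint name is configured.

        Keyword Args:
            force: delete the endpoint before binding so it is recreated
                from scratch; a failed delete is logged and ignored.
            reset: keep only this server in the endpoint's server list.
                Otherwise entries with no hostname, the
                ``relay-disconnected.globusonline.org`` placeholder and any
                entry with this server's URI are dropped before this server
                is appended.

        Returns:
            None. Transfer API failures are logged and counted in
            ``self.errorcount`` rather than raised.

        Raises:
            Exception: OAuth is selected but no OAuth server is configured,
                or the OAuth server value contains ``:``.
            ValueError: the configured GridFTP server port is not an integer.
        """
        self.logger.debug("ENTER: IO.bind_to_endpoint()")
        endpoint_name = self.conf.get_endpoint_name()

        if endpoint_name is None:
            return

        if kwargs.get("force"):
            # Best effort: the endpoint may not exist yet. Log the failure
            # instead of discarding it (the old bare 'except: pass' also
            # swallowed KeyboardInterrupt and programming errors).
            try:
                self.logger.debug("Removing old endpoint definition")
                self.api.endpoint_delete(endpoint_name)
            except Exception as e:
                self.logger.debug("endpoint delete failed (ignored): %s" % (e,))

        self.logger.debug("Configuring endpoint " + endpoint_name)
        endpoint_public = self.conf.get_endpoint_public()
        endpoint_default_dir = self.conf.get_endpoint_default_dir()

        # Split "[scheme://]host[:port]"; defaults are gsiftp on 2811. A
        # bracketed IPv6 literal is not handled (first ':' is the separator).
        server = self.conf.get_gridftp_server()
        scheme = "gsiftp"
        port = 2811
        if "://" in server:
            (scheme, server) = server.split("://", 1)
        if ":" in server:
            (hostname, port_s) = server.split(":", 1)
            port = int(port_s)
        else:
            hostname = server
        server = scheme + "://" + hostname + ":" + str(port)

        # Identity provider the endpoint will obtain credentials from.
        oauth_server = None
        myproxy_server = None
        myproxy_dn = None
        identity_method = self.conf.get_security_identity_method()
        if identity_method == self.conf.IDENTITY_METHOD_OAUTH:
            oauth_server = self.conf.get_oauth_server()
            if oauth_server is None:
                raise Exception("Configured to use OAuth, but no OAuth server defined")
        elif identity_method == self.conf.IDENTITY_METHOD_CILOGON:
            oauth_server = "cilogon.org"
        else:
            myproxy_server = self.conf.get_myproxy_server()
            myproxy_dn = self.conf.get_myproxy_dn()
            # Only ask a server that is actually configured. NOTE(review):
            # with no DN configured, the DN the live server presents is
            # pinned as the identity the transfer service will require later
            # (trust-on-first-use) -- prefer configuring it explicitly.
            if myproxy_dn is None and myproxy_server is not None:
                myproxy_dn = self.get_myproxy_dn_from_server()

        if myproxy_server is not None:
            myproxy_server = gcmu.to_unicode(myproxy_server)
        if myproxy_dn is not None:
            myproxy_dn = gcmu.to_unicode(myproxy_dn)
        if oauth_server is not None:
            # A ':' means a port or a scheme was given; only a bare host
            # name is accepted (a path component is not checked here).
            if ":" in oauth_server:
                raise Exception("[OAuth] Server value must be a public host name only")
            oauth_server = gcmu.to_unicode(oauth_server)

        # Server record sent to the API; 'subject' is the host certificate
        # DN the transfer service will expect from this server.
        new_gridftp_server = {
            u"DATA_TYPE": u"server",
            u"uri": gcmu.to_unicode(server),
            u"scheme": gcmu.to_unicode(scheme),
            u"hostname": gcmu.to_unicode(hostname),
            u"port": port,
            u"is_connected": True,
            u"subject": gcmu.to_unicode(
                security.get_certificate_subject(self.conf.get_security_certificate_file())),
            u"update": True,
        }

        try:
            (status_code, status_reason, data) = self.api.endpoint(endpoint_name)

            old_default_dir = data.get("default_directory")
            if old_default_dir is None or old_default_dir != endpoint_default_dir:
                self.logger.debug(
                    "Changing default_directory on endpoint "
                    "from [%(old)s] to [%(new)s]"
                    % {"old": str(old_default_dir), "new": endpoint_default_dir}
                )
                data[u"default_directory"] = gcmu.to_unicode(endpoint_default_dir)

            old_public = data.get("public")
            if old_public is not None and old_public != endpoint_public:
                data[u"public"] = endpoint_public

            if kwargs.get("reset"):
                servers_filtered = [new_gridftp_server]
            else:
                servers_filtered = [
                    x
                    for x in data[u"DATA"]
                    if x[u"hostname"] is not None
                    and x[u"hostname"] != u"relay-disconnected.globusonline.org"
                    and x[u"uri"] != gcmu.to_unicode(server)
                ]
                servers_filtered.append(new_gridftp_server)
            data[u"DATA"] = servers_filtered
            data[u"myproxy_server"] = myproxy_server
            data[u"myproxy_dn"] = myproxy_dn
            data[u"oauth_server"] = oauth_server

            self.api.endpoint_update(endpoint_name, data)
        except TransferAPIError as e:
            if e.status_code == 404:
                self.logger.debug("endpoint %s does not exist, creating" % (endpoint_name))
                try:
                    (status_code, status_reason, data) = self.api.endpoint_create(
                        endpoint_name,
                        default_directory=endpoint_default_dir,
                        public=endpoint_public,
                        is_globus_connect=False,
                        hostname=new_gridftp_server[u"hostname"],
                        scheme=new_gridftp_server[u"scheme"],
                        port=new_gridftp_server[u"port"],
                        subject=new_gridftp_server[u"subject"],
                        myproxy_server=myproxy_server,
                        myproxy_dn=myproxy_dn,
                        oauth_server=oauth_server,
                    )
                except TransferAPIError as e:
                    self.logger.error("endpoint create failed: %s" % (e.message))
                    self.errorcount += 1
            else:
                # Any other API failure used to be dropped silently, leaving
                # the endpoint unbound with no error reported.
                self.logger.error("endpoint failed: %s" % (e.message))
                self.errorcount += 1
        self.logger.debug("EXIT: IO.bind_to_endpoint()")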
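    def configure_gridmap_verify_myproxy_callout(self, conf_file_name, conf_link_name, **kwargs):
        """Write the GSI authorization callout config for MyProxy gridmap verification.

        ``conf_file_name`` receives two settings: ``$GSI_AUTHZ_CONF``, the
        path ``<root>/etc/gridmap_verify_myproxy_callout-gsi_authz.conf``,
        and ``$GLOBUS_MYPROXY_CA_CERT``, the MyProxy CA certificate as
        installed in the trusted-certificate directory (``<hash>.0``).
        ``conf_link_name`` is then created as a symlink to the file.

        The CA certificate is located as follows:
          * local MyProxy: ``cacert.pem`` in the MyProxy CA directory;
          * otherwise: the ``*.0`` file in the trusted-certificate directory
            whose subject equals the CA DN. An explicitly configured MyProxy
            CA subject DN is used as-is; when none is configured the
            configured MyProxy DN is assumed to be the CA name, and as a
            last resort the DN is fetched from the MyProxy server.

        Args:
            conf_file_name: configuration file to (over)write.
            conf_link_name: symlink to create pointing at ``conf_file_name``.
            **kwargs: unused; accepted for signature parity.

        Returns:
            None.

        Raises:
            Exception: no CA certificate could be located.
            OSError: ``conf_link_name`` already exists (the link is not
                replaced) or the file cannot be written.
        """
        self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")

        with open(conf_file_name, "w") as conf_file:
            conf_file.write(
                '$GSI_AUTHZ_CONF "%s"\n'
                % (os.path.join(self.conf.root, "etc", "gridmap_verify_myproxy_callout-gsi_authz.conf"))
            )

            myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
            myproxy_server = self.conf.get_myproxy_server()
            if myproxy_ca_dn is None and myproxy_server is not None and self.is_local_myproxy():
                myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
                myproxy_ca_dn = security.get_certificate_subject(os.path.join(myproxy_ca_dir, "cacert.pem"))
            elif myproxy_ca_dn is None:
                # Assume the CA name is the same as the MyProxy server's
                # subject. A CA DN the administrator configured is kept: the
                # previous unconditional fallback overwrote it with the
                # server DN, so the callout could be pointed at a different
                # CA than the one named in the configuration.
                myproxy_ca_dn = self.conf.get_myproxy_dn()
                if myproxy_ca_dn is None:
                    myproxy_ca_dn = self.get_myproxy_dn_from_server()

            cadir = self.conf.get_security_trusted_certificate_directory()
            self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
            self.logger.debug("CA dir is " + str(cadir))

            myproxy_certpath = None
            if self.is_local_myproxy():
                myproxy_certpath = os.path.join(self.conf.get_myproxy_ca_directory(), "cacert.pem")
            elif myproxy_ca_dn is not None:
                self.logger.debug("Looking for MyProxy CA cert in " + cadir)
                for certfile in os.listdir(cadir):
                    if not certfile.endswith(".0"):
                        continue
                    certpath = os.path.join(cadir, certfile)
                    self.logger.debug("Checking to see if " + certfile + " matches MyProxyDN")
                    if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                        myproxy_certpath = certpath
                        break

            if myproxy_certpath is None:
                raise Exception(
                    "ERROR: Unable to determine "
                    + "path to MyProxy CA certificate, set "
                    + "CaCert option in MyProxy section of config.\n"
                )

            # The callout is pointed at the hash-named copy in the trusted
            # directory, not at the MyProxy CA directory. A missing cert or
            # signing policy is reported but the config is still written, so
            # the problem surfaces when the callout runs rather than here.
            myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)
            installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
            installed_signing_policy = os.path.join(cadir, myproxy_ca_hash + ".signing_policy")
            if not os.path.exists(installed_cert):
                self.logger.error("MyProxy CA not installed in trusted CA dir")
            if not os.path.exists(installed_signing_policy):
                self.logger.error("MyProxy CA signing policy not installed " + "in trusted CA dir")

            conf_file.write('$GLOBUS_MYPROXY_CA_CERT "%s"\n' % installed_cert)
            os.symlink(conf_file_name, conf_link_name)
        self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")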
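    def configure_myproxy_ca(self, force=False):
        """
        Create the MyProxy CA (when one is configured and not yet present)
        and install its certificate and signing policy into the trusted-CA
        directory.

        ``grid-ca-create`` runs only when the CA directory does not exist
        yet. With ``force=True`` an existing CA directory is removed first;
        that discards the CA private key, so every certificate it has
        issued stops validating. On return ``self.myproxy_ca_config`` holds
        the myproxy-server CA stanza (including the CA key passphrase in
        clear text).

        :param force: remove and recreate an existing CA directory.
        :raises Exception: when ``grid-ca-create`` exits non-zero, or when
            a trusted-CA directory is configured but the CA directory is
            not, so there is nothing to install from.
        """
        if not self.conf.get_myproxy_ca():
            self.logger.debug("Not using MyProxy CA, nothing to configure")
            return

        cadir = self.conf.get_myproxy_ca_directory()
        if force and cadir is not None and os.path.exists(cadir):
            # Destructive: the CA private key under cadir is lost.
            shutil.rmtree(cadir, ignore_errors=True)

        if cadir is not None and not os.path.exists(cadir):
            ca_subject = self.conf.get_myproxy_ca_subject_dn()
            if ca_subject is None:
                # Default the CA name to this host's service certificate
                # subject so the CA is recognisably tied to this server.
                ca_subject = security.get_certificate_subject(
                    self.conf.get_security_certificate_file(),
                    nameopt='RFC2253')
            args = [
                'grid-ca-create',
                '-nobuild',
                '-verbose',
                '-dir', cadir,
                '-subject', ca_subject,
                '-noint']
            if force:
                args.append('-force')
            # Argument list, no shell: the subject is never shell-parsed.
            ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
            (out, err) = ca_create.communicate()
            # Keep only printable characters so tool output cannot put
            # control sequences into the log.
            out = "".join(s for s in out if s in string.printable)
            err = "".join(s for s in err if s in string.printable)
            self.logger.debug("ca create output: " + out)
            self.logger.debug("ca create stderr: " + err)

            if ca_create.returncode != 0:
                raise Exception("Error creating CA: "
                                + str(ca_create.returncode) + out + err)

        trustdir = self.conf.get_security_trusted_certificate_directory()
        if trustdir is not None:
            if cadir is None:
                raise Exception(
                    "MyProxy CA directory is not configured; cannot install "
                    "the CA certificate into " + trustdir)
            if not os.path.exists(trustdir):
                os.makedirs(trustdir, 0o755)

            cert_path = os.path.join(cadir, "cacert.pem")
            signing_policy_path = os.path.join(cadir, "signing-policy")

            # Trusted-CA files are named after the certificate hash.
            cahash = security.get_certificate_hash(cert_path)

            installed_cert_path = os.path.join(trustdir, cahash + ".0")
            installed_signing_policy = os.path.join(
                trustdir, cahash + ".signing_policy")

            # Both files are public material; world-readable is intended.
            shutil.copyfile(signing_policy_path, installed_signing_policy)
            os.chmod(installed_signing_policy, 0o644)
            shutil.copyfile(cert_path, installed_cert_path)
            os.chmod(installed_cert_path, 0o644)

        # NOTE(review): the CA key passphrase is interpolated in clear text;
        # whatever writes this stanza to disk (outside this method) must
        # keep that file unreadable to other users.
        self.myproxy_ca_config = """
                certificate_issuer_cert "%(cadir)s/cacert.pem"
                certificate_issuer_key "%(cadir)s/private/cakey.pem"
                certificate_issuer_key_passphrase "%(passphrase)s"
                certificate_serialfile "%(cadir)s/serial"
                certificate_out_dir "%(cadir)s/newcerts"
                certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
                max_cert_lifetime 168
                cert_dir %(certdir)s
                """ % {
                    'cadir': cadir,
                    'passphrase': self.conf.get_myproxy_ca_passphrase(),
                    'certdir': \
                        self.conf.get_security_trusted_certificate_directory()
                }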
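    def configure_myproxy_ca(self, force=False):
        """
        Create the MyProxy CA (when one is configured and not yet present)
        and install its certificate and signing policy into the trusted-CA
        directory.

        ``grid-ca-create`` runs only when the CA directory does not exist
        yet. With ``force=True`` an existing CA directory is removed first;
        that discards the CA private key, so every certificate it has
        issued stops validating. On return ``self.myproxy_ca_config`` holds
        the myproxy-server CA stanza (including the CA key passphrase in
        clear text).

        :param force: remove and recreate an existing CA directory.
        :raises Exception: when ``grid-ca-create`` exits non-zero, or when
            a trusted-CA directory is configured but the CA directory is
            not, so there is nothing to install from.
        """
        if not self.conf.get_myproxy_ca():
            self.logger.debug("Not using MyProxy CA, nothing to configure")
            return

        cadir = self.conf.get_myproxy_ca_directory()
        if force and cadir is not None and os.path.exists(cadir):
            # Destructive: the CA private key under cadir is lost.
            shutil.rmtree(cadir, ignore_errors=True)

        if cadir is not None and not os.path.exists(cadir):
            ca_subject = self.conf.get_myproxy_ca_subject_dn()
            if ca_subject is None:
                # Default the CA name to this host's service certificate
                # subject so the CA is recognisably tied to this server.
                ca_subject = security.get_certificate_subject(
                    self.conf.get_security_certificate_file(),
                    nameopt='RFC2253')
            args = [
                'grid-ca-create', '-nobuild', '-verbose', '-dir',
                cadir, '-subject', ca_subject, '-noint'
            ]
            if force:
                args.append('-force')
            # Argument list, no shell: the subject is never shell-parsed.
            ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
            (out, err) = ca_create.communicate()
            # Keep only printable characters so tool output cannot put
            # control sequences into the log.
            out = "".join(s for s in out if s in string.printable)
            err = "".join(s for s in err if s in string.printable)
            self.logger.debug("ca create output: " + out)
            self.logger.debug("ca create stderr: " + err)

            if ca_create.returncode != 0:
                raise Exception("Error creating CA: "
                                + str(ca_create.returncode) + out + err)

        trustdir = self.conf.get_security_trusted_certificate_directory()
        if trustdir is not None:
            if cadir is None:
                raise Exception(
                    "MyProxy CA directory is not configured; cannot install "
                    "the CA certificate into " + trustdir)
            if not os.path.exists(trustdir):
                os.makedirs(trustdir, 0o755)

            cert_path = os.path.join(cadir, "cacert.pem")
            signing_policy_path = os.path.join(cadir, "signing-policy")

            # Trusted-CA files are named after the certificate hash.
            cahash = security.get_certificate_hash(cert_path)

            installed_cert_path = os.path.join(trustdir, cahash + ".0")
            installed_signing_policy = os.path.join(trustdir,
                                                    cahash + ".signing_policy")

            # Both files are public material; world-readable is intended.
            shutil.copyfile(signing_policy_path, installed_signing_policy)
            os.chmod(installed_signing_policy, 0o644)
            shutil.copyfile(cert_path, installed_cert_path)
            os.chmod(installed_cert_path, 0o644)

        # NOTE(review): the CA key passphrase is interpolated in clear text;
        # whatever writes this stanza to disk (outside this method) must
        # keep that file unreadable to other users.
        self.myproxy_ca_config = """
                certificate_issuer_cert "%(cadir)s/cacert.pem"
                certificate_issuer_key "%(cadir)s/private/cakey.pem"
                certificate_issuer_key_passphrase "%(passphrase)s"
                certificate_serialfile "%(cadir)s/serial"
                certificate_out_dir "%(cadir)s/newcerts"
                certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
                max_cert_lifetime 168
                cert_dir %(certdir)s
                """ % {
                    'cadir': cadir,
                    'passphrase': self.conf.get_myproxy_ca_passphrase(),
                    'certdir': \
                        self.conf.get_security_trusted_certificate_directory()
                }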
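    def bind_to_endpoint(self, **kwargs):
        """
        Adds this gridftp server to the endpoint named in the configuration
        file. If force=True is passed, then the endpoint is deleted prior
        to binding this gridftp server. If reset=True is passed, then
        all other GridFTP servers will be removed from this endpoint before
        adding this one.

        Endpoint-level metadata (default directory, public flag, and the
        MyProxy or OAuth identity server) is brought in line with the
        configuration before the server entry is added; an endpoint that
        does not exist yet (HTTP 404) is created instead. Transfer API
        failures are logged and counted in ``self.errorcount`` rather than
        raised. Returns without doing anything when no endpoint name is
        configured.

        :param kwargs: ``force`` and ``reset`` flags as described above.
        :raises Exception: when the identity method is OAuth but no OAuth
            server is configured, or the OAuth server value is not a bare
            host name.
        :raises ValueError: when the configured GridFTP server port is not
            an integer.
        """
        self.logger.debug("ENTER: IO.bind_to_endpoint()")
        endpoint_name = self.conf.get_endpoint_name()

        if endpoint_name is None:
            return

        if kwargs.get('force'):
            # Best effort: deleting a missing endpoint is expected to fail,
            # but any failure is worth a log line rather than silence.
            try:
                self.logger.debug("Removing old endpoint definition")
                self.api.endpoint_delete(endpoint_name)
            except Exception as e:
                self.logger.debug(
                    "Ignoring failure to delete endpoint: " + str(e))

        self.logger.debug("Configuring endpoint " + endpoint_name)
        endpoint_public = self.conf.get_endpoint_public()
        endpoint_default_dir = self.conf.get_endpoint_default_dir()

        # The configured server is "[scheme://]host[:port]".
        server = self.conf.get_gridftp_server()
        scheme = "gsiftp"
        port = 2811

        if "://" in server:
            (scheme, server) = server.split("://", 1)

        if ":" in server:
            (hostname, port_s) = server.split(":", 1)
            try:
                port = int(port_s)
            except ValueError:
                raise ValueError(
                    "Invalid GridFTP server port: " + repr(port_s))
        else:
            hostname = server

        # Exactly one identity server is advertised, chosen by the identity
        # method; the others stay None so stale values on the endpoint are
        # cleared by the update below.
        oauth_server = None
        myproxy_server = None
        myproxy_dn = None
        identity_method = self.conf.get_security_identity_method()
        if identity_method == self.conf.IDENTITY_METHOD_OAUTH:
            oauth_server = self.conf.get_oauth_server()
            if oauth_server is None:
                raise Exception("Configured to use OAuth, but no OAuth server defined")
        elif identity_method == self.conf.IDENTITY_METHOD_CILOGON:
            oauth_server = "cilogon.org"
        else:
            myproxy_server = self.conf.get_myproxy_server()
            myproxy_dn = self.conf.get_myproxy_dn()
            if myproxy_dn is None:
                myproxy_dn = self.get_myproxy_dn_from_server()

        if myproxy_server is not None:
            myproxy_server = gcmu.to_unicode(myproxy_server)
        if myproxy_dn is not None:
            myproxy_dn = gcmu.to_unicode(myproxy_dn)
        if oauth_server is not None:
            if ":" in oauth_server:
                raise Exception("[OAuth] Server value must be a public host name only")
            oauth_server = gcmu.to_unicode(oauth_server)

        unicode_hostname = gcmu.to_unicode(hostname)
        # The server's subject is taken from this host's service certificate.
        new_gridftp_server = {
            gcmu.to_unicode('DATA_TYPE'): gcmu.to_unicode('server'),
            gcmu.to_unicode('scheme'): gcmu.to_unicode(scheme),
            gcmu.to_unicode('hostname'): unicode_hostname,
            gcmu.to_unicode('port'): port,
            gcmu.to_unicode('subject'): gcmu.to_unicode(
                security.get_certificate_subject(
                    self.conf.get_security_certificate_file()))
        }

        try:
            new_endpoint = {
                'DATA_TYPE': 'endpoint'
            }
            (status_code, status_reason, data) = \
                self.api.endpoint(endpoint_name)
            default_directory_key = gcmu.to_unicode('default_directory')
            public_key = gcmu.to_unicode('public')
            myproxy_server_key = gcmu.to_unicode('myproxy_server')
            myproxy_dn_key = gcmu.to_unicode('myproxy_dn')
            oauth_server_key = gcmu.to_unicode('oauth_server')
            hostname_key = gcmu.to_unicode('hostname')
            id_key = gcmu.to_unicode('id')
            data_key = gcmu.to_unicode('DATA')

            # Collect only the endpoint-level fields that actually differ.
            if data.get(default_directory_key) != endpoint_default_dir:
                self.logger.debug("Changing default_directory on endpoint "
                                  "to [%(new)s]" % {'new': endpoint_default_dir})
                new_endpoint[default_directory_key] = \
                    gcmu.to_unicode(endpoint_default_dir)

            if data.get(public_key) != endpoint_public:
                self.logger.debug("Changing public to " + str(endpoint_public))
                new_endpoint[public_key] = endpoint_public

            if data.get(myproxy_server_key) != myproxy_server:
                self.logger.debug("Changing myproxy_server to " + str(myproxy_server))
                new_endpoint[myproxy_server_key] = myproxy_server

            if data.get(myproxy_dn_key) != myproxy_dn:
                self.logger.debug("Changing myproxy_dn to " + str(myproxy_dn))
                new_endpoint[myproxy_dn_key] = myproxy_dn

            if data.get(oauth_server_key) != oauth_server:
                self.logger.debug("Changing oauth_server to " + str(oauth_server))
                new_endpoint[oauth_server_key] = oauth_server

            # 'DATA_TYPE' is always present; anything more means a change.
            if len(new_endpoint) > 1:
                self.logger.debug("Updating endpoint")
                (status_code, _, data) = \
                    self.api.endpoint_update(endpoint_name, new_endpoint)
                self.logger.debug("endpoint update result: " + str(status_code))

            (status_code, status_reason, data) = \
                self.api.endpoint_server_list(endpoint_name)
            existing_servers = data.get(data_key, [])
            self.logger.debug("Existing endpoint server list: "
                              + str(existing_servers))
            # Drop every existing entry on reset, otherwise only the entry
            # for this host, so re-adding it below does not duplicate it.
            for server_item in existing_servers:
                this_server_hostname = server_item.get(hostname_key)
                this_server_id = server_item.get(id_key)
                self.logger.debug("existing server for endpoint: "
                                  + str(server_item.get(hostname_key, "")))
                if kwargs.get('reset') or this_server_hostname == unicode_hostname:
                    self.logger.debug("deleting server entry for "
                                      + str(this_server_hostname) + " with id  "
                                      + str(this_server_id))
                    self.api.endpoint_server_delete(endpoint_name,
                                                    this_server_id)
            self.api.endpoint_server_add(endpoint_name, new_gridftp_server)
        except TransferAPIError as e:
            if e.status_code == 404:
                self.logger.debug("endpoint %s does not exist, creating"
                                  % (endpoint_name))
                try:
                    (status_code, status_reason, data) = \
                        self.api.endpoint_create(
                            endpoint_name,
                            default_directory=endpoint_default_dir,
                            public=endpoint_public,
                            is_globus_connect=False,
                            hostname=new_gridftp_server['hostname'],
                            scheme=new_gridftp_server['scheme'],
                            port=new_gridftp_server['port'],
                            subject=new_gridftp_server['subject'],
                            myproxy_server=myproxy_server,
                            myproxy_dn=myproxy_dn,
                            oauth_server=oauth_server)
                except TransferAPIError as e:
                    self.logger.error("endpoint create failed: %s" %
                                      (e.message))
                    self.errorcount += 1
            else:
                self.logger.error("endpoint failed: %s" % (e.message))
                self.errorcount += 1
        self.logger.debug("EXIT: IO.bind_to_endpoint()")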
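    def bind_to_endpoint(self, **kwargs):
        """
        Adds this gridftp server to the endpoint named in the configuration
        file. If force=True is passed, then the endpoint is deleted prior
        to binding this gridftp server. If reset=True is passed, then
        all other GridFTP servers will be removed from this endpoint before
        adding this one.

        The endpoint is addressed by ``self.endpoint_xid``; when the service
        reports a different id after an update or create, ``_update_xid``
        records it. Endpoint-level metadata (default directory, public flag,
        and the MyProxy or OAuth identity server) is brought in line with
        the configuration before the server entry is added; an endpoint that
        does not exist yet (HTTP 404) is created instead. Globus API
        failures are logged and counted in ``self.errorcount`` rather than
        raised. Returns without doing anything when ``self.endpoint_xid``
        is None.

        :param kwargs: ``force`` and ``reset`` flags as described above.
        :raises Exception: when the identity method is OAuth but no OAuth
            server is configured, or the OAuth server value is not a bare
            host name.
        :raises ValueError: when the configured GridFTP server port is not
            an integer.
        """
        self.logger.debug("ENTER: IO.bind_to_endpoint()")

        if self.endpoint_xid is None:
            return

        if kwargs.get('force'):
            # Best effort: deleting a missing endpoint is expected to fail,
            # but any failure is worth a log line rather than silence. The
            # cached id file and xid are only reset once deletion succeeds.
            try:
                self.logger.debug("Removing old endpoint definition")
                self.api.endpoint_delete(self.endpoint_xid)
                if os.path.exists(self.endpoint_id_file):
                    os.remove(self.endpoint_id_file)
                self.endpoint_xid = urllib_parse.quote(
                    self.conf.get_endpoint_name())
            except Exception as e:
                self.logger.debug(
                    "Ignoring failure to delete endpoint: " + str(e))

        self.logger.debug("Configuring endpoint " + self.endpoint_xid)
        endpoint_public = self.conf.get_endpoint_public()
        endpoint_default_dir = self.conf.get_endpoint_default_dir()

        # The configured server is "[scheme://]host[:port]".
        server = self.conf.get_gridftp_server()
        scheme = "gsiftp"
        port = 2811

        if "://" in server:
            (scheme, server) = server.split("://", 1)

        if ":" in server:
            (hostname, port_s) = server.split(":", 1)
            try:
                port = int(port_s)
            except ValueError:
                raise ValueError(
                    "Invalid GridFTP server port: " + repr(port_s))
        else:
            hostname = server

        # Exactly one identity server is advertised, chosen by the identity
        # method; the others stay None so stale values on the endpoint are
        # cleared by the update below.
        oauth_server = None
        myproxy_server = None
        myproxy_dn = None
        identity_method = self.conf.get_security_identity_method()
        if identity_method == self.conf.IDENTITY_METHOD_OAUTH:
            oauth_server = self.conf.get_oauth_server()
            if oauth_server is None:
                raise Exception("Configured to use OAuth, but no OAuth server defined")
        elif identity_method == self.conf.IDENTITY_METHOD_CILOGON:
            oauth_server = "cilogon.org"
        else:
            myproxy_server = self.conf.get_myproxy_server()
            myproxy_dn = self.conf.get_myproxy_dn()
            if myproxy_dn is None and myproxy_server is not None:
                myproxy_dn = self.get_myproxy_dn_from_server()

        if myproxy_server is not None:
            myproxy_server = gcmu.to_unicode(myproxy_server)
        if myproxy_dn is not None:
            myproxy_dn = gcmu.to_unicode(myproxy_dn)
        if oauth_server is not None:
            if ":" in oauth_server:
                raise Exception("[OAuth] Server value must be a public host name only")
            oauth_server = gcmu.to_unicode(oauth_server)

        unicode_hostname = gcmu.to_unicode(hostname)
        # The server's subject is taken from this host's service certificate.
        new_gridftp_server = {
            gcmu.to_unicode('DATA_TYPE'): gcmu.to_unicode('server'),
            gcmu.to_unicode('scheme'): gcmu.to_unicode(scheme),
            gcmu.to_unicode('hostname'): unicode_hostname,
            gcmu.to_unicode('port'): port,
            gcmu.to_unicode('subject'): gcmu.to_unicode(
                security.get_certificate_subject(
                    self.conf.get_security_certificate_file()))
        }

        try:
            new_endpoint = {
                'DATA_TYPE': 'endpoint'
            }
            result = self.api.get_endpoint(self.endpoint_xid)
            data = result.data
            default_directory_key = 'default_directory'
            public_key = 'public'
            myproxy_server_key = 'myproxy_server'
            myproxy_dn_key = 'myproxy_dn'
            oauth_server_key = 'oauth_server'
            hostname_key = 'hostname'
            id_key = 'id'
            data_key = 'DATA'

            # Collect only the endpoint-level fields that actually differ.
            if data.get(default_directory_key) != endpoint_default_dir:
                self.logger.debug(
                    "Changing default_directory on endpoint "
                    "to [{}]".format(endpoint_default_dir))
                new_endpoint[default_directory_key] = endpoint_default_dir

            if data.get(public_key) != endpoint_public:
                self.logger.debug("Changing public to " + str(endpoint_public))
                new_endpoint[public_key] = endpoint_public

            if data.get(myproxy_server_key) != myproxy_server:
                self.logger.debug(
                    "Changing myproxy_server to " + str(myproxy_server))
                new_endpoint[myproxy_server_key] = myproxy_server

            if data.get(myproxy_dn_key) != myproxy_dn:
                self.logger.debug("Changing myproxy_dn to " + str(myproxy_dn))
                new_endpoint[myproxy_dn_key] = myproxy_dn

            if data.get(oauth_server_key) != oauth_server:
                self.logger.debug(
                    "Changing oauth_server to " + str(oauth_server))
                new_endpoint[oauth_server_key] = oauth_server

            # 'DATA_TYPE' is always present; anything more means a change.
            if len(new_endpoint) > 1:
                self.logger.debug("Updating endpoint")
                result = self.api.update_endpoint(
                    self.endpoint_xid, new_endpoint)
                self.logger.debug("endpoint update result: {}".format(
                    result.http_status))
                self.logger.debug("endpoint update data: {}".format(
                    result.data))
                # The id is the last path element of the returned resource.
                returned_id = result.data.get('resource', '').split('/')[-1]
                if returned_id != '' and self.endpoint_xid != returned_id:
                    self._update_xid(returned_id)

            result = self.api.endpoint_server_list(self.endpoint_xid)
            existing_servers = result.data.get(data_key, [])
            self.logger.debug(
                "Existing endpoint server list: " + str(existing_servers))
            # Drop every existing entry on reset, otherwise only the entry
            # for this host, so re-adding it below does not duplicate it.
            for server_item in existing_servers:
                this_server_hostname = server_item.get(hostname_key)
                this_server_id = server_item.get(id_key)
                self.logger.debug(
                    "existing server for endpoint: "
                    + str(server_item.get(hostname_key, "")))
                if kwargs.get('reset') or this_server_hostname == unicode_hostname:
                    self.logger.debug(
                        "deleting server entry for "
                        + str(this_server_hostname) + " with id  "
                        + str(this_server_id))
                    self.api.delete_endpoint_server(
                        self.endpoint_xid, this_server_id)
            self.api.add_endpoint_server(
                self.endpoint_xid, new_gridftp_server)
        except GlobusAPIError as e:
            if e.http_status == 404:
                self.logger.debug(
                    "endpoint {} does not exist, creating".format(
                        self.endpoint_xid))
                try:
                    result = self.api.create_endpoint(dict(
                        canonical_name=self.conf.get_endpoint_name(),
                        default_directory=endpoint_default_dir,
                        public=endpoint_public,
                        is_globus_connect=False,
                        DATA=[dict(
                            DATA_TYPE="server",
                            hostname=new_gridftp_server['hostname'],
                            scheme=new_gridftp_server['scheme'],
                            port=new_gridftp_server['port'],
                            subject=new_gridftp_server['subject'])],
                        myproxy_server=myproxy_server,
                        myproxy_dn=myproxy_dn,
                        oauth_server=oauth_server))
                    if self.endpoint_xid != result.data['id']:
                        self._update_xid(result.data['id'])
                except GlobusAPIError as e:
                    self.logger.error("endpoint create failed: %s" %
                                      (e.message))
                    self.errorcount += 1
            else:
                self.logger.error("endpoint failed: %s" % (e.message))
                self.errorcount += 1
        self.logger.debug("EXIT: IO.bind_to_endpoint()")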