def _get_registry_objects(self, slice_xrn, creds, users):
"""
"""
hrn, _ = urn_to_hrn(slice_xrn)
#hrn_auth = get_authority(hrn)
# Build up objects that an SFA registry would return if SFA
# could contact the slice's registry directly
reg_objects = None
if users:
# dont allow special characters in the site login base
#only_alphanumeric = re.compile('[^a-zA-Z0-9]+')
#login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower()
slicename = hrn_to_pl_slicename(hrn)
login_base = slicename.split('_')[0]
reg_objects = {}
site = {}
site['site_id'] = 0
site['name'] = 'geni.%s' % login_base
site['enabled'] = True
site['max_slices'] = 100
# Note:
# Is it okay if this login base is the same as one already at this myplc site?
# Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps?
site['login_base'] = login_base
site['abbreviated_name'] = login_base
site['max_slivers'] = 1000
reg_objects['site'] = site
slice = {}
# get_expiration always returns a normalized datetime - no need to utcparse
extime = Credential(string=creds[0]).get_expiration()
# If the expiration time is > 60 days from now, set the expiration time to 60 days from now
if extime > datetime.datetime.utcnow() + datetime.timedelta(
days=60):
extime = datetime.datetime.utcnow() + datetime.timedelta(
days=60)
slice['expires'] = int(time.mktime(extime.timetuple()))
slice['hrn'] = hrn
slice['name'] = hrn_to_pl_slicename(hrn)
slice['url'] = hrn
slice['description'] = hrn
slice['pointer'] = 0
reg_objects['slice_record'] = slice
reg_objects['users'] = {}
for user in users:
user['key_ids'] = []
hrn, _ = urn_to_hrn(user['urn'])
user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net"
user['first_name'] = hrn
user['last_name'] = hrn
reg_objects['users'][user['email']] = user
return reg_objects
def GetSelfCredential(certificate, xnr, type):
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
origin_hrn = Certificate(string=cert).get_subject()
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
if hasattr (obj,'filename'):
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def GetSelfCredential(certificate, xnr, type):
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
origin_hrn = Certificate(string=cert).get_subject()
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
if hasattr (obj,'filename'):
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def GetCredential(self, api, xrn, type, caller_xrn=None):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = api.auth.get_auth_info(auth_hrn)
# get record info
record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first()
if not record:
raise RecordNotFound("hrn=%s, type=%s"%(hrn,type))
# get the callers gid
# if caller_xrn is not specified assume the caller is the record
# object itself.
if not caller_xrn:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_hrn, caller_type = urn_to_hrn(caller_xrn)
if caller_type:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first()
else:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first()
if not caller_record:
raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type))
caller_gid = GID(string=caller_record.gid)i
object_hrn = record.get_gid_object().get_hrn()
# call the builtin authorization/credential generation engine
rights = api.auth.determine_user_rights(caller_hrn, record)
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError("%s has no rights to %s (%s)" % \
(caller_hrn, object_hrn, xrn))
object_gid = GID(string=record.gid)
new_cred = Credential(subject = object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
#new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if hasattr(record,'expires'):
date = utcparse(record.expires)
expires = datetime_to_epoch(date)
new_cred.set_expiration(int(expires))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
#new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
def GetCredential(self, api, xrn, type, caller_xrn=None):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = api.auth.get_auth_info(auth_hrn)
# get record info
record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first()
if not record:
raise RecordNotFound("hrn=%s, type=%s"%(hrn,type))
# get the callers gid
# if caller_xrn is not specified assume the caller is the record
# object itself.
if not caller_xrn:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_hrn, caller_type = urn_to_hrn(caller_xrn)
if caller_type:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first()
else:
caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first()
if not caller_record:
raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type))
caller_gid = GID(string=caller_record.gid)
object_hrn = record.get_gid_object().get_hrn()
# call the builtin authorization/credential generation engine
rights = api.auth.determine_user_rights(caller_hrn, record)
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError("%s has no rights to %s (%s)" % \
(caller_hrn, object_hrn, xrn))
object_gid = GID(string=record.gid)
new_cred = Credential(subject = object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
#new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if hasattr(record,'expires'):
date = utcparse(record.expires)
expires = datetime_to_epoch(date)
new_cred.set_expiration(int(expires))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
#new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
def _get_registry_objects(self, slice_xrn, creds, users):
"""
"""
hrn, _ = urn_to_hrn(slice_xrn)
#hrn_auth = get_authority(hrn)
# Build up objects that an SFA registry would return if SFA
# could contact the slice's registry directly
reg_objects = None
if users:
# dont allow special characters in the site login base
#only_alphanumeric = re.compile('[^a-zA-Z0-9]+')
#login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower()
slicename = hrn_to_pl_slicename(hrn)
login_base = slicename.split('_')[0]
reg_objects = {}
site = {}
site['site_id'] = 0
site['name'] = 'geni.%s' % login_base
site['enabled'] = True
site['max_slices'] = 100
# Note:
# Is it okay if this login base is the same as one already at this myplc site?
# Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps?
site['login_base'] = login_base
site['abbreviated_name'] = login_base
site['max_slivers'] = 1000
reg_objects['site'] = site
slice = {}
# get_expiration always returns a normalized datetime - no need to utcparse
extime = Credential(string=creds[0]).get_expiration()
# If the expiration time is > 60 days from now, set the expiration time to 60 days from now
if extime > datetime.datetime.utcnow() + datetime.timedelta(days=60):
extime = datetime.datetime.utcnow() + datetime.timedelta(days=60)
slice['expires'] = int(time.mktime(extime.timetuple()))
slice['hrn'] = hrn
slice['name'] = hrn_to_pl_slicename(hrn)
slice['url'] = hrn
slice['description'] = hrn
slice['pointer'] = 0
reg_objects['slice_record'] = slice
reg_objects['users'] = {}
for user in users:
user['key_ids'] = []
hrn, _ = urn_to_hrn(user['urn'])
user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net"
user['first_name'] = hrn
user['last_name'] = hrn
reg_objects['users'][user['email']] = user
return reg_objects
def get_credential(api, xrn, type, is_self=False):
# convert xrn to hrn
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# Is this a root or sub authority
auth_hrn = api.auth.get_authority(hrn)
if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
# get record info
auth_info = api.auth.get_auth_info(auth_hrn)
table = SfaTable()
records = table.findObjects({'type': type, 'hrn': hrn})
if not records:
raise RecordNotFound(hrn)
record = records[0]
# verify_cancreate_credential requires that the member lists
# (researchers, pis, etc) be filled in
api.fill_record_info(record)
if record['type']=='user':
if not record['enabled']:
raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" %(record['email']))
# get the callers gid
# if this is a self cred the record's gid is the caller's gid
if is_self:
caller_hrn = hrn
caller_gid = record.get_gid_object()
else:
caller_gid = api.auth.client_cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
object_hrn = record.get_gid_object().get_hrn()
rights = api.auth.determine_user_rights(caller_hrn, record)
# make sure caller has rights to this object
if rights.is_empty():
raise PermissionError(caller_hrn + " has no rights to " + record['name'])
object_gid = GID(string=record['gid'])
new_cred = Credential(subject = object_gid.get_subject())
new_cred.set_gid_caller(caller_gid)
new_cred.set_gid_object(object_gid)
new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
#new_cred.set_pubkey(object_gid.get_pubkey())
new_cred.set_privileges(rights)
new_cred.get_privileges().delegate_all_privileges(True)
if 'expires' in record:
new_cred.set_expiration(int(record['expires']))
auth_kind = "authority,ma,sa"
# Parent not necessary, verify with certs
#new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
new_cred.sign()
return new_cred.save_to_string(save_parents=True)
def call(self, cert, xrn, type):
"""
GetSelfCredential a degenerate version of GetCredential used by a client
to get his initial credential when de doesnt have one. This is the same as
GetCredential(..., cred = None, ...)
The registry ensures that the client is the principal that is named by
(type, name) by comparing the public key in the record's GID to the
private key used to encrypt the client side of the HTTPS connection. Thus
it is impossible for one principal to retrieve another principal's
credential without having the appropriate private key.
@param type type of object (user | slice | sa | ma | node)
@param hrn human readable name of authority to list
@return string representation of a credential object
"""
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
self.api.auth.verify_object_belongs_to_me(hrn)
origin_hrn = Certificate(string=cert).get_subject()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
if hasattr (obj,'filename'):
self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def resolve(api, xrns, type=None, full=True):
# load all known registry names into a prefix tree and attempt to find
# the longest matching prefix
if not isinstance(xrns, types.ListType):
if not type:
type = Xrn(xrns).get_type()
xrns = [xrns]
hrns = [urn_to_hrn(xrn)[0] for xrn in xrns]
# create a dict where key is a registry hrn and its value is a
# hrns at that registry (determined by the known prefix tree).
xrn_dict = {}
registries = api.registries
tree = prefixTree()
registry_hrns = registries.keys()
tree.load(registry_hrns)
for xrn in xrns:
registry_hrn = tree.best_match(urn_to_hrn(xrn)[0])
if registry_hrn not in xrn_dict:
xrn_dict[registry_hrn] = []
xrn_dict[registry_hrn].append(xrn)
records = []
for registry_hrn in xrn_dict:
# skip the hrn without a registry hrn
# XX should we let the user know the authority is unknown?
if not registry_hrn:
continue
# if the best match (longest matching hrn) is not the local registry,
# forward the request
xrns = xrn_dict[registry_hrn]
if registry_hrn != api.hrn:
credential = api.getCredential()
peer_records = registries[registry_hrn].Resolve(xrns, credential)
records.extend([SfaRecord(dict=record).as_dict() for record in peer_records])
# try resolving the remaining unfound records at the local registry
remaining_hrns = set(hrns).difference([record['hrn'] for record in records])
# convert set to list
remaining_hrns = [hrn for hrn in remaining_hrns]
table = SfaTable()
local_records = table.findObjects({'hrn': remaining_hrns})
if full:
api.fill_record_info(local_records)
# convert local record objects to dicts
records.extend([dict(record) for record in local_records])
if not records:
raise RecordNotFound(str(hrns))
if type:
records = filter(lambda rec: rec['type'] in [type], records)
return records
def DeleteSliver(api, xrn, creds, call_id):
def _DeleteSliver(server, xrn, creds, call_id):
server_version = api.get_cached_server_version(server)
args = [xrn, creds]
if _call_id_supported(api, server):
args.append(call_id)
return server.DeleteSliver(*args)
if Callids().already_handled(call_id): return ""
(hrn, type) = urn_to_hrn(xrn)
# get the callers hrn
valid_cred = api.auth.checkCredentials(creds, 'deletesliver', hrn)[0]
caller_hrn = Credential(string=valid_cred).get_gid_caller().get_hrn()
# attempt to use delegated credential first
cred = api.getDelegatedCredential(creds)
if not cred:
cred = api.getCredential()
threads = ThreadManager()
for aggregate in api.aggregates:
# prevent infinite loop. Dont send request back to caller
# unless the caller is the aggregate's SM
if caller_hrn == aggregate and aggregate != api.hrn:
continue
interface = api.aggregates[aggregate]
server = api.get_server(interface, cred)
threads.run(_DeleteSliver, server, xrn, [cred], call_id)
threads.get_results()
return 1
def get_slice_and_slivers(self, slice_xrn, login=None):
"""
Returns a dict of slivers keyed on the sliver's node_id
"""
slivers = {}
sfa_slice = None
if not slice_xrn:
return (sfa_slice, slivers)
slice_urn = hrn_to_urn(slice_xrn, 'slice')
slice_hrn, _ = urn_to_hrn(slice_xrn)
slice_name = slice_hrn
slices = self.driver.GetSlices(slice_filter= str(slice_name), \
slice_filter_type = 'slice_hrn', login=login)
logger.debug("Slabaggregate api \tget_slice_and_slivers \
sfa_slice %s \r\n slices %s self.driver.hrn %s" \
%(sfa_slice, slices, self.driver.hrn))
if not slices:
return (sfa_slice, slivers)
#if isinstance(sfa_slice, list):
#sfa_slice = slices[0]
#else:
#sfa_slice = slices
# sort slivers by node id , if there is a job
#and therfore, node allocated to this slice
for sfa_slice in slices:
try:
node_ids_list = sfa_slice['node_ids']
except KeyError:
logger.log_exc("SLABAGGREGATE \t \
get_slice_and_slivers KeyError ")
continue
for node in node_ids_list:
sliver_xrn = Xrn(slice_urn, type='sliver', id=node)
sliver_xrn.set_authority(self.driver.hrn)
#node_id = self.driver.root_auth + '.' + node_id
sliver = Sliver({'sliver_id':sliver_xrn.urn,
'name': sfa_slice['hrn'],
'type': 'slab-node',
'tags': []})
slivers[node] = sliver
#Add default sliver attribute :
#connection information for senslab
if get_authority (sfa_slice['hrn']) == self.driver.root_auth:
tmp = sfa_slice['hrn'].split('.')
ldap_username = tmp[1].split('_')[0]
vmaddr = 'ssh ' + ldap_username + '@grenoble.senslab.info'
slivers['default_sliver'] = {'vm': vmaddr , 'login': ldap_username}
#TODO get_slice_and_slivers Find the login of the external user
logger.debug("SLABAGGREGATE api get_slice_and_slivers slivers %s "\
%(slivers))
return (slices, slivers)
def get_peer(self, xrn):
hrn, hrn_type = urn_to_hrn(xrn)
#Does this slice belong to a local site or a peer senslab site?
peer = None
# get this slice's authority (site)
slice_authority = get_authority(hrn)
site_authority = slice_authority
# get this site's authority (sfa root authority or sub authority)
#site_authority = get_authority(slice_authority).lower()
logger.debug("SLABSLICES \ get_peer slice_authority %s \
site_authority %s hrn %s" %(slice_authority, \
site_authority, hrn))
#This slice belongs to the current site
if site_authority == self.driver.root_auth :
return None
# check if we are already peered with this site_authority, if so
#peers = self.driver.GetPeers({})
peers = self.driver.GetPeers(peer_filter = slice_authority)
for peer_record in peers:
if site_authority == peer_record.hrn:
peer = peer_record
logger.debug(" SLABSLICES \tget_peer peer %s " %(peer))
return peer
def call(self, cred, xrn = None):
hrn, type = urn_to_hrn(xrn)
self.api.auth.check(cred, 'list')
registries = Registries(self.api).interfaces.values()
if hrn:
registries = [reg for reg in registries if reg['hrn'] == hrn]
return registries
def call(self, slice_xrn, creds, rspec, users, options):
hrn, type = urn_to_hrn(slice_xrn)
self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, hrn, self.name))
# Find the valid credentials
valid_creds = self.api.auth.checkCredentials(creds, "createsliver", hrn)
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
# make sure users info is specified
if not users:
msg = "'users' must be specified and cannot be null. You may need to update your client."
raise SfaInvalidArgument(name="users", extra=msg)
# flter rspec through sfatables
if self.api.interface in ["aggregate"]:
chain_name = "INCOMING"
elif self.api.interface in ["slicemgr"]:
chain_name = "FORWARD-INCOMING"
self.api.logger.debug("CreateSliver: sfatables on chain %s" % chain_name)
rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec)
slivers = RSpec(rspec).version.get_nodes_with_slivers()
if not slivers:
raise InvalidRSpec(
"Missing <sliver_type> or <sliver> element. Request rspec must explicitly allocate slivers"
)
result = self.api.manager.CreateSliver(self.api, slice_xrn, creds, rspec, users, options)
return result
def call(self, xrn, creds, rspec, options):
xrn = Xrn(xrn, type='slice')
self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrn.get_hrn(), self.name))
(speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
# Find the valid credentials
valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrn.get_hrn(), speaking_for_hrn=speaking_for)
# use the expiration from the first valid credential to determine when
# the slivers should expire.
expiration = datetime_to_string(Credential(cred=valid_creds[0]).expiration)
# make sure request is not empty
slivers = RSpec(rspec).version.get_nodes_with_slivers()
if not slivers:
raise InvalidRSpec("Missing <sliver_type> or <sliver> element. Request rspec must explicitly allocate slivers")
# flter rspec through sfatables
if self.api.interface in ['aggregate']:
chain_name = 'INCOMING'
elif self.api.interface in ['slicemgr']:
chain_name = 'FORWARD-INCOMING'
self.api.logger.debug("Allocate: sfatables on chain %s"%chain_name)
origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrn, self.name))
rspec = run_sfatables(chain_name, xrn.get_hrn(), origin_hrn, rspec)
slivers = RSpec(rspec).version.get_nodes_with_slivers()
if not slivers:
raise SfatablesRejected(slice_xrn)
result = self.api.manager.Allocate(self.api, xrn.get_urn(), creds, rspec, expiration, options)
return result
def call(self, creds, xrn, type):
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
# check creds
valid_creds = self.api.auth.checkCredentials(creds, 'getcredential')
self.api.auth.verify_object_belongs_to_me(hrn)
#log the call
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
return self.api.manager.GetCredential(self.api, xrn, type, self.api.auth.client_gid.get_urn())
def __init__(self,
create=False,
subject=None,
string=None,
filename=None,
uuid=None,
hrn=None,
urn=None,
lifeDays=1825,
email=None):
self.uuid = None
self.hrn = None
self.urn = None
self.email = None # for adding to the SubjectAltName
Certificate.__init__(self, lifeDays, create, subject, string, filename)
if subject:
logger.debug("Creating GID for subject: %s" % subject)
if uuid:
self.uuid = int(uuid)
if hrn:
self.hrn = hrn
self.urn = hrn_to_urn(hrn, 'unknown')
if urn:
self.urn = urn
self.hrn, type = urn_to_hrn(urn)
if email:
self.set_email(email)
def list(api, xrn, origin_hrn=None):
hrn, type = urn_to_hrn(xrn)
# load all know registry names into a prefix tree and attempt to find
# the longest matching prefix
records = []
registries = api.registries
registry_hrns = registries.keys()
tree = prefixTree()
tree.load(registry_hrns)
registry_hrn = tree.best_match(hrn)
#if there was no match then this record belongs to an unknow registry
if not registry_hrn:
raise MissingAuthority(xrn)
# if the best match (longest matching hrn) is not the local registry,
# forward the request
records = []
if registry_hrn != api.hrn:
credential = api.getCredential()
record_list = registries[registry_hrn].List(xrn, credential)
records = [SfaRecord(dict=record).as_dict() for record in record_list]
# if we still have not found the record yet, try the local registry
if not records:
if not api.auth.hierarchy.auth_exists(hrn):
raise MissingAuthority(hrn)
table = SfaTable()
records = table.find({'authority': hrn})
return records
def call(self, creds, options, call_id=""):
self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name))
# get slice's hrn from options
xrn = options.get('geni_slice_urn', '')
(hrn, _) = urn_to_hrn(xrn)
# Find the valid credentials
valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
# get hrn of the original caller
origin_hrn = options.get('origin_hrn', None)
if not origin_hrn:
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
# get manager for this interface
manager = self.api.get_interface_manager()
rspec = manager.ListResources(self.api, creds, options, call_id)
# filter rspec through sfatables
if self.api.interface in ['aggregate']:
chain_name = 'OUTGOING'
elif self.api.interface in ['slicemgr']:
chain_name = 'FORWARD-OUTGOING'
self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name)
filtered_rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec)
if options.has_key('geni_compressed') and options['geni_compressed'] == True:
filtered_rspec = zlib.compress(filtered_rspec).encode('base64')
return filtered_rspec
def add_slivers(self,
hostnames,
attributes=[],
sliver_urn=None,
append=False):
# add slice name to network tag
network_tags = self.xml.xpath('//network')
if network_tags:
network_tag = network_tags[0]
network_tag.set('slice', urn_to_hrn(sliver_urn)[0])
# add slivers
sliver = {'name': sliver_urn, 'pl_tags': attributes}
for hostname in hostnames:
if sliver_urn:
sliver['name'] = sliver_urn
node_elems = self.get_nodes({'component_id': '*%s*' % hostname})
if not node_elems:
continue
node_elem = node_elems[0]
SFAv1Sliver.add_slivers(node_elem.element, sliver)
# remove all nodes without slivers
if not append:
for node_elem in self.get_nodes():
if not node_elem['slivers']:
parent = node_elem.element.getparent()
parent.remove(node_elem.element)
def rspec_add_resources(cls, rspec, resources, lease_map):
for resource in resources:
if isinstance(resource, StringTypes):
urn = resource
hrn, type = urn_to_hrn(urn)
resource = {
'urn': urn,
'hrn': hrn,
'type': type,
}
# What information do we need in resources for REQUEST ?
resource_type = resource.pop('type')
# We add lease_ref wrt to each lease_id (old leases) and each client_id (new leases)
lease_dicts = lease_map.get(resource['urn'])
# NOTE : Shall we ignore reservation of resources without leases ?
lease_ids = list()
if lease_dicts:
for lease_dict in lease_dicts:
lease_id = lease_dict.get('lease_id')
if not lease_id:
lease_id = lease_dict.get('client_id')
lease_ids.append(lease_id)
if resource_type == 'node':
cls.rspec_add_node(rspec, resource, lease_ids)
elif resource_type == 'link':
cls.rspec_add_link(rspec, resource, lease_ids)
elif resource_type == 'channel':
cls.rspec_add_channel(rspec, resource, lease_ids)
def Delete(self, api, xrn, creds, options):
call_id = options.get('call_id')
if Callids().already_handled(call_id): return ""
def _Delete(server, xrn, creds, options):
return server.Delete(xrn, creds, options)
(hrn, type) = urn_to_hrn(xrn[0])
# get the callers hrn
valid_cred = api.auth.checkCredentials(creds, 'deletesliver', hrn)[0]
caller_hrn = Credential(cred=valid_cred).get_gid_caller().get_hrn()
# attempt to use delegated credential first
cred = api.getDelegatedCredential(creds)
if not cred:
cred = api.getCredential()
multiclient = MultiClient()
for aggregate in api.aggregates:
# prevent infinite loop. Dont send request back to caller
# unless the caller is the aggregate's SM
if caller_hrn == aggregate and aggregate != api.hrn:
continue
interface = api.aggregates[aggregate]
server = api.server_proxy(interface, cred)
multiclient.run(_Delete, server, xrn, [cred], options)
results = []
for result in multiclient.get_results():
results += ReturnValue.get_value(result)
return results
def verify_users(self, slice_hrn, slice_record, users, sfa_peer, options={}):
# get slice info
slicename = hrn_to_nitos_slicename(slice_hrn)
slices = self.driver.shell.getSlices({}, [])
slice = self.driver.filter_nitos_results(slices, {"slice_name": slicename})[0]
added_users = []
# get users info
users_info = []
for user in users:
user_urn = user["urn"]
user_hrn, type = urn_to_hrn(user_urn)
username = str(user_hrn).split(".")[-1]
email = user["email"]
# look for the user according to his username, email...
nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {"username": username})
if not nitos_users:
nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {"email": email})
if not nitos_users:
# create the user
user_id = self.driver.shell.addUser({"username": email.split("@")[0], "email": email})
added_users.append(user_id)
# add user keys
for key in user["keys"]:
self.driver.shell.addUserKey({"user_id": user_id, "key": key, "slice_id": slice["slice_id"]})
# add the user to the slice
self.driver.shell.addUserToSlice({"slice_id": slice["slice_id"], "user_id": user_id})
else:
# check if the users are in the slice
for user in nitos_users:
if not user["user_id"] in slice["user_ids"]:
self.driver.shell.addUserToSlice({"slice_id": slice["slice_id"], "user_id": user["user_id"]})
return added_users
def ListResources(api, creds, options, call_id):
if Callids().already_handled(call_id): return ""
# get slice's hrn from options
xrn = options.get('geni_slice_urn', None)
(hrn, type) = urn_to_hrn(xrn)
version_manager = VersionManager()
# get the rspec's return format from options
rspec_version = version_manager.get_version(options.get('rspec_version'))
version_string = "rspec_%s" % (rspec_version.to_string())
#panos adding the info option to the caching key (can be improved)
if options.get('info'):
version_string = version_string + "_"+options.get('info', 'default')
# look in cache first
if caching and api.cache and not xrn:
rspec = api.cache.get(version_string)
if rspec:
api.logger.info("aggregate.ListResources: returning cached value for hrn %s"%hrn)
return rspec
#panos: passing user-defined options
#print "manager options = ",options
aggregate = Aggregate(api, options)
rspec = aggregate.get_rspec(slice_xrn=xrn, version=rspec_version)
# cache the result
if caching and api.cache and not xrn:
api.cache.add(version_string, rspec)
return rspec
def get_auth_cred(self, xrn, kind="authority"):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
cred = Credential(subject=hrn)
cred.set_gid_caller(gid)
cred.set_gid_object(gid)
cred.set_privileges(kind)
cred.get_privileges().delegate_all_privileges(True)
#cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename())
cred.set_parent(self.get_auth_cred(parent_hrn, kind))
cred.encode()
cred.sign()
return cred
def get_slice_and_slivers(self, slice_xrn):
"""
Returns a dict of slivers keyed on the sliver's node_id
"""
slivers = {}
slice = None
if not slice_xrn:
return (slice, slivers)
slice_urn = hrn_to_urn(slice_xrn, 'slice')
slice_hrn, _ = urn_to_hrn(slice_xrn)
slice_name = hrn_to_unigetestbed_slicename(slice_hrn)
slices = self.driver.shell.GetSlices({'slice_name': slice_name})
if not slices:
return (slice, slivers)
slice = slices[0]
# sort slivers by node id
slice_nodes = []
if 'node_ids' in slice.keys():
slice_nodes = self.driver.shell.GetNodes(
{'node_ids': slice['node_ids']})
for node in slice_nodes:
slivers[node['node_id']] = node
return (slice, slivers)
def get_auth_ticket(self, xrn):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
ticket = SfaTicket(subject=hrn)
ticket.set_gid_caller(gid)
ticket.set_gid_object(gid)
ticket.set_delegate(True)
ticket.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
ticket.set_issuer(auth_info.get_pkey_object(), hrn)
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
ticket.set_parent(self.get_auth_cred(parent_hrn))
ticket.encode()
ticket.sign()
return ticket
def verify_users(self, slice_hrn, slice_record, users, options={}):
slice_name = hrn_to_unigetestbed_slicename(slice_hrn)
users_by_email = {}
for user in users:
user['urn'] = user['urn'].lower()
hrn, type = urn_to_hrn(user['urn'])
username = get_leaf(hrn)
user['username'] = username
if 'email' in user:
user['email'] = user['email'].lower()
users_by_email[user['email']] = user
# start building a list of existing users
existing_users_by_email = {}
existing_slice_users_by_email = {}
existing_users = self.driver.shell.GetUsers()
existing_slice_users_ids = self.driver.shell.GetSlices(
{'slice_name': slice_name})[0]['user_ids']
for user in existing_users:
existing_users_by_email[user['email']] = user
if user['user_id'] in existing_slice_users_ids:
existing_slice_users_by_email[user['email']] = user
add_users_by_email = set(users_by_email).difference(
existing_slice_user_by_email)
delete_users_by_email = set(existing_slice_user_by_email).difference(
users_by_email)
try:
for user in add_users_by_email:
self.driver.shell.AddUser()
except:
pass
def call(self, creds, options):
self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name))
# client must specify a version
if not options.get('geni_rspec_version'):
if options.get('rspec_version'):
options['geni_rspec_version'] = options['rspec_version']
else:
raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
# get slice's hrn from options
xrn = options.get('geni_slice_urn', '')
(hrn, _) = urn_to_hrn(xrn)
# Find the valid credentials
valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
# get hrn of the original caller
origin_hrn = options.get('origin_hrn', None)
if not origin_hrn:
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
rspec = self.api.manager.ListResources(self.api, creds, options)
# filter rspec through sfatables
if self.api.interface in ['aggregate']:
chain_name = 'OUTGOING'
elif self.api.interface in ['slicemgr']:
chain_name = 'FORWARD-OUTGOING'
self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name)
filtered_rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec)
if options.has_key('geni_compressed') and options['geni_compressed'] == True:
filtered_rspec = zlib.compress(filtered_rspec).encode('base64')
return filtered_rspec
def verify_users(self, slice_hrn, slice_record, users, options={}):
slice_name = hrn_to_dummy_slicename(slice_hrn)
users_by_email = {}
for user in users:
user['urn'] = user['urn'].lower()
hrn, type = urn_to_hrn(user['urn'])
username = get_leaf(hrn)
user['username'] = username
if 'email' in user:
user['email'] = user['email'].lower()
users_by_email[user['email']] = user
# start building a list of existing users
existing_users_by_email = {}
existing_slice_users_by_email = {}
existing_users = self.driver.shell.GetUsers()
existing_slice_users_ids = self.driver.shell.GetSlices({'slice_name': slice_name})[0]['user_ids']
for user in existing_users:
existing_users_by_email[user['email']] = user
if user['user_id'] in existing_slice_users_ids:
existing_slice_users_by_email[user['email']] = user
add_users_by_email = set(users_by_email).difference(existing_slice_user_by_email)
delete_users_by_email = set(existing_slice_user_by_email).difference(users_by_email)
try:
for user in add_users_by_email:
self.driver.shell.AddUser()
except:
pass
def get_auth_cred(self, xrn, kind="authority"):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
cred = Credential(subject=hrn)
cred.set_gid_caller(gid)
cred.set_gid_object(gid)
cred.set_privileges(kind)
cred.get_privileges().delegate_all_privileges(True)
#cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename())
cred.set_parent(self.get_auth_cred(parent_hrn, kind))
cred.encode()
cred.sign()
return cred
def _process_node(cls, node):
node['type'] = 'node'
node['network_hrn'] = Xrn(node['component_id']).authority[0] # network ? XXX
node['hrn'] = urn_to_hrn(node['component_id'])[0]
node['urn'] = node['component_id']
node['hostname'] = node['component_name']
node['initscripts'] = node.pop('pl_initscripts')
# All Labora nodes are exclusive = true
node['exclusive'] = 'true'
if 'granularity' in node:
node['granularity'] = node['granularity']['grain']
# XXX This should use a MAP as before
if 'position' in node: # iotlab
node['x'] = node['position']['posx']
node['y'] = node['position']['posy']
node['z'] = node['position']['posz']
del node['position']
if 'location' in node:
if node['location']:
node['latitude'] = node['location']['latitude']
node['longitude'] = node['location']['longitude']
del node['location']
# Flatten tags
if 'tags' in node:
if node['tags']:
for tag in node['tags']:
node[tag['tagname']] = tag['value']
del node['tags']
return node
def call(self, urns, creds, options):
self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name))
# client must specify a version
if not options.get('geni_rspec_version'):
if options.get('rspec_version'):
options['geni_rspec_version'] = options['rspec_version']
else:
raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
(speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', urns, \
check_sliver_callback = self.api.driver.check_sliver_credentials,
speaking_for_hrn=speaking_for)
# get hrn of the original caller
origin_hrn = options.get('origin_hrn', None)
if not origin_hrn:
origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
desc = self.api.manager.Describe(self.api, creds, urns, options)
# filter rspec through sfatables
if self.api.interface in ['aggregate']:
chain_name = 'OUTGOING'
elif self.api.interface in ['slicemgr']:
chain_name = 'FORWARD-OUTGOING'
self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name)
desc['geni_rspec'] = run_sfatables(chain_name, '', origin_hrn, desc['geni_rspec'])
if options.has_key('geni_compressed') and options['geni_compressed'] == True:
desc['geni_rspec'] = zlib.compress(desc['geni_rspec']).encode('base64')
return desc
def call(self, cred, xrn = None):
hrn, type = urn_to_hrn(xrn)
self.api.auth.check(cred, 'list')
aggregates = Aggregates(self.api).interfaces.values()
if hrn:
aggregates = [agg for agg in aggregates if agg['hrn'] == hrn]
return aggregates
def add_slivers(self, hostnames, attributes=[], sliver_urn=None, append=False):
# add slice name to network tag
network_tags = self.xml.xpath('//network')
if network_tags:
network_tag = network_tags[0]
network_tag.set('slice', urn_to_hrn(sliver_urn)[0])
# add slivers
sliver = {'name':sliver_urn,
'pl_tags': attributes}
for hostname in hostnames:
if sliver_urn:
sliver['name'] = sliver_urn
node_elems = self.get_nodes({'component_id': '*%s*' % hostname})
if not node_elems:
continue
node_elem = node_elems[0]
SFAv1Sliver.add_slivers(node_elem.element, sliver)
# remove all nodes without slivers
if not append:
for node_elem in self.get_nodes():
if not node_elem['slivers']:
parent = node_elem.element.getparent()
parent.remove(node_elem.element)
def get_auth_ticket(self, xrn):
hrn, type = urn_to_hrn(xrn)
auth_info = self.get_auth_info(hrn)
gid = auth_info.get_gid_object()
ticket = SfaTicket(subject=hrn)
ticket.set_gid_caller(gid)
ticket.set_gid_object(gid)
ticket.set_delegate(True)
ticket.set_pubkey(auth_info.get_gid_object().get_pubkey())
parent_hrn = get_authority(hrn)
if not parent_hrn:
# if there is no parent hrn, then it must be self-signed. this
# is where we terminate the recursion
ticket.set_issuer(auth_info.get_pkey_object(), hrn)
else:
# we need the parent's private key in order to sign this GID
parent_auth_info = self.get_auth_info(parent_hrn)
ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
ticket.set_parent(self.get_auth_cred(parent_hrn))
ticket.encode()
ticket.sign()
return ticket
def add_slivers(self, slivers, network=None, sliver_urn=None, no_dupes=False):
# add slice name to network tag
network_tags = self.xml.xpath('//network')
if network_tags:
network_tag = network_tags[0]
network_tag.set('slice', urn_to_hrn(sliver_urn)[0])
all_nodes = self.get_nodes()
nodes_with_slivers = [sliver['hostname'] for sliver in slivers]
nodes_without_slivers = set(all_nodes).difference(nodes_with_slivers)
# add slivers
for sliver in slivers:
node_elem = self.get_node_element(sliver['hostname'], network)
if not node_elem: continue
sliver_elem = etree.SubElement(node_elem, 'sliver')
if 'tags' in sliver:
for tag in sliver['tags']:
etree.SubElement(sliver_elem, tag['tagname']).text = value=tag['value']
# remove all nodes without slivers
for node in nodes_without_slivers:
node_elem = self.get_node_element(node, network)
parent = node_elem.getparent()
parent.remove(node_elem)
def ListResources(api, creds, options,call_id):
if Callids().already_handled(call_id): return ""
# get slice's hrn from options
xrn = options.get('geni_slice_urn', '')
hrn, type = urn_to_hrn(xrn)
version_manager = VersionManager()
# get the rspec's return format from options
rspec_version = version_manager.get_version(options.get('rspec_version'))
version_string = "rspec_%s" % (rspec_version.to_string())
# look in cache first
if api.cache and not xrn:
rspec = api.cache.get(version_string)
if rspec:
api.logger.info("aggregate.ListResources: returning cached value for hrn %s"%hrn)
return rspec
aggregate = ViniAggregate(api, options)
rspec = aggregate.get_rspec(slice_xrn=xrn, version=rspec_version)
# cache the result
if api.cache and not xrn:
api.cache.add('nodes', rspec)
return rspec
def verify_users(self, slice_hrn, slice_record, users, sfa_peer, options=None):
if options is None: options={}
# get slice info
slicename = hrn_to_nitos_slicename(slice_hrn)
slices = self.driver.shell.getSlices({}, [])
slice = self.driver.filter_nitos_results(slices, {'slice_name': slicename})[0]
added_users = []
#get users info
users_info = []
for user in users:
user_urn = user['urn']
user_hrn, type = urn_to_hrn(user_urn)
username = str(user_hrn).split('.')[-1]
email = user['email']
# look for the user according to his username, email...
nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {'username': username})
if not nitos_users:
nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {'email': email})
if not nitos_users:
# create the user
user_id = self.driver.shell.addUser({'username': email.split('@')[0], 'email': email})
added_users.append(user_id)
# add user keys
for key in user['keys']:
self.driver.shell.addUserKey({'user_id': user_id, 'key': key, 'slice_id': slice['slice_id']})
# add the user to the slice
self.driver.shell.addUserToSlice({'slice_id': slice['slice_id'], 'user_id': user_id})
else:
# check if the users are in the slice
for user in nitos_users:
if not user['user_id'] in slice['user_ids']:
self.driver.shell.addUserToSlice({'slice_id': slice['slice_id'], 'user_id': user['user_id']})
return added_users
def get_slice_and_slivers(self, slice_xrn):
"""
Returns a dict of slivers keyed on the sliver's node_id
"""
slivers = {}
slice = None
if not slice_xrn:
return (slice, slivers)
slice_urn = hrn_to_urn(slice_xrn, 'slice')
slice_hrn, _ = urn_to_hrn(slice_xrn)
slice_name = hrn_to_nitos_slicename(slice_hrn)
slices = self.driver.shell.getSlices({'slice_name': slice_name}, [])
#filter results
for slc in slices:
if slc['slice_name'] == slice_name:
slice = slc
break
if not slice:
return (slice, slivers)
reserved_nodes = self.driver.shell.getReservedNodes({'slice_id': slice['slice_id']}, [])
reserved_node_ids = []
# filter on the slice
for node in reserved_nodes:
if node['slice_id'] == slice['slice_id']:
reserved_node_ids.append(node['node_id'])
#get all the nodes
all_nodes = self.driver.shell.getNodes({}, [])
for node in all_nodes:
if node['node_id'] in reserved_node_ids:
slivers[node['node_id']] = node
return (slice, slivers)
def call(self, slice_xrn, creds, rspec, users, call_id=""):
hrn, type = urn_to_hrn(slice_xrn)
self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
# Find the valid credentials
valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn)
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
# make sure users info is specified
if not users:
msg = "'users' musst be specified and cannot be null. You may need to update your client."
raise SfaInvalidArgument(name='users', extra=msg)
manager = self.api.get_interface_manager()
# flter rspec through sfatables
if self.api.interface in ['aggregate']:
chain_name = 'INCOMING'
elif self.api.interface in ['slicemgr']:
chain_name = 'FORWARD-INCOMING'
self.api.logger.debug("CreateSliver: sfatables on chain %s"%chain_name)
rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec)
return manager.CreateSliver(self.api, slice_xrn, creds, rspec, users, call_id)
def verify_users(self,
slice_hrn,
slice_record,
users,
sfa_peer,
options={}):
# get slice info
slicename = hrn_to_nitos_slicename(slice_hrn)
slices = self.driver.shell.getSlices({}, [])
slice = self.driver.filter_nitos_results(slices,
{'slice_name': slicename})[0]
added_users = []
#get users info
users_info = []
for user in users:
user_urn = user['urn']
user_hrn, type = urn_to_hrn(user_urn)
username = str(user_hrn).split('.')[-1]
email = user['email']
# look for the user according to his username, email...
nitos_users = self.driver.filter_nitos_results(
self.driver.shell.getUsers(), {'username': username})
if not nitos_users:
nitos_users = self.driver.filter_nitos_results(
self.driver.shell.getUsers(), {'email': email})
if not nitos_users:
# create the user
user_id = self.driver.shell.addUser({
'username':
email.split('@')[0],
'email':
email
})
added_users.append(user_id)
# add user keys
for key in user['keys']:
self.driver.shell.addUserKey({
'user_id': user_id,
'key': key,
'slice_id': slice['slice_id']
})
# add the user to the slice
self.driver.shell.addUserToSlice({
'slice_id': slice['slice_id'],
'user_id': user_id
})
else:
# check if the users are in the slice
for user in nitos_users:
if not user['user_id'] in slice['user_ids']:
self.driver.shell.addUserToSlice({
'slice_id':
slice['slice_id'],
'user_id':
user['user_id']
})
return added_users
def xrn_hook(resource):
urn = resource.get('component_id')
if not urn:
Log.warning('No urn !!!')
return resource
resource['urn'] = urn
resource['hrn'] = urn_to_hrn(urn)[0]
return resource
def List(self, api, xrn, origin_hrn=None, options={}):
dbsession = api.dbsession()
# load all know registry names into a prefix tree and attempt to find
# the longest matching prefix
hrn, type = urn_to_hrn(xrn)
registries = api.registries
registry_hrns = registries.keys()
tree = prefixTree()
tree.load(registry_hrns)
registry_hrn = tree.best_match(hrn)
#if there was no match then this record belongs to an unknow registry
if not registry_hrn:
raise MissingAuthority(xrn)
# if the best match (longest matching hrn) is not the local registry,
# forward the request
record_dicts = []
if registry_hrn != api.hrn:
credential = api.getCredential()
interface = api.registries[registry_hrn]
server_proxy = api.server_proxy(interface, credential)
record_list = server_proxy.List(xrn, credential, options)
# same as above, no need to process what comes from through xmlrpc
# pass foreign records as-is
record_dicts = record_list
# if we still have not found the record yet, try the local registry
# logger.debug("before trying local records, %d foreign records"% len(record_dicts))
if not record_dicts:
recursive = False
if ('recursive' in options and options['recursive']):
recursive = True
elif hrn.endswith('*'):
hrn = hrn[:-1]
recursive = True
if not api.auth.hierarchy.auth_exists(hrn):
raise MissingAuthority(hrn)
if recursive:
records = dbsession.query(RegRecord).filter(
RegRecord.hrn.startswith(hrn)).all()
# logger.debug("recursive mode, found %d local records"%(len(records)))
else:
records = dbsession.query(RegRecord).filter_by(
authority=hrn).all()
# logger.debug("non recursive mode, found %d local records"%(len(records)))
# so that sfi list can show more than plain names...
for record in records:
augment_with_sfa_builtins(record)
record_dicts = [
record.todict(exclude_types=[InstrumentedList])
for record in records
]
return record_dicts
def get_plc_slice_id(self, cred, xrn):
(hrn, type) = urn_to_hrn(xrn)
slice_id = hrn.find(':')
sep = '.'
if hrn.find(':') != -1:
sep = ':'
elif hrn.find('+') != -1:
sep = '+'
else:
sep = '.'
slice_id = hrn.split(sep)[-2] + '_' + hrn.split(sep)[-1]
return slice_id
def get_sfa_peer(self, xrn):
hrn, type = urn_to_hrn(xrn)
# return the authority for this hrn or None if we are the authority
sfa_peer = None
slice_authority = get_authority(hrn)
site_authority = get_authority(slice_authority)
if site_authority != self.driver.hrn:
sfa_peer = site_authority
return sfa_peer
def call(self, xrns, creds, options):
(speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
valid_creds = self.api.auth.checkCredentials(
creds,
'sliverstatus',
xrns,
check_sliver_callback=self.api.driver.check_sliver_credentials,
speaking_for_hrn=speaking_for)
self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s" %
(self.api.interface, xrns, self.name))
return self.api.manager.Status(self.api, xrns, creds, options)
def call(self, xrn, creds, options={}):
hrn, type = urn_to_hrn(xrn)
valid_creds = self.api.auth.checkCredentials(creds, 'list')
#log the call
origin_hrn = Credential(
string=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info(
"interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" %
(self.api.interface, origin_hrn, hrn, self.name))
return self.api.manager.List(self.api, xrn, options=options)
def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825):
Certificate.__init__(self, lifeDays, create, subject, string, filename)
if subject:
logger.debug("Creating GID for subject: %s" % subject)
if uuid:
self.uuid = int(uuid)
if hrn:
self.hrn = hrn
self.urn = hrn_to_urn(hrn, 'unknown')
if urn:
self.urn = urn
self.hrn, type = urn_to_hrn(urn)
def sfa_client(request,
method,
hrn=None,
urn=None,
object_type=None,
rspec=None,
recursive=False,
options=None,
platforms=None,
output_format=None,
admin=False):
Config = ConfigParser.ConfigParser()
monitor_file = os.path.abspath(
os.path.dirname(__file__) + '/../myslice/monitor.ini')
Config.read(monitor_file)
if admin:
user_email, admin_password = config.manifold_admin_user_password()
else:
#logger.debug(request.session['user']['email'])
user_email = request.session['user']['email']
results = dict()
if hrn is None:
hrn = ''
if urn is None:
urn = ''
if object_type is None:
object_type = ''
if rspec is None:
rspec = ''
else:
logger.debug("RSPEC = %s" % rspec)
if recursive is None:
recursive = False
if options is None:
options = dict()
if platforms is None:
platforms = list()
if method not in ['GetVersion', 'ListResources']:
try:
if not hrn:
hrn = urn_to_hrn(urn)
else:
urn = hrn_to_urn(hrn, object_type)
except Exception, e:
logger.error(e)
raise Exception, "Provide urn OR hrn + type as parameters of method %s" % method
def get_auth_filenames(self, xrn):
hrn, type = urn_to_hrn(xrn)
if '\\' in hrn:
hrn = hrn.replace('\\', '')
leaf = hrn
else:
leaf = get_leaf(hrn)
parent_hrn = get_authority(hrn)
directory = os.path.join(self.basedir, hrn.replace(".", "/"))
gid_filename = os.path.join(directory, leaf+".gid")
privkey_filename = os.path.join(directory, leaf+".pkey")
return (directory, gid_filename, privkey_filename)
def call(self, creds, xrn, cert=None):
# TODO: is there a better right to check for or is 'update good enough?
valid_creds = self.api.auth.checkCredentials(creds, 'update')
# verify permissions
hrn, type = urn_to_hrn(xrn)
self.api.auth.verify_object_permission(hrn)
#log the call
origin_hrn = Credential(
string=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info(
"interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" %
(self.api.interface, origin_hrn, xrn, self.name))
return self.api.manager.CreateGid(self.api, xrn, cert)
def call(self, xrns, creds, options):
(speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
valid_creds = self.api.auth.checkCredentials(
creds,
'deletesliver',
xrns,
check_sliver_callback=self.api.driver.check_sliver_credentials,
speaking_for_hrn=speaking_for)
#log the call
origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info(
"interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" %
(self.api.interface, origin_hrn, xrns, self.name))
return self.api.manager.Delete(self.api, xrns, creds, options)
def prepare_slice(self, api, slice_xrn, creds, users):
reg_objects = self._get_registry_objects(slice_xrn, creds, users)
(hrn, type) = urn_to_hrn(slice_xrn)
slices = PlSlices(self.driver)
peer = slices.get_peer(hrn)
sfa_peer = slices.get_sfa_peer(hrn)
slice_record = None
if users:
slice_record = users[0].get('slice_record', {})
registry = api.registries[api.hrn]
credential = api.getCredential()
# ensure site record exists
site = slices.verify_site(hrn, slice_record, peer, sfa_peer)
# ensure slice record exists
slice = slices.verify_slice(hrn, slice_record, peer, sfa_peer)
# ensure person records exists
persons = slices.verify_persons(hrn, slice, users, peer, sfa_peer)
def _process_resource(cls, resource):
"""
Postprocess resources read from the RSpec. This applies to nodes, channels and links.
In particular, it sets the urn, hrn, network_hrn, facility_name and testbed_name fields.
"""
urn = resource['component_id']
hrn, type = urn_to_hrn(resource['component_id'])
resource['urn'] = urn
resource['hrn'] = hrn
resource['network_hrn'] = Xrn(resource['component_id']).authority[0] # network ? XXX
# We also add 'facility' and 'testbed' fields
resource['facility_name'] = cls.get_resource_facility_name(urn)
resource['testbed_name'] = cls.get_resource_testbed_name(urn)
return resource
def get_auth_info(self, xrn):
hrn, type = urn_to_hrn(xrn)
if not self.auth_exists(hrn):
logger.warning("Hierarchy: missing authority - xrn=%s, hrn=%s"%(xrn,hrn))
raise MissingAuthority(hrn)
(directory, gid_filename, privkey_filename, ) = \
self.get_auth_filenames(hrn)
auth_info = AuthInfo(hrn, gid_filename, privkey_filename)
# check the GID and see if it needs to be refreshed
gid = auth_info.get_gid_object()
gid_refreshed = self.refresh_gid(gid)
if gid != gid_refreshed:
auth_info.update_gid_object(gid_refreshed)
return auth_info
def _process_resource(cls, resource):
"""
Postprocess resources read from the RSpec. This applies to nodes, channels and links.
In particular, it sets the urn, hrn, network_hrn, facility_name and testbed_name fields.
"""
urn = resource['component_id']
hrn, type = urn_to_hrn(resource['component_id'])
resource['urn'] = urn
resource['hrn'] = hrn
resource['network_hrn'] = Xrn(resource['component_id']).authority[0] # network ? XXX
# We also add 'facility' and 'testbed' fields
resource['facility_name'] = cls.get_resource_facility_name(urn)
resource['testbed_name'] = cls.get_resource_testbed_name(urn)
if 'exclusive' not in resource:
resource['exclusive'] = 'true'
elif resource['exclusive'] is None:
resource['exclusive'] = 'true'
else:
Log.warning("EXCLUSIVE = ",resource['exclusive'])
#if 'location' in node:
# if node['location']:
# node['latitude'] = node['location']['latitude']
# node['longitude'] = node['location']['longitude']
# del node['location']
#else:
# if the location is not provided, aproximate it from the city
t_urn = resource['urn'].split('+')
city = t_urn[3].split('.')[1]
if city == 'iii':
city = 'Institute for Information Industry, Taïwan 106'
resource['country'] = 'Taiwan'
else:
resource['country'] = 'France'
location = cls.get_location(city)
if location is not None:
resource['latitude'] = str(location.latitude)
resource['longitude'] = str(location.longitude)
return resource
