def export_gid(options): from sfa.util.table import SfaTable # lookup the record for the specified hrn hrn = options.export type = options.type # check sfa table first filter = {'hrn': hrn} if type: filter['type'] = type table = SfaTable() records = table.find(filter) if not records: # check the authorities hierarchy hierarchy = Hierarchy() try: auth_info = hierarchy.get_auth_info() gid = auth_info.gid_object except: print "Record: %s not found" % hrn sys.exit(1) else: record = records[0] gid = GID(string=record['gid']) # get the outfile outfile = options.outfile if not outfile: outfile = os.path.abspath('./%s.gid' % gid.get_hrn()) # save it if options.verbose: print "Writing %s gid to %s" % (gid.get_hrn(), outfile) gid.save_to_file(outfile, save_parents=True)
def sign(options): """ Sign the specified gid """ hierarchy = Hierarchy() config = Config() default_authority = config.SFA_INTERFACE_HRN auth_info = hierarchy.get_auth_info(default_authority) # load the gid gidfile = os.path.abspath(options.sign) if not os.path.isfile(gidfile): print "no such gid: %s" % gidfile sys.exit(1) gid = GID(filename=gidfile) # extract pub_key and create new gid pkey = gid.get_pubkey() urn = gid.get_urn() gid = hierarchy.create_gid(urn, create_uuid(), pkey) # get the outfile outfile = options.outfile if not outfile: outfile = os.path.abspath('./signed-%s.gid' % gid.get_hrn()) # save the signed gid if options.verbose: print "Writing signed gid %s" % outfile gid.save_to_file(outfile, save_parents=True)
def getCredential(self): """ Get our credential from a remote registry """ path = self.config.SFA_DATA_DIR config_dir = self.config.config_path cred_filename = path + os.sep + 'node.cred' try: credential = Credential(filename = cred_filename) return credential.save_to_string(save_parents=True) except IOError: node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" cert_filename = path + os.sep + 'server.cert' if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): self.get_node_key() # get node's hrn gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # get credential from registry cert_str = Certificate(filename=cert_filename).save_to_string(save_parents=True) registry = self.get_registry() cred = registry.GetSelfCredential(cert_str, hrn, 'node') # xxx credfile is undefined Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile): """ Return a delegated copy of this credential, delegated to the specified gid's user. """ # get the gid of the object we are delegating object_gid = self.get_gid_object() object_hrn = object_gid.get_hrn() # the hrn of the user who will be delegated to delegee_gid = GID(filename=delegee_gidfile) delegee_hrn = delegee_gid.get_hrn() #user_key = Keypair(filename=keyfile) #user_hrn = self.get_gid_caller().get_hrn() subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn) dcred = Credential(subject=subject_string) dcred.set_gid_caller(delegee_gid) dcred.set_gid_object(object_gid) dcred.set_parent(self) dcred.set_expiration(self.get_expiration()) dcred.set_privileges(self.get_privileges()) dcred.get_privileges().delegate_all_privileges(True) #dcred.set_issuer_keys(keyfile, delegee_gidfile) dcred.set_issuer_keys(caller_keyfile, caller_gidfile) dcred.encode() dcred.sign() return dcred
def getCredential(self): """ Get our credential from a remote registry """ path = self.config.SFA_DATA_DIR config_dir = self.config.config_path cred_filename = path + os.sep + 'node.cred' try: credential = Credential(filename=cred_filename) return credential.save_to_string(save_parents=True) except IOError: node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" cert_filename = path + os.sep + 'server.cert' if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): self.get_node_key() # get node's hrn gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # get credential from registry cert_str = Certificate(filename=cert_filename).save_to_string( save_parents=True) registry = self.get_registry() cred = registry.GetSelfCredential(cert_str, hrn, 'node') # xxx credfile is undefined Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def install_peer_certs(server_key_file, server_cert_file): """ Attempt to install missing trusted gids and db records for our federated interfaces """ # Attempt to get any missing peer gids # There should be a gid file in /etc/sfa/trusted_roots for every # peer registry found in in the registries.xml config file. If there # are any missing gids, request a new one from the peer registry. api = SfaAPI(key_file=server_key_file, cert_file=server_cert_file) registries = Registries() aggregates = Aggregates() interfaces = dict(registries.items() + aggregates.items()) gids_current = api.auth.trusted_cert_list hrns_current = [gid.get_hrn() for gid in gids_current] hrns_expected = set([hrn for hrn in interfaces]) new_hrns = set(hrns_expected).difference(hrns_current) # gids = self.get_peer_gids(new_hrns) + gids_current peer_gids = [] if not new_hrns: return trusted_certs_dir = api.config.get_trustedroots_dir() for new_hrn in new_hrns: if not new_hrn: continue # the gid for this interface should already be installed if new_hrn == api.config.SFA_INTERFACE_HRN: continue try: # get gid from the registry url = interfaces[new_hrn].get_url() interface = interfaces[new_hrn].get_server(server_key_file, server_cert_file, timeout=30) # skip non sfa aggregates server_version = api.get_cached_server_version(interface) if "sfa" not in server_version: logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn) continue trusted_gids = interface.get_trusted_certs() if trusted_gids: # the gid we want should be the first one in the list, # but lets make sure for trusted_gid in trusted_gids: # default message message = "interface: %s\t" % (api.interface) message += "unable to install trusted gid for %s" % (new_hrn) gid = GID(string=trusted_gids[0]) peer_gids.append(gid) if gid.get_hrn() == new_hrn: gid_filename = os.path.join(trusted_certs_dir, "%s.gid" % new_hrn) gid.save_to_file(gid_filename, save_parents=True) message = "installed trusted cert for %s" % new_hrn # log the message api.logger.info(message) except: message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn) api.logger.log_exc(message) # doesnt matter witch one update_cert_records(peer_gids)
def get_trusted_certs(registry=None, verbose=False): """ refresh our list of trusted certs. """ # define useful variables config = Config() data_dir = config.SFA_DATA_DIR config_dir = config.SFA_CONFIG_DIR trusted_certs_dir = config.get_trustedroots_dir() keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" node_gid_file = config_dir + os.sep + "node.gid" node_gid = GID(filename=node_gid_file) hrn = node_gid.get_hrn() # get credential cred = GetCredential(registry=registry, verbose=verbose) # make sure server key cert pair exists create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose) registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) # get the trusted certs and save them in the right place if verbose: print "Getting trusted certs from registry" trusted_certs = registry.get_trusted_certs(cred) trusted_gid_names = [] for gid_str in trusted_certs: gid = GID(string=gid_str) gid.decode() relative_filename = gid.get_hrn() + ".gid" trusted_gid_names.append(relative_filename) gid_filename = trusted_certs_dir + os.sep + relative_filename if verbose: print "Writing GID for %s as %s" % (gid.get_hrn(), gid_filename) gid.save_to_file(gid_filename, save_parents=True) # remove old certs all_gids_names = os.listdir(trusted_certs_dir) for gid_name in all_gids_names: if gid_name not in trusted_gid_names: if verbose: print "Removing old gid ", gid_name os.unlink(trusted_certs_dir + os.sep + gid_name)
def import_gid(options): """ Import the specified gid into the registry (db and authorities hierarchy) overwriting any previous gid. """ from sfa.util.table import SfaTable from sfa.util.record import SfaRecord # load the gid gidfile = os.path.abspath(options.importgid) if not gidfile or not os.path.isfile(gidfile): print "No such gid: %s" % gidfile sys.exit(1) gid = GID(filename=gidfile) # check if it exists within the hierarchy hierarchy = Hierarchy() if not hierarchy.auth_exists(gid.get_hrn()): print "%s not found in hierarchy" % gid.get_hrn() sys.exit(1) # check if record exists in db table = SfaTable() records = table.find({'hrn': gid.get_hrn(), 'type': 'authority'}) if not records: print "%s not found in record database" % get.get_hrn() sys.exit(1) # update the database record record = records[0] record['gid'] = gid.save_to_string(save_parents=True) table.update(record) if options.verbose: print "Imported %s gid into db" % record['hrn'] # update the hierarchy auth_info = hierarchy.get_auth_info(gid.get_hrn()) filename = auth_info.gid_filename gid.save_to_file(filename, save_parents=True) if options.verbose: print "Writing %s gid to %s" % (gid.get_hrn(), filename) # ending here return
def install_gids(api, slivers): # install node gid node_gid_file = api.config.config_path + os.sep + "node.gid" node_gid = GID(filename=node_gid_file) node_gid_str = node_gid.save_to_string(save_parents=True) node_hrn = node_gid.get_hrn() # get currently installed slice and node gids interface_hrn = api.config.SFA_INTERFACE_HRN slice_gids = {} node_gids = {} for slicename in slivers: slice_gid_filename = "/vservers/%s/etc/slice.gid" % slicename node_gid_filename = "/vservers/%s/etc/node.gid" % slicename if os.path.isfile(slice_gid_filename): gid_file = open(slice_gid_filename, 'r') slice_gids[sliver] = gid_file.read() gid_file.close() if os.path.isfile(node_gid_filename): gid_file = open(node_gid_filename, 'r') node_gids[sliver] = gid_file.read() gid_file.close() # convert slicenames to hrns hrns = [slicename_to_hrn(interface_hrn, slicename) \ for slicename in slivers] # get current gids from registry cred = api.getCredential() registry = api.get_registry() #records = registry.GetGids(cred, hrns) records = registry.get_gids(cred, hrns) for record in records: # skip if this isnt a slice record if not record['type'] == 'slice': continue vserver_path = "/vservers/%(slicename)s" % locals() # skip if the slice isnt instantiated if not os.path.exists(vserver_path): continue # install slice gid if it doesnt already exist or has changed slice_gid_str = record['gid'] slicename = hrn_to_pl_slicename(record['hrn']) if slicename not in slice_gids or slice_gids[slicename] != slice_gid_str: gid_filename = os.sep.join([vserver_path, "etc", "slice.gid"]) GID(string=slice_gid_str).save_to_file(gid_filename, save_parents=True) # install slice gid if it doesnt already exist or has changed if slicename not in node_gids or node_gids[slicename] != node_gid_str: gid_filename = os.sep.join([vserver_path, "etc", "node.gid"]) GID(string=node_gid_str).save_to_file(gid_filename, save_parents=True)
def install_trusted_certs(api): cred = api.getCredential() registry = api.get_registry() trusted_certs = registry.get_trusted_certs(cred) trusted_gid_names = [] for gid_str in trusted_certs: gid = GID(string=gid_str) gid.decode() relative_filename = gid.get_hrn() + ".gid" trusted_gid_names.append(relative_filename) gid_filename = trusted_certs_dir + os.sep + relative_filename if verbose: print("Writing GID for %s as %s" % (gid.get_hrn(), gid_filename)) gid.save_to_file(gid_filename, save_parents=True) # remove old certs all_gids_names = os.listdir(trusted_certs_dir) for gid_name in all_gids_names: if gid_name not in trusted_gid_names: if verbose: print("Removing old gid ", gid_name) os.unlink(trusted_certs_dir + os.sep + gid_name)
def GetCredential(registry=None, force=False, verbose=False): config = Config() hierarchy = Hierarchy() key_dir = hierarchy.basedir data_dir = config.data_path config_dir = config.config_path credfile = data_dir + os.sep + 'node.cred' # check for existing credential if not force and os.path.exists(credfile): if verbose: print "Loading Credential from %(credfile)s " % locals() cred = Credential(filename=credfile).save_to_string(save_parents=True) else: if verbose: print "Getting credential from registry" # make sure node private key exists node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): get_node_key(registry=registry, verbose=verbose) gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # create server key and certificate keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" key = Keypair(filename=node_pkey_file) key.save_to_file(keyfile) create_server_keypair(keyfile, certfile, hrn, verbose) # get credential from registry registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) cert = Certificate(filename=certfile) cert_str = cert.save_to_string(save_parents=True) cred = registry.GetSelfCredential(cert_str, 'node', hrn) Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def export(self, xrn, type=None, outfile=None): """Fetch an object's GID from the Registry""" from sfa.storage.model import RegRecord hrn = Xrn(xrn).get_hrn() request = self.api.dbsession().query(RegRecord).filter_by(hrn=hrn) if type: request = request.filter_by(type=type) record = request.first() if record: gid = GID(string=record.gid) else: # check the authorities hierarchy hierarchy = Hierarchy() try: auth_info = hierarchy.get_auth_info(hrn) gid = auth_info.gid_object except: print "Record: %s not found" % hrn sys.exit(1) # save to file if not outfile: outfile = os.path.abspath('./%s.gid' % gid.get_hrn()) gid.save_to_file(outfile, save_parents=True)
def GetCredential(registry=None, force=False, verbose=False): config = Config() hierarchy = Hierarchy() key_dir= hierarchy.basedir data_dir = config.data_path config_dir = config.config_path credfile = data_dir + os.sep + 'node.cred' # check for existing credential if not force and os.path.exists(credfile): if verbose: print "Loading Credential from %(credfile)s " % locals() cred = Credential(filename=credfile).save_to_string(save_parents=True) else: if verbose: print "Getting credential from registry" # make sure node private key exists node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): get_node_key(registry=registry, verbose=verbose) gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # create server key and certificate keyfile =data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" key = Keypair(filename=node_pkey_file) key.save_to_file(keyfile) create_server_keypair(keyfile, certfile, hrn, verbose) # get credential from registry registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) cert = Certificate(filename=certfile) cert_str = cert.save_to_string(save_parents=True) cred = registry.GetSelfCredential(cert_str, 'node', hrn) Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def export(self, xrn, type=None, outfile=None): """Fetch an object's GID from the Registry""" from sfa.storage.model import RegRecord hrn = Xrn(xrn).get_hrn() request=self.api.dbsession().query(RegRecord).filter_by(hrn=hrn) if type: request = request.filter_by(type=type) record=request.first() if record: gid = GID(string=record.gid) else: # check the authorities hierarchy hierarchy = Hierarchy() try: auth_info = hierarchy.get_auth_info(hrn) gid = auth_info.gid_object except: print "Record: %s not found" % hrn sys.exit(1) # save to file if not outfile: outfile = os.path.abspath('./%s.gid' % gid.get_hrn()) gid.save_to_file(outfile, save_parents=True)
def get_gids(registry=None, verbose=False): """ Get the gid for all instantiated slices on this node and store it in /etc/sfa/slice.gid in the slice's filesystem """ # define useful variables config = Config() data_dir = config.data_path config_dir = config.SFA_CONFIG_DIR trusted_certs_dir = config.get_trustedroots_dir() keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" node_gid_file = config_dir + os.sep + "node.gid" node_gid = GID(filename=node_gid_file) hrn = node_gid.get_hrn() interface_hrn = config.SFA_INTERFACE_HRN # get credential cred = GetCredential(registry=registry, verbose=verbose) # make sure server key cert pair exists create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose) registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) if verbose: print "Getting current slices on this node" # get a list of slices on this node from sfa.generic import Generic generic=Generic.the_flavour() api = generic.make_api(interface='component') xids_tuple = api.driver.nodemanager.GetXIDs() slices = eval(xids_tuple[1]) slicenames = slices.keys() # generate a list of slices that dont have gids installed slices_without_gids = [] for slicename in slicenames: if not os.path.isfile("/vservers/%s/etc/slice.gid" % slicename) \ or not os.path.isfile("/vservers/%s/etc/node.gid" % slicename): slices_without_gids.append(slicename) # convert slicenames to hrns hrns = [slicename_to_hrn(interface_hrn, slicename) \ for slicename in slices_without_gids] # exit if there are no gids to install if not hrns: return if verbose: print "Getting gids for slices on this node from registry" # get the gids # and save them in the right palce records = registry.GetGids(hrns, cred) for record in records: # if this isnt a slice record skip it if not record['type'] == 'slice': continue slicename = hrn_to_pl_slicename(record['hrn']) # if this slice isnt really instatiated skip it if not os.path.exists("/vservers/%(slicename)s" % locals()): continue # save the slice gid in /etc/sfa/ in the vservers filesystem vserver_path = "/vservers/%(slicename)s" % locals() gid = record['gid'] slice_gid_filename = os.sep.join([vserver_path, "etc", "slice.gid"]) if verbose: print "Saving GID for %(slicename)s as %(slice_gid_filename)s" % locals() GID(string=gid).save_to_file(slice_gid_filename, save_parents=True) # save the node gid in /etc/sfa node_gid_filename = os.sep.join([vserver_path, "etc", "node.gid"]) if verbose: print "Saving node GID for %(slicename)s as %(node_gid_filename)s" % locals() node_gid.save_to_file(node_gid_filename, save_parents=True)
def install_peer_certs(server_key_file, server_cert_file): """ Attempt to install missing trusted gids and db records for our federated interfaces """ # Attempt to get any missing peer gids # There should be a gid file in /etc/sfa/trusted_roots for every # peer registry found in in the registries.xml config file. If there # are any missing gids, request a new one from the peer registry. api = SfaApi(key_file=server_key_file, cert_file=server_cert_file) registries = Registries() aggregates = Aggregates() interfaces = dict(registries.items() + aggregates.items()) gids_current = api.auth.trusted_cert_list hrns_current = [gid.get_hrn() for gid in gids_current] hrns_expected = set([hrn for hrn in interfaces]) new_hrns = set(hrns_expected).difference(hrns_current) #gids = self.get_peer_gids(new_hrns) + gids_current peer_gids = [] if not new_hrns: return trusted_certs_dir = api.config.get_trustedroots_dir() for new_hrn in new_hrns: if not new_hrn: continue # the gid for this interface should already be installed if new_hrn == api.config.SFA_INTERFACE_HRN: continue try: # get gid from the registry url = interfaces[new_hrn].get_url() interface = interfaces[new_hrn].server_proxy(server_key_file, server_cert_file, timeout=30) # skip non sfa aggregates server_version = api.get_cached_server_version(interface) if 'sfa' not in server_version: logger.info( "get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn) continue trusted_gids = ReturnValue.get_value(interface.get_trusted_certs()) if trusted_gids: # the gid we want should be the first one in the list, # but lets make sure for trusted_gid in trusted_gids: # default message message = "interface: %s\t" % (api.interface) message += "unable to install trusted gid for %s" % \ (new_hrn) gid = GID(string=trusted_gid) peer_gids.append(gid) if gid.get_hrn() == new_hrn: gid_filename = os.path.join(trusted_certs_dir, '%s.gid' % new_hrn) gid.save_to_file(gid_filename, save_parents=True) message = "installed trusted cert for %s" % new_hrn # log the message api.logger.info(message) except: message = "interface: %s\tunable to install trusted gid for %s" % \ (api.interface, new_hrn) api.logger.log_exc(message) # doesnt matter witch one update_cert_records(peer_gids)
def get_gids(registry=None, verbose=False): """ Get the gid for all instantiated slices on this node and store it in /etc/sfa/slice.gid in the slice's filesystem """ # define useful variables config = Config() data_dir = config.data_path config_dir = config.SFA_CONFIG_DIR trusted_certs_dir = config.get_trustedroots_dir() keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" node_gid_file = config_dir + os.sep + "node.gid" node_gid = GID(filename=node_gid_file) hrn = node_gid.get_hrn() interface_hrn = config.SFA_INTERFACE_HRN # get credential cred = GetCredential(registry=registry, verbose=verbose) # make sure server key cert pair exists create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose) registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) if verbose: print "Getting current slices on this node" # get a list of slices on this node from sfa.generic import Generic generic = Generic.the_flavour() api = generic.make_api(interface='component') xids_tuple = api.driver.nodemanager.GetXIDs() slices = eval(xids_tuple[1]) slicenames = slices.keys() # generate a list of slices that dont have gids installed slices_without_gids = [] for slicename in slicenames: if not os.path.isfile("/vservers/%s/etc/slice.gid" % slicename) \ or not os.path.isfile("/vservers/%s/etc/node.gid" % slicename): slices_without_gids.append(slicename) # convert slicenames to hrns hrns = [slicename_to_hrn(interface_hrn, slicename) \ for slicename in slices_without_gids] # exit if there are no gids to install if not hrns: return if verbose: print "Getting gids for slices on this node from registry" # get the gids # and save them in the right palce records = registry.GetGids(hrns, cred) for record in records: # if this isnt a slice record skip it if not record['type'] == 'slice': continue slicename = hrn_to_pl_slicename(record['hrn']) # if this slice isnt really instatiated skip it if not os.path.exists("/vservers/%(slicename)s" % locals()): continue # save the slice gid in /etc/sfa/ in the vservers filesystem vserver_path = "/vservers/%(slicename)s" % locals() gid = record['gid'] slice_gid_filename = os.sep.join([vserver_path, "etc", "slice.gid"]) if verbose: print "Saving GID for %(slicename)s as %(slice_gid_filename)s" % locals( ) GID(string=gid).save_to_file(slice_gid_filename, save_parents=True) # save the node gid in /etc/sfa node_gid_filename = os.sep.join([vserver_path, "etc", "node.gid"]) if verbose: print "Saving node GID for %(slicename)s as %(node_gid_filename)s" % locals( ) node_gid.save_to_file(node_gid_filename, save_parents=True)