Exemple #1
0
def __get_registry_objects(slice_xrn, creds, users):
    """

    """
    hrn, type = urn_to_hrn(slice_xrn)

    hrn_auth = get_authority(hrn)

    # Build up objects that an SFA registry would return if SFA
    # could contact the slice's registry directly
    reg_objects = None

    if users:
        # dont allow special characters in the site login base
        #only_alphanumeric = re.compile('[^a-zA-Z0-9]+')
        #login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower()
        slicename = hrn_to_pl_slicename(hrn)
        login_base = slicename.split('_')[0]
        reg_objects = {}
        site = {}
        site['site_id'] = 0
        site['name'] = 'geni.%s' % login_base 
        site['enabled'] = True
        site['max_slices'] = 100

        # Note:
        # Is it okay if this login base is the same as one already at this myplc site?
        # Do we need uniqueness?  Should use hrn_auth instead of just the leaf perhaps?
        site['login_base'] = login_base
        site['abbreviated_name'] = login_base
        site['max_slivers'] = 1000
        reg_objects['site'] = site

        slice = {}
        
        # get_expiration always returns a normalized datetime - no need to utcparse
        extime = Credential(string=creds[0]).get_expiration()
        # If the expiration time is > 60 days from now, set the expiration time to 60 days from now
        if extime > datetime.datetime.utcnow() + datetime.timedelta(days=60):
            extime = datetime.datetime.utcnow() + datetime.timedelta(days=60)
        slice['expires'] = int(time.mktime(extime.timetuple()))
        slice['hrn'] = hrn
        slice['name'] = hrn_to_pl_slicename(hrn)
        slice['url'] = hrn
        slice['description'] = hrn
        slice['pointer'] = 0
        reg_objects['slice_record'] = slice

        reg_objects['users'] = {}
        for user in users:
            user['key_ids'] = []
            hrn, _ = urn_to_hrn(user['urn'])
            user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net"
            user['first_name'] = hrn
            user['last_name'] = hrn
            reg_objects['users'][user['email']] = user

        return reg_objects
Exemple #2
0
    def verify_slice(self, slice_hrn, slice_record, peer, sfa_peer):
        slicename = hrn_to_pl_slicename(slice_hrn)
        parts = slicename.split("_")
        login_base = parts[0]
        slices = self.api.plshell.GetSlices(self.api.plauth, [slicename]) 
        if not slices:
            slice = {'name': slicename,
                     'url': slice_record.get('url', slice_hrn), 
                     'description': slice_record.get('description', slice_hrn)}
            # add the slice                          
            slice['slice_id'] = self.api.plshell.AddSlice(self.api.plauth, slice)
            slice['node_ids'] = []
            slice['person_ids'] = []
            if peer:
                slice['peer_slice_id'] = slice_record.get('slice_id', None) 
            # mark this slice as an sfa peer record
            if sfa_peer:
                peer_dict = {'type': 'slice', 'hrn': slice_hrn, 
                             'peer_authority': sfa_peer, 'pointer': slice['slice_id']}
                self.registry.register_peer_object(self.credential, peer_dict)
        else:
            slice = slices[0]
            if peer:
                slice['peer_slice_id'] = slice_record.get('slice_id', None)
                # unbind from peer so we can modify if necessary. Will bind back later
                self.api.plshell.UnBindObjectFromPeer(self.api.plauth, 'slice',\
                             slice['slice_id'], peer['shortname'])
	        #Update existing record (e.g. expires field) it with the latest info.
            if slice_record and slice['expires'] != slice_record['expires']:
                self.api.plshell.UpdateSlice(self.api.plauth, slice['slice_id'],\
                             {'expires' : slice_record['expires']})
       
        return slice
Exemple #3
0
def DeleteSliver(api, xrn, creds, call_id):
    if Callids().already_handled(call_id): return ""
    (hrn, type) = urn_to_hrn(xrn)
    slicename = hrn_to_pl_slicename(hrn)
    slices = api.plshell.GetSlices(api.plauth, {'name': slicename})
    if not slices:
        return 1
    slice = slices[0]

    api.plshell.DeleteSliceFromNodes(api.plauth, slicename, slice['node_ids'])
    return 1
Exemple #4
0
 def get_slice(self, api, hrn):
     """
     Return a Slice object for a single slice
     """
     slicename = hrn_to_pl_slicename(hrn)
     slice = api.plshell.GetSlices(api.plauth, [slicename])
     if len(slice):
         self.slice = Slice(self, slicename, slice[0])
         return self.slice
     else:
         return None
Exemple #5
0
def start_slice(api, xrn, creds):
    hrn, type = urn_to_hrn(xrn)
    slicename = hrn_to_pl_slicename(hrn)
    slices = api.plshell.GetSlices(api.plauth, {'name': slicename}, ['slice_id'])
    if not slices:
        raise RecordNotFound(hrn)
    slice_id = slices[0]['slice_id']
    slice_tags = api.plshell.GetSliceTags(api.plauth, {'slice_id': slice_id, 'tagname': 'enabled'}, ['slice_tag_id'])
    # just remove the tag if it exists
    if slice_tags:
        api.plshell.DeleteSliceTag(api.plauth, slice_tags[0]['slice_tag_id'])

    return 1
Exemple #6
0
def SliverStatus(api, slice_xrn, creds, call_id):
    if Callids().already_handled(call_id): return {}

    (hrn, type) = urn_to_hrn(slice_xrn)
    # find out where this slice is currently running
    slicename = hrn_to_pl_slicename(hrn)
    
    slices = api.plshell.GetSlices(api.plauth, [slicename], ['slice_id', 'node_ids','person_ids','name','expires'])
    if len(slices) == 0:        
        raise Exception("Slice %s not found (used %s as slicename internally)" % (slice_xrn, slicename))
    slice = slices[0]
    
    # report about the local nodes only
    nodes = api.plshell.GetNodes(api.plauth, {'node_id':slice['node_ids'],'peer_id':None},
                                 ['node_id', 'hostname', 'site_id', 'boot_state', 'last_contact'])
    site_ids = [node['site_id'] for node in nodes]
    sites = api.plshell.GetSites(api.plauth, site_ids, ['site_id', 'login_base'])
    sites_dict = dict ( [ (site['site_id'],site['login_base'] ) for site in sites ] )

    result = {}
    top_level_status = 'unknown'
    if nodes:
        top_level_status = 'ready'
    slice_urn = Xrn(slice_xrn, 'slice').get_urn()
    result['geni_urn'] = slice_urn
    result['pl_login'] = slice['name']
    result['pl_expires'] = datetime.datetime.fromtimestamp(slice['expires']).ctime()
    
    resources = []
    for node in nodes:
        res = {}
        res['pl_hostname'] = node['hostname']
        res['pl_boot_state'] = node['boot_state']
        res['pl_last_contact'] = node['last_contact']
        if node['last_contact'] is not None:
            res['pl_last_contact'] = datetime.datetime.fromtimestamp(node['last_contact']).ctime()
        sliver_id = urn_to_sliver_id(slice_urn, slice['slice_id'], node['node_id']) 
        res['geni_urn'] = sliver_id
        if node['boot_state'] == 'boot':
            res['geni_status'] = 'ready'
        else:
            res['geni_status'] = 'failed'
            top_level_staus = 'failed' 
            
        res['geni_error'] = ''

        resources.append(res)
        
    result['geni_status'] = top_level_status
    result['geni_resources'] = resources
    return result
Exemple #7
0
def stop_slice(api, xrn, creds):
    hrn, type = urn_to_hrn(xrn)
    slicename = hrn_to_pl_slicename(hrn)
    slices = api.plshell.GetSlices(api.plauth, {'name': slicename}, ['slice_id'])
    if not slices:
        raise RecordNotFound(hrn)
    slice_id = slices[0]['slice_id']
    slice_tags = api.plshell.GetSliceTags(api.plauth, {'slice_id': slice_id, 'tagname': 'enabled'})
    if not slice_tags:
        api.plshell.AddSliceTag(api.plauth, slice_id, 'enabled', '0')
    elif slice_tags[0]['value'] != "0":
        tag_id = attributes[0]['slice_tag_id']
        api.plshell.UpdateSliceTag(api.plauth, tag_id, '0')
    return 1
Exemple #8
0
def RenewSliver(api, xrn, creds, expiration_time, call_id):
    if Callids().already_handled(call_id): return True
    (hrn, type) = urn_to_hrn(xrn)
    slicename = hrn_to_pl_slicename(hrn)
    slices = api.plshell.GetSlices(api.plauth, {'name': slicename}, ['slice_id'])
    if not slices:
        raise RecordNotFound(hrn)
    slice = slices[0]
    requested_time = utcparse(expiration_time)
    record = {'expires': int(time.mktime(requested_time.timetuple()))}
    try:
        api.plshell.UpdateSlice(api.plauth, slice['slice_id'], record)
        return True
    except:
        return False
Exemple #9
0
    def sfa_fields_to_pl_fields(self, type, hrn, record):

        def convert_ints(tmpdict, int_fields):
            for field in int_fields:
                if field in tmpdict:
                    tmpdict[field] = int(tmpdict[field])

        pl_record = {}
        #for field in record:
        #    pl_record[field] = record[field]
 
        if type == "slice":
            if not "instantiation" in pl_record:
                pl_record["instantiation"] = "plc-instantiated"
            pl_record["name"] = hrn_to_pl_slicename(hrn)
	    if "url" in record:
               pl_record["url"] = record["url"]
	    if "description" in record:
	        pl_record["description"] = record["description"]
	    if "expires" in record:
	        pl_record["expires"] = int(record["expires"])

        elif type == "node":
            if not "hostname" in pl_record:
                if not "hostname" in record:
                    raise MissingSfaInfo("hostname")
                pl_record["hostname"] = record["hostname"]
            if not "model" in pl_record:
                pl_record["model"] = "geni"

        elif type == "authority":
            pl_record["login_base"] = hrn_to_pl_login_base(hrn)

            if not "name" in pl_record:
                pl_record["name"] = hrn

            if not "abbreviated_name" in pl_record:
                pl_record["abbreviated_name"] = hrn

            if not "enabled" in pl_record:
                pl_record["enabled"] = True

            if not "is_public" in pl_record:
                pl_record["is_public"] = True

        return pl_record
Exemple #10
0
def DeleteSliver(api, xrn, creds, call_id):
    if Callids().already_handled(call_id): return ""
    (hrn, type) = urn_to_hrn(xrn)
    slicename = hrn_to_pl_slicename(hrn)
    slices = api.plshell.GetSlices(api.plauth, {'name': slicename})
    if not slices:
        return 1
    slice = slices[0]

    # determine if this is a peer slice
    peer = peers.get_peer(api, hrn)
    try:
        if peer:
            api.plshell.UnBindObjectFromPeer(api.plauth, 'slice', slice['slice_id'], peer)
        api.plshell.DeleteSliceFromNodes(api.plauth, slicename, slice['node_ids'])
    finally:
        if peer:
            api.plshell.BindObjectToPeer(api.plauth, 'slice', slice['slice_id'], peer, slice['peer_slice_id'])
    return 1
Exemple #11
0
 def verify_site(self, slice_xrn, slice_record={}, peer=None, sfa_peer=None):
     (slice_hrn, type) = urn_to_hrn(slice_xrn)
     site_hrn = get_authority(slice_hrn)
     # login base can't be longer than 20 characters
     slicename = hrn_to_pl_slicename(slice_hrn)
     authority_name = slicename.split('_')[0]
     login_base = authority_name[:20]
     sites = self.api.plshell.GetSites(self.api.plauth, login_base)
     if not sites:
         # create new site record
         site = {'name': 'geni.%s' % authority_name,
                 'abbreviated_name': authority_name,
                 'login_base': login_base,
                 'max_slices': 100,
                 'max_slivers': 1000,
                 'enabled': True,
                 'peer_site_id': None}
         if peer:
             site['peer_site_id'] = slice_record.get('site_id', None)
         site['site_id'] = self.api.plshell.AddSite(self.api.plauth, site)
         # exempt federated sites from monitor policies
         self.api.plshell.AddSiteTag(self.api.plauth, site['site_id'], 'exempt_site_until', "20200101")
         
         # is this still necessary?
         # add record to the local registry 
         if sfa_peer and slice_record:
             peer_dict = {'type': 'authority', 'hrn': site_hrn, \
                          'peer_authority': sfa_peer, 'pointer': site['site_id']}
             self.registry.register_peer_object(self.credential, peer_dict)
     else:
         site =  sites[0]
         if peer:
             # unbind from peer so we can modify if necessary. Will bind back later
             self.api.plshell.UnBindObjectFromPeer(self.api.plauth, 'site', site['site_id'], peer['shortname']) 
     
     return site
Exemple #12
0
    def create_slice_aggregate(self, xrn, rspec):
        hrn, type = urn_to_hrn(xrn)
        # Determine if this is a peer slice
        peer = self.get_peer(hrn)
        sfa_peer = self.get_sfa_peer(hrn)

        spec = RSpec(rspec)
        # Get the slice record from sfa
        slicename = hrn_to_pl_slicename(hrn) 
        slice = {}
        slice_record = None
        registry = self.api.registries[self.api.hrn]
        credential = self.api.getCredential()

        site_id, remote_site_id = self.verify_site(registry, credential, hrn, peer, sfa_peer)
        slice = self.verify_slice(registry, credential, hrn, site_id, remote_site_id, peer, sfa_peer)

        # find out where this slice is currently running
        nodelist = self.api.plshell.GetNodes(self.api.plauth, slice['node_ids'], ['hostname'])
        hostnames = [node['hostname'] for node in nodelist]

        # get netspec details
        nodespecs = spec.getDictsByTagName('NodeSpec')

        # dict in which to store slice attributes to set for the nodes
        nodes = {}
        for nodespec in nodespecs:
            if isinstance(nodespec['name'], list):
                for nodename in nodespec['name']:
                    nodes[nodename] = {}
                    for k in nodespec.keys():
                        rspec_attribute_value = nodespec[k]
                        if (self.rspec_to_slice_tag.has_key(k)):
                            slice_tag_name = self.rspec_to_slice_tag[k]
                            nodes[nodename][slice_tag_name] = rspec_attribute_value
            elif isinstance(nodespec['name'], StringTypes):
                nodename = nodespec['name']
                nodes[nodename] = {}
                for k in nodespec.keys():
                    rspec_attribute_value = nodespec[k]
                    if (self.rspec_to_slice_tag.has_key(k)):
                        slice_tag_name = self.rspec_to_slice_tag[k]
                        nodes[nodename][slice_tag_name] = rspec_attribute_value

                for k in nodespec.keys():
                    rspec_attribute_value = nodespec[k]
                    if (self.rspec_to_slice_tag.has_key(k)):
                        slice_tag_name = self.rspec_to_slice_tag[k]
                        nodes[nodename][slice_tag_name] = rspec_attribute_value

        node_names = nodes.keys()
        # remove nodes not in rspec
        deleted_nodes = list(set(hostnames).difference(node_names))
        # add nodes from rspec
        added_nodes = list(set(node_names).difference(hostnames))

        try:
            if peer:
                self.api.plshell.UnBindObjectFromPeer(self.api.plauth, 'slice', slice['slice_id'], peer)

            self.api.plshell.AddSliceToNodes(self.api.plauth, slicename, added_nodes) 

            # Add recognized slice tags
            for node_name in node_names:
                node = nodes[node_name]
                for slice_tag in node.keys():
                    value = node[slice_tag]
                    if (isinstance(value, list)):
                        value = value[0]

                    self.api.plshell.AddSliceTag(self.api.plauth, slicename, slice_tag, value, node_name)

            self.api.plshell.DeleteSliceFromNodes(self.api.plauth, slicename, deleted_nodes)
        finally:
            if peer:
                self.api.plshell.BindObjectToPeer(self.api.plauth, 'slice', slice['slice_id'], peer, slice['peer_slice_id'])

        return 1
Exemple #13
0
    def get_slivers(self, xrn, node=None):
        hrn, type = urn_to_hrn(xrn)
         
        slice_name = hrn_to_pl_slicename(hrn)
        # XX Should we just call PLCAPI.GetSliceTicket(slice_name) instead
        # of doing all of this?
        #return self.api.GetSliceTicket(self.auth, slice_name) 
        
        # from PLCAPI.GetSlivers.get_slivers()
        slice_fields = ['slice_id', 'name', 'instantiation', 'expires', 'person_ids', 'slice_tag_ids']
        slices = self.api.plshell.GetSlices(self.api.plauth, slice_name, slice_fields)
        # Build up list of users and slice attributes
        person_ids = set()
        all_slice_tag_ids = set()
        for slice in slices:
            person_ids.update(slice['person_ids'])
            all_slice_tag_ids.update(slice['slice_tag_ids'])
        person_ids = list(person_ids)
        all_slice_tag_ids = list(all_slice_tag_ids)
        # Get user information
        all_persons_list = self.api.plshell.GetPersons(self.api.plauth, {'person_id':person_ids,'enabled':True}, ['person_id', 'enabled', 'key_ids'])
        all_persons = {}
        for person in all_persons_list:
            all_persons[person['person_id']] = person        

        # Build up list of keys
        key_ids = set()
        for person in all_persons.values():
            key_ids.update(person['key_ids'])
        key_ids = list(key_ids)
        # Get user account keys
        all_keys_list = self.api.plshell.GetKeys(self.api.plauth, key_ids, ['key_id', 'key', 'key_type'])
        all_keys = {}
        for key in all_keys_list:
            all_keys[key['key_id']] = key
        # Get slice attributes
        all_slice_tags_list = self.api.plshell.GetSliceTags(self.api.plauth, all_slice_tag_ids)
        all_slice_tags = {}
        for slice_tag in all_slice_tags_list:
            all_slice_tags[slice_tag['slice_tag_id']] = slice_tag
           
        slivers = []
        for slice in slices:
            keys = []
            for person_id in slice['person_ids']:
                if person_id in all_persons:
                    person = all_persons[person_id]
                    if not person['enabled']:
                        continue
                    for key_id in person['key_ids']:
                        if key_id in all_keys:
                            key = all_keys[key_id]
                            keys += [{'key_type': key['key_type'],
                                    'key': key['key']}]
            attributes = []
            # All (per-node and global) attributes for this slice
            slice_tags = []
            for slice_tag_id in slice['slice_tag_ids']:
                if slice_tag_id in all_slice_tags:
                    slice_tags.append(all_slice_tags[slice_tag_id]) 
            # Per-node sliver attributes take precedence over global
            # slice attributes, so set them first.
            # Then comes nodegroup slice attributes
            # Followed by global slice attributes
            sliver_attributes = []

            if node is not None:
                for sliver_attribute in filter(lambda a: a['node_id'] == node['node_id'], slice_tags):
                    sliver_attributes.append(sliver_attribute['tagname'])
                    attributes.append({'tagname': sliver_attribute['tagname'],
                                    'value': sliver_attribute['value']})

            # set nodegroup slice attributes
            for slice_tag in filter(lambda a: a['nodegroup_id'] in node['nodegroup_ids'], slice_tags):
                # Do not set any nodegroup slice attributes for
                # which there is at least one sliver attribute
                # already set.
                if slice_tag not in slice_tags:
                    attributes.append({'tagname': slice_tag['tagname'],
                        'value': slice_tag['value']})

            for slice_tag in filter(lambda a: a['node_id'] is None, slice_tags):
                # Do not set any global slice attributes for
                # which there is at least one sliver attribute
                # already set.
                if slice_tag['tagname'] not in sliver_attributes:
                    attributes.append({'tagname': slice_tag['tagname'],
                                   'value': slice_tag['value']})

            # XXX Sanity check; though technically this should be a system invariant
            # checked with an assertion
            if slice['expires'] > MAXINT:  slice['expires']= MAXINT
            
            slivers.append({
                'hrn': hrn,
                'name': slice['name'],
                'slice_id': slice['slice_id'],
                'instantiation': slice['instantiation'],
                'expires': slice['expires'],
                'keys': keys,
                'attributes': attributes
            })

        return slivers
Exemple #14
0
def get_gids(registry=None, verbose=False):
    """
    Get the gid for all instantiated slices on this node and store it
    in /etc/sfa/slice.gid in the slice's filesystem
    """
    # define useful variables
    config = Config()
    data_dir = config.data_path
    config_dir = config.SFA_CONFIG_DIR
    trusted_certs_dir = config.get_trustedroots_dir()
    keyfile = data_dir + os.sep + "server.key"
    certfile = data_dir + os.sep + "server.cert"
    node_gid_file = config_dir + os.sep + "node.gid"
    node_gid = GID(filename=node_gid_file)
    hrn = node_gid.get_hrn()
    interface_hrn = config.SFA_INTERFACE_HRN
    # get credential
    cred = get_credential(registry=registry, verbose=verbose)
    # make sure server key cert pair exists
    create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose)
    registry = get_server(url=registry, keyfile=keyfile, certfile=certfile)
            
    if verbose:
        print "Getting current slices on this node"
    # get a list of slices on this node
    from sfa.plc.api import ComponentAPI
    api = ComponentAPI()
    xids_tuple = api.nodemanager.GetXIDs()
    slices = eval(xids_tuple[1])
    slicenames = slices.keys()

    # generate a list of slices that dont have gids installed
    slices_without_gids = []
    for slicename in slicenames:
        if not os.path.isfile("/vservers/%s/etc/slice.gid" % slicename) \
        or not os.path.isfile("/vservers/%s/etc/node.gid" % slicename):
            slices_without_gids.append(slicename) 
    
    # convert slicenames to hrns
    hrns = [slicename_to_hrn(interface_hrn, slicename) \
            for slicename in slices_without_gids]
    
    # exit if there are no gids to install
    if not hrns:
        return
        
    if verbose:
        print "Getting gids for slices on this node from registry"  
    # get the gids
    # and save them in the right palce
    records = registry.GetGids(hrns, cred)
    for record in records:
        # if this isnt a slice record skip it
        if not record['type'] == 'slice':
            continue
        slicename = hrn_to_pl_slicename(record['hrn'])
        # if this slice isnt really instatiated skip it
        if not os.path.exists("/vservers/%(slicename)s" % locals()):
            continue
       
        # save the slice gid in /etc/sfa/ in the vservers filesystem
        vserver_path = "/vservers/%(slicename)s" % locals()
        gid = record['gid']
        slice_gid_filename = os.sep.join([vserver_path, "etc", "slice.gid"])
        if verbose:
            print "Saving GID for %(slicename)s as %(slice_gid_filename)s" % locals()
        GID(string=gid).save_to_file(slice_gid_filename, save_parents=True)
        # save the node gid in /etc/sfa
        node_gid_filename = os.sep.join([vserver_path, "etc", "node.gid"])
        if verbose:
            print "Saving node GID for %(slicename)s as %(node_gid_filename)s" % locals()
        node_gid.save_to_file(node_gid_filename, save_parents=True)
Exemple #15
0
def main():

    process_options()
    config = Config()
    if not config.SFA_REGISTRY_ENABLED:
        sys.exit(0)
    root_auth = config.SFA_REGISTRY_ROOT_AUTH
    interface_hrn = config.SFA_INTERFACE_HRN
    keys_filename = config.config_path + os.sep + 'person_keys.py' 
    sfaImporter = sfaImport()
    if config.SFA_API_DEBUG: sfaImporter.logger.setLevelDebug()
    shell = sfaImporter.shell
    plc_auth = sfaImporter.plc_auth 
    
    # initialize registry db table
    table = SfaTable()
    if not table.exists():
       table.create()

    # create root authority 
    sfaImporter.create_top_level_auth_records(root_auth)
    if not root_auth == interface_hrn:
        sfaImporter.create_top_level_auth_records(interface_hrn)

    # create s user record for the slice manager
    sfaImporter.create_sm_client_record()

    # create interface records
    sfaImporter.logger.info("Import: creating interface records")
    sfaImporter.create_interface_records()

    # add local root authority's cert  to trusted list
    sfaImporter.logger.info("Import: adding " + interface_hrn + " to trusted list")
    authority = sfaImporter.AuthHierarchy.get_auth_info(interface_hrn)
    sfaImporter.TrustedRoots.add_gid(authority.get_gid_object())

    # special case for vini
    if ".vini" in interface_hrn and interface_hrn.endswith('vini'):
        # create a fake internet2 site first
        i2site = {'name': 'Internet2', 'abbreviated_name': 'I2',
                    'login_base': 'internet2', 'site_id': -1}
        sfaImporter.import_site(interface_hrn, i2site)
   
    # create dict of all existing sfa records
    existing_records = {}
    existing_hrns = []
    key_ids = []
    person_keys = {} 
    results = table.find()
    for result in results:
        existing_records[(result['hrn'], result['type'])] = result
        existing_hrns.append(result['hrn']) 
            
    # Get all plc sites
    sites = shell.GetSites(plc_auth, {'peer_id': None})
    sites_dict = {}
    for site in sites:
        sites_dict[site['login_base']] = site 
    
    # Get all plc users
    persons = shell.GetPersons(plc_auth, {'peer_id': None, 'enabled': True}, ['person_id', 'email', 'key_ids', 'site_ids'])
    persons_dict = {}
    for person in persons:
        persons_dict[person['person_id']] = person
        key_ids.extend(person['key_ids'])

    # Get all public keys
    keys = shell.GetKeys(plc_auth, {'peer_id': None, 'key_id': key_ids})
    keys_dict = {}
    for key in keys:
        keys_dict[key['key_id']] = key['key']

    # create a dict of person keys keyed on key_id 
    old_person_keys = load_keys(keys_filename)
    for person in persons:
        pubkeys = []
        for key_id in person['key_ids']:
            pubkeys.append(keys_dict[key_id])
        person_keys[person['person_id']] = pubkeys

    # Get all plc nodes  
    nodes = shell.GetNodes(plc_auth, {'peer_id': None}, ['node_id', 'hostname', 'site_id'])
    nodes_dict = {}
    for node in nodes:
        nodes_dict[node['node_id']] = node

    # Get all plc slices
    slices = shell.GetSlices(plc_auth, {'peer_id': None}, ['slice_id', 'name'])
    slices_dict = {}
    for slice in slices:
        slices_dict[slice['slice_id']] = slice
    # start importing 
    for site in sites:
        site_hrn = _get_site_hrn(interface_hrn, site)
        sfaImporter.logger.info("Importing site: %s" % site_hrn)

        # import if hrn is not in list of existing hrns or if the hrn exists
        # but its not a site record
        if site_hrn not in existing_hrns or \
           (site_hrn, 'authority') not in existing_records:
            sfaImporter.import_site(site_hrn, site)
             
        # import node records
        for node_id in site['node_ids']:
            if node_id not in nodes_dict:
                continue 
            node = nodes_dict[node_id]
            site_auth = get_authority(site_hrn)
            site_name = get_leaf(site_hrn)
            hrn =  hostname_to_hrn(site_auth, site_name, node['hostname'])
            if hrn not in existing_hrns or \
               (hrn, 'node') not in existing_records:
                sfaImporter.import_node(hrn, node)

        # import slices
        for slice_id in site['slice_ids']:
            if slice_id not in slices_dict:
                continue 
            slice = slices_dict[slice_id]
            hrn = slicename_to_hrn(interface_hrn, slice['name'])
            if hrn not in existing_hrns or \
               (hrn, 'slice') not in existing_records:
                sfaImporter.import_slice(site_hrn, slice)      

        # import persons
        for person_id in site['person_ids']:
            if person_id not in persons_dict:
                continue 
            person = persons_dict[person_id]
            hrn = email_to_hrn(site_hrn, person['email'])
            old_keys = []
            new_keys = []
            if person_id in old_person_keys:
                old_keys = old_person_keys[person_id]
            if person_id in person_keys:
                new_keys = person_keys[person_id]
            update_record = False
            for key in new_keys:
                if key not in old_keys:
                    update_record = True 

            if hrn not in existing_hrns or \
               (hrn, 'user') not in existing_records or update_record:
                sfaImporter.import_person(site_hrn, person)

    
    # remove stale records    
    system_records = [interface_hrn, root_auth, interface_hrn + '.slicemanager']
    for (record_hrn, type) in existing_records.keys():
        if record_hrn in system_records:
            continue
        
        record = existing_records[(record_hrn, type)]
        if record['peer_authority']:
            continue

        # dont delete vini's internet2 placeholdder record
        # normally this would be deleted becuase it does not have a plc record 
        if ".vini" in interface_hrn and interface_hrn.endswith('vini') and \
           record_hrn.endswith("internet2"):     
            continue

        found = False
        
        if type == 'authority':    
            for site in sites:
                site_hrn = interface_hrn + "." + site['login_base']
                if site_hrn == record_hrn and site['site_id'] == record['pointer']:
                    found = True
                    break

        elif type == 'user':
            login_base = get_leaf(get_authority(record_hrn))
            username = get_leaf(record_hrn)
            if login_base in sites_dict:
                site = sites_dict[login_base]
                for person in persons:
                    tmp_username = person['email'].split("@")[0]
                    alt_username = person['email'].split("@")[0].replace(".", "_").replace("+", "_")
                    if username in [tmp_username, alt_username] and \
                       site['site_id'] in person['site_ids'] and \
                       person['person_id'] == record['pointer']:
                        found = True
                        break
        
        elif type == 'slice':
            slicename = hrn_to_pl_slicename(record_hrn)
            for slice in slices:
                if slicename == slice['name'] and \
                   slice['slice_id'] == record['pointer']:
                    found = True
                    break    
 
        elif type == 'node':
            login_base = get_leaf(get_authority(record_hrn))
            nodename = Xrn.unescape(get_leaf(record_hrn))
            if login_base in sites_dict:
                site = sites_dict[login_base]
                for node in nodes:
                    tmp_nodename = node['hostname']
                    if tmp_nodename == nodename and \
                       node['site_id'] == site['site_id'] and \
                       node['node_id'] == record['pointer']:
                        found = True
                        break  
        else:
            continue 
        
        if not found:
            record_object = existing_records[(record_hrn, type)]
            sfaImporter.delete_record(record_hrn, type) 
                                   
    # save pub keys
    sfaImporter.logger.info('Import: saving current pub keys')
    save_keys(keys_filename, person_keys)