def _get_registry_objects(self, slice_xrn, creds, users): """ """ hrn, _ = urn_to_hrn(slice_xrn) #hrn_auth = get_authority(hrn) # Build up objects that an SFA registry would return if SFA # could contact the slice's registry directly reg_objects = None if users: # dont allow special characters in the site login base #only_alphanumeric = re.compile('[^a-zA-Z0-9]+') #login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower() slicename = hrn_to_pl_slicename(hrn) login_base = slicename.split('_')[0] reg_objects = {} site = {} site['site_id'] = 0 site['name'] = 'geni.%s' % login_base site['enabled'] = True site['max_slices'] = 100 # Note: # Is it okay if this login base is the same as one already at this myplc site? # Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps? site['login_base'] = login_base site['abbreviated_name'] = login_base site['max_slivers'] = 1000 reg_objects['site'] = site slice = {} # get_expiration always returns a normalized datetime - no need to utcparse extime = Credential(string=creds[0]).get_expiration() # If the expiration time is > 60 days from now, set the expiration time to 60 days from now if extime > datetime.datetime.utcnow() + datetime.timedelta( days=60): extime = datetime.datetime.utcnow() + datetime.timedelta( days=60) slice['expires'] = int(time.mktime(extime.timetuple())) slice['hrn'] = hrn slice['name'] = hrn_to_pl_slicename(hrn) slice['url'] = hrn slice['description'] = hrn slice['pointer'] = 0 reg_objects['slice_record'] = slice reg_objects['users'] = {} for user in users: user['key_ids'] = [] hrn, _ = urn_to_hrn(user['urn']) user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net" user['first_name'] = hrn user['last_name'] = hrn reg_objects['users'][user['email']] = user return reg_objects
def GetSelfCredential(certificate, xnr, type): if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) origin_hrn = Certificate(string=cert).get_subject() ### authenticate the gid # import here so we can load this module at build-time for sfa2wsdl #from sfa.storage.alchemy import dbsession from sfa.storage.model import RegRecord # xxx-local - the current code runs Resolve, which would forward to # another registry if needed # I wonder if this is truly the intention, or shouldn't we instead # only look in the local db ? records = self.api.manager.Resolve(self.api, xrn, type, details=False) if not records: raise RecordNotFound(hrn) record_obj = RegRecord (dict=records[0]) # xxx-local the local-only version would read #record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first() #if not record_obj: raise RecordNotFound(hrn) gid = record_obj.get_gid_object() gid_str = gid.save_to_string(save_parents=True) self.api.auth.authenticateGid(gid_str, [cert, type, hrn]) # authenticate the certificate against the gid in the db certificate = Certificate(string=cert) if not certificate.is_pubkey(gid.get_pubkey()): for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]: if hasattr (obj,'filename'): raise ConnectionKeyGIDMismatch(gid.get_subject()) return self.api.manager.GetCredential(self.api, xrn, type)
def GetCredential(self, api, xrn, type, caller_xrn=None): # convert xrn to hrn if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # Is this a root or sub authority auth_hrn = api.auth.get_authority(hrn) if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = api.auth.get_auth_info(auth_hrn) # get record info record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first() if not record: raise RecordNotFound("hrn=%s, type=%s"%(hrn,type)) # get the callers gid # if caller_xrn is not specified assume the caller is the record # object itself. if not caller_xrn: caller_hrn = hrn caller_gid = record.get_gid_object() else: caller_hrn, caller_type = urn_to_hrn(caller_xrn) if caller_type: caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first() else: caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first() if not caller_record: raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type)) caller_gid = GID(string=caller_record.gid)i object_hrn = record.get_gid_object().get_hrn() # call the builtin authorization/credential generation engine rights = api.auth.determine_user_rights(caller_hrn, record) # make sure caller has rights to this object if rights.is_empty(): raise PermissionError("%s has no rights to %s (%s)" % \ (caller_hrn, object_hrn, xrn)) object_gid = GID(string=record.gid) new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(caller_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) #new_cred.set_pubkey(object_gid.get_pubkey()) new_cred.set_privileges(rights) new_cred.get_privileges().delegate_all_privileges(True) if hasattr(record,'expires'): date = utcparse(record.expires) expires = datetime_to_epoch(date) new_cred.set_expiration(int(expires)) auth_kind = "authority,ma,sa" # Parent not necessary, verify with certs #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) new_cred.encode() new_cred.sign() return new_cred.save_to_string(save_parents=True)
def GetCredential(self, api, xrn, type, caller_xrn=None): # convert xrn to hrn if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # Is this a root or sub authority auth_hrn = api.auth.get_authority(hrn) if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = api.auth.get_auth_info(auth_hrn) # get record info record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first() if not record: raise RecordNotFound("hrn=%s, type=%s"%(hrn,type)) # get the callers gid # if caller_xrn is not specified assume the caller is the record # object itself. if not caller_xrn: caller_hrn = hrn caller_gid = record.get_gid_object() else: caller_hrn, caller_type = urn_to_hrn(caller_xrn) if caller_type: caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first() else: caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first() if not caller_record: raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type)) caller_gid = GID(string=caller_record.gid) object_hrn = record.get_gid_object().get_hrn() # call the builtin authorization/credential generation engine rights = api.auth.determine_user_rights(caller_hrn, record) # make sure caller has rights to this object if rights.is_empty(): raise PermissionError("%s has no rights to %s (%s)" % \ (caller_hrn, object_hrn, xrn)) object_gid = GID(string=record.gid) new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(caller_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) #new_cred.set_pubkey(object_gid.get_pubkey()) new_cred.set_privileges(rights) new_cred.get_privileges().delegate_all_privileges(True) if hasattr(record,'expires'): date = utcparse(record.expires) expires = datetime_to_epoch(date) new_cred.set_expiration(int(expires)) auth_kind = "authority,ma,sa" # Parent not necessary, verify with certs #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) new_cred.encode() new_cred.sign() return new_cred.save_to_string(save_parents=True)
def _get_registry_objects(self, slice_xrn, creds, users): """ """ hrn, _ = urn_to_hrn(slice_xrn) #hrn_auth = get_authority(hrn) # Build up objects that an SFA registry would return if SFA # could contact the slice's registry directly reg_objects = None if users: # dont allow special characters in the site login base #only_alphanumeric = re.compile('[^a-zA-Z0-9]+') #login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower() slicename = hrn_to_pl_slicename(hrn) login_base = slicename.split('_')[0] reg_objects = {} site = {} site['site_id'] = 0 site['name'] = 'geni.%s' % login_base site['enabled'] = True site['max_slices'] = 100 # Note: # Is it okay if this login base is the same as one already at this myplc site? # Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps? site['login_base'] = login_base site['abbreviated_name'] = login_base site['max_slivers'] = 1000 reg_objects['site'] = site slice = {} # get_expiration always returns a normalized datetime - no need to utcparse extime = Credential(string=creds[0]).get_expiration() # If the expiration time is > 60 days from now, set the expiration time to 60 days from now if extime > datetime.datetime.utcnow() + datetime.timedelta(days=60): extime = datetime.datetime.utcnow() + datetime.timedelta(days=60) slice['expires'] = int(time.mktime(extime.timetuple())) slice['hrn'] = hrn slice['name'] = hrn_to_pl_slicename(hrn) slice['url'] = hrn slice['description'] = hrn slice['pointer'] = 0 reg_objects['slice_record'] = slice reg_objects['users'] = {} for user in users: user['key_ids'] = [] hrn, _ = urn_to_hrn(user['urn']) user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net" user['first_name'] = hrn user['last_name'] = hrn reg_objects['users'][user['email']] = user return reg_objects
def get_credential(api, xrn, type, is_self=False): # convert xrn to hrn if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # Is this a root or sub authority auth_hrn = api.auth.get_authority(hrn) if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN: auth_hrn = hrn # get record info auth_info = api.auth.get_auth_info(auth_hrn) table = SfaTable() records = table.findObjects({'type': type, 'hrn': hrn}) if not records: raise RecordNotFound(hrn) record = records[0] # verify_cancreate_credential requires that the member lists # (researchers, pis, etc) be filled in api.fill_record_info(record) if record['type']=='user': if not record['enabled']: raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" %(record['email'])) # get the callers gid # if this is a self cred the record's gid is the caller's gid if is_self: caller_hrn = hrn caller_gid = record.get_gid_object() else: caller_gid = api.auth.client_cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() object_hrn = record.get_gid_object().get_hrn() rights = api.auth.determine_user_rights(caller_hrn, record) # make sure caller has rights to this object if rights.is_empty(): raise PermissionError(caller_hrn + " has no rights to " + record['name']) object_gid = GID(string=record['gid']) new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(caller_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) #new_cred.set_pubkey(object_gid.get_pubkey()) new_cred.set_privileges(rights) new_cred.get_privileges().delegate_all_privileges(True) if 'expires' in record: new_cred.set_expiration(int(record['expires'])) auth_kind = "authority,ma,sa" # Parent not necessary, verify with certs #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) new_cred.encode() new_cred.sign() return new_cred.save_to_string(save_parents=True)
def call(self, cert, xrn, type): """ GetSelfCredential a degenerate version of GetCredential used by a client to get his initial credential when de doesnt have one. This is the same as GetCredential(..., cred = None, ...) The registry ensures that the client is the principal that is named by (type, name) by comparing the public key in the record's GID to the private key used to encrypt the client side of the HTTPS connection. Thus it is impossible for one principal to retrieve another principal's credential without having the appropriate private key. @param type type of object (user | slice | sa | ma | node) @param hrn human readable name of authority to list @return string representation of a credential object """ if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) self.api.auth.verify_object_belongs_to_me(hrn) origin_hrn = Certificate(string=cert).get_subject() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name)) ### authenticate the gid # import here so we can load this module at build-time for sfa2wsdl #from sfa.storage.alchemy import dbsession from sfa.storage.model import RegRecord # xxx-local - the current code runs Resolve, which would forward to # another registry if needed # I wonder if this is truly the intention, or shouldn't we instead # only look in the local db ? records = self.api.manager.Resolve(self.api, xrn, type, details=False) if not records: raise RecordNotFound(hrn) record_obj = RegRecord (dict=records[0]) # xxx-local the local-only version would read #record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first() #if not record_obj: raise RecordNotFound(hrn) gid = record_obj.get_gid_object() gid_str = gid.save_to_string(save_parents=True) self.api.auth.authenticateGid(gid_str, [cert, type, hrn]) # authenticate the certificate against the gid in the db certificate = Certificate(string=cert) if not certificate.is_pubkey(gid.get_pubkey()): for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]: self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string())) self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string())) if hasattr (obj,'filename'): self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename)) raise ConnectionKeyGIDMismatch(gid.get_subject()) return self.api.manager.GetCredential(self.api, xrn, type)
def resolve(api, xrns, type=None, full=True): # load all known registry names into a prefix tree and attempt to find # the longest matching prefix if not isinstance(xrns, types.ListType): if not type: type = Xrn(xrns).get_type() xrns = [xrns] hrns = [urn_to_hrn(xrn)[0] for xrn in xrns] # create a dict where key is a registry hrn and its value is a # hrns at that registry (determined by the known prefix tree). xrn_dict = {} registries = api.registries tree = prefixTree() registry_hrns = registries.keys() tree.load(registry_hrns) for xrn in xrns: registry_hrn = tree.best_match(urn_to_hrn(xrn)[0]) if registry_hrn not in xrn_dict: xrn_dict[registry_hrn] = [] xrn_dict[registry_hrn].append(xrn) records = [] for registry_hrn in xrn_dict: # skip the hrn without a registry hrn # XX should we let the user know the authority is unknown? if not registry_hrn: continue # if the best match (longest matching hrn) is not the local registry, # forward the request xrns = xrn_dict[registry_hrn] if registry_hrn != api.hrn: credential = api.getCredential() peer_records = registries[registry_hrn].Resolve(xrns, credential) records.extend([SfaRecord(dict=record).as_dict() for record in peer_records]) # try resolving the remaining unfound records at the local registry remaining_hrns = set(hrns).difference([record['hrn'] for record in records]) # convert set to list remaining_hrns = [hrn for hrn in remaining_hrns] table = SfaTable() local_records = table.findObjects({'hrn': remaining_hrns}) if full: api.fill_record_info(local_records) # convert local record objects to dicts records.extend([dict(record) for record in local_records]) if not records: raise RecordNotFound(str(hrns)) if type: records = filter(lambda rec: rec['type'] in [type], records) return records
def DeleteSliver(api, xrn, creds, call_id): def _DeleteSliver(server, xrn, creds, call_id): server_version = api.get_cached_server_version(server) args = [xrn, creds] if _call_id_supported(api, server): args.append(call_id) return server.DeleteSliver(*args) if Callids().already_handled(call_id): return "" (hrn, type) = urn_to_hrn(xrn) # get the callers hrn valid_cred = api.auth.checkCredentials(creds, 'deletesliver', hrn)[0] caller_hrn = Credential(string=valid_cred).get_gid_caller().get_hrn() # attempt to use delegated credential first cred = api.getDelegatedCredential(creds) if not cred: cred = api.getCredential() threads = ThreadManager() for aggregate in api.aggregates: # prevent infinite loop. Dont send request back to caller # unless the caller is the aggregate's SM if caller_hrn == aggregate and aggregate != api.hrn: continue interface = api.aggregates[aggregate] server = api.get_server(interface, cred) threads.run(_DeleteSliver, server, xrn, [cred], call_id) threads.get_results() return 1
def get_slice_and_slivers(self, slice_xrn, login=None): """ Returns a dict of slivers keyed on the sliver's node_id """ slivers = {} sfa_slice = None if not slice_xrn: return (sfa_slice, slivers) slice_urn = hrn_to_urn(slice_xrn, 'slice') slice_hrn, _ = urn_to_hrn(slice_xrn) slice_name = slice_hrn slices = self.driver.GetSlices(slice_filter= str(slice_name), \ slice_filter_type = 'slice_hrn', login=login) logger.debug("Slabaggregate api \tget_slice_and_slivers \ sfa_slice %s \r\n slices %s self.driver.hrn %s" \ %(sfa_slice, slices, self.driver.hrn)) if not slices: return (sfa_slice, slivers) #if isinstance(sfa_slice, list): #sfa_slice = slices[0] #else: #sfa_slice = slices # sort slivers by node id , if there is a job #and therfore, node allocated to this slice for sfa_slice in slices: try: node_ids_list = sfa_slice['node_ids'] except KeyError: logger.log_exc("SLABAGGREGATE \t \ get_slice_and_slivers KeyError ") continue for node in node_ids_list: sliver_xrn = Xrn(slice_urn, type='sliver', id=node) sliver_xrn.set_authority(self.driver.hrn) #node_id = self.driver.root_auth + '.' + node_id sliver = Sliver({'sliver_id':sliver_xrn.urn, 'name': sfa_slice['hrn'], 'type': 'slab-node', 'tags': []}) slivers[node] = sliver #Add default sliver attribute : #connection information for senslab if get_authority (sfa_slice['hrn']) == self.driver.root_auth: tmp = sfa_slice['hrn'].split('.') ldap_username = tmp[1].split('_')[0] vmaddr = 'ssh ' + ldap_username + '@grenoble.senslab.info' slivers['default_sliver'] = {'vm': vmaddr , 'login': ldap_username} #TODO get_slice_and_slivers Find the login of the external user logger.debug("SLABAGGREGATE api get_slice_and_slivers slivers %s "\ %(slivers)) return (slices, slivers)
def get_peer(self, xrn): hrn, hrn_type = urn_to_hrn(xrn) #Does this slice belong to a local site or a peer senslab site? peer = None # get this slice's authority (site) slice_authority = get_authority(hrn) site_authority = slice_authority # get this site's authority (sfa root authority or sub authority) #site_authority = get_authority(slice_authority).lower() logger.debug("SLABSLICES \ get_peer slice_authority %s \ site_authority %s hrn %s" %(slice_authority, \ site_authority, hrn)) #This slice belongs to the current site if site_authority == self.driver.root_auth : return None # check if we are already peered with this site_authority, if so #peers = self.driver.GetPeers({}) peers = self.driver.GetPeers(peer_filter = slice_authority) for peer_record in peers: if site_authority == peer_record.hrn: peer = peer_record logger.debug(" SLABSLICES \tget_peer peer %s " %(peer)) return peer
def call(self, cred, xrn = None): hrn, type = urn_to_hrn(xrn) self.api.auth.check(cred, 'list') registries = Registries(self.api).interfaces.values() if hrn: registries = [reg for reg in registries if reg['hrn'] == hrn] return registries
def call(self, slice_xrn, creds, rspec, users, options): hrn, type = urn_to_hrn(slice_xrn) self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, hrn, self.name)) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, "createsliver", hrn) origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # make sure users info is specified if not users: msg = "'users' must be specified and cannot be null. You may need to update your client." raise SfaInvalidArgument(name="users", extra=msg) # flter rspec through sfatables if self.api.interface in ["aggregate"]: chain_name = "INCOMING" elif self.api.interface in ["slicemgr"]: chain_name = "FORWARD-INCOMING" self.api.logger.debug("CreateSliver: sfatables on chain %s" % chain_name) rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec) slivers = RSpec(rspec).version.get_nodes_with_slivers() if not slivers: raise InvalidRSpec( "Missing <sliver_type> or <sliver> element. Request rspec must explicitly allocate slivers" ) result = self.api.manager.CreateSliver(self.api, slice_xrn, creds, rspec, users, options) return result
def call(self, xrn, creds, rspec, options): xrn = Xrn(xrn, type='slice') self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrn.get_hrn(), self.name)) (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrn.get_hrn(), speaking_for_hrn=speaking_for) # use the expiration from the first valid credential to determine when # the slivers should expire. expiration = datetime_to_string(Credential(cred=valid_creds[0]).expiration) # make sure request is not empty slivers = RSpec(rspec).version.get_nodes_with_slivers() if not slivers: raise InvalidRSpec("Missing <sliver_type> or <sliver> element. Request rspec must explicitly allocate slivers") # flter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'INCOMING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-INCOMING' self.api.logger.debug("Allocate: sfatables on chain %s"%chain_name) origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrn, self.name)) rspec = run_sfatables(chain_name, xrn.get_hrn(), origin_hrn, rspec) slivers = RSpec(rspec).version.get_nodes_with_slivers() if not slivers: raise SfatablesRejected(slice_xrn) result = self.api.manager.Allocate(self.api, xrn.get_urn(), creds, rspec, expiration, options) return result
def call(self, creds, xrn, type): if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # check creds valid_creds = self.api.auth.checkCredentials(creds, 'getcredential') self.api.auth.verify_object_belongs_to_me(hrn) #log the call origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.GetCredential(self.api, xrn, type, self.api.auth.client_gid.get_urn())
def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825, email=None): self.uuid = None self.hrn = None self.urn = None self.email = None # for adding to the SubjectAltName Certificate.__init__(self, lifeDays, create, subject, string, filename) if subject: logger.debug("Creating GID for subject: %s" % subject) if uuid: self.uuid = int(uuid) if hrn: self.hrn = hrn self.urn = hrn_to_urn(hrn, 'unknown') if urn: self.urn = urn self.hrn, type = urn_to_hrn(urn) if email: self.set_email(email)
def list(api, xrn, origin_hrn=None): hrn, type = urn_to_hrn(xrn) # load all know registry names into a prefix tree and attempt to find # the longest matching prefix records = [] registries = api.registries registry_hrns = registries.keys() tree = prefixTree() tree.load(registry_hrns) registry_hrn = tree.best_match(hrn) #if there was no match then this record belongs to an unknow registry if not registry_hrn: raise MissingAuthority(xrn) # if the best match (longest matching hrn) is not the local registry, # forward the request records = [] if registry_hrn != api.hrn: credential = api.getCredential() record_list = registries[registry_hrn].List(xrn, credential) records = [SfaRecord(dict=record).as_dict() for record in record_list] # if we still have not found the record yet, try the local registry if not records: if not api.auth.hierarchy.auth_exists(hrn): raise MissingAuthority(hrn) table = SfaTable() records = table.find({'authority': hrn}) return records
def call(self, creds, options, call_id=""): self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name)) # get slice's hrn from options xrn = options.get('geni_slice_urn', '') (hrn, _) = urn_to_hrn(xrn) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn) # get hrn of the original caller origin_hrn = options.get('origin_hrn', None) if not origin_hrn: origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # get manager for this interface manager = self.api.get_interface_manager() rspec = manager.ListResources(self.api, creds, options, call_id) # filter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'OUTGOING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-OUTGOING' self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name) filtered_rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec) if options.has_key('geni_compressed') and options['geni_compressed'] == True: filtered_rspec = zlib.compress(filtered_rspec).encode('base64') return filtered_rspec
def add_slivers(self, hostnames, attributes=[], sliver_urn=None, append=False): # add slice name to network tag network_tags = self.xml.xpath('//network') if network_tags: network_tag = network_tags[0] network_tag.set('slice', urn_to_hrn(sliver_urn)[0]) # add slivers sliver = {'name': sliver_urn, 'pl_tags': attributes} for hostname in hostnames: if sliver_urn: sliver['name'] = sliver_urn node_elems = self.get_nodes({'component_id': '*%s*' % hostname}) if not node_elems: continue node_elem = node_elems[0] SFAv1Sliver.add_slivers(node_elem.element, sliver) # remove all nodes without slivers if not append: for node_elem in self.get_nodes(): if not node_elem['slivers']: parent = node_elem.element.getparent() parent.remove(node_elem.element)
def rspec_add_resources(cls, rspec, resources, lease_map): for resource in resources: if isinstance(resource, StringTypes): urn = resource hrn, type = urn_to_hrn(urn) resource = { 'urn': urn, 'hrn': hrn, 'type': type, } # What information do we need in resources for REQUEST ? resource_type = resource.pop('type') # We add lease_ref wrt to each lease_id (old leases) and each client_id (new leases) lease_dicts = lease_map.get(resource['urn']) # NOTE : Shall we ignore reservation of resources without leases ? lease_ids = list() if lease_dicts: for lease_dict in lease_dicts: lease_id = lease_dict.get('lease_id') if not lease_id: lease_id = lease_dict.get('client_id') lease_ids.append(lease_id) if resource_type == 'node': cls.rspec_add_node(rspec, resource, lease_ids) elif resource_type == 'link': cls.rspec_add_link(rspec, resource, lease_ids) elif resource_type == 'channel': cls.rspec_add_channel(rspec, resource, lease_ids)
def Delete(self, api, xrn, creds, options): call_id = options.get('call_id') if Callids().already_handled(call_id): return "" def _Delete(server, xrn, creds, options): return server.Delete(xrn, creds, options) (hrn, type) = urn_to_hrn(xrn[0]) # get the callers hrn valid_cred = api.auth.checkCredentials(creds, 'deletesliver', hrn)[0] caller_hrn = Credential(cred=valid_cred).get_gid_caller().get_hrn() # attempt to use delegated credential first cred = api.getDelegatedCredential(creds) if not cred: cred = api.getCredential() multiclient = MultiClient() for aggregate in api.aggregates: # prevent infinite loop. Dont send request back to caller # unless the caller is the aggregate's SM if caller_hrn == aggregate and aggregate != api.hrn: continue interface = api.aggregates[aggregate] server = api.server_proxy(interface, cred) multiclient.run(_Delete, server, xrn, [cred], options) results = [] for result in multiclient.get_results(): results += ReturnValue.get_value(result) return results
def verify_users(self, slice_hrn, slice_record, users, sfa_peer, options={}): # get slice info slicename = hrn_to_nitos_slicename(slice_hrn) slices = self.driver.shell.getSlices({}, []) slice = self.driver.filter_nitos_results(slices, {"slice_name": slicename})[0] added_users = [] # get users info users_info = [] for user in users: user_urn = user["urn"] user_hrn, type = urn_to_hrn(user_urn) username = str(user_hrn).split(".")[-1] email = user["email"] # look for the user according to his username, email... nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {"username": username}) if not nitos_users: nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {"email": email}) if not nitos_users: # create the user user_id = self.driver.shell.addUser({"username": email.split("@")[0], "email": email}) added_users.append(user_id) # add user keys for key in user["keys"]: self.driver.shell.addUserKey({"user_id": user_id, "key": key, "slice_id": slice["slice_id"]}) # add the user to the slice self.driver.shell.addUserToSlice({"slice_id": slice["slice_id"], "user_id": user_id}) else: # check if the users are in the slice for user in nitos_users: if not user["user_id"] in slice["user_ids"]: self.driver.shell.addUserToSlice({"slice_id": slice["slice_id"], "user_id": user["user_id"]}) return added_users
def ListResources(api, creds, options, call_id): if Callids().already_handled(call_id): return "" # get slice's hrn from options xrn = options.get('geni_slice_urn', None) (hrn, type) = urn_to_hrn(xrn) version_manager = VersionManager() # get the rspec's return format from options rspec_version = version_manager.get_version(options.get('rspec_version')) version_string = "rspec_%s" % (rspec_version.to_string()) #panos adding the info option to the caching key (can be improved) if options.get('info'): version_string = version_string + "_"+options.get('info', 'default') # look in cache first if caching and api.cache and not xrn: rspec = api.cache.get(version_string) if rspec: api.logger.info("aggregate.ListResources: returning cached value for hrn %s"%hrn) return rspec #panos: passing user-defined options #print "manager options = ",options aggregate = Aggregate(api, options) rspec = aggregate.get_rspec(slice_xrn=xrn, version=rspec_version) # cache the result if caching and api.cache and not xrn: api.cache.add(version_string, rspec) return rspec
def get_auth_cred(self, xrn, kind="authority"): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() cred = Credential(subject=hrn) cred.set_gid_caller(gid) cred.set_gid_object(gid) cred.set_privileges(kind) cred.get_privileges().delegate_all_privileges(True) #cred.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename()) cred.set_parent(self.get_auth_cred(parent_hrn, kind)) cred.encode() cred.sign() return cred
def get_slice_and_slivers(self, slice_xrn): """ Returns a dict of slivers keyed on the sliver's node_id """ slivers = {} slice = None if not slice_xrn: return (slice, slivers) slice_urn = hrn_to_urn(slice_xrn, 'slice') slice_hrn, _ = urn_to_hrn(slice_xrn) slice_name = hrn_to_unigetestbed_slicename(slice_hrn) slices = self.driver.shell.GetSlices({'slice_name': slice_name}) if not slices: return (slice, slivers) slice = slices[0] # sort slivers by node id slice_nodes = [] if 'node_ids' in slice.keys(): slice_nodes = self.driver.shell.GetNodes( {'node_ids': slice['node_ids']}) for node in slice_nodes: slivers[node['node_id']] = node return (slice, slivers)
def get_auth_ticket(self, xrn): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() ticket = SfaTicket(subject=hrn) ticket.set_gid_caller(gid) ticket.set_gid_object(gid) ticket.set_delegate(True) ticket.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion ticket.set_issuer(auth_info.get_pkey_object(), hrn) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn) ticket.set_parent(self.get_auth_cred(parent_hrn)) ticket.encode() ticket.sign() return ticket
def verify_users(self, slice_hrn, slice_record, users, options={}): slice_name = hrn_to_unigetestbed_slicename(slice_hrn) users_by_email = {} for user in users: user['urn'] = user['urn'].lower() hrn, type = urn_to_hrn(user['urn']) username = get_leaf(hrn) user['username'] = username if 'email' in user: user['email'] = user['email'].lower() users_by_email[user['email']] = user # start building a list of existing users existing_users_by_email = {} existing_slice_users_by_email = {} existing_users = self.driver.shell.GetUsers() existing_slice_users_ids = self.driver.shell.GetSlices( {'slice_name': slice_name})[0]['user_ids'] for user in existing_users: existing_users_by_email[user['email']] = user if user['user_id'] in existing_slice_users_ids: existing_slice_users_by_email[user['email']] = user add_users_by_email = set(users_by_email).difference( existing_slice_user_by_email) delete_users_by_email = set(existing_slice_user_by_email).difference( users_by_email) try: for user in add_users_by_email: self.driver.shell.AddUser() except: pass
def call(self, creds, options): self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name)) # client must specify a version if not options.get('geni_rspec_version'): if options.get('rspec_version'): options['geni_rspec_version'] = options['rspec_version'] else: raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null') # get slice's hrn from options xrn = options.get('geni_slice_urn', '') (hrn, _) = urn_to_hrn(xrn) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn) # get hrn of the original caller origin_hrn = options.get('origin_hrn', None) if not origin_hrn: origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() rspec = self.api.manager.ListResources(self.api, creds, options) # filter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'OUTGOING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-OUTGOING' self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name) filtered_rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec) if options.has_key('geni_compressed') and options['geni_compressed'] == True: filtered_rspec = zlib.compress(filtered_rspec).encode('base64') return filtered_rspec
def verify_users(self, slice_hrn, slice_record, users, options={}): slice_name = hrn_to_dummy_slicename(slice_hrn) users_by_email = {} for user in users: user['urn'] = user['urn'].lower() hrn, type = urn_to_hrn(user['urn']) username = get_leaf(hrn) user['username'] = username if 'email' in user: user['email'] = user['email'].lower() users_by_email[user['email']] = user # start building a list of existing users existing_users_by_email = {} existing_slice_users_by_email = {} existing_users = self.driver.shell.GetUsers() existing_slice_users_ids = self.driver.shell.GetSlices({'slice_name': slice_name})[0]['user_ids'] for user in existing_users: existing_users_by_email[user['email']] = user if user['user_id'] in existing_slice_users_ids: existing_slice_users_by_email[user['email']] = user add_users_by_email = set(users_by_email).difference(existing_slice_user_by_email) delete_users_by_email = set(existing_slice_user_by_email).difference(users_by_email) try: for user in add_users_by_email: self.driver.shell.AddUser() except: pass
def _process_node(cls, node): node['type'] = 'node' node['network_hrn'] = Xrn(node['component_id']).authority[0] # network ? XXX node['hrn'] = urn_to_hrn(node['component_id'])[0] node['urn'] = node['component_id'] node['hostname'] = node['component_name'] node['initscripts'] = node.pop('pl_initscripts') # All Labora nodes are exclusive = true node['exclusive'] = 'true' if 'granularity' in node: node['granularity'] = node['granularity']['grain'] # XXX This should use a MAP as before if 'position' in node: # iotlab node['x'] = node['position']['posx'] node['y'] = node['position']['posy'] node['z'] = node['position']['posz'] del node['position'] if 'location' in node: if node['location']: node['latitude'] = node['location']['latitude'] node['longitude'] = node['location']['longitude'] del node['location'] # Flatten tags if 'tags' in node: if node['tags']: for tag in node['tags']: node[tag['tagname']] = tag['value'] del node['tags'] return node
def call(self, urns, creds, options): self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name)) # client must specify a version if not options.get('geni_rspec_version'): if options.get('rspec_version'): options['geni_rspec_version'] = options['rspec_version'] else: raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null') (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', urns, \ check_sliver_callback = self.api.driver.check_sliver_credentials, speaking_for_hrn=speaking_for) # get hrn of the original caller origin_hrn = options.get('origin_hrn', None) if not origin_hrn: origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() desc = self.api.manager.Describe(self.api, creds, urns, options) # filter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'OUTGOING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-OUTGOING' self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name) desc['geni_rspec'] = run_sfatables(chain_name, '', origin_hrn, desc['geni_rspec']) if options.has_key('geni_compressed') and options['geni_compressed'] == True: desc['geni_rspec'] = zlib.compress(desc['geni_rspec']).encode('base64') return desc
def call(self, cred, xrn = None): hrn, type = urn_to_hrn(xrn) self.api.auth.check(cred, 'list') aggregates = Aggregates(self.api).interfaces.values() if hrn: aggregates = [agg for agg in aggregates if agg['hrn'] == hrn] return aggregates
def add_slivers(self, hostnames, attributes=[], sliver_urn=None, append=False): # add slice name to network tag network_tags = self.xml.xpath('//network') if network_tags: network_tag = network_tags[0] network_tag.set('slice', urn_to_hrn(sliver_urn)[0]) # add slivers sliver = {'name':sliver_urn, 'pl_tags': attributes} for hostname in hostnames: if sliver_urn: sliver['name'] = sliver_urn node_elems = self.get_nodes({'component_id': '*%s*' % hostname}) if not node_elems: continue node_elem = node_elems[0] SFAv1Sliver.add_slivers(node_elem.element, sliver) # remove all nodes without slivers if not append: for node_elem in self.get_nodes(): if not node_elem['slivers']: parent = node_elem.element.getparent() parent.remove(node_elem.element)
def add_slivers(self, slivers, network=None, sliver_urn=None, no_dupes=False): # add slice name to network tag network_tags = self.xml.xpath('//network') if network_tags: network_tag = network_tags[0] network_tag.set('slice', urn_to_hrn(sliver_urn)[0]) all_nodes = self.get_nodes() nodes_with_slivers = [sliver['hostname'] for sliver in slivers] nodes_without_slivers = set(all_nodes).difference(nodes_with_slivers) # add slivers for sliver in slivers: node_elem = self.get_node_element(sliver['hostname'], network) if not node_elem: continue sliver_elem = etree.SubElement(node_elem, 'sliver') if 'tags' in sliver: for tag in sliver['tags']: etree.SubElement(sliver_elem, tag['tagname']).text = value=tag['value'] # remove all nodes without slivers for node in nodes_without_slivers: node_elem = self.get_node_element(node, network) parent = node_elem.getparent() parent.remove(node_elem)
def ListResources(api, creds, options,call_id): if Callids().already_handled(call_id): return "" # get slice's hrn from options xrn = options.get('geni_slice_urn', '') hrn, type = urn_to_hrn(xrn) version_manager = VersionManager() # get the rspec's return format from options rspec_version = version_manager.get_version(options.get('rspec_version')) version_string = "rspec_%s" % (rspec_version.to_string()) # look in cache first if api.cache and not xrn: rspec = api.cache.get(version_string) if rspec: api.logger.info("aggregate.ListResources: returning cached value for hrn %s"%hrn) return rspec aggregate = ViniAggregate(api, options) rspec = aggregate.get_rspec(slice_xrn=xrn, version=rspec_version) # cache the result if api.cache and not xrn: api.cache.add('nodes', rspec) return rspec
def verify_users(self, slice_hrn, slice_record, users, sfa_peer, options=None): if options is None: options={} # get slice info slicename = hrn_to_nitos_slicename(slice_hrn) slices = self.driver.shell.getSlices({}, []) slice = self.driver.filter_nitos_results(slices, {'slice_name': slicename})[0] added_users = [] #get users info users_info = [] for user in users: user_urn = user['urn'] user_hrn, type = urn_to_hrn(user_urn) username = str(user_hrn).split('.')[-1] email = user['email'] # look for the user according to his username, email... nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {'username': username}) if not nitos_users: nitos_users = self.driver.filter_nitos_results(self.driver.shell.getUsers(), {'email': email}) if not nitos_users: # create the user user_id = self.driver.shell.addUser({'username': email.split('@')[0], 'email': email}) added_users.append(user_id) # add user keys for key in user['keys']: self.driver.shell.addUserKey({'user_id': user_id, 'key': key, 'slice_id': slice['slice_id']}) # add the user to the slice self.driver.shell.addUserToSlice({'slice_id': slice['slice_id'], 'user_id': user_id}) else: # check if the users are in the slice for user in nitos_users: if not user['user_id'] in slice['user_ids']: self.driver.shell.addUserToSlice({'slice_id': slice['slice_id'], 'user_id': user['user_id']}) return added_users
def get_slice_and_slivers(self, slice_xrn): """ Returns a dict of slivers keyed on the sliver's node_id """ slivers = {} slice = None if not slice_xrn: return (slice, slivers) slice_urn = hrn_to_urn(slice_xrn, 'slice') slice_hrn, _ = urn_to_hrn(slice_xrn) slice_name = hrn_to_nitos_slicename(slice_hrn) slices = self.driver.shell.getSlices({'slice_name': slice_name}, []) #filter results for slc in slices: if slc['slice_name'] == slice_name: slice = slc break if not slice: return (slice, slivers) reserved_nodes = self.driver.shell.getReservedNodes({'slice_id': slice['slice_id']}, []) reserved_node_ids = [] # filter on the slice for node in reserved_nodes: if node['slice_id'] == slice['slice_id']: reserved_node_ids.append(node['node_id']) #get all the nodes all_nodes = self.driver.shell.getNodes({}, []) for node in all_nodes: if node['node_id'] in reserved_node_ids: slivers[node['node_id']] = node return (slice, slivers)
def call(self, slice_xrn, creds, rspec, users, call_id=""): hrn, type = urn_to_hrn(slice_xrn) self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name)) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn) origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # make sure users info is specified if not users: msg = "'users' musst be specified and cannot be null. You may need to update your client." raise SfaInvalidArgument(name='users', extra=msg) manager = self.api.get_interface_manager() # flter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'INCOMING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-INCOMING' self.api.logger.debug("CreateSliver: sfatables on chain %s"%chain_name) rspec = run_sfatables(chain_name, hrn, origin_hrn, rspec) return manager.CreateSliver(self.api, slice_xrn, creds, rspec, users, call_id)
def verify_users(self, slice_hrn, slice_record, users, sfa_peer, options={}): # get slice info slicename = hrn_to_nitos_slicename(slice_hrn) slices = self.driver.shell.getSlices({}, []) slice = self.driver.filter_nitos_results(slices, {'slice_name': slicename})[0] added_users = [] #get users info users_info = [] for user in users: user_urn = user['urn'] user_hrn, type = urn_to_hrn(user_urn) username = str(user_hrn).split('.')[-1] email = user['email'] # look for the user according to his username, email... nitos_users = self.driver.filter_nitos_results( self.driver.shell.getUsers(), {'username': username}) if not nitos_users: nitos_users = self.driver.filter_nitos_results( self.driver.shell.getUsers(), {'email': email}) if not nitos_users: # create the user user_id = self.driver.shell.addUser({ 'username': email.split('@')[0], 'email': email }) added_users.append(user_id) # add user keys for key in user['keys']: self.driver.shell.addUserKey({ 'user_id': user_id, 'key': key, 'slice_id': slice['slice_id'] }) # add the user to the slice self.driver.shell.addUserToSlice({ 'slice_id': slice['slice_id'], 'user_id': user_id }) else: # check if the users are in the slice for user in nitos_users: if not user['user_id'] in slice['user_ids']: self.driver.shell.addUserToSlice({ 'slice_id': slice['slice_id'], 'user_id': user['user_id'] }) return added_users
def xrn_hook(resource): urn = resource.get('component_id') if not urn: Log.warning('No urn !!!') return resource resource['urn'] = urn resource['hrn'] = urn_to_hrn(urn)[0] return resource
def List(self, api, xrn, origin_hrn=None, options={}): dbsession = api.dbsession() # load all know registry names into a prefix tree and attempt to find # the longest matching prefix hrn, type = urn_to_hrn(xrn) registries = api.registries registry_hrns = registries.keys() tree = prefixTree() tree.load(registry_hrns) registry_hrn = tree.best_match(hrn) #if there was no match then this record belongs to an unknow registry if not registry_hrn: raise MissingAuthority(xrn) # if the best match (longest matching hrn) is not the local registry, # forward the request record_dicts = [] if registry_hrn != api.hrn: credential = api.getCredential() interface = api.registries[registry_hrn] server_proxy = api.server_proxy(interface, credential) record_list = server_proxy.List(xrn, credential, options) # same as above, no need to process what comes from through xmlrpc # pass foreign records as-is record_dicts = record_list # if we still have not found the record yet, try the local registry # logger.debug("before trying local records, %d foreign records"% len(record_dicts)) if not record_dicts: recursive = False if ('recursive' in options and options['recursive']): recursive = True elif hrn.endswith('*'): hrn = hrn[:-1] recursive = True if not api.auth.hierarchy.auth_exists(hrn): raise MissingAuthority(hrn) if recursive: records = dbsession.query(RegRecord).filter( RegRecord.hrn.startswith(hrn)).all() # logger.debug("recursive mode, found %d local records"%(len(records))) else: records = dbsession.query(RegRecord).filter_by( authority=hrn).all() # logger.debug("non recursive mode, found %d local records"%(len(records))) # so that sfi list can show more than plain names... for record in records: augment_with_sfa_builtins(record) record_dicts = [ record.todict(exclude_types=[InstrumentedList]) for record in records ] return record_dicts
def get_plc_slice_id(self, cred, xrn): (hrn, type) = urn_to_hrn(xrn) slice_id = hrn.find(':') sep = '.' if hrn.find(':') != -1: sep = ':' elif hrn.find('+') != -1: sep = '+' else: sep = '.' slice_id = hrn.split(sep)[-2] + '_' + hrn.split(sep)[-1] return slice_id
def get_sfa_peer(self, xrn): hrn, type = urn_to_hrn(xrn) # return the authority for this hrn or None if we are the authority sfa_peer = None slice_authority = get_authority(hrn) site_authority = get_authority(slice_authority) if site_authority != self.driver.hrn: sfa_peer = site_authority return sfa_peer
def call(self, xrns, creds, options): (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) valid_creds = self.api.auth.checkCredentials( creds, 'sliverstatus', xrns, check_sliver_callback=self.api.driver.check_sliver_credentials, speaking_for_hrn=speaking_for) self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, xrns, self.name)) return self.api.manager.Status(self.api, xrns, creds, options)
def call(self, xrn, creds, options={}): hrn, type = urn_to_hrn(xrn) valid_creds = self.api.auth.checkCredentials(creds, 'list') #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.List(self.api, xrn, options=options)
def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825): Certificate.__init__(self, lifeDays, create, subject, string, filename) if subject: logger.debug("Creating GID for subject: %s" % subject) if uuid: self.uuid = int(uuid) if hrn: self.hrn = hrn self.urn = hrn_to_urn(hrn, 'unknown') if urn: self.urn = urn self.hrn, type = urn_to_hrn(urn)
def sfa_client(request, method, hrn=None, urn=None, object_type=None, rspec=None, recursive=False, options=None, platforms=None, output_format=None, admin=False): Config = ConfigParser.ConfigParser() monitor_file = os.path.abspath( os.path.dirname(__file__) + '/../myslice/monitor.ini') Config.read(monitor_file) if admin: user_email, admin_password = config.manifold_admin_user_password() else: #logger.debug(request.session['user']['email']) user_email = request.session['user']['email'] results = dict() if hrn is None: hrn = '' if urn is None: urn = '' if object_type is None: object_type = '' if rspec is None: rspec = '' else: logger.debug("RSPEC = %s" % rspec) if recursive is None: recursive = False if options is None: options = dict() if platforms is None: platforms = list() if method not in ['GetVersion', 'ListResources']: try: if not hrn: hrn = urn_to_hrn(urn) else: urn = hrn_to_urn(hrn, object_type) except Exception, e: logger.error(e) raise Exception, "Provide urn OR hrn + type as parameters of method %s" % method
def get_auth_filenames(self, xrn): hrn, type = urn_to_hrn(xrn) if '\\' in hrn: hrn = hrn.replace('\\', '') leaf = hrn else: leaf = get_leaf(hrn) parent_hrn = get_authority(hrn) directory = os.path.join(self.basedir, hrn.replace(".", "/")) gid_filename = os.path.join(directory, leaf+".gid") privkey_filename = os.path.join(directory, leaf+".pkey") return (directory, gid_filename, privkey_filename)
def call(self, creds, xrn, cert=None): # TODO: is there a better right to check for or is 'update good enough? valid_creds = self.api.auth.checkCredentials(creds, 'update') # verify permissions hrn, type = urn_to_hrn(xrn) self.api.auth.verify_object_permission(hrn) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, xrn, self.name)) return self.api.manager.CreateGid(self.api, xrn, cert)
def call(self, xrns, creds, options): (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) valid_creds = self.api.auth.checkCredentials( creds, 'deletesliver', xrns, check_sliver_callback=self.api.driver.check_sliver_credentials, speaking_for_hrn=speaking_for) #log the call origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, xrns, self.name)) return self.api.manager.Delete(self.api, xrns, creds, options)
def prepare_slice(self, api, slice_xrn, creds, users): reg_objects = self._get_registry_objects(slice_xrn, creds, users) (hrn, type) = urn_to_hrn(slice_xrn) slices = PlSlices(self.driver) peer = slices.get_peer(hrn) sfa_peer = slices.get_sfa_peer(hrn) slice_record = None if users: slice_record = users[0].get('slice_record', {}) registry = api.registries[api.hrn] credential = api.getCredential() # ensure site record exists site = slices.verify_site(hrn, slice_record, peer, sfa_peer) # ensure slice record exists slice = slices.verify_slice(hrn, slice_record, peer, sfa_peer) # ensure person records exists persons = slices.verify_persons(hrn, slice, users, peer, sfa_peer)
def _process_resource(cls, resource): """ Postprocess resources read from the RSpec. This applies to nodes, channels and links. In particular, it sets the urn, hrn, network_hrn, facility_name and testbed_name fields. """ urn = resource['component_id'] hrn, type = urn_to_hrn(resource['component_id']) resource['urn'] = urn resource['hrn'] = hrn resource['network_hrn'] = Xrn(resource['component_id']).authority[0] # network ? XXX # We also add 'facility' and 'testbed' fields resource['facility_name'] = cls.get_resource_facility_name(urn) resource['testbed_name'] = cls.get_resource_testbed_name(urn) return resource
def get_auth_info(self, xrn): hrn, type = urn_to_hrn(xrn) if not self.auth_exists(hrn): logger.warning("Hierarchy: missing authority - xrn=%s, hrn=%s"%(xrn,hrn)) raise MissingAuthority(hrn) (directory, gid_filename, privkey_filename, ) = \ self.get_auth_filenames(hrn) auth_info = AuthInfo(hrn, gid_filename, privkey_filename) # check the GID and see if it needs to be refreshed gid = auth_info.get_gid_object() gid_refreshed = self.refresh_gid(gid) if gid != gid_refreshed: auth_info.update_gid_object(gid_refreshed) return auth_info
def _process_resource(cls, resource): """ Postprocess resources read from the RSpec. This applies to nodes, channels and links. In particular, it sets the urn, hrn, network_hrn, facility_name and testbed_name fields. """ urn = resource['component_id'] hrn, type = urn_to_hrn(resource['component_id']) resource['urn'] = urn resource['hrn'] = hrn resource['network_hrn'] = Xrn(resource['component_id']).authority[0] # network ? XXX # We also add 'facility' and 'testbed' fields resource['facility_name'] = cls.get_resource_facility_name(urn) resource['testbed_name'] = cls.get_resource_testbed_name(urn) if 'exclusive' not in resource: resource['exclusive'] = 'true' elif resource['exclusive'] is None: resource['exclusive'] = 'true' else: Log.warning("EXCLUSIVE = ",resource['exclusive']) #if 'location' in node: # if node['location']: # node['latitude'] = node['location']['latitude'] # node['longitude'] = node['location']['longitude'] # del node['location'] #else: # if the location is not provided, aproximate it from the city t_urn = resource['urn'].split('+') city = t_urn[3].split('.')[1] if city == 'iii': city = 'Institute for Information Industry, Taïwan 106' resource['country'] = 'Taiwan' else: resource['country'] = 'France' location = cls.get_location(city) if location is not None: resource['latitude'] = str(location.latitude) resource['longitude'] = str(location.longitude) return resource