def setup(self, **kwargs):
    """Configure, enable and (re)start the MyProxy server on this host.

    Returns early when this host is not the configured MyProxy server
    (``is_local_myproxy()``).  Otherwise runs the ``configure_myproxy_*``
    steps, writes the server config files, enables and restarts the
    service, and prints the CA DN and (when obtainable) the service DN so
    the operator can cross-check them against what gets registered with
    Globus Transfer.

    ``kwargs`` are forwarded only to the credential, CA and trust-root
    steps (``configure_myproxy_ca`` honours ``force``); the remaining
    steps take no arguments.
    """
    self.logger.debug("ENTER: ID.setup()")
    if not self.is_local_myproxy():
        print "Using MyProxy server on " \
            + str(self.conf.get_myproxy_server())
        self.logger.debug("No MyProxy configured for this host")
        return
    # Order matters: configure_myproxy_ca() creates <cadir>/cacert.pem, and
    # configure_myproxy_mapapp() reads that certificate's subject, so the CA
    # step must precede the mapapp step.
    self.configure_credential(**kwargs)
    self.configure_myproxy_ca(**kwargs)
    self.configure_trust_roots(**kwargs)
    self.configure_myproxy_pam()
    self.configure_myproxy_mapapp()
    self.configure_myproxy_cred_repo()
    self.configure_myproxy_port()
    self.write_myproxy_conf()
    self.write_myproxy_init_conf()
    self.enable()
    self.restart()
    cadir = self.conf.get_myproxy_ca_directory()
    cert_path = os.path.join(cadir, "cacert.pem")
    # NOTE(review): the port in this summary line is hard-coded although
    # configure_myproxy_port() is what actually sets it -- confirm the two
    # cannot disagree, or derive the printed value from the same source.
    print "Configured MyProxy server on " \
        + self.conf.get_myproxy_server() + ":7512"
    print "CA DN: " + security.get_certificate_subject(cert_path)
    # Presumably queried from the now-running server (helper not shown);
    # None means it could not be determined and the line is omitted.
    myproxy_dn = self.get_myproxy_dn_from_server()
    if myproxy_dn is not None:
        print "Service DN: " + myproxy_dn
    self.logger.debug("EXIT: ID.setup()")
def setup(self, **kwargs):
    """Configure, start and register the GridFTP server on this node.

    Returns early when this node is not the configured GridFTP host
    (``is_local()``).  Otherwise runs the ``configure_*`` steps in order,
    restarts and enables the service, binds the server to the configured
    endpoint (``bind_to_endpoint``), and prints a summary -- server
    address, certificate subject DN, identity method and endpoint name --
    for the operator.

    ``kwargs`` are forwarded unchanged to every step; see each step for
    the flags it honours (``bind_to_endpoint`` reads ``force`` and
    ``reset``).
    """
    self.logger.debug("ENTER: IO.setup()")
    if not self.is_local():
        self.logger.debug("No GridFTP server to configure on this node")
        return
    # Step order is deliberate: credential and trust roots are in place
    # before the authorization config is written, and the service is
    # restarted before the endpoint binding advertises it (presumably so
    # the registered server is already live).
    self.configure_credential(**kwargs)
    self.configure_server(**kwargs)
    self.configure_sharing(**kwargs)
    self.configure_trust_roots(**kwargs)
    self.configure_authorization(**kwargs)
    self.restart(**kwargs)
    self.enable(**kwargs)
    self.bind_to_endpoint(**kwargs)
    # The subject DN printed here is the same value bind_to_endpoint()
    # registers for this server, so it is worth eyeballing.
    print "Configured GridFTP server to run on " + self.conf.get_gridftp_server()
    print "Server DN: " + security.get_certificate_subject(self.conf.get_security_certificate_file())
    print "Using Authentication Method " + self.conf.get_security_identity_method()
    print "Configured Endpoint " + self.conf.get_endpoint_name()
    self.logger.debug("EXIT: IO.setup()")
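def configure_myproxy_mapapp(self, force=False):
    """Generate the MyProxy ``certificate_mapapp`` script for the local CA.

    Only applies when the configured authorization method is
    ``MyProxyGridmapCallout``; otherwise nothing is written and the method
    returns early.  The script is rendered from the packaged
    ``mapapp-template`` with the subject DN of ``<cadir>/cacert.pem``,
    written to ``<cadir>/mapapp`` as 0755 (world-readable/executable --
    it only embeds the public CA DN), and the matching
    ``certificate_mapapp`` directive is stored in
    ``self.myproxy_mapapp_config`` (presumably consumed by
    ``write_myproxy_conf()``).

    Fix over the previous version: the umask is now restored on every
    exit path.  Before, ``os.umask(old_umask)`` sat after the
    ``try/finally``, so a failed open or write left the process running
    with the narrowed umask for the rest of setup.

    :param force: accepted for call-site symmetry with the other
        ``configure_*`` steps; not consulted here.
    """
    method = self.conf.get_security_authorization_method()
    if method != "MyProxyGridmapCallout":
        self.logger.debug("Not using MyProxy GridMap Callout, "
                          + "nothing to configure")
        return
    cadir = self.conf.get_myproxy_ca_directory()
    mapapp = os.path.join(cadir, "mapapp")
    dn = security.get_certificate_subject(os.path.join(cadir, "cacert.pem"))
    mapapp_template = pkgutil.get_data("globus.connect.server",
                                       "mapapp-template")
    # The DN is substituted verbatim into an executable script.  That is
    # acceptable only because it comes from the operator-controlled CA
    # certificate; never route user-supplied text through this template.
    rendered = mapapp_template % {"dn": dn}
    old_umask = os.umask(0o22)
    try:
        with open(mapapp, "w") as mapapp_file:
            mapapp_file.write(rendered)
    finally:
        os.umask(old_umask)
    os.chmod(mapapp, 0o755)
    self.myproxy_mapapp_config = "certificate_mapapp " + mapapp + "\n"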
def setup(self, **kwargs):
    """Configure, start and register the GridFTP server on this node.

    Returns early when this node is not the configured GridFTP host
    (``is_local()``).  Otherwise runs the ``configure_*`` steps in order,
    restarts and enables the service, binds the server to the configured
    endpoint (``bind_to_endpoint``), and prints a summary -- server
    address, certificate subject DN, identity method and endpoint name --
    for the operator.

    ``kwargs`` are forwarded unchanged to every step; see each step for
    the flags it honours (``bind_to_endpoint`` reads ``force`` and
    ``reset``).
    """
    self.logger.debug("ENTER: IO.setup()")
    if not self.is_local():
        self.logger.debug("No GridFTP server to configure on this node")
        return
    # Step order is deliberate: credential and trust roots are in place
    # before the authorization config is written, and the service is
    # restarted before the endpoint binding advertises it (presumably so
    # the registered server is already live).
    self.configure_credential(**kwargs)
    self.configure_server(**kwargs)
    self.configure_sharing(**kwargs)
    self.configure_trust_roots(**kwargs)
    self.configure_authorization(**kwargs)
    self.restart(**kwargs)
    self.enable(**kwargs)
    self.bind_to_endpoint(**kwargs)
    # The subject DN printed here is the same value bind_to_endpoint()
    # registers for this server, so it is worth eyeballing.
    print "Configured GridFTP server to run on " \
        + self.conf.get_gridftp_server()
    print "Server DN: " + security.get_certificate_subject(
        self.conf.get_security_certificate_file())
    print "Using Authentication Method " + \
        self.conf.get_security_identity_method()
    print "Configured Endpoint " + self.conf.get_endpoint_name()
    self.logger.debug("EXIT: IO.setup()")
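def configure_myproxy_mapapp(self, force=False):
    """Generate the MyProxy ``certificate_mapapp`` script for the local CA.

    Only applies when the configured authorization method is
    ``MyProxyGridmapCallout``; otherwise nothing is written and the method
    returns early.  The script is rendered from the packaged
    ``mapapp-template`` with the subject DN of ``<cadir>/cacert.pem``,
    written to ``<cadir>/mapapp`` as 0755 (world-readable/executable --
    it only embeds the public CA DN), and the matching
    ``certificate_mapapp`` directive is stored in
    ``self.myproxy_mapapp_config`` (presumably consumed by
    ``write_myproxy_conf()``).

    Fix over the previous version: the umask is now restored on every
    exit path.  Before, ``os.umask(old_umask)`` sat after the
    ``try/finally``, so a failed open or write left the process running
    with the narrowed umask for the rest of setup.

    :param force: accepted for call-site symmetry with the other
        ``configure_*`` steps; not consulted here.
    """
    method = self.conf.get_security_authorization_method()
    if method != "MyProxyGridmapCallout":
        self.logger.debug("Not using MyProxy GridMap Callout, "
                          + "nothing to configure")
        return
    cadir = self.conf.get_myproxy_ca_directory()
    mapapp = os.path.join(cadir, 'mapapp')
    dn = security.get_certificate_subject(os.path.join(cadir, "cacert.pem"))
    mapapp_template = pkgutil.get_data("globus.connect.server",
                                       "mapapp-template")
    # The DN is substituted verbatim into an executable script.  That is
    # acceptable only because it comes from the operator-controlled CA
    # certificate; never route user-supplied text through this template.
    rendered = mapapp_template % {'dn': dn}
    old_umask = os.umask(0o22)
    try:
        with open(mapapp, "w") as mapapp_file:
            mapapp_file.write(rendered)
    finally:
        os.umask(old_umask)
    os.chmod(mapapp, 0o755)
    self.myproxy_mapapp_config = "certificate_mapapp " + mapapp + "\n"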
def bind_to_endpoint(self, **kwargs):
    """Register this GridFTP server with the endpoint named in the config.

    Fetches the endpoint, rewrites its server list to include this host,
    sets the endpoint's MyProxy/OAuth identity-provider fields, and pushes
    the whole record back; if the endpoint does not exist (404) it is
    created instead.  Returns early when no endpoint name is configured.

    Keyword flags:

    * ``force`` -- delete the endpoint first (errors from the delete are
      ignored) so it is re-created from scratch.
    * ``reset`` -- drop every other server from the endpoint before adding
      this one; otherwise existing servers are kept, minus the placeholder
      ``relay-disconnected.globusonline.org`` entry and any entry with the
      same URI as this server.

    Security note: ``myproxy_dn`` is the DN Transfer will pin for this
    endpoint's MyProxy server.  When it is not in the config it is learned
    from the live server (``get_myproxy_dn_from_server``, not shown here),
    which is trust-on-first-use -- run setup over a path you trust.
    """
    self.logger.debug("ENTER: IO.bind_to_endpoint()")
    endpoint_name = self.conf.get_endpoint_name()
    if endpoint_name is None:
        return
    if kwargs.get('force'):
        try:
            self.logger.debug("Removing old endpoint definition")
            self.api.endpoint_delete(endpoint_name)
        except:
            # NOTE(review): bare except also swallows auth and network
            # failures, after which the "update" path below silently runs
            # against the endpoint that was supposed to be gone.  Catching
            # TransferAPIError and logging it would be tighter.
            pass
    self.logger.debug("Configuring endpoint " + endpoint_name)
    endpoint_public = self.conf.get_endpoint_public()
    endpoint_default_dir = self.conf.get_endpoint_default_dir()
    server = self.conf.get_gridftp_server()
    # Normalise the configured server to scheme://host:port; the defaults
    # apply when the config omits a scheme or port.  A non-numeric port
    # makes int() raise ValueError.
    scheme = "gsiftp"
    port = 2811
    hostname = None
    if "://" in server:
        (scheme, server) = server.split("://", 1)
    if ":" in server:
        (hostname, port_s) = server.split(":", 1)
        port = int(port_s)
    else:
        hostname = server
    server = scheme + "://" + hostname + ":" + str(port)
    # Exactly one identity provider is advertised: OAuth (explicit server),
    # CILogon (fixed host), or MyProxy (server + DN).
    oauth_server = None
    myproxy_server = None
    myproxy_dn = None
    if self.conf.get_security_identity_method() == \
            self.conf.IDENTITY_METHOD_OAUTH:
        oauth_server = self.conf.get_oauth_server()
        if oauth_server is None:
            raise Exception("Configured to use OAuth, but no OAuth server defined")
    elif self.conf.get_security_identity_method() == \
            self.conf.IDENTITY_METHOD_CILOGON:
        oauth_server = "cilogon.org"
    else:
        myproxy_server = self.conf.get_myproxy_server()
        myproxy_dn = self.conf.get_myproxy_dn()
        # NOTE(review): this queries a server even when myproxy_server is
        # None; the later revision guards on it.
        if myproxy_dn is None:
            myproxy_dn = self.get_myproxy_dn_from_server()
    if myproxy_server is not None:
        myproxy_server = gcmu.to_unicode(myproxy_server)
    if myproxy_dn is not None:
        myproxy_dn = gcmu.to_unicode(myproxy_dn)
    if oauth_server is not None:
        # The OAuth server must be a bare host name (no port, no scheme).
        if ":" in oauth_server:
            raise Exception("[OAuth] Server value must be a public host name only")
        oauth_server = gcmu.to_unicode(oauth_server)
    # The subject registered here is the host certificate's DN; Transfer
    # presumably checks it against what the server presents.
    new_gridftp_server = {
        u'DATA_TYPE': u'server',
        u'uri': gcmu.to_unicode(server),
        u'scheme': gcmu.to_unicode(scheme),
        u'hostname': gcmu.to_unicode(hostname),
        u'port': port,
        u'is_connected': True,
        u'subject': gcmu.to_unicode(security.get_certificate_subject(self.conf.get_security_certificate_file())),
        u'update': True,
    }
    try:
        (status_code, status_reason, data) = \
            self.api.endpoint(endpoint_name)
        old_default_dir = data.get("default_directory")
        # `changed` is never read; kept for token fidelity.
        changed = False
        if old_default_dir is None or \
                old_default_dir != endpoint_default_dir:
            self.logger.debug("Changing default_directory on endpoint " \
                "from [%(old)s] to [%(new)s]" % {
                    'old': str(old_default_dir),
                    'new': endpoint_default_dir })
            data[u'default_directory'] = \
                gcmu.to_unicode(endpoint_default_dir)
        old_public = data.get('public')
        # Only flips `public` when the endpoint already reports a value.
        if old_public is not None and old_public != endpoint_public:
            data[u'public'] = endpoint_public
        if kwargs.get("reset"):
            servers_filtered = [new_gridftp_server]
        else:
            # Keep foreign servers; drop the disconnected-relay placeholder
            # and any stale entry for this same URI.  (`!= None` should be
            # `is not None`; behaviour is the same for plain values.)
            servers_filtered = [x for x in data[u'DATA'] \
                if x[u'hostname'] != None and x[u'hostname'] != \
                u'relay-disconnected.globusonline.org' and \
                x[u'uri'] != gcmu.to_unicode(server)]
            servers_filtered.append(new_gridftp_server)
        data[u'DATA'] = servers_filtered
        # Unconditionally overwrite the identity-provider fields with the
        # values derived above (None clears a field).
        data[u'myproxy_server'] = myproxy_server
        data[u'myproxy_dn'] = myproxy_dn
        data[u'oauth_server'] = oauth_server
        self.api.endpoint_update(endpoint_name, data)
    except TransferAPIError, e:
        # Only a 404 falls through to creation; any other API error is
        # silently dropped here (this revision has no else branch).
        if e.status_code == 404:
            self.logger.debug("endpoint %s does not exist, creating" %(endpoint_name))
            try:
                (status_code, status_reason, data) = \
                    self.api.endpoint_create(
                        endpoint_name,
                        default_directory = endpoint_default_dir,
                        public = endpoint_public,
                        is_globus_connect = False,
                        hostname=new_gridftp_server[u'hostname'],
                        scheme=new_gridftp_server[u'scheme'],
                        port=new_gridftp_server[u'port'],
                        subject=new_gridftp_server[u'subject'],
                        myproxy_server=myproxy_server,
                        myproxy_dn=myproxy_dn,
                        oauth_server=oauth_server)
            except TransferAPIError, e:
                # e.message is the deprecated BaseException attribute.
                self.logger.error("endpoint create failed: %s" % \
                    (e.message))
                self.errorcount += 1
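def configure_gridmap_verify_myproxy_callout(self, conf_file_name,
                                             conf_link_name, **kwargs):
    """Write the GSI authz config that turns on the MyProxy gridmap callout.

    The file at ``conf_file_name`` gets two directives and
    ``conf_link_name`` is then symlinked to it:

    * ``$GSI_AUTHZ_CONF`` -- the packaged
      ``<conf.root>/etc/gridmap_verify_myproxy_callout-gsi_authz.conf``;
    * ``$GLOBUS_MYPROXY_CA_CERT`` -- the trusted-CA-directory copy
      (``<hash>.0``) of the CA that issues the MyProxy credentials.

    Which CA ends up there decides whose credentials the callout accepts,
    so it is resolved conservatively:

    1. an explicit CA subject DN from the config wins (the previous
       version silently overwrote it with the MyProxy server's DN);
    2. otherwise, when this host runs MyProxy, ``<myproxy CA
       dir>/cacert.pem`` is used directly;
    3. otherwise the CA DN is assumed to equal the MyProxy server's DN
       (config, else queried from the server) and the trusted CA directory
       is scanned for a ``*.0`` file with that subject.

    Nothing is written to disk until the CA has been located, so a failed
    run no longer leaves a half-written config behind.

    :param conf_file_name: config file to (over)write.
    :param conf_link_name: symlink to create, pointing at
        ``conf_file_name``.
    :param kwargs: accepted for symmetry with the other ``configure_*``
        steps; not used here.
    :raises Exception: if no CA certificate could be located.
    :raises OSError: from ``os.symlink`` when ``conf_link_name`` already
        exists (re-running setup without removing it first).
    """
    self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")
    conf_lines = ["$GSI_AUTHZ_CONF \"%s\"\n" % (
        os.path.join(self.conf.root, "etc",
                     "gridmap_verify_myproxy_callout-gsi_authz.conf"))]

    myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
    myproxy_server = self.conf.get_myproxy_server()
    if myproxy_ca_dn is None:
        if myproxy_server is not None and self.is_local_myproxy():
            myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
            myproxy_ca_dn = security.get_certificate_subject(
                os.path.join(myproxy_ca_dir, "cacert.pem"))
        else:
            # No better information: assume the CA name is the same as the
            # MyProxy server's subject.  Learning it from the live server
            # is trust-on-first-use, so this path should only run over a
            # trustworthy network.
            myproxy_ca_dn = self.conf.get_myproxy_dn()
            if myproxy_ca_dn is None:
                myproxy_ca_dn = self.get_myproxy_dn_from_server()

    cadir = self.conf.get_security_trusted_certificate_directory()
    self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
    self.logger.debug("CA dir is " + str(cadir))

    myproxy_certpath = None
    if self.is_local_myproxy():
        myproxy_certpath = os.path.join(
            self.conf.get_myproxy_ca_directory(), "cacert.pem")
    elif myproxy_ca_dn is not None:
        self.logger.debug("Looking for MyProxy CA cert in " + cadir)
        for certfile in os.listdir(cadir):
            if not certfile.endswith(".0"):
                continue
            certpath = os.path.join(cadir, certfile)
            self.logger.debug("Checking to see if " + certfile
                              + " matches MyProxyDN")
            # First subject match wins; the hash-named copy resolved below
            # is what the callout actually loads.
            if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                myproxy_certpath = certpath
                break
    if myproxy_certpath is None:
        raise Exception("ERROR: Unable to determine "
                        + "path to MyProxy CA certificate, set "
                        + "CaCert option in MyProxy section of config.\n")

    myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)
    installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
    installed_signing_policy = os.path.join(
        cadir, myproxy_ca_hash + ".signing_policy")
    # Only logged, as before: the directive still points at the expected
    # path, so a missing trust root presumably surfaces as a callout
    # failure at runtime rather than as silent acceptance -- not verified
    # here.
    if not os.path.exists(installed_cert):
        self.logger.error("MyProxy CA not installed in trusted CA dir")
    if not os.path.exists(installed_signing_policy):
        self.logger.error("MyProxy CA signing policy not installed "
                          + "in trusted CA dir")
    conf_lines.append("$GLOBUS_MYPROXY_CA_CERT \"%s\"\n" % installed_cert)

    with open(conf_file_name, "w") as conf_file:
        conf_file.writelines(conf_lines)
    os.symlink(conf_file_name, conf_link_name)
    self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")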
def bind_to_endpoint(self, **kwargs):
    """Register this GridFTP server with the endpoint named in the config.

    Fetches the endpoint and patches only the endpoint-level fields that
    differ (default directory, public flag, MyProxy server/DN, OAuth
    server), then replaces this host's entry in the endpoint's server
    list via the server sub-resource API.  If the endpoint does not exist
    (404) it is created with this server instead.  Returns early when no
    endpoint name is configured.

    Keyword flags:

    * ``force`` -- delete the endpoint first (errors from the delete are
      ignored) so it is re-created from scratch.
    * ``reset`` -- delete every existing server entry before adding this
      one; otherwise only entries whose hostname matches this host are
      deleted.

    Security note: ``myproxy_dn`` is the DN Transfer will pin for this
    endpoint's MyProxy server.  When it is not in the config it is learned
    from the live server (``get_myproxy_dn_from_server``, not shown here),
    which is trust-on-first-use -- run setup over a path you trust.
    """
    self.logger.debug("ENTER: IO.bind_to_endpoint()")
    endpoint_name = self.conf.get_endpoint_name()
    if endpoint_name is None:
        return
    if kwargs.get('force'):
        try:
            self.logger.debug("Removing old endpoint definition")
            self.api.endpoint_delete(endpoint_name)
        except:
            # NOTE(review): bare except also swallows auth and network
            # failures, after which the "update" path below silently runs
            # against the endpoint that was supposed to be gone.
            pass
    self.logger.debug("Configuring endpoint " + endpoint_name)
    endpoint_public = self.conf.get_endpoint_public()
    endpoint_default_dir = self.conf.get_endpoint_default_dir()
    server = self.conf.get_gridftp_server()
    # Normalise the configured server to scheme://host:port; the defaults
    # apply when the config omits a scheme or port.  A non-numeric port
    # makes int() raise ValueError.
    scheme = "gsiftp"
    port = 2811
    hostname = None
    if "://" in server:
        (scheme, server) = server.split("://", 1)
    if ":" in server:
        (hostname, port_s) = server.split(":", 1)
        port = int(port_s)
    else:
        hostname = server
    server = scheme + "://" + hostname + ":" + str(port)
    # Exactly one identity provider is advertised: OAuth (explicit server),
    # CILogon (fixed host), or MyProxy (server + DN).
    oauth_server = None
    myproxy_server = None
    myproxy_dn = None
    if self.conf.get_security_identity_method() == \
            self.conf.IDENTITY_METHOD_OAUTH:
        oauth_server = self.conf.get_oauth_server()
        if oauth_server is None:
            raise Exception(
                "Configured to use OAuth, but no OAuth server defined")
    elif self.conf.get_security_identity_method() == \
            self.conf.IDENTITY_METHOD_CILOGON:
        oauth_server = "cilogon.org"
    else:
        myproxy_server = self.conf.get_myproxy_server()
        myproxy_dn = self.conf.get_myproxy_dn()
        # Only contact a server when one is actually configured.
        if myproxy_dn is None and myproxy_server is not None:
            myproxy_dn = self.get_myproxy_dn_from_server()
    if myproxy_server is not None:
        myproxy_server = gcmu.to_unicode(myproxy_server)
    if myproxy_dn is not None:
        myproxy_dn = gcmu.to_unicode(myproxy_dn)
    if oauth_server is not None:
        # The OAuth server must be a bare host name (no port, no scheme).
        if ":" in oauth_server:
            raise Exception(
                "[OAuth] Server value must be a public host name only")
        oauth_server = gcmu.to_unicode(oauth_server)
    # The subject registered here is the host certificate's DN; Transfer
    # presumably checks it against what the server presents.
    new_gridftp_server = {
        gcmu.to_unicode('DATA_TYPE'): gcmu.to_unicode('server'),
        gcmu.to_unicode('scheme'): gcmu.to_unicode(scheme),
        gcmu.to_unicode('hostname'): gcmu.to_unicode(hostname),
        gcmu.to_unicode('port'): port,
        gcmu.to_unicode('subject'): gcmu.to_unicode(
            security.get_certificate_subject(
                self.conf.get_security_certificate_file()))
    }
    try:
        # Partial update document: only keys that changed are added, so
        # an unchanged endpoint sends nothing.
        new_endpoint = {'DATA_TYPE': 'endpoint'}
        (status_code, status_reason, data) = \
            self.api.endpoint(endpoint_name)
        default_directory_key = gcmu.to_unicode('default_directory')
        public_key = gcmu.to_unicode('public')
        myproxy_server_key = gcmu.to_unicode('myproxy_server')
        myproxy_dn_key = gcmu.to_unicode('myproxy_dn')
        oauth_server_key = gcmu.to_unicode('oauth_server')
        hostname_key = gcmu.to_unicode('hostname')
        id_key = gcmu.to_unicode('id')
        data_key = gcmu.to_unicode('DATA')
        # Update any changed endpoint-level metadata
        if data.get(default_directory_key) != endpoint_default_dir:
            self.logger.debug("Changing default_directory on endpoint " \
                "to [%(new)s]" % { 'new': endpoint_default_dir })
            new_endpoint[default_directory_key] = \
                gcmu.to_unicode(endpoint_default_dir)
        if data.get(public_key) != endpoint_public:
            self.logger.debug("Changing public to " + str(endpoint_public))
            new_endpoint[public_key] = endpoint_public
        if data.get(myproxy_server_key) != myproxy_server:
            self.logger.debug("Changing myproxy_server to " + str(myproxy_server))
            new_endpoint[myproxy_server_key] = myproxy_server
        if data.get(myproxy_dn_key) != myproxy_dn:
            self.logger.debug("Changing myproxy_dn to " + str(myproxy_dn))
            new_endpoint[myproxy_dn_key] = myproxy_dn
        if data.get(oauth_server_key) != oauth_server:
            self.logger.debug("Changing oauth_server to " + str(oauth_server))
            new_endpoint[oauth_server_key] = oauth_server
        # DATA_TYPE is always present, so > 1 means "something changed".
        if len(new_endpoint.keys()) > 1:
            self.logger.debug("Updating endpoint")
            (status_code, status, data) = \
                self.api.endpoint_update(endpoint_name, new_endpoint)
            # Status is logged but not checked; API failures presumably
            # arrive as TransferAPIError (caught below).
            self.logger.debug("endpoint update result: " + str(status_code))
        (status_code, status_reason, data) = \
            self.api.endpoint_server_list(endpoint_name)
        self.logger.debug("Existing endpoint server list: " + str(data.get(data_key, [])))
        # Delete-then-add: between the last delete and the add below the
        # endpoint briefly has no entry for this host (or none at all under
        # reset), and a failed add leaves it that way.
        for server_item in data.get(data_key, []):
            self.logger.debug("existing server for endpoint: " + str(server_item.get(hostname_key, "")))
            this_server_hostname = server_item.get(hostname_key)
            this_server_id = server_item.get(id_key)
            if kwargs.get('reset') or \
                    this_server_hostname == gcmu.to_unicode(hostname):
                self.logger.debug("deleting server entry for " + str(this_server_hostname) + " with id " + str(this_server_id))
                self.api.endpoint_server_delete(endpoint_name, this_server_id)
        self.api.endpoint_server_add(endpoint_name, new_gridftp_server)
    except TransferAPIError as e:
        if e.status_code == 404:
            self.logger.debug("endpoint %s does not exist, creating" % (endpoint_name))
            try:
                (status_code, status_reason, data) = \
                    self.api.endpoint_create(
                        endpoint_name,
                        default_directory = endpoint_default_dir,
                        public = endpoint_public,
                        is_globus_connect = False,
                        hostname=new_gridftp_server['hostname'],
                        scheme=new_gridftp_server['scheme'],
                        port=new_gridftp_server['port'],
                        subject=new_gridftp_server['subject'],
                        myproxy_server=myproxy_server,
                        myproxy_dn=myproxy_dn,
                        oauth_server=oauth_server)
            except TransferAPIError as e:
                # e.message is the deprecated BaseException attribute.
                self.logger.error("endpoint create failed: %s" % \
                    (e.message))
                self.errorcount += 1
        else:
            # Any non-404 API error is counted so setup can report failure.
            self.logger.error("endpoint failed: %s" % (e.message))
            self.errorcount += 1
    self.logger.debug("EXIT: IO.bind_to_endpoint()")
def bind_to_endpoint(self, **kwargs):
    """Register this GridFTP server with the endpoint named in the config.

    Fetches the endpoint, rewrites its server list to include this host,
    sets the endpoint's MyProxy/OAuth identity-provider fields, and pushes
    the whole record back; if the endpoint does not exist (404) it is
    created instead.  Returns early when no endpoint name is configured.

    Keyword flags:

    * ``force`` -- delete the endpoint first (errors from the delete are
      ignored) so it is re-created from scratch.
    * ``reset`` -- drop every other server from the endpoint before adding
      this one; otherwise existing servers are kept, minus the placeholder
      ``relay-disconnected.globusonline.org`` entry and any entry with the
      same URI as this server.

    Security note: ``myproxy_dn`` is the DN Transfer will pin for this
    endpoint's MyProxy server.  When it is not in the config it is learned
    from the live server (``get_myproxy_dn_from_server``, not shown here),
    which is trust-on-first-use -- run setup over a path you trust.
    """
    self.logger.debug("ENTER: IO.bind_to_endpoint()")
    endpoint_name = self.conf.get_endpoint_name()
    if endpoint_name is None:
        return
    if kwargs.get("force"):
        try:
            self.logger.debug("Removing old endpoint definition")
            self.api.endpoint_delete(endpoint_name)
        except:
            # NOTE(review): bare except also swallows auth and network
            # failures, after which the "update" path below silently runs
            # against the endpoint that was supposed to be gone.
            pass
    self.logger.debug("Configuring endpoint " + endpoint_name)
    endpoint_public = self.conf.get_endpoint_public()
    endpoint_default_dir = self.conf.get_endpoint_default_dir()
    server = self.conf.get_gridftp_server()
    # Normalise the configured server to scheme://host:port; the defaults
    # apply when the config omits a scheme or port.  A non-numeric port
    # makes int() raise ValueError.
    scheme = "gsiftp"
    port = 2811
    hostname = None
    if "://" in server:
        (scheme, server) = server.split("://", 1)
    if ":" in server:
        (hostname, port_s) = server.split(":", 1)
        port = int(port_s)
    else:
        hostname = server
    server = scheme + "://" + hostname + ":" + str(port)
    # Exactly one identity provider is advertised: OAuth (explicit server),
    # CILogon (fixed host), or MyProxy (server + DN).
    oauth_server = None
    myproxy_server = None
    myproxy_dn = None
    if self.conf.get_security_identity_method() == self.conf.IDENTITY_METHOD_OAUTH:
        oauth_server = self.conf.get_oauth_server()
        if oauth_server is None:
            raise Exception("Configured to use OAuth, but no OAuth server defined")
    elif self.conf.get_security_identity_method() == self.conf.IDENTITY_METHOD_CILOGON:
        oauth_server = "cilogon.org"
    else:
        myproxy_server = self.conf.get_myproxy_server()
        myproxy_dn = self.conf.get_myproxy_dn()
        # NOTE(review): this queries a server even when myproxy_server is
        # None; the later revision guards on it.
        if myproxy_dn is None:
            myproxy_dn = self.get_myproxy_dn_from_server()
    if myproxy_server is not None:
        myproxy_server = gcmu.to_unicode(myproxy_server)
    if myproxy_dn is not None:
        myproxy_dn = gcmu.to_unicode(myproxy_dn)
    if oauth_server is not None:
        # The OAuth server must be a bare host name (no port, no scheme).
        if ":" in oauth_server:
            raise Exception("[OAuth] Server value must be a public host name only")
        oauth_server = gcmu.to_unicode(oauth_server)
    # The subject registered here is the host certificate's DN; Transfer
    # presumably checks it against what the server presents.
    new_gridftp_server = {
        u"DATA_TYPE": u"server",
        u"uri": gcmu.to_unicode(server),
        u"scheme": gcmu.to_unicode(scheme),
        u"hostname": gcmu.to_unicode(hostname),
        u"port": port,
        u"is_connected": True,
        u"subject": gcmu.to_unicode(security.get_certificate_subject(self.conf.get_security_certificate_file())),
        u"update": True,
    }
    try:
        (status_code, status_reason, data) = self.api.endpoint(endpoint_name)
        old_default_dir = data.get("default_directory")
        # `changed` is never read; kept for token fidelity.
        changed = False
        if old_default_dir is None or old_default_dir != endpoint_default_dir:
            self.logger.debug(
                "Changing default_directory on endpoint "
                "from [%(old)s] to [%(new)s]" % {"old": str(old_default_dir), "new": endpoint_default_dir}
            )
            data[u"default_directory"] = gcmu.to_unicode(endpoint_default_dir)
        old_public = data.get("public")
        # Only flips `public` when the endpoint already reports a value.
        if old_public is not None and old_public != endpoint_public:
            data[u"public"] = endpoint_public
        if kwargs.get("reset"):
            servers_filtered = [new_gridftp_server]
        else:
            # Keep foreign servers; drop the disconnected-relay placeholder
            # and any stale entry for this same URI.  (`!= None` should be
            # `is not None`; behaviour is the same for plain values.)
            servers_filtered = [
                x
                for x in data[u"DATA"]
                if x[u"hostname"] != None
                and x[u"hostname"] != u"relay-disconnected.globusonline.org"
                and x[u"uri"] != gcmu.to_unicode(server)
            ]
            servers_filtered.append(new_gridftp_server)
        data[u"DATA"] = servers_filtered
        # Unconditionally overwrite the identity-provider fields with the
        # values derived above (None clears a field).
        data[u"myproxy_server"] = myproxy_server
        data[u"myproxy_dn"] = myproxy_dn
        data[u"oauth_server"] = oauth_server
        self.api.endpoint_update(endpoint_name, data)
    except TransferAPIError, e:
        # Only a 404 falls through to creation; any other API error is
        # silently dropped here (this revision has no else branch).
        if e.status_code == 404:
            self.logger.debug("endpoint %s does not exist, creating" % (endpoint_name))
            try:
                (status_code, status_reason, data) = self.api.endpoint_create(
                    endpoint_name,
                    default_directory=endpoint_default_dir,
                    public=endpoint_public,
                    is_globus_connect=False,
                    hostname=new_gridftp_server[u"hostname"],
                    scheme=new_gridftp_server[u"scheme"],
                    port=new_gridftp_server[u"port"],
                    subject=new_gridftp_server[u"subject"],
                    myproxy_server=myproxy_server,
                    myproxy_dn=myproxy_dn,
                    oauth_server=oauth_server,
                )
            except TransferAPIError, e:
                # e.message is the deprecated BaseException attribute.
                self.logger.error("endpoint create failed: %s" % (e.message))
                self.errorcount += 1
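def configure_gridmap_verify_myproxy_callout(self, conf_file_name,
                                             conf_link_name, **kwargs):
    """Write the GSI authz config that turns on the MyProxy gridmap callout.

    The file at ``conf_file_name`` gets two directives and
    ``conf_link_name`` is then symlinked to it:

    * ``$GSI_AUTHZ_CONF`` -- the packaged
      ``<conf.root>/etc/gridmap_verify_myproxy_callout-gsi_authz.conf``;
    * ``$GLOBUS_MYPROXY_CA_CERT`` -- the trusted-CA-directory copy
      (``<hash>.0``) of the CA that issues the MyProxy credentials.

    Which CA ends up there decides whose credentials the callout accepts,
    so it is resolved conservatively:

    1. an explicit CA subject DN from the config wins (the previous
       version silently overwrote it with the MyProxy server's DN);
    2. otherwise, when this host runs MyProxy, ``<myproxy CA
       dir>/cacert.pem`` is used directly;
    3. otherwise the CA DN is assumed to equal the MyProxy server's DN
       (config, else queried from the server) and the trusted CA directory
       is scanned for a ``*.0`` file with that subject.

    Nothing is written to disk until the CA has been located, so a failed
    run no longer leaves a half-written config behind.

    :param conf_file_name: config file to (over)write.
    :param conf_link_name: symlink to create, pointing at
        ``conf_file_name``.
    :param kwargs: accepted for symmetry with the other ``configure_*``
        steps; not used here.
    :raises Exception: if no CA certificate could be located.
    :raises OSError: from ``os.symlink`` when ``conf_link_name`` already
        exists (re-running setup without removing it first).
    """
    self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")
    conf_lines = ['$GSI_AUTHZ_CONF "%s"\n' % (
        os.path.join(self.conf.root, "etc",
                     "gridmap_verify_myproxy_callout-gsi_authz.conf"))]

    myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
    myproxy_server = self.conf.get_myproxy_server()
    if myproxy_ca_dn is None:
        if myproxy_server is not None and self.is_local_myproxy():
            myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
            myproxy_ca_dn = security.get_certificate_subject(
                os.path.join(myproxy_ca_dir, "cacert.pem"))
        else:
            # No better information: assume the CA name is the same as the
            # MyProxy server's subject.  Learning it from the live server
            # is trust-on-first-use, so this path should only run over a
            # trustworthy network.
            myproxy_ca_dn = self.conf.get_myproxy_dn()
            if myproxy_ca_dn is None:
                myproxy_ca_dn = self.get_myproxy_dn_from_server()

    cadir = self.conf.get_security_trusted_certificate_directory()
    self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
    self.logger.debug("CA dir is " + str(cadir))

    myproxy_certpath = None
    if self.is_local_myproxy():
        myproxy_certpath = os.path.join(
            self.conf.get_myproxy_ca_directory(), "cacert.pem")
    elif myproxy_ca_dn is not None:
        self.logger.debug("Looking for MyProxy CA cert in " + cadir)
        for certfile in os.listdir(cadir):
            if not certfile.endswith(".0"):
                continue
            certpath = os.path.join(cadir, certfile)
            self.logger.debug("Checking to see if " + certfile
                              + " matches MyProxyDN")
            # First subject match wins; the hash-named copy resolved below
            # is what the callout actually loads.
            if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                myproxy_certpath = certpath
                break
    if myproxy_certpath is None:
        raise Exception("ERROR: Unable to determine "
                        + "path to MyProxy CA certificate, set "
                        + "CaCert option in MyProxy section of config.\n")

    myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)
    installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
    installed_signing_policy = os.path.join(
        cadir, myproxy_ca_hash + ".signing_policy")
    # Only logged, as before: the directive still points at the expected
    # path, so a missing trust root presumably surfaces as a callout
    # failure at runtime rather than as silent acceptance -- not verified
    # here.
    if not os.path.exists(installed_cert):
        self.logger.error("MyProxy CA not installed in trusted CA dir")
    if not os.path.exists(installed_signing_policy):
        self.logger.error("MyProxy CA signing policy not installed "
                          + "in trusted CA dir")
    conf_lines.append('$GLOBUS_MYPROXY_CA_CERT "%s"\n' % installed_cert)

    with open(conf_file_name, "w") as conf_file:
        conf_file.writelines(conf_lines)
    os.symlink(conf_file_name, conf_link_name)
    self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")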
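def configure_myproxy_ca(self, force=False):
    """Create the MyProxy CA (if absent) and install it as a trust root.

    Does nothing when the config does not enable the MyProxy CA.
    Otherwise, when ``<cadir>`` does not exist, runs ``grid-ca-create``
    (non-interactively, argv list, no shell) with the configured CA
    subject DN -- defaulting to the host certificate's RFC2253 subject --
    and raises if it exits non-zero.  Then copies ``cacert.pem`` and
    ``signing-policy`` into the trusted-certificate directory as
    ``<hash>.0`` / ``<hash>.signing_policy`` (0644: public material), and
    builds the MyProxy CA directive block in ``self.myproxy_ca_config``
    (presumably written out by ``write_myproxy_conf()``).

    :param force: remove an existing ``<cadir>`` first and pass
        ``-force`` to ``grid-ca-create``.  This is destructive: the CA
        private key is discarded, and the new certificate overwrites the
        installed ``<hash>.0`` (same subject => same file name, assuming
        the hash is derived from the subject), so anything the old CA
        issued stops validating.
    :raises Exception: when ``grid-ca-create`` fails.
    :raises OSError: from ``Popen`` when ``grid-ca-create`` is not on PATH.

    Secret handling: ``certificate_issuer_key_passphrase`` embeds the CA
    key passphrase in the generated config block; the file it ends up in
    must not be readable by other users.  ``grid-ca-create -noint`` is
    invoked without an explicit passphrase, so the value returned by
    ``get_myproxy_ca_passphrase()`` has to match whatever the tool used
    -- confirm both come from the same setting.
    """
    if not self.conf.get_myproxy_ca():
        self.logger.debug("Not using MyProxy CA, nothing to configure")
        return
    cadir = self.conf.get_myproxy_ca_directory()
    if force and cadir is not None and os.path.exists(cadir):
        shutil.rmtree(cadir, ignore_errors=True)
    if cadir is not None and not os.path.exists(cadir):
        ca_subject = self.conf.get_myproxy_ca_subject_dn()
        if ca_subject is None:
            ca_subject = security.get_certificate_subject(
                self.conf.get_security_certificate_file(), nameopt='RFC2253')
        args = ['grid-ca-create', '-nobuild', '-verbose',
                '-dir', cadir,
                '-subject', ca_subject,
                '-noint']
        if force:
            args.append('-force')
        # argv list without a shell: the subject DN is a single argument
        # and cannot be interpreted by a shell.
        ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
        (out, err) = ca_create.communicate()
        # Strip non-printable bytes before they reach the log / exception.
        out = "".join(s for s in out if s in string.printable)
        err = "".join(s for s in err if s in string.printable)
        self.logger.debug("ca create output: " + out)
        self.logger.debug("ca create stderr: " + err)
        if ca_create.returncode != 0:
            raise Exception("Error creating CA: "
                            + str(ca_create.returncode) + out + err)
    trustdir = self.conf.get_security_trusted_certificate_directory()
    if trustdir is not None:
        if not os.path.exists(trustdir):
            os.makedirs(trustdir, 0o755)
        cert_path = os.path.join(cadir, "cacert.pem")
        signing_policy_path = os.path.join(cadir, "signing-policy")
        cahash = security.get_certificate_hash(cert_path)
        installed_cert_path = os.path.join(trustdir, cahash + ".0")
        installed_signing_policy = os.path.join(
            trustdir, cahash + ".signing_policy")
        # Certificate and signing policy only -- no private material -- so
        # world-readable is intended.
        shutil.copyfile(signing_policy_path, installed_signing_policy)
        os.chmod(installed_signing_policy, 0o644)
        shutil.copyfile(cert_path, installed_cert_path)
        os.chmod(installed_cert_path, 0o644)
    self.myproxy_ca_config = """
certificate_issuer_cert "%(cadir)s/cacert.pem"
certificate_issuer_key "%(cadir)s/private/cakey.pem"
certificate_issuer_key_passphrase "%(passphrase)s"
certificate_serialfile "%(cadir)s/serial"
certificate_out_dir "%(cadir)s/newcerts"
certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
max_cert_lifetime 168
cert_dir %(certdir)s
""" % {
        'cadir': cadir,
        'passphrase': self.conf.get_myproxy_ca_passphrase(),
        'certdir': self.conf.get_security_trusted_certificate_directory()
    }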
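def configure_myproxy_ca(self, force=False):
    """Create the MyProxy CA (if absent) and install it as a trust root.

    Does nothing when the config does not enable the MyProxy CA.
    Otherwise, when ``<cadir>`` does not exist, runs ``grid-ca-create``
    (non-interactively, argv list, no shell) with the configured CA
    subject DN -- defaulting to the host certificate's RFC2253 subject --
    and raises if it exits non-zero.  Then copies ``cacert.pem`` and
    ``signing-policy`` into the trusted-certificate directory as
    ``<hash>.0`` / ``<hash>.signing_policy`` (0644: public material), and
    builds the MyProxy CA directive block in ``self.myproxy_ca_config``
    (presumably written out by ``write_myproxy_conf()``).

    :param force: remove an existing ``<cadir>`` first and pass
        ``-force`` to ``grid-ca-create``.  This is destructive: the CA
        private key is discarded, and the new certificate overwrites the
        installed ``<hash>.0`` (same subject => same file name, assuming
        the hash is derived from the subject), so anything the old CA
        issued stops validating.
    :raises Exception: when ``grid-ca-create`` fails.
    :raises OSError: from ``Popen`` when ``grid-ca-create`` is not on PATH.

    Secret handling: ``certificate_issuer_key_passphrase`` embeds the CA
    key passphrase in the generated config block; the file it ends up in
    must not be readable by other users.  ``grid-ca-create -noint`` is
    invoked without an explicit passphrase, so the value returned by
    ``get_myproxy_ca_passphrase()`` has to match whatever the tool used
    -- confirm both come from the same setting.
    """
    if not self.conf.get_myproxy_ca():
        self.logger.debug("Not using MyProxy CA, nothing to configure")
        return
    cadir = self.conf.get_myproxy_ca_directory()
    if force and cadir is not None and os.path.exists(cadir):
        shutil.rmtree(cadir, ignore_errors=True)
    if cadir is not None and not os.path.exists(cadir):
        ca_subject = self.conf.get_myproxy_ca_subject_dn()
        if ca_subject is None:
            ca_subject = security.get_certificate_subject(
                self.conf.get_security_certificate_file(), nameopt='RFC2253')
        args = ['grid-ca-create', '-nobuild', '-verbose',
                '-dir', cadir,
                '-subject', ca_subject,
                '-noint']
        if force:
            args.append('-force')
        # argv list without a shell: the subject DN is a single argument
        # and cannot be interpreted by a shell.
        ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
        (out, err) = ca_create.communicate()
        # Strip non-printable bytes before they reach the log / exception.
        out = "".join(s for s in out if s in string.printable)
        err = "".join(s for s in err if s in string.printable)
        self.logger.debug("ca create output: " + out)
        self.logger.debug("ca create stderr: " + err)
        if ca_create.returncode != 0:
            raise Exception("Error creating CA: "
                            + str(ca_create.returncode) + out + err)
    trustdir = self.conf.get_security_trusted_certificate_directory()
    if trustdir is not None:
        if not os.path.exists(trustdir):
            os.makedirs(trustdir, 0o755)
        cert_path = os.path.join(cadir, "cacert.pem")
        signing_policy_path = os.path.join(cadir, "signing-policy")
        cahash = security.get_certificate_hash(cert_path)
        installed_cert_path = os.path.join(trustdir, cahash + ".0")
        installed_signing_policy = os.path.join(
            trustdir, cahash + ".signing_policy")
        # Certificate and signing policy only -- no private material -- so
        # world-readable is intended.
        shutil.copyfile(signing_policy_path, installed_signing_policy)
        os.chmod(installed_signing_policy, 0o644)
        shutil.copyfile(cert_path, installed_cert_path)
        os.chmod(installed_cert_path, 0o644)
    self.myproxy_ca_config = """
certificate_issuer_cert "%(cadir)s/cacert.pem"
certificate_issuer_key "%(cadir)s/private/cakey.pem"
certificate_issuer_key_passphrase "%(passphrase)s"
certificate_serialfile "%(cadir)s/serial"
certificate_out_dir "%(cadir)s/newcerts"
certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
max_cert_lifetime 168
cert_dir %(certdir)s
""" % {
        'cadir': cadir,
        'passphrase': self.conf.get_myproxy_ca_passphrase(),
        'certdir': self.conf.get_security_trusted_certificate_directory()
    }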
def bind_to_endpoint(self, **kwargs):
    """Register this GridFTP server with the endpoint named in the config.

    Fetches the endpoint and patches only the endpoint-level fields that
    differ (default directory, public flag, MyProxy server/DN, OAuth
    server), then replaces this host's entry in the endpoint's server
    list via the server sub-resource API.  If the endpoint does not exist
    (404) it is created with this server instead.  Returns early when no
    endpoint name is configured.

    Keyword flags:

    * ``force`` -- delete the endpoint first (errors from the delete are
      ignored) so it is re-created from scratch.
    * ``reset`` -- delete every existing server entry before adding this
      one; otherwise only entries whose hostname matches this host are
      deleted.

    Security note: ``myproxy_dn`` is the DN Transfer will pin for this
    endpoint's MyProxy server.  When it is not in the config it is learned
    from the live server (``get_myproxy_dn_from_server``, not shown here),
    which is trust-on-first-use -- run setup over a path you trust.
    This revision still queries the server even when no MyProxy server is
    configured (a later revision guards on ``myproxy_server``).
    """
    self.logger.debug("ENTER: IO.bind_to_endpoint()")
    endpoint_name = self.conf.get_endpoint_name()
    if endpoint_name is None:
        return
    if kwargs.get('force'):
        try:
            self.logger.debug("Removing old endpoint definition")
            self.api.endpoint_delete(endpoint_name)
        except:
            # NOTE(review): bare except also swallows auth and network
            # failures, after which the "update" path below silently runs
            # against the endpoint that was supposed to be gone.
            pass
    self.logger.debug("Configuring endpoint " + endpoint_name)
    endpoint_public = self.conf.get_endpoint_public()
    endpoint_default_dir = self.conf.get_endpoint_default_dir()
    server = self.conf.get_gridftp_server()
    # Normalise the configured server to scheme://host:port; the defaults
    # apply when the config omits a scheme or port.  A non-numeric port
    # makes int() raise ValueError.
    scheme = "gsiftp"
    port = 2811
    hostname = None
    if "://" in server:
        (scheme, server) = server.split("://", 1)
    if ":" in server:
        (hostname, port_s) = server.split(":", 1)
        port = int(port_s)
    else:
        hostname = server
    server = scheme + "://" + hostname + ":" + str(port)
    # Exactly one identity provider is advertised: OAuth (explicit server),
    # CILogon (fixed host), or MyProxy (server + DN).
    oauth_server = None
    myproxy_server = None
    myproxy_dn = None
    if self.conf.get_security_identity_method() == \
            self.conf.IDENTITY_METHOD_OAUTH:
        oauth_server = self.conf.get_oauth_server()
        if oauth_server is None:
            raise Exception("Configured to use OAuth, but no OAuth server defined")
    elif self.conf.get_security_identity_method() == \
            self.conf.IDENTITY_METHOD_CILOGON:
        oauth_server = "cilogon.org"
    else:
        myproxy_server = self.conf.get_myproxy_server()
        myproxy_dn = self.conf.get_myproxy_dn()
        if myproxy_dn is None:
            myproxy_dn = self.get_myproxy_dn_from_server()
    if myproxy_server is not None:
        myproxy_server = gcmu.to_unicode(myproxy_server)
    if myproxy_dn is not None:
        myproxy_dn = gcmu.to_unicode(myproxy_dn)
    if oauth_server is not None:
        # The OAuth server must be a bare host name (no port, no scheme).
        if ":" in oauth_server:
            raise Exception("[OAuth] Server value must be a public host name only")
        oauth_server = gcmu.to_unicode(oauth_server)
    # The subject registered here is the host certificate's DN; Transfer
    # presumably checks it against what the server presents.
    new_gridftp_server = {
        gcmu.to_unicode('DATA_TYPE'): gcmu.to_unicode('server'),
        gcmu.to_unicode('scheme'): gcmu.to_unicode(scheme),
        gcmu.to_unicode('hostname'): gcmu.to_unicode(hostname),
        gcmu.to_unicode('port'): port,
        gcmu.to_unicode('subject'): gcmu.to_unicode(security.get_certificate_subject(self.conf.get_security_certificate_file()))
    }
    try:
        # Partial update document: only keys that changed are added, so
        # an unchanged endpoint sends nothing.
        new_endpoint = { 'DATA_TYPE': 'endpoint' }
        (status_code, status_reason, data) = \
            self.api.endpoint(endpoint_name)
        default_directory_key = gcmu.to_unicode('default_directory')
        public_key = gcmu.to_unicode('public')
        myproxy_server_key = gcmu.to_unicode('myproxy_server')
        myproxy_dn_key = gcmu.to_unicode('myproxy_dn')
        oauth_server_key = gcmu.to_unicode('oauth_server')
        hostname_key = gcmu.to_unicode('hostname')
        id_key = gcmu.to_unicode('id')
        data_key = gcmu.to_unicode('DATA')
        # Update any changed endpoint-level metadata
        if data.get(default_directory_key) != endpoint_default_dir:
            self.logger.debug("Changing default_directory on endpoint " \
                "to [%(new)s]" % { 'new': endpoint_default_dir })
            new_endpoint[default_directory_key] = \
                gcmu.to_unicode(endpoint_default_dir)
        if data.get(public_key) != endpoint_public:
            self.logger.debug("Changing public to " + str(endpoint_public))
            new_endpoint[public_key] = endpoint_public
        if data.get(myproxy_server_key) != myproxy_server:
            self.logger.debug("Changing myproxy_server to " + str(myproxy_server))
            new_endpoint[myproxy_server_key] = myproxy_server
        if data.get(myproxy_dn_key) != myproxy_dn:
            self.logger.debug("Changing myproxy_dn to " + str(myproxy_dn))
            new_endpoint[myproxy_dn_key] = myproxy_dn
        if data.get(oauth_server_key) != oauth_server:
            self.logger.debug("Changing oauth_server to " + str(oauth_server))
            new_endpoint[oauth_server_key] = oauth_server
        # DATA_TYPE is always present, so > 1 means "something changed".
        if len(new_endpoint.keys()) > 1:
            self.logger.debug("Updating endpoint")
            (status_code, status, data) = \
                self.api.endpoint_update(endpoint_name, new_endpoint)
            # Status is logged but not checked; API failures presumably
            # arrive as TransferAPIError (caught below).
            self.logger.debug("endpoint update result: " + str(status_code))
        (status_code, status_reason, data) = \
            self.api.endpoint_server_list(endpoint_name)
        self.logger.debug("Existing endpoint server list: " + str(data.get(data_key, [])))
        # Delete-then-add: between the last delete and the add below the
        # endpoint briefly has no entry for this host (or none at all under
        # reset), and a failed add leaves it that way.
        for server_item in data.get(data_key, []):
            self.logger.debug("existing server for endpoint: " + str(server_item.get(hostname_key, "")))
            this_server_hostname = server_item.get(hostname_key)
            this_server_id = server_item.get(id_key)
            if kwargs.get('reset') or \
                    this_server_hostname == gcmu.to_unicode(hostname):
                self.logger.debug("deleting server entry for " + str(this_server_hostname) + " with id " + str(this_server_id))
                self.api.endpoint_server_delete(endpoint_name, this_server_id)
        self.api.endpoint_server_add(endpoint_name, new_gridftp_server)
    except TransferAPIError as e:
        if e.status_code == 404:
            self.logger.debug("endpoint %s does not exist, creating" %(endpoint_name))
            try:
                (status_code, status_reason, data) = \
                    self.api.endpoint_create(
                        endpoint_name,
                        default_directory = endpoint_default_dir,
                        public = endpoint_public,
                        is_globus_connect = False,
                        hostname=new_gridftp_server['hostname'],
                        scheme=new_gridftp_server['scheme'],
                        port=new_gridftp_server['port'],
                        subject=new_gridftp_server['subject'],
                        myproxy_server=myproxy_server,
                        myproxy_dn=myproxy_dn,
                        oauth_server=oauth_server)
            except TransferAPIError as e:
                # e.message is the deprecated BaseException attribute.
                self.logger.error("endpoint create failed: %s" % \
                    (e.message))
                self.errorcount += 1
        else:
            # Any non-404 API error is counted so setup can report failure.
            self.logger.error("endpoint failed: %s" % (e.message))
            self.errorcount += 1
    self.logger.debug("EXIT: IO.bind_to_endpoint()")
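def bind_to_endpoint(self, **kwargs):
    """
    Add this GridFTP server to the endpoint named in the configuration file.

    Keyword arguments:
        force: if true, delete the existing endpoint and the cached endpoint
            id file before binding, so that the endpoint id falls back to
            the (URL-quoted) configured endpoint name and the endpoint is
            recreated by the 404 path below.
        reset: if true, remove every other GridFTP server entry from the
            endpoint before adding this one; otherwise only an existing
            entry whose hostname matches this host's is replaced.

    Returns nothing and does nothing when ``self.endpoint_xid`` is None.
    Transfer API errors are logged and counted in ``self.errorcount``
    rather than raised; a 404 from any call in the main block is treated
    as "endpoint does not exist" and the endpoint is created.

    Raises:
        Exception: if the identity method is OAuth but no OAuth server is
            configured, or if the OAuth server value is not a bare host name.
        ValueError: if the configured GridFTP server port is not an integer.
    """
    self.logger.debug("ENTER: IO.bind_to_endpoint()")
    if self.endpoint_xid is None:
        return

    if kwargs.get('force'):
        try:
            self.logger.debug("Removing old endpoint definition")
            # NOTE(review): the other calls in this method use the
            # globus_sdk TransferClient names (get_endpoint, update_endpoint,
            # delete_endpoint_server, ...); that client calls this operation
            # delete_endpoint, so confirm endpoint_delete exists on self.api.
            # The previous bare "except: pass" would have hidden an
            # AttributeError here and made --force a silent no-op.
            self.api.endpoint_delete(self.endpoint_xid)
            if os.path.exists(self.endpoint_id_file):
                os.remove(self.endpoint_id_file)
            self.endpoint_xid = urllib_parse.quote(
                self.conf.get_endpoint_name())
        except Exception as e:
            # Best effort: a failed delete (for example the endpoint is
            # already gone) must not abort the bind, but the caller asked
            # for a fresh endpoint, so the failure must not be invisible.
            self.logger.warning(
                "Removing old endpoint definition failed: %s", e)

    self.logger.debug("Configuring endpoint " + self.endpoint_xid)
    endpoint_public = self.conf.get_endpoint_public()
    endpoint_default_dir = self.conf.get_endpoint_default_dir()

    # Split the configured "[scheme://]host[:port]" value into its parts,
    # defaulting to gsiftp on port 2811.
    server = self.conf.get_gridftp_server()
    scheme = "gsiftp"
    port = 2811
    if "://" in server:
        (scheme, server) = server.split("://", 1)
    if ":" in server:
        (hostname, port_s) = server.split(":", 1)
        try:
            port = int(port_s)
        except ValueError:
            raise ValueError(
                "Invalid port %r in GridFTP server value %r"
                % (port_s, self.conf.get_gridftp_server()))
    else:
        hostname = server

    # Exactly one of the OAuth / MyProxy identity settings is sent to the
    # endpoint; the others stay None so a stale value gets cleared on update.
    oauth_server = None
    myproxy_server = None
    myproxy_dn = None
    identity_method = self.conf.get_security_identity_method()
    if identity_method == self.conf.IDENTITY_METHOD_OAUTH:
        oauth_server = self.conf.get_oauth_server()
        if oauth_server is None:
            raise Exception(
                "Configured to use OAuth, but no OAuth server defined")
    elif identity_method == self.conf.IDENTITY_METHOD_CILOGON:
        oauth_server = "cilogon.org"
    else:
        myproxy_server = self.conf.get_myproxy_server()
        myproxy_dn = self.conf.get_myproxy_dn()
        if myproxy_dn is None and myproxy_server is not None:
            myproxy_dn = self.get_myproxy_dn_from_server()
    if myproxy_server is not None:
        myproxy_server = gcmu.to_unicode(myproxy_server)
    if myproxy_dn is not None:
        myproxy_dn = gcmu.to_unicode(myproxy_dn)
    if oauth_server is not None:
        # The OAuth server is registered as a host name only; a "host:port"
        # value would otherwise be passed to the Transfer service verbatim.
        if ":" in oauth_server:
            raise Exception(
                "[OAuth] Server value must be a public host name only")
        oauth_server = gcmu.to_unicode(oauth_server)

    new_gridftp_server = {
        gcmu.to_unicode('DATA_TYPE'): gcmu.to_unicode('server'),
        gcmu.to_unicode('scheme'): gcmu.to_unicode(scheme),
        gcmu.to_unicode('hostname'): gcmu.to_unicode(hostname),
        gcmu.to_unicode('port'): port,
        gcmu.to_unicode('subject'): gcmu.to_unicode(
            security.get_certificate_subject(
                self.conf.get_security_certificate_file()))
    }

    try:
        new_endpoint = {'DATA_TYPE': 'endpoint'}
        data = self.api.get_endpoint(self.endpoint_xid).data

        # Update any changed endpoint-level metadata
        if data.get('default_directory') != endpoint_default_dir:
            self.logger.debug(
                "Changing default_directory on endpoint "
                "to [{}]".format(endpoint_default_dir))
            new_endpoint['default_directory'] = endpoint_default_dir
        for key, value in (('public', endpoint_public),
                           ('myproxy_server', myproxy_server),
                           ('myproxy_dn', myproxy_dn),
                           ('oauth_server', oauth_server)):
            if data.get(key) != value:
                self.logger.debug("Changing " + key + " to " + str(value))
                new_endpoint[key] = value

        # More than the DATA_TYPE marker means something actually changed.
        if len(new_endpoint) > 1:
            self.logger.debug("Updating endpoint")
            result = self.api.update_endpoint(self.endpoint_xid, new_endpoint)
            self.logger.debug("endpoint update result: {}".format(
                result.http_status))
            self.logger.debug("endpoint update data: {}".format(
                result.data))
            # The service may answer with a canonical resource path; keep
            # the cached endpoint id in sync with its last path component.
            returned_id = result.data.get('resource', '').split('/')[-1]
            if returned_id != '' and returned_id != self.endpoint_xid:
                self._update_xid(returned_id)

        data = self.api.endpoint_server_list(self.endpoint_xid).data
        existing_servers = data.get('DATA', [])
        self.logger.debug(
            "Existing endpoint server list: " + str(existing_servers))
        this_hostname = gcmu.to_unicode(hostname)
        for server_item in existing_servers:
            self.logger.debug(
                "existing server for endpoint: "
                + str(server_item.get('hostname', "")))
            this_server_hostname = server_item.get('hostname')
            this_server_id = server_item.get('id')
            # With reset=True every existing server entry goes; otherwise
            # only a stale entry for this same host is replaced.
            if kwargs.get('reset') or this_server_hostname == this_hostname:
                self.logger.debug(
                    "deleting server entry for " + str(this_server_hostname)
                    + " with id " + str(this_server_id))
                self.api.delete_endpoint_server(
                    self.endpoint_xid, this_server_id)
        self.api.add_endpoint_server(self.endpoint_xid, new_gridftp_server)
    except GlobusAPIError as e:
        if e.http_status != 404:
            self.logger.error("endpoint failed: %s" % (e.message))
            self.errorcount += 1
        else:
            self.logger.debug(
                "endpoint {} does not exist, creating".format(
                    self.endpoint_xid))
            try:
                result = self.api.create_endpoint(dict(
                    canonical_name=self.conf.get_endpoint_name(),
                    default_directory=endpoint_default_dir,
                    public=endpoint_public,
                    is_globus_connect=False,
                    DATA=[dict(
                        DATA_TYPE="server",
                        hostname=new_gridftp_server['hostname'],
                        scheme=new_gridftp_server['scheme'],
                        port=new_gridftp_server['port'],
                        subject=new_gridftp_server['subject'])],
                    myproxy_server=myproxy_server,
                    myproxy_dn=myproxy_dn,
                    oauth_server=oauth_server))
                # A newly created endpoint gets a service-assigned id.
                if self.endpoint_xid != result.data['id']:
                    self._update_xid(result.data['id'])
            except GlobusAPIError as create_err:
                self.logger.error(
                    "endpoint create failed: %s" % (create_err.message))
                self.errorcount += 1
    self.logger.debug("EXIT: IO.bind_to_endpoint()")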