def authorize(self, method, caller, creds, args, opts, requested_allocation_state): if self._logger: caller_urn = gid.GID(string=caller).get_urn() template = "Authorizing %s %s #Creds = %s Args = %s Opts =%s" self._logger.info(template % \ (method, caller_urn, len(creds), \ args.keys(), opts.keys()))
def exercise_am(ch_server, am_server, certfile): # Get UUID out of certfile user_certstr = file(certfile, 'r').read() user_gid = gid.GID(string=user_certstr) user_uuid = str(uuid.UUID(int=user_gid.get_uuid())); # Create a project at the clearinghouse project_name = "Proj-" + str(uuid.uuid4()); lead_id = user_uuid; project_purpose = "DUMMY"; project_result = ch_server.CreateProject(project_name, lead_id, project_purpose); if(project_result['code'] != 0): print "Failed to create project " + str(project_result); return project_id = project_result['value']; print("PROJECT_RESULT = " + str(project_id)); # Create a slice at the clearinghouse slice_name = "Slice-" + str(uuid.uuid4()); slice_name = slice_name[:15]; # Can't have slice names too big slice_result = ch_server.CreateSlice(slice_name, project_id, user_uuid) if (slice_result['code'] != 0): print "Failed to create slice " + str(slice_result); return; slice_info = slice_result['value'] slice_id = slice_info['slice_id'] slice_credential_result = ch_server.GetSliceCredential(slice_id, user_certstr) if(slice_credential_result['code'] != 0): print "Failed to get slice credential " + str(slice_credential_result); return slice_cred_string = slice_credential_result['value']['slice_credential'] slice_credential = cred.Credential(string=slice_cred_string) slice_gid = slice_credential.get_gid_object() slice_urn = slice_gid.get_urn() print 'Slice Creation SUCCESS: URN = %s' % (slice_urn) # Set up the array of credentials as just the slice credential credentials = [slice_cred_string] test_get_version(am_server) dom = test_list_resources(am_server, credentials) test_create_sliver(am_server, slice_urn, credentials, dom) test_sliver_status(am_server, slice_urn, credentials) test_list_resources(am_server, credentials, slice_urn=slice_urn) expiration = datetime.datetime.utcnow() + datetime.timedelta(days=1) test_renew_sliver(am_server, slice_urn, credentials, expiration) test_delete_sliver(am_server, slice_urn, credentials) # Test compression on list resources dom = test_list_resources(am_server, credentials, compressed=True, available=False) # Now create a slice and shut it down instead of deleting it. slice_name = "Slice-" + str(uuid.uuid4()); slice_name = slice_name[:15]; # Can't have slice names too big slice_result = ch_server.CreateSlice(slice_name, project_id, user_uuid) if(slice_result['code'] != 0): print "Failed to create slice " + str(slice_result); return slice_info = slice_result['value']; sllice_id = slice_info['slice_id'] slice_credential_result = ch_server.GetSliceCredential(slice_id, user_certstr) if(slice_credential_result['code'] != 0): print "Failed to get slice credential " + str(slice_credential_result) return slice_cred_string = slice_credential_result['value']['slice_credential'] slice_credential = cred.Credential(string=slice_cred_string) slice_gid = slice_credential.get_gid_object() slice_urn = slice_gid.get_urn() print 'Second Slice URN = %s' % (slice_urn) credentials = [slice_cred_string] dom = test_list_resources(am_server, credentials) test_create_sliver(am_server, slice_urn, credentials, dom) test_shutdown(am_server, slice_urn, credentials)
def Resolve(self, client_cert, args): # Omni uses this, Flack may not need it # ID may be a uuid, hrn, or urn # Omni uses hrn for type=User, urn for type=Slice # type is Slice or User # args: credential, hrn, urn, uuid, type # Return is dict: #When the type is Slice: # #{ # "urn" : "URN of the slice", # "uuid" : "rfc4122 universally unique identifier", # "creator_uuid" : "UUID of the user who created the slice", # "creator_urn" : "URN of the user who created the slice", # "gid" : "ProtoGENI Identifier (an x509 certificate)", # "component_managers" : "List of CM URNs which are known to contain slivers or tickets in this slice. May be stale" #} #When the type is User: # #{ # "uid" : "login (Emulab) ID of the user.", # "hrn" : "Human Readable Name (HRN)", # "uuid" : "rfc4122 universally unique identifier", # "email": "registered email address", # "gid" : "ProtoGENI Identifier (an x509 certificate)", # "name" : "common name", #} user_email = get_email_from_cert(client_cert) type = None if 'type' in args: type = args['type'].lower() if type not in ('slice', 'user'): raise CHAPIv1ArgumentError("Unknown type for PGH.Resolve: %s" % str(type)) uuid = None if 'uuid' in args: uuid = args['uuid'] urn = None if 'urn' in args: urn = args['urn'] hrn = None if 'hrn' in args: hrn = args['hrn'] if not hrn and not urn and not uuid: raise CHAPIv1ArgumentError( "No UUID, URN or HRN identifier provided") if hrn and not urn: urn = gcf.sfa.util.xrn.hrn_to_urn(hrn, type) if type == 'user': # User ma = self._ma_handler match_clause = {'MEMBER_URN': urn} if not urn: match_clause = {'MEMBER_UID': uuid} public_filter_clause = [ 'MEMBER_UID', 'MEMBER_URN', 'MEMBER_USERNAME', '_GENI_MEMBER_SSL_CERTIFICATE' ] public_options = { "match": match_clause, "filter": public_filter_clause } creds = [] lookup_public_return = \ ma.lookup_public_member_info(creds, public_options) if lookup_public_return['code'] != NO_ERROR: return lookup_public_return public_info = lookup_public_return['value'] if not public_info or len(public_info.keys()) == 0 or \ (urn and not public_info.has_key(urn)): # no user by that urn or uuid msg = "" if urn: msg = "User requested not found: %s" % urn else: msg = "User requested not found: %s" % uuid chapi_info(PGCH_LOG_PREFIX, msg, {'user': user_email}) # Return an error with this message return {'code': ARGUMENT_ERROR, 'value': {}, 'output': msg} this_urn = public_info.keys()[0] public_info = public_info[this_urn] # to get a proper display name we need the following identifying_filter_clause = [ 'MEMBER_EMAIL', '_GENI_MEMBER_DISPLAYNAME', 'MEMBER_FIRSTNAME', 'MEMBER_LASTNAME' ] identifying_options = { 'match': match_clause, 'filter': identifying_filter_clause } lookup_identifying_return = \ ma.lookup_identifying_member_info(creds, identifying_options) if lookup_identifying_return['code'] != NO_ERROR: return lookup_identifying_return identifying_info = lookup_identifying_return['value'] identifying_info = identifying_info[this_urn] member_uid = public_info['MEMBER_USERNAME'] member_hrn = gcf.sfa.util.xrn.urn_to_hrn( public_info['MEMBER_URN'])[0] member_uuid = public_info['MEMBER_UID'] member_email = identifying_info['MEMBER_EMAIL'] member_gid = None if public_info.has_key('_GENI_MEMBER_SSL_CERTIFICATE'): member_gid = public_info['_GENI_MEMBER_SSL_CERTIFICATE'] member_name = get_member_display_name(identifying_info, public_info['MEMBER_URN']) # Slices sa = self._sa_handler lookup_slices_return = sa.lookup_slices_for_member(urn, [], {}) if lookup_slices_return['code'] != NO_ERROR: return lookup_slices_return slice_info = lookup_slices_return['value'] slices = [] for s in slice_info: if s['EXPIRED'] == True: continue slices.append(s['SLICE_URN']) resolve = {'uid' : member_uid, # login(Emulab) ID of user \ 'hrn' : member_hrn, \ 'uuid' : member_uuid, \ 'email' : member_email, \ 'gid' : member_gid, 'name' : member_name, # Common Name 'slices' : slices } else: # Slice match_clause = {'SLICE_URN': urn, 'SLICE_EXPIRED': 'f'} if not urn: match_clause = {'SLICE_UID': uuid} filter_clause = ["SLICE_UID", "SLICE_URN", "SLICE_NAME", \ "_GENI_SLICE_OWNER"] options = {'match': match_clause, 'filter': filter_clause} creds = [] lookup_slices_return = \ self._sa_handler.lookup_slices(creds, options) if lookup_slices_return['code'] != NO_ERROR: if lookup_slices_return['code'] == AUTHORIZATION_ERROR: # Only slice members or operators can look up a # slice # So this might mean you are not in the slice, or # not in the project, or the slice does not exist msg = "" if urn: msg = "No slice found or authorization failed (URN %s)" % str( urn) else: msg = "No slice found or authorization failed (UID %s)" % str( uuid) chapi_info(PGCH_LOG_PREFIX, msg, {'user': user_email}) return { 'code': 12, 'value': {}, 'output': msg } # 12 is what Flack expects for a nonexistent slice return lookup_slices_return slice_info_dict = lookup_slices_return['value'] if len(slice_info_dict.keys()) == 0: msg = "" if urn: msg = "No slice found URN %s" % str(urn) else: msg = "No slice found UID %s" % str(uuid) chapi_info(PGCH_LOG_PREFIX, msg, {'user': user_email}) return {'code': ARGUMENT_ERROR, 'value': {}, 'output': msg} slice_key = slice_info_dict.keys()[0] slice_info = slice_info_dict[slice_key] slice_name = slice_info['SLICE_NAME'] slice_urn = slice_info['SLICE_URN'] slice_uuid = slice_info['SLICE_UID'] creator_uuid = slice_info['_GENI_SLICE_OWNER'] match_clause = {'MEMBER_UID': creator_uuid} filter_clause = ['MEMBER_URN'] options = {'match': match_clause, 'filter': filter_clause} lookup_member_return = \ self._ma_handler.lookup_public_member_info(creds, options) if lookup_member_return['code'] != NO_ERROR: return lookup_member_return # If the slice owner listed is not in the DB this will # give an error, but that is also a DB error creator_urn = lookup_member_return['value'].keys()[0] options = {} get_credentials_return = \ self._sa_handler.get_credentials(slice_urn, \ [], options) if get_credentials_return['code'] == AUTHORIZATION_ERROR: msg = "No slice found for urn %s" % slice_urn chapi_info(PGCH_LOG_PREFIX, msg, {'user': user_email}) # Return an error with this message return {'code': ARGUMENT_ERROR, 'value': "", 'output': msg} if get_credentials_return['code'] != NO_ERROR: return get_credentials_return if not get_credentials_return['value'] or \ len(get_credentials_return['value']) == 0: msg = "No slice found for urn %s" % slice_urn chapi_info(PGCH_LOG_PREFIX, msg, {'user': user_email}) # Return an error with this message return {'code': ARGUMENT_ERROR, 'value': "", 'output': msg} slice_cred = get_credentials_return['value'][0]['geni_value'] slice_gid = gid.GID(slice_cred) resolve = {'urn' : slice_urn, \ 'uuid' : slice_uuid, \ 'creator_uuid' : creator_uuid, \ 'creator_urn' : creator_urn, \ # PG Identifier (an x509 cert) 'gid' : slice_gid.save_to_string(), \ 'component_managers' : [] } return self._successReturn(resolve)
def main(argv=None): if argv is None: argv = sys.argv (opts, args) = parse_args(argv) # Ignore args, appease eclipse. _ = args global config, CERT_AUTHORITY optspath = None if not opts.configfile is None: optspath = os.path.expanduser(opts.configfile) config = read_config(optspath) CERT_AUTHORITY = config['global']['base_name'] username = "******" if opts.username: # We'll check this is legal once we have a full URN username = opts.username dir = "." if opts.directory: dir = opts.directory if not opts.authority is None: # FIXME: Check it's legal? Should be 'an internationalized # domain name' CERT_AUTHORITY = opts.authority global CH_CERT_FILE, CH_KEY_FILE, AM_CERT_FILE, AM_KEY_FILE, USER_CERT_FILE, USER_KEY_FILE CH_CERT_FILE = getAbsPath(config['clearinghouse']['certfile']) CH_KEY_FILE = getAbsPath(config['clearinghouse']['keyfile']) AM_CERT_FILE = getAbsPath(config['aggregate_manager']['certfile']) AM_KEY_FILE = getAbsPath(config['aggregate_manager']['keyfile']) USER_CERT_FILE = getAbsPath(config['gcf-test']['certfile']) USER_KEY_FILE = getAbsPath(config['gcf-test']['keyfile']) # If username != alice then substitute actual username # in user_cert_file and user_key_file as appropriate # like USER_CERT_FILE = s/alice/$username/ # Of course if the user edits the file to have something # other than alice in the filename then this does something odd if username != 'alice': USER_CERT_FILE = string.replace(USER_CERT_FILE, 'alice', username) USER_KEY_FILE = string.replace(USER_KEY_FILE, 'alice', username) try: for p in [ CH_CERT_FILE, CH_KEY_FILE, AM_CERT_FILE, AM_KEY_FILE, USER_CERT_FILE, USER_KEY_FILE ]: if '/' in p: os.mkdir(p[:p.rfind('/')]) except: pass ch_keys = None ch_cert = None if not opts.notAll or opts.ch: (ch_keys, ch_cert) = make_ch_cert(dir) else: if not opts.notAll or opts.exp: try: ch_cert = gid.GID(filename=os.path.join(dir, CH_CERT_FILE)) ch_keys = cert.Keypair(filename=os.path.join(dir, CH_KEY_FILE)) except Exception, exc: sys.exit( "Failed to read CH(SA) cert/key from %s/%s and %s: %s" % (dir, CH_CERT_FILE, CH_KEY_FILE, exc))
def get_requested_allocation_state(self, aggregate_manager, method_name, arguments, options, credentials): resource_info = [] amd = aggregate_manager._delegate if method_name in [ AM_Methods.CREATE_SLIVER_V2, AM_Methods.ALLOCATE_V3 ]: creds = [credential.Credential(string=c) for c in credentials] # Grab info about current slivers slices = SliceURNtoSliceObject._slices for slice_urn in slices: slice_obj = slices[slice_urn] slivers = slice_obj.getSlivers() for sliver_urn, sliver_obj in slivers.items(): user_urn = sliver_obj.getUserURN() start_time = str(datetime.datetime.utcnow()) end_time = str(sliver_obj.getExpiration()) if isinstance(sliver_obj, VirtualMachine): sliver_info = { 'sliver_urn': sliver_urn, 'slice_urn': slice_urn, 'user_urn': user_urn, 'start_time': start_time, 'end_time': end_time, 'measurements': { "NODE": 1 } } resource_info.append(sliver_info) elif isinstance(sliver_obj, NetworkLink): self.processCapacity(resource_info, slice_obj.getRequestRspec(), sliver_urn, slice_urn, user_urn, start_time, end_time) # Grab all nodes from request rspec if 'rspec' in arguments and 'slice_urn' in arguments: rspec_raw = arguments['rspec'] slice_urn = arguments['slice_urn'] user_urn = gid.GID( string=options['geni_true_caller_cert']).get_urn() start_time = datetime.datetime.utcnow() if 'geni_start_time' in options: raw_start_time = options['geni_start_time'] start_time = amd._nativeUTC( dateutil.parse.parse(raw_start_time)) if 'geni_end_time' in options: raw_end_time = options['geni_end_time'] end_time = amd.min_expire(creds, requested=raw_end_time) else: end_time = amd.min_expire(creds) rspec = xml.dom.minidom.parseString(rspec_raw) nodes = rspec.getElementsByTagName('node') for node in nodes: entry = { 'sliver_urn': 'not_set_yet', 'slice_urn': slice_urn, 'user_urn': user_urn, 'start_time': str(start_time), 'end_time': str(end_time), 'measurements': { "NODE": 1 } } resource_info.append(entry) self.processCapacity(resource_info, rspec, 'not_set_yet', slice_urn, user_urn, start_time, end_time) elif method_name in [AM_Methods.RENEW_SLIVER_V2, AM_Methods.RENEW_V3]: # Grab the current slivers (as if we were calling createsliver/allocate with no new rspec resource_info = self.get_requested_allocation_state( aggregate_manager, AM_Methods.ALLOCATE_V3, {}, {}, []) creds = [credential.Credential(string=c) for c in credentials] expiration = amd.min_expire(creds, max_duration=amd.max_lease) requested_str = arguments['expiration_time'] requested = dateutil.parser.parse(requested_str, tzinfos=tzd) requested = amd._naiveUTC(requested) if 'geni_extend_alap' in options: requested = min(expiration, requested) requested = str(requested) if method_name == AM_Methods.RENEW_SLIVER_V2: the_slice_urn = arguments['slice_urn'] the_slice = SliceURNtoSliceObject._slices[the_slice_urn] slivers = the_slice.getSlivers().values() else: urns = arguments['urns'] the_slice, slivers = amd.decode_urns(urns) sliver_urns = [the_sliver.getSliverURN() for the_sliver in slivers] for entry in resource_info: if entry['sliver_urn'] in sliver_urns: entry['end_time'] = requested else: pass return resource_info