示例#1
0
 def getCredentials( self, ignoreDefault = False ):
   if not self.__loadedChain:
     return S_ERROR( "No chain loaded" )
   credDict = { 'subject' : self.__certList[0].get_subject().one_line(),
                'issuer' : self.__certList[0].get_issuer().one_line(),
                'secondsLeft' : self.getRemainingSecs()[ 'Value' ],
                'isProxy' : self.__isProxy,
                'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy,
                'validDN' : False,
                'validGroup' : False,
                'groupProperties' : [] }
   if self.__isProxy:
     credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line()
     retVal = Registry.getUsernameForDN( credDict[ 'identity' ] )
     if retVal[ 'OK' ]:
       credDict[ 'username' ] = retVal[ 'Value' ]
       credDict[ 'validDN' ] = True
     retVal = self.getDIRACGroup( ignoreDefault = ignoreDefault )
     if retVal[ 'OK' ]:
       diracGroup = retVal[ 'Value' ]
       credDict[ 'group' ] = diracGroup
       retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
       if retVal[ 'OK' ] and diracGroup in retVal[ 'Value' ]:
         credDict[ 'validGroup' ] = True
         credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup )
   else:
     retVal = Registry.getHostnameForDN( credDict['subject'] )
     retVal[ 'group' ] = 'hosts'
     if retVal[ 'OK' ]:
       credDict[ 'hostname' ] = retVal[ 'Value' ]
       credDict[ 'validDN' ] = True
       credDict[ 'validGroup' ] = True
   return S_OK( credDict )
示例#2
0
def findGenericPilotCredentials(vo=False, group=False, pilotDN='', pilotGroup=''):
  """ Looks into the Operations/<>/Pilot section of CS to find the pilot credentials.
      Then check if the user has a registered proxy in ProxyManager.

      if pilotDN or pilotGroup are specified, use them
  """
  if not group and not vo:
    return S_ERROR("Need a group or a VO to determine the Generic pilot credentials")
  if not vo:
    vo = Registry.getVOForGroup(group)
    if not vo:
      return S_ERROR("Group %s does not have a VO associated" % group)
  opsHelper = Operations.Operations(vo=vo)
  if not pilotGroup:
    pilotGroup = opsHelper.getValue("Pilot/GenericPilotGroup", "")
  if not pilotDN:
    pilotDN = opsHelper.getValue("Pilot/GenericPilotDN", "")
  if not pilotDN:
    pilotUser = opsHelper.getValue("Pilot/GenericPilotUser", "")
    if pilotUser:
      result = Registry.getDNForUsername(pilotUser)
      if result['OK']:
        pilotDN = result['Value'][0]
  if pilotDN and pilotGroup:
    gLogger.verbose("Pilot credentials: %s@%s" % (pilotDN, pilotGroup))
    result = gProxyManager.userHasProxy(pilotDN, pilotGroup, 86400)
    if not result['OK']:
      return S_ERROR("%s@%s has no proxy in ProxyManager")
    return S_OK((pilotDN, pilotGroup))

  if pilotDN:
    return S_ERROR("DN %s does not have group %s" % (pilotDN, pilotGroup))
  return S_ERROR("No generic proxy in the Proxy Manager with groups %s" % pilotGroup)
示例#3
0
    def completeDelegation(self, requestId, userDN, delegatedPem):
        """
    Complete a delegation and store it in the db
    """
        retVal = self.retrieveDelegationRequest(requestId, userDN)
        if not retVal['OK']:
            return retVal
        request = retVal['Value']
        chain = X509Chain(keyObj=request.getPKey())
        retVal = chain.loadChainFromString(delegatedPem)
        if not retVal['OK']:
            return retVal
        retVal = chain.isValidProxy(ignoreDefault=True)
        noGroupFlag = False
        if not retVal['OK']:
            if DErrno.cmpError(retVal, DErrno.ENOGROUP):
                noGroupFlag = True
            else:
                return retVal

        result = chain.isVOMS()
        if result['OK'] and result['Value']:
            return S_ERROR(
                "Proxies with VOMS extensions are not allowed to be uploaded")

        retVal = request.checkChain(chain)
        if not retVal['OK']:
            return retVal
        if not retVal['Value']:
            return S_ERROR("Received chain does not match request: %s" %
                           retVal['Message'])

        retVal = chain.getDIRACGroup()
        if not retVal['OK']:
            return retVal
        userGroup = retVal['Value']
        if not userGroup:
            userGroup = Registry.getDefaultUserGroup()

        retVal = Registry.getGroupsForDN(userDN)
        if not retVal['OK']:
            return retVal
        if not userGroup in retVal['Value']:
            return S_ERROR("%s group is not valid for %s" %
                           (userGroup, userDN))

        # For proxies without embedded DIRAC group only one default is allowed
        # Cleaning all the proxies for this DN if any before uploading the new one.
        if noGroupFlag:
            retVal = self.deleteProxy(userDN)
            if not retVal['OK']:
                return retVal

        retVal = self.storeProxy(userDN, userGroup, chain)
        if not retVal['OK']:
            return retVal
        retVal = self.deleteRequest(requestId)
        if not retVal['OK']:
            return retVal
        return S_OK()
示例#4
0
def findGenericCloudCredentials(vo=False, group=False):
    """Get the cloud credentials to use for a specific VO and/or group."""
    if not group and not vo:
        return S_ERROR(
            "Need a group or a VO to determine the Generic cloud credentials")
    if not vo:
        vo = Registry.getVOForGroup(group)
        if not vo:
            return S_ERROR("Group %s does not have a VO associated" % group)
    opsHelper = Operations.Operations(vo=vo)
    cloudGroup = opsHelper.getValue("Cloud/GenericCloudGroup", "")
    cloudDN = opsHelper.getValue("Cloud/GenericCloudDN", "")
    if not cloudDN:
        cloudUser = opsHelper.getValue("Cloud/GenericCloudUser", "")
        if cloudUser:
            result = Registry.getDNForUsername(cloudUser)
            if result["OK"]:
                cloudDN = result["Value"][0]
            else:
                return S_ERROR("Failed to find suitable CloudDN")
    if cloudDN and cloudGroup:
        gLogger.verbose("Cloud credentials from CS: %s@%s" %
                        (cloudDN, cloudGroup))
        result = gProxyManager.userHasProxy(cloudDN, cloudGroup, 86400)
        if not result["OK"]:
            return result
        return S_OK((cloudDN, cloudGroup))
    return S_ERROR("Cloud credentials not found")
示例#5
0
    def addVOMSExtIfNeeded(self):
        addVOMS = self.__piParams.addVOMSExt or Registry.getGroupOption(
            self.__piParams.diracGroup, "AutoAddVOMS", False
        )
        if not addVOMS:
            return S_OK()

        vomsAttr = Registry.getVOMSAttributeForGroup(self.__piParams.diracGroup)
        if not vomsAttr:
            return S_ERROR(
                "Requested adding a VOMS extension but no VOMS attribute defined for group %s"
                % self.__piParams.diracGroup
            )

        result = VOMS.VOMS().setVOMSAttributes(
            self.__proxyGenerated, attribute=vomsAttr, vo=Registry.getVOForGroup(self.__piParams.diracGroup)
        )
        if not result["OK"]:
            return S_ERROR(
                "Could not add VOMS extensions to the proxy\nFailed adding VOMS attribute: %s" % result["Message"]
            )

        gLogger.notice("Added VOMS attribute %s" % vomsAttr)
        chain = result["Value"]
        chain.dumpAllToFile(self.__proxyGenerated)
        return S_OK()
示例#6
0
  def getUsername(self, credDict):
    """
    Discover the username associated to the DN. It will check if the selected group is valid.
    The username will be included in the credentials dictionary.

    :type  credDict: dictionary
    :param credDict: Credentials to check
    :return: Boolean specifying whether the username was found
    """
    if self.KW_DN not in credDict:
      return True
    if self.KW_GROUP not in credDict:
      result = Registry.findDefaultGroupForDN(credDict[self.KW_DN])
      if not result['OK']:
        return False
      credDict[self.KW_GROUP] = result['Value']
    credDict[self.KW_PROPERTIES] = Registry.getPropertiesForGroup(credDict[self.KW_GROUP], [])
    usersInGroup = Registry.getUsersInGroup(credDict[self.KW_GROUP], [])
    if not usersInGroup:
      return False
    retVal = Registry.getUsernameForDN(credDict[self.KW_DN], usersInGroup)
    if retVal['OK']:
      credDict[self.KW_USERNAME] = retVal['Value']
      return True
    return False
示例#7
0
    def addVOMSExtIfNeeded(self):
        addVOMS = self.__piParams.addVOMSExt or Registry.getGroupOption(
            self.__piParams.diracGroup, "AutoAddVOMS", False)
        if not addVOMS:
            return S_OK()

        vomsAttr = Registry.getVOMSAttributeForGroup(
            self.__piParams.diracGroup)
        if not vomsAttr:
            return S_ERROR(
                "Requested adding a VOMS extension but no VOMS attribute defined for group %s"
                % self.__piParams.diracGroup)

        resultVomsAttributes = VOMS.VOMS().setVOMSAttributes(
            self.__proxyGenerated,
            attribute=vomsAttr,
            vo=Registry.getVOMSVOForGroup(self.__piParams.diracGroup))
        if not resultVomsAttributes['OK']:
            return S_ERROR(
                "Could not add VOMS extensions to the proxy\nFailed adding VOMS attribute: %s"
                % resultVomsAttributes['Message'])

        gLogger.notice("Added VOMS attribute %s" % vomsAttr)
        chain = resultVomsAttributes['Value']
        result = chain.dumpAllToFile(self.__proxyGenerated)
        if not result["OK"]:
            return result
        return S_OK()
示例#8
0
  def getGroupsToUpload( self ):
    uploadGroups = []

    if self.__piParams.uploadProxy or Registry.getGroupOption( self.__piParams.diracGroup, "AutoUploadProxy", False ):
      uploadGroups.append( self.__piParams.diracGroup )

    if not self.__piParams.uploadPilot:
      if not Registry.getGroupOption( self.__piParams.diracGroup, "AutoUploadPilotProxy", False ):
        return uploadGroups

    issuerCert = self.getIssuerCert()
    resultUserDN = issuerCert.getSubjectDN() #pylint: disable=no-member
    if not resultUserDN['OK']:
      return resultUserDN
    userDN = resultUserDN[ 'Value' ]

    resultGroups = Registry.getGroupsForDN( userDN )
    if not resultGroups[ 'OK' ]:
      gLogger.error( "No groups defined for DN %s" % userDN )
      return []
    availableGroups = resultGroups[ 'Value' ]

    for group in availableGroups:
      groupProps = Registry.getPropertiesForGroup( group )
      if Properties.PILOT in groupProps or Properties.GENERIC_PILOT in groupProps:
        uploadGroups.append( group )
    return uploadGroups
示例#9
0
    def getGroupsToUpload(self):
        uploadGroups = []

        if self.__piParams.uploadProxy or Registry.getGroupOption(
                self.__piParams.diracGroup, "AutoUploadProxy", False):
            uploadGroups.append(self.__piParams.diracGroup)

        if not self.__piParams.uploadPilot:
            if not Registry.getGroupOption(self.__piParams.diracGroup,
                                           "AutoUploadPilotProxy", False):
                return uploadGroups

        issuerCert = self.getIssuerCert()
        resultUserDN = issuerCert.getSubjectDN()  #pylint: disable=no-member
        if not resultUserDN['OK']:
            return resultUserDN
        userDN = resultUserDN['Value']

        resultGroups = Registry.getGroupsForDN(userDN)
        if not resultGroups['OK']:
            gLogger.error("No groups defined for DN %s" % userDN)
            return []
        availableGroups = resultGroups['Value']

        for group in availableGroups:
            groupProps = Registry.getPropertiesForGroup(group)
            if Properties.PILOT in groupProps or Properties.GENERIC_PILOT in groupProps:
                uploadGroups.append(group)
        return uploadGroups
示例#10
0
    def export_getUsersTokensInfo(self, users: list):
        """Get the info about the user tokens in the database

        :param users: user names

        :return: S_OK(list) -- return list of tokens dictionaries
        """
        tokensInfo = []
        for user in users:
            # Find the user ID among his DNs
            result = Registry.getDNForUsername(user)
            if not result["OK"]:
                return result
            for dn in result["Value"]:
                uid = Registry.getIDFromDN(dn).get("Value")
                if uid:
                    result = self.__tokenDB.getTokensByUserID(uid)
                    if not result["OK"]:
                        self.log.error(result["Message"])
                    else:
                        for tokenDict in result["Value"]:
                            if tokenDict not in tokensInfo:
                                # The database does not contain a username,
                                # as it is a unique user ID exclusively for DIRAC
                                # and is not associated with a token.
                                tokenDict["username"] = user
                                tokensInfo.append(tokenDict)
        return S_OK(tokensInfo)
示例#11
0
    def __getPUSProxy(self,
                      userDN,
                      userGroup,
                      requiredLifetime,
                      requestedVOMSAttr=None):

        result = Registry.getGroupsForDN(userDN)
        if not result['OK']:
            return result

        validGroups = result['Value']
        if not userGroup in validGroups:
            return S_ERROR('Invalid group %s for user' % userGroup)

        voName = Registry.getVOForGroup(userGroup)
        if not voName:
            return S_ERROR('Can not determine VO for group %s' % userGroup)

        retVal = self.__getVOMSAttribute(userGroup, requestedVOMSAttr)
        if not retVal['OK']:
            return retVal
        vomsAttribute = retVal['Value']['attribute']
        vomsVO = retVal['Value']['VOMSVO']

        puspServiceURL = Registry.getVOOption(voName, 'PUSPServiceURL')
        if not puspServiceURL:
            return S_ERROR('Can not determine PUSP service URL for VO %s' %
                           voName)

        user = userDN.split(":")[-1]

        puspURL = "%s?voms=%s:%s&proxy-renewal=false&disable-voms-proxy=false" \
                  "&rfc-proxy=true&cn-label=user:%s" % ( puspServiceURL, vomsVO, vomsAttribute, user )

        try:
            proxy = urllib.urlopen(puspURL).read()
        except Exception as e:
            return S_ERROR('Failed to get proxy from the PUSP server')

        chain = X509Chain()
        chain.loadChainFromString(proxy)
        chain.loadKeyFromString(proxy)

        result = chain.getCredentials()
        if not result['OK']:
            return S_ERROR('Failed to get a valid PUSP proxy')
        credDict = result['Value']
        if credDict['identity'] != userDN:
            return S_ERROR(
                'Requested DN does not match the obtained one in the PUSP proxy'
            )
        timeLeft = credDict['secondsLeft']

        result = chain.generateProxyToString(lifeTime=timeLeft,
                                             diracGroup=userGroup)
        if not result['OK']:
            return result
        proxyString = result['Value']
        return S_OK((proxyString, timeLeft))
示例#12
0
文件: ProxyDB.py 项目: radonys/DIRAC
 def sendExpirationNotifications( self ):
   result = self.__cleanExpNotifs()
   if not result[ 'OK' ]:
     return result
   cmd = "SELECT UserDN, UserGroup, LifeLimit FROM `ProxyDB_ExpNotifs`"
   result = self._query( cmd )
   if not result[ 'OK' ]:
     return result
   notifDone = dict( [ ( ( row[0], row[1] ), row[2] ) for row in result[ 'Value' ] ] )
   notifLimits = sorted( [ int( x ) for x in self.getCSOption( "NotificationTimes", ProxyDB.NOTIFICATION_TIMES ) ] )
   sqlSel = "UserDN, UserGroup, TIMESTAMPDIFF( SECOND, UTC_TIMESTAMP(), ExpirationTime )"
   sqlCond = "TIMESTAMPDIFF( SECOND, UTC_TIMESTAMP(), ExpirationTime ) < %d" % max( notifLimits )
   cmd = "SELECT %s FROM `ProxyDB_Proxies` WHERE %s" % ( sqlSel, sqlCond )
   result = self._query( cmd )
   if not result[ 'OK' ]:
     return result
   pilotProps = ( Properties.GENERIC_PILOT, Properties.PILOT )
   data = result[ 'Value' ]
   sent = []
   for row in data:
     userDN, group, lTime = row
     #If it's a pilot proxy, skip it
     if Registry.groupHasProperties( group, pilotProps ):
       continue
     #IF it dosn't hace the auto upload proxy, skip it
     if not Registry.getGroupOption( group, "AutoUploadProxy", False ):
       continue
     notKey = ( userDN, group )
     for notifLimit in notifLimits:
       if notifLimit < lTime:
         #Not yet in this notification limit
         continue
       if notKey in notifDone and notifDone[ notKey ] <= notifLimit:
         #Already notified for this notification limit
         break
       if not self._notifyProxyAboutToExpire( userDN, group, lTime, notifLimit ):
         #Cannot send notification, retry later
         break
       try:
         sUserDN = self._escapeString( userDN )[ 'Value' ]
         sGroup = self._escapeString( group )[ 'Value' ]
       except KeyError:
         return S_ERROR( "OOPS" )
       if notKey not in notifDone:
         values = "( %s, %s, %d, TIMESTAMPADD( SECOND, %s, UTC_TIMESTAMP() ) )" % ( sUserDN, sGroup, notifLimit, lTime )
         cmd = "INSERT INTO `ProxyDB_ExpNotifs` ( UserDN, UserGroup, LifeLimit, ExpirationTime ) VALUES %s" % values
         result = self._update( cmd )
         if not result[ 'OK' ]:
           gLogger.error( "Could not mark notification as sent", result[ 'Message' ] )
       else:
         values = "LifeLimit = %d, ExpirationTime = TIMESTAMPADD( SECOND, %s, UTC_TIMESTAMP() )" % ( notifLimit, lTime )
         cmd = "UPDATE `ProxyDB_ExpNotifs` SET %s WHERE UserDN = %s AND UserGroup = %s" % ( values, sUserDN, sGroup )
         result = self._update( cmd )
         if not result[ 'OK' ]:
           gLogger.error( "Could not mark notification as sent", result[ 'Message' ] )
       sent.append( ( userDN, group, lTime ) )
       notifDone[ notKey ] = notifLimit
   return S_OK( sent )
示例#13
0
def findGenericPilotCredentials( vo = False, group = False ):
  if not group and not vo:
    return S_ERROR( "Need a group or a VO to determine the Generic pilot credentials" )
  if not vo:
    vo = Registry.getVOForGroup( group )
    if not vo:
      return S_ERROR( "Group %s does not have a VO associated" % group )
  opsHelper = Operations.Operations( vo = vo )
  pilotGroup = opsHelper.getValue( "Pilot/GenericPilotGroup", "" )
  pilotDN = opsHelper.getValue( "Pilot/GenericPilotDN", "" )
  if pilotDN and pilotGroup:
    gLogger.verbose( "Pilot credentials have been defined in the CS. Using %s@%s" % ( pilotDN, pilotGroup ) )
    result = gProxyManager.userHasProxy( pilotDN, pilotGroup, 86400 )
    if not result[ 'OK' ]:
      return S_ERROR( "%s@%s has no proxy uploaded to the ProxyManager" )
    return S_OK( ( pilotDN, pilotGroup ) )
  #Auto discover
  gLogger.verbose( "Pilot credentials are not defined. Autodiscovering..." )
  if pilotGroup:
    pilotGroups = [ pilotGroup ]
  else:
    result = Registry.getGroupsWithProperty( Properties.GENERIC_PILOT )
    if not result[ 'OK' ]:
      return result
    pilotGroups = []
    groups = result[ 'Value' ]
    if not groups:
      return S_ERROR( "No group with %s property defined" % Properties.GENERIC_PILOT )
    result = Registry.getGroupsForVO( vo )
    if not result[ 'OK' ]:
      return result
    for voGroup in result[ 'Value' ]:
      if voGroup in groups:
        pilotGroups.append( voGroup )
  if not pilotGroups:
    return S_ERROR( "No group for VO %s is a generic pilot group" % vo )
  for pilotGroup in pilotGroups:
    DNs = Registry.getDNsInGroup( pilotGroup )
    if not DNs:
      continue
    if pilotDN:
      if pilotDN not in DNs:
        continue
      result = gProxyManager.userHasProxy( pilotDN, pilotGroup, 86400 )
      if result[ 'OK' ] and result[ 'Value' ]:
        gLogger.verbose( "Discovered pilot credentials are %s@%s" % ( pilotDN, pilotGroup ) )
        return S_OK( ( pilotDN, pilotGroup ) )
    else:
      for DN in DNs:
        result = gProxyManager.userHasProxy( DN, pilotGroup, 86400 )
        if result[ 'OK' ] and result[ 'Value' ]:
          gLogger.verbose( "Discovered pilot credentials are %s@%s" % ( DN, pilotGroup ) )
          return S_OK( ( DN, pilotGroup ) )

  if pilotDN:
    return S_ERROR( "DN %s does not have group %s" % ( pilotDN, pilotGroups ) )
  return S_ERROR( "No generic proxy in the Proxy Manager with groups %s" % pilotGroups )
示例#14
0
  def completeDelegation( self, requestId, userDN, delegatedPem ):
    """
    Complete a delegation and store it in the db
    """
    retVal = self.retrieveDelegationRequest( requestId, userDN )
    if not retVal[ 'OK' ]:
      return retVal
    request = retVal[ 'Value' ]
    chain = X509Chain( keyObj = request.getPKey() )
    retVal = chain.loadChainFromString( delegatedPem )
    if not retVal[ 'OK' ]:
      return retVal
    retVal = chain.isValidProxy( ignoreDefault = True )
    noGroupFlag = False
    if not retVal[ 'OK' ]:
      if DErrno.cmpError( retVal, DErrno.ENOGROUP ):
        noGroupFlag = True
      else:
        return retVal

    result = chain.isVOMS()
    if result[ 'OK' ] and result[ 'Value' ]:
      return S_ERROR( "Proxies with VOMS extensions are not allowed to be uploaded" )

    retVal = request.checkChain( chain )
    if not retVal[ 'OK' ]:
      return retVal
    if not retVal[ 'Value' ]:
      return S_ERROR( "Received chain does not match request: %s" % retVal[ 'Message' ] )

    retVal = chain.getDIRACGroup()
    if not retVal[ 'OK' ]:
      return retVal
    userGroup = retVal[ 'Value' ]
    if not userGroup:
      userGroup = Registry.getDefaultUserGroup()

    retVal = Registry.getGroupsForDN( userDN )
    if not retVal[ 'OK' ]:
      return retVal
    if not userGroup in retVal[ 'Value' ]:
      return S_ERROR( "%s group is not valid for %s" % ( userGroup, userDN ) )

    # For proxies without embedded DIRAC group only one default is allowed
    # Cleaning all the proxies for this DN if any before uploading the new one.
    if noGroupFlag:
      retVal = self.deleteProxy( userDN )
      if not retVal[ 'OK' ]:
        return retVal

    retVal = self.storeProxy( userDN, userGroup, chain )
    if not retVal[ 'OK' ]:
      return retVal
    retVal = self.deleteRequest( requestId )
    if not retVal[ 'OK' ]:
      return retVal
    return S_OK()
示例#15
0
def findGenericPilotCredentials( vo = False, group = False ):
  if not group and not vo:
    return S_ERROR( "Need a group or a VO to determine the Generic pilot credentials" )
  if not vo:
    vo = Registry.getVOForGroup( group )
    if not vo:
      return S_ERROR( "Group %s does not have a VO associated" % group )
  opsHelper = Operations.Operations( vo = vo )
  pilotGroup = opsHelper.getValue( "Pilot/GenericPilotGroup", "" )
  pilotDN = opsHelper.getValue( "Pilot/GenericPilotDN", "" )
  if pilotDN and pilotGroup:
    gLogger.verbose( "Pilot credentials from CS: %s@%s" % ( pilotDN, pilotGroup ) )
    result = gProxyManager.userHasProxy( pilotDN, pilotGroup, 86400 )
    if not result[ 'OK' ]:
      return S_ERROR( "%s@%s has no proxy in ProxyManager" )
    return S_OK( ( pilotDN, pilotGroup ) )
  #Auto discover
  gLogger.verbose( "Pilot credentials are not defined. Autodiscovering..." )
  if pilotGroup:
    pilotGroups = [ pilotGroup ]
  else:
    result = Registry.getGroupsWithProperty( Properties.GENERIC_PILOT )
    if not result[ 'OK' ]:
      return result
    pilotGroups = []
    groups = result[ 'Value' ]
    if not groups:
      return S_ERROR( "No group with %s property defined" % Properties.GENERIC_PILOT )
    result = Registry.getGroupsForVO( vo )
    if not result[ 'OK' ]:
      return result
    for voGroup in result[ 'Value' ]:
      if voGroup in groups:
        pilotGroups.append( voGroup )
  if not pilotGroups:
    return S_ERROR( "No generic pilot group for VO %s" % vo )
  for pilotGroup in pilotGroups:
    DNs = Registry.getDNsInGroup( pilotGroup )
    if not DNs:
      continue
    if pilotDN:
      if pilotDN not in DNs:
        continue
      result = gProxyManager.userHasProxy( pilotDN, pilotGroup, 86400 )
      if result[ 'OK' ] and result[ 'Value' ]:
        gLogger.verbose( "Discovered pilot credentials: %s@%s" % ( pilotDN, pilotGroup ) )
        return S_OK( ( pilotDN, pilotGroup ) )
    else:
      for DN in DNs:
        result = gProxyManager.userHasProxy( DN, pilotGroup, 86400 )
        if result[ 'OK' ] and result[ 'Value' ]:
          gLogger.verbose( "Discovered pilot credentials: %s@%s" % ( DN, pilotGroup ) )
          return S_OK( ( DN, pilotGroup ) )

  if pilotDN:
    return S_ERROR( "DN %s does not have group %s" % ( pilotDN, pilotGroups ) )
  return S_ERROR( "No generic proxy in the Proxy Manager with groups %s" % pilotGroups )
示例#16
0
文件: ProxyDB.py 项目: radonys/DIRAC
  def __getVOMSAttribute( self, userGroup, requiredVOMSAttribute = False ):

    if requiredVOMSAttribute:
      return S_OK( { 'attribute' : requiredVOMSAttribute, 'VOMSVO' : Registry.getVOMSVOForGroup( userGroup ) } )

    csVOMSMapping = Registry.getVOMSAttributeForGroup( userGroup )
    if not csVOMSMapping:
      return S_ERROR( "No mapping defined for group %s in the CS" % userGroup )

    return S_OK( { 'attribute' : csVOMSMapping, 'VOMSVO' : Registry.getVOMSVOForGroup( userGroup ) } )
示例#17
0
文件: ProxyDB.py 项目: bmb/DIRAC
  def __getVOMSAttribute( self, userGroup, requiredVOMSAttribute = False ):

    if requiredVOMSAttribute:
      return S_OK( { 'attribute' : requiredVOMSAttribute, 'VOMSVO' : Registry.getVOMSVOForGroup( userGroup ) } )

    csVOMSMapping = Registry.getVOMSAttributeForGroup( userGroup )
    if not csVOMSMapping:
      return S_ERROR( "No mapping defined for group %s in the CS" % userGroup )

    return S_OK( { 'attribute' : csVOMSMapping, 'VOMSVO' : Registry.getVOMSVOForGroup( userGroup ) } )
示例#18
0
def getVOfromProxyGroup():
    """
    Return the VO associated to the group in the proxy
    """
    voName = Registry.getVOForGroup("NoneExistingGroup")
    ret = getProxyInfo(disableVOMS=True)
    if not ret["OK"]:
        return S_OK(voName)
    if "group" in ret["Value"]:
        voName = Registry.getVOForGroup(ret["Value"]["group"])
    return S_OK(voName)
示例#19
0
    def __setupManagerProxies(self):
        """setup grid proxy for all defined managers"""
        oHelper = Operations()
        shifters = oHelper.getSections("Shifter")
        if not shifters["OK"]:
            return shifters
        shifters = shifters["Value"]
        for shifter in shifters:
            shifterDict = oHelper.getOptionsDict("Shifter/%s" % shifter)
            if not shifterDict["OK"]:
                self.log.error("Cannot get options dict for shifter",
                               "%s: %s" % (shifter, shifterDict["Message"]))
                continue
            userName = shifterDict["Value"].get("User", "")
            userGroup = shifterDict["Value"].get("Group", "")

            userDN = Registry.getDNForUsername(userName)
            if not userDN["OK"]:
                self.log.error("Cannot get DN For Username",
                               "%s: %s" % (userName, userDN["Message"]))
                continue
            userDN = userDN["Value"][0]
            vomsAttr = Registry.getVOMSAttributeForGroup(userGroup)
            if vomsAttr:
                self.log.debug(
                    "getting VOMS [%s] proxy for shifter %s@%s (%s)" %
                    (vomsAttr, userName, userGroup, userDN))
                getProxy = gProxyManager.downloadVOMSProxyToFile(
                    userDN,
                    userGroup,
                    requiredTimeLeft=1200,
                    cacheTime=4 * 43200)
            else:
                self.log.debug("getting proxy for shifter %s@%s (%s)" %
                               (userName, userGroup, userDN))
                getProxy = gProxyManager.downloadProxyToFile(
                    userDN,
                    userGroup,
                    requiredTimeLeft=1200,
                    cacheTime=4 * 43200)
            if not getProxy["OK"]:
                return S_ERROR("unable to setup shifter proxy for %s: %s" %
                               (shifter, getProxy["Message"]))
            chain = getProxy["chain"]
            fileName = getProxy["Value"]
            self.log.debug("got %s: %s %s" % (shifter, userName, userGroup))
            self.__managersDict[shifter] = {
                "ShifterDN": userDN,
                "ShifterName": userName,
                "ShifterGroup": userGroup,
                "Chain": chain,
                "ProxyFile": fileName,
            }
        return S_OK()
示例#20
0
def getVOfromProxyGroup():
    """
  Return the VO associated to the group in the proxy
  """
    voName = Registry.getVOForGroup("NoneExistingGroup")
    ret = getProxyInfo(disableVOMS=True)
    if not ret["OK"]:
        return S_OK(voName)
    if "group" in ret["Value"]:
        voName = Registry.getVOForGroup(ret["Value"]["group"])
    return S_OK(voName)
示例#21
0
def getVOfromProxyGroup():
  """
  Return the VO associated to the group in the proxy
  """
  voName = Registry.getVOForGroup( 'NoneExistingGroup' )
  ret = getProxyInfo( disableVOMS = True )
  if not ret['OK']:
    return S_OK( voName )
  if 'group' in ret['Value']:
    voName = Registry.getVOForGroup( ret['Value']['group'] )
  return S_OK( voName )
示例#22
0
  def __getPUSProxy( self, userDN, userGroup, requiredLifetime, requestedVOMSAttr = None ):

    result = Registry.getGroupsForDN( userDN )
    if not result['OK']:
      return result

    validGroups = result['Value']
    if not userGroup in validGroups:
      return S_ERROR( 'Invalid group %s for user' % userGroup )

    voName = Registry.getVOForGroup( userGroup )
    if not voName:
      return S_ERROR( 'Can not determine VO for group %s' % userGroup )

    retVal = self.__getVOMSAttribute( userGroup, requestedVOMSAttr )
    if not retVal[ 'OK' ]:
      return retVal
    vomsAttribute = retVal[ 'Value' ][ 'attribute' ]
    vomsVO = retVal[ 'Value' ][ 'VOMSVO' ]

    puspServiceURL = Registry.getVOOption( voName, 'PUSPServiceURL' )
    if not puspServiceURL:
      return S_ERROR( 'Can not determine PUSP service URL for VO %s' % voName )

    user = userDN.split(":")[-1]

    puspURL = "%s?voms=%s:%s&proxy-renewal=false&disable-voms-proxy=false" \
              "&rfc-proxy=true&cn-label=user:%s" % ( puspServiceURL, vomsVO, vomsAttribute, user )

    try:
      proxy = urllib.urlopen( puspURL ).read()
    except Exception as e:
      return S_ERROR( 'Failed to get proxy from the PUSP server' )

    chain = X509Chain()
    chain.loadChainFromString( proxy )
    chain.loadKeyFromString( proxy )

    result = chain.getCredentials()
    if not result['OK']:
      return S_ERROR( 'Failed to get a valid PUSP proxy' )
    credDict = result['Value']
    if credDict['identity'] != userDN:
      return S_ERROR( 'Requested DN does not match the obtained one in the PUSP proxy' )
    timeLeft = credDict['secondsLeft']

    result = chain.generateProxyToString( lifeTime = timeLeft,
                                          diracGroup = userGroup )
    if not result['OK']:
      return result
    proxyString = result['Value']
    return S_OK( ( proxyString, timeLeft ) )
示例#23
0
文件: Shifter.py 项目: pmusset/DIRAC
def getShifterProxy(shifterType, fileName=False):
    """ This method returns a shifter's proxy

      :param str shifterType: ProductionManager / DataManager...
      :param str fileName: file name

      :return: S_OK(dict)/S_ERROR()
  """
    if fileName:
        mkDir(os.path.dirname(fileName))
    opsHelper = Operations()
    userName = opsHelper.getValue(cfgPath('Shifter', shifterType, 'User'), '')
    if not userName:
        return S_ERROR("No shifter User defined for %s" % shifterType)
    result = Registry.getDNForUsername(userName)
    if not result['OK']:
        return result
    userDN = result['Value'][0]
    result = Registry.findDefaultGroupForDN(userDN)
    if not result['OK']:
        return result
    defaultGroup = result['Value']
    userGroup = opsHelper.getValue(cfgPath('Shifter', shifterType, 'Group'),
                                   defaultGroup)
    vomsAttr = Registry.getVOMSAttributeForGroup(userGroup)
    if vomsAttr:
        gLogger.info("Getting VOMS [%s] proxy for shifter %s@%s (%s)" %
                     (vomsAttr, userName, userGroup, userDN))
        result = gProxyManager.downloadVOMSProxyToFile(userDN,
                                                       userGroup,
                                                       filePath=fileName,
                                                       requiredTimeLeft=86400,
                                                       cacheTime=86400)
    else:
        gLogger.info("Getting proxy for shifter %s@%s (%s)" %
                     (userName, userGroup, userDN))
        result = gProxyManager.downloadProxyToFile(userDN,
                                                   userGroup,
                                                   filePath=fileName,
                                                   requiredTimeLeft=86400,
                                                   cacheTime=86400)
    if not result['OK']:
        return result
    chain = result['chain']
    fileName = result['Value']
    return S_OK({
        'DN': userDN,
        'username': userName,
        'group': userGroup,
        'chain': chain,
        'proxyFile': fileName
    })
示例#24
0
    def completeDelegation(self, requestId, userDN, delegatedPem):
        """
    Complete a delegation and store it in the db
    """
        retVal = self.retrieveDelegationRequest(requestId, userDN)
        if not retVal['OK']:
            return retVal
        request = retVal['Value']
        chain = X509Chain(keyObj=request.getPKey())
        retVal = chain.loadChainFromString(delegatedPem)
        if not retVal['OK']:
            return retVal
        retVal = chain.isValidProxy()
        if not retVal['OK']:
            return retVal
        if not retVal['Value']:
            return S_ERROR("Chain received is not a valid proxy: %s" %
                           retVal['Message'])

        retVal = request.checkChain(chain)
        if not retVal['OK']:
            return retVal
        if not retVal['Value']:
            return S_ERROR("Received chain does not match request: %s" %
                           retVal['Message'])

        retVal = chain.getDIRACGroup()
        if not retVal['OK']:
            return retVal
        userGroup = retVal['Value']
        if not userGroup:
            userGroup = Registry.getDefaultUserGroup()

        retVal = Registry.getGroupsForDN(userDN)
        if not retVal['OK']:
            return retVal
        if not userGroup in retVal['Value']:
            return S_ERROR("%s group is not valid for %s" %
                           (userGroup, userDN))

        retVal = self.__checkVOMSisAlignedWithGroup(userGroup, chain)
        if not retVal['OK']:
            return retVal

        retVal = self.storeProxy(userDN, userGroup, chain)
        if not retVal['OK']:
            return retVal
        retVal = self.deleteRequest(requestId)
        if not retVal['OK']:
            return retVal
        return S_OK()
示例#25
0
    def completeDelegation(self, requestId, userDN, delegatedPem):
        """
    Complete a delegation and store it in the db
    """
        retVal = self.retrieveDelegationRequest(requestId, userDN)
        if not retVal['OK']:
            return retVal
        request = retVal['Value']
        chain = X509Chain(keyObj=request.getPKey())
        retVal = chain.loadChainFromString(delegatedPem)
        if not retVal['OK']:
            return retVal
        retVal = chain.isValidProxy(ignoreDefault=True)
        if not retVal['OK']:
            return retVal

        result = chain.isVOMS()
        if result['OK'] and result['Value']:
            return S_ERROR(
                "Proxies with VOMS extensions are not allowed to be uploaded")

        retVal = request.checkChain(chain)
        if not retVal['OK']:
            return retVal
        if not retVal['Value']:
            return S_ERROR("Received chain does not match request: %s" %
                           retVal['Message'])

        retVal = chain.getDIRACGroup()
        if not retVal['OK']:
            return retVal
        userGroup = retVal['Value']
        if not userGroup:
            userGroup = Registry.getDefaultUserGroup()

        retVal = Registry.getGroupsForDN(userDN)
        if not retVal['OK']:
            return retVal
        if not userGroup in retVal['Value']:
            return S_ERROR("%s group is not valid for %s" %
                           (userGroup, userDN))

        retVal = self.storeProxy(userDN, userGroup, chain)
        if not retVal['OK']:
            return retVal
        retVal = self.deleteRequest(requestId)
        if not retVal['OK']:
            return retVal
        return S_OK()
示例#26
0
  def completeDelegation( self, requestId, userDN, delegatedPem ):
    """
    Complete a delegation and store it in the db
    """
    retVal = self.retrieveDelegationRequest( requestId, userDN )
    if not retVal[ 'OK' ]:
      return retVal
    request = retVal[ 'Value' ]
    chain = X509Chain( keyObj = request.getPKey() )
    retVal = chain.loadChainFromString( delegatedPem )
    if not retVal[ 'OK' ]:
      return retVal
    retVal = chain.isValidProxy()
    if not retVal[ 'OK' ]:
      return retVal
    if not retVal[ 'Value' ]:
      return S_ERROR( "Chain received is not a valid proxy: %s" % retVal[ 'Message' ] )

    retVal = request.checkChain( chain )
    if not retVal[ 'OK' ]:
      return retVal
    if not retVal[ 'Value' ]:
      return S_ERROR( "Received chain does not match request: %s" % retVal[ 'Message' ] )

    retVal = chain.getDIRACGroup()
    if not retVal[ 'OK' ]:
      return retVal
    userGroup = retVal[ 'Value' ]
    if not userGroup:
      userGroup = Registry.getDefaultUserGroup()

    retVal = Registry.getGroupsForDN( userDN )
    if not retVal[ 'OK' ]:
      return retVal
    if not userGroup in retVal[ 'Value' ]:
      return S_ERROR( "%s group is not valid for %s" % ( userGroup, userDN ) )

    retVal = self.__checkVOMSisAlignedWithGroup( userGroup, chain )
    if not retVal[ 'OK' ]:
      return retVal

    retVal = self.storeProxy( userDN, userGroup, chain )
    if not retVal[ 'OK' ]:
      return retVal
    retVal = self.deleteRequest( requestId )
    if not retVal[ 'OK' ]:
      return retVal
    return S_OK()
示例#27
0
    def getPilotProxyFromVOMSGroup(self,
                                   userDN,
                                   vomsAttr,
                                   requiredTimeLeft=43200,
                                   proxyToConnect=None):
        """ Download a pilot proxy with VOMS extensions depending on the group

        :param basestring userDN: user DN
        :param basestring vomsAttr: VOMS attribute
        :param int requiredTimeLeft: required proxy live time in a seconds
        :param X509Chain proxyToConnect: proxy as a chain

        :return: S_OK(X509Chain)/S_ERROR()
    """
        groups = Registry.getGroupsWithVOMSAttribute(vomsAttr)
        if not groups:
            return S_ERROR("No group found that has %s as voms attrs" %
                           vomsAttr)

        for userGroup in groups:
            result = self.downloadVOMSProxy(userDN,
                                            userGroup,
                                            limited=False,
                                            requiredTimeLeft=requiredTimeLeft,
                                            requiredVOMSAttribute=vomsAttr,
                                            proxyToConnect=proxyToConnect)
            if result['OK']:
                return result
        return result
示例#28
0
 def __addUserNameToTable(self, tableName):
     result = self._update(
         "ALTER TABLE `%s` ADD COLUMN UserName VARCHAR(64) NOT NULL" %
         tableName)
     if not result['OK']:
         return result
     result = self._query("SELECT DISTINCT UserName, UserDN FROM `%s`" %
                          tableName)
     if not result['OK']:
         return result
     data = result['Value']
     for userName, userDN in data:
         if not userName:
             result = Registry.getUsernameForDN(userDN)
             if not result['OK']:
                 self.log.error("Could not retrieve username for DN %s" %
                                userDN)
                 continue
             userName = result['Value']
             result = self._escapeString(userName)
             if not result['OK']:
                 self.log.error("Could not escape username %s" % userName)
                 continue
             userName = result['Value']
             result = self._update(
                 "UPDATE `%s` SET UserName=%s WHERE UserDN='%s'" %
                 (tableName, userName, userDN))
             if not result['OK']:
                 self.log.error("Could update username for DN %s: %s" %
                                (userDN, result['Message']))
                 continue
             self.log.info("UserDN %s has user %s" % (userDN, userName))
     return S_OK()
示例#29
0
    def getPilotProxyFromDIRACGroup(self,
                                    userDN,
                                    userGroup,
                                    requiredTimeLeft=43200,
                                    proxyToConnect=None):
        """ Download a pilot proxy with VOMS extensions depending on the group

        :param basestring userDN: user DN
        :param basestring userGroup: user group
        :param int requiredTimeLeft: required proxy live time in a seconds
        :param X509Chain proxyToConnect: proxy as a chain

        :return: S_OK(X509Chain)/S_ERROR()
    """
        # Assign VOMS attribute
        vomsAttr = Registry.getVOMSAttributeForGroup(userGroup)
        if not vomsAttr:
            gLogger.verbose(
                "No voms attribute assigned to group %s when requested pilot proxy"
                % userGroup)
            return self.downloadProxy(userDN,
                                      userGroup,
                                      limited=False,
                                      requiredTimeLeft=requiredTimeLeft,
                                      proxyToConnect=proxyToConnect)
        else:
            return self.downloadVOMSProxy(userDN,
                                          userGroup,
                                          limited=False,
                                          requiredTimeLeft=requiredTimeLeft,
                                          requiredVOMSAttribute=vomsAttr,
                                          proxyToConnect=proxyToConnect)
示例#30
0
 def __filterEntitiesByRequester(self, entitiesList, entitiesSetup,
                                 requesterName, requesterGroup):
     """
 Given a list of entities and a requester, return the ones that the requester is allowed to modify
 """
     sqlCond = [
         "s.OwnerId=o.OwnerId", "s.SBId=e.SBId",
         "e.EntitySetup=%s" % entitiesSetup
     ]
     requesterProps = Registry.getPropertiesForEntity(requesterGroup,
                                                      name=requesterName)
     if Properties.JOB_ADMINISTRATOR in requesterProps:
         # Do nothing, just ensure it doesn't fit in the other cases
         pass
     elif Properties.JOB_SHARING in requesterProps:
         sqlCond.append("o.OwnerGroup='%s'" % requesterGroup)
     elif Properties.NORMAL_USER in requesterProps:
         sqlCond.append("o.OwnerGroup='%s'" % requesterGroup)
         sqlCond.append("o.Owner='%s'" % requesterName)
     else:
         return S_ERROR("Not authorized to access sandbox")
     for i in range(len(entitiesList)):
         entitiesList[i] = self._escapeString(entitiesList[i])['Value']
     if len(entitiesList) == 1:
         sqlCond.append("e.EntityId = %s" % entitiesList[0])
     else:
         sqlCond.append("e.EntityId in ( %s )" % ", ".join(entitiesList))
     sqlCmd = "SELECT DISTINCT e.EntityId FROM `sb_EntityMapping` e, `sb_SandBoxes` s, `sb_Owners` o WHERE"
     sqlCmd = "%s %s" % (sqlCmd, " AND ".join(sqlCond))
     result = self._query(sqlCmd)
     if not result['OK']:
         return result
     return S_OK([row[0] for row in result['Value']])
示例#31
0
 def getSandboxesAssignedToEntity(self, entityId, entitySetup,
                                  requesterName, requesterGroup):
     """
 Get the sandboxes and the type of assignation to the jobId
 """
     sqlTables = ["`sb_SandBoxes` s", "`sb_EntityMapping` e"]
     sqlCond = [
         "s.SBId = e.SBId",
         "e.EntityId = %s" % self._escapeString(entityId)['Value'],
         "e.EntitySetup = %s" % self._escapeString(entitySetup)['Value']
     ]
     requesterProps = Registry.getPropertiesForEntity(requesterGroup,
                                                      name=requesterName)
     if Properties.JOB_ADMINISTRATOR in requesterProps or Properties.JOB_MONITOR in requesterProps:
         # Do nothing, just ensure it doesn't fit in the other cases
         pass
     elif Properties.JOB_SHARING in requesterProps:
         sqlTables.append("`sb_Owners` o")
         sqlCond.append("o.OwnerGroup='%s'" % requesterGroup)
         sqlCond.append("s.OwnerId=o.OwnerId")
     elif Properties.NORMAL_USER in requesterProps:
         sqlTables.append("`sb_Owners` o")
         sqlCond.append("o.OwnerGroup='%s'" % requesterGroup)
         sqlCond.append("o.Owner='%s'" % requesterName)
         sqlCond.append("s.OwnerId=o.OwnerId")
     else:
         return S_ERROR("Not authorized to access sandbox")
     sqlCmd = "SELECT DISTINCT s.SEName, s.SEPFN, e.Type FROM  %s WHERE %s" % (
         ", ".join(sqlTables), " AND ".join(sqlCond))
     return self._query(sqlCmd)
示例#32
0
  def addVomsExt( self, proxy ):
    retVal = self.getEnv( "group_name" )
    if not retVal[ "OK" ]:
      raise Exception( result[ "Message" ] )

    group = retVal[ "Value" ]
    vomsAttr = Registry.getVOMSAttributeForGroup( group )
    if not vomsAttr:
      raise Exception( "Requested adding a VOMS extension but no VOMS attribute defined for group %s" % group )

    result = VOMS.VOMS( ).setVOMSAttributes( proxy, attribute = vomsAttr, vo = Registry.getVOForGroup( group ))
    if not result[ 'OK' ]:
      raise Exception( "Could not add VOMS extensions to the proxy\nFailed adding VOMS attribute: %s" % result[ 'Message' ] )

    chain = result[ 'Value' ]
    chain.dumpAllToFile( proxy )
示例#33
0
 def __processCredentials( self ):
   """
   Extract the user credentials based on the certificate or what comes from the balancer
   """
   self.__credDict = {}
   #NGINX
   if Conf.balancer() == "nginx":
     headers = self.request.headers
     if headers[ 'X-Scheme' ] == "https" and headers[ 'X-Ssl_client_verify' ] == 'SUCCESS':
       DN = headers[ 'X-Ssl_client_s_dn' ]
       self.__credDict[ 'subject' ] = DN
       self.__credDict[ 'issuer' ] = headers[ 'X-Ssl_client_i_dn' ]
       result = Registry.getUsernameForDN( DN )
       if not result[ 'OK' ]:
         self.__credDict[ 'validDN' ] = False
       else:
         self.__credDict[ 'validDN' ] = True
         self.__credDict[ 'username' ] = result[ 'Value' ]
     return
   #TORNADO
   if not self.request.protocol == "https":
     return
   derCert = self.request.get_ssl_certificate( binary_form = True )
   if not derCert:
     return
   pemCert = ssl.DER_cert_to_PEM_cert( derCert )
   chain = X509Chain()
   chain.loadChainFromString( pemCert )
   result = chain.getCredentials()
   if not result[ 'OK' ]:
     self.log.error( "Could not get client credentials %s" % result[ 'Message' ] )
     return
   self.__credDict = result[ 'Value' ]
示例#34
0
    def getPayloadProxyFromVOMSGroup(self,
                                     userDN,
                                     vomsAttr,
                                     token,
                                     requiredTimeLeft,
                                     proxyToConnect=None):
        """ Download a payload proxy with VOMS extensions depending on the VOMS attr

        :param basestring userDN: user DN
        :param basestring vomsAttr: VOMS attribute
        :param basestring token: valid token to get a proxy
        :param int requiredTimeLeft: required proxy live time in a seconds
        :param X509Chain proxyToConnect: proxy as a chain

        :return: S_OK(X509Chain)/S_ERROR()
    """
        groups = Registry.getGroupsWithVOMSAttribute(vomsAttr)
        if not groups:
            return S_ERROR("No group found that has %s as voms attrs" %
                           vomsAttr)
        userGroup = groups[0]

        return self.downloadVOMSProxy(userDN,
                                      userGroup,
                                      limited=True,
                                      requiredTimeLeft=requiredTimeLeft,
                                      requiredVOMSAttribute=vomsAttr,
                                      proxyToConnect=proxyToConnect,
                                      token=token)
示例#35
0
文件: ProxyDB.py 项目: bmb/DIRAC
 def __addUserNameToTable( self, tableName ):
   result = self._update( "ALTER TABLE `%s` ADD COLUMN UserName VARCHAR(64) NOT NULL" % tableName )
   if not result[ 'OK' ]:
     return result
   result = self._query( "SELECT DISTINCT UserName, UserDN FROM `%s`" % tableName )
   if not result[ 'OK' ]:
     return result
   data = result[ 'Value' ]
   for userName, userDN in data:
     if not userName:
       result = Registry.getUsernameForDN( userDN )
       if not result[ 'OK' ]:
         self.log.error( "Could not retrieve username for DN %s" % userDN )
         continue
       userName = result[ 'Value' ]
       result = self._escapeString( userName )
       if not result[ 'OK' ]:
         self.log.error( "Could not escape username %s" % userName )
         continue
       userName = result[ 'Value' ]
       result = self._update( "UPDATE `%s` SET UserName=%s WHERE UserDN='%s'" % ( tableName, userName, userDN ) )
       if not result[ 'OK' ]:
         self.log.error( "Could update username for DN %s: %s" % ( userDN, result[ 'Message' ] ) )
         continue
       self.log.info( "UserDN %s has user %s" % ( userDN, userName ) )
   return S_OK()
示例#36
0
    def addDataset(self, name, datasetDict, numericid):
        """Pretty print of the dataset ls output"""
        perm = datasetDict["Mode"]
        date = datasetDict["ModificationDate"]
        size = datasetDict["TotalSize"]
        if "Owner" in datasetDict:
            uname = datasetDict["Owner"]
        elif "OwnerDN" in datasetDict:
            result = Registry.getUsernameForDN(datasetDict["OwnerDN"])
            if result["OK"]:
                uname = result["Value"]
            else:
                uname = "unknown"
        else:
            uname = "unknown"
        if numericid:
            uname = str(datasetDict["UID"])

        gname = "unknown"
        if "OwnerGroup" in datasetDict:
            gname = datasetDict["OwnerGroup"]
        if numericid:
            gname = str(datasetDict["GID"])

        numberOfFiles = datasetDict["NumberOfFiles"]

        self.entries.append(("s" + self.__getModeString(perm), numberOfFiles,
                             uname, gname, size, date, name))
示例#37
0
 def __executeClient(self, host, method, *parms, **kwargs):
     """Execute RPC method on a given host"""
     hostName = Registry.getHostOption(host, "Host", host)
     client = SystemAdministratorClient(hostName, **self.__kwargs)
     result = getattr(client, method)(*parms, **kwargs)
     result["Host"] = host
     return result
示例#38
0
 def _addPilotsAccountingReport(self, pilotsData):
   """ fill accounting data
   """
   for pRef in pilotsData:
     pData = pilotsData[pRef]
     pA = PilotAccounting()
     pA.setEndTime(pData['LastUpdateTime'])
     pA.setStartTime(pData['SubmissionTime'])
     retVal = Registry.getUsernameForDN(pData['OwnerDN'])
     if not retVal['OK']:
       userName = '******'
       self.log.error("Can't determine username for dn:", pData['OwnerDN'])
     else:
       userName = retVal['Value']
     pA.setValueByKey('User', userName)
     pA.setValueByKey('UserGroup', pData['OwnerGroup'])
     result = getCESiteMapping(pData['DestinationSite'])
     if result['OK'] and pData['DestinationSite'] in result['Value']:
       pA.setValueByKey('Site', result['Value'][pData['DestinationSite']].strip())
     else:
       pA.setValueByKey('Site', 'Unknown')
     pA.setValueByKey('GridCE', pData['DestinationSite'])
     pA.setValueByKey('GridMiddleware', pData['GridType'])
     pA.setValueByKey('GridResourceBroker', pData['Broker'])
     pA.setValueByKey('GridStatus', pData['Status'])
     if 'Jobs' not in pData:
       pA.setValueByKey('Jobs', 0)
     else:
       pA.setValueByKey('Jobs', len(pData['Jobs']))
     self.log.verbose("Added accounting record for pilot %s" % pData['PilotID'])
     retVal = gDataStoreClient.addRegister(pA)
     if not retVal['OK']:
       return retVal
   return S_OK()
示例#39
0
 def export_requestDelegationUpload( self, requestedUploadTime, userGroup ):
   """ Request a delegation. Send a delegation request to client
   """
   credDict = self.getRemoteCredentials()
   userDN = credDict[ 'DN' ]
   userName = credDict[ 'username' ]
   if not userGroup:
     userGroup = credDict[ 'group' ]
   retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
   if not retVal[ 'OK' ]:
     return retVal
   groupsAvailable = retVal[ 'Value' ]
   if userGroup not in groupsAvailable:
     return S_ERROR( "%s is not a valid group for user %s" % ( userGroup, userName ) )
   clientChain = credDict[ 'x509Chain' ]
   clientSecs = clientChain.getIssuerCert()[ 'Value' ].getRemainingSecs()[ 'Value' ]
   requestedUploadTime = min( requestedUploadTime, clientSecs )
   retVal = self.__proxyDB.getRemainingTime( userDN, userGroup )
   if not retVal[ 'OK' ]:
     return retVal
   remainingSecs = retVal[ 'Value' ]
   # If we have a proxy longer than the one uploading it's not needed
   # ten minute margin to compensate just in case
   if remainingSecs >= requestedUploadTime - 600:
     gLogger.info( "Upload request not necessary by %s:%s" % ( userName, userGroup ) )
     return self.__addKnownUserProxiesInfo( S_OK() )
   result = self.__proxyDB.generateDelegationRequest( credDict[ 'x509Chain' ], userDN )
   if result[ 'OK' ]:
     gLogger.info( "Upload request by %s:%s given id %s" % ( userName, userGroup, result['Value']['id'] ) )
   else:
     gLogger.error( "Upload request failed", "by %s:%s : %s" % ( userName, userGroup, result['Message'] ) )
   return result
示例#40
0
    def __generateUserProxiesInfo(self):
        """ Generate information dict about user proxies

        :return: dict
    """
        proxiesInfo = {}
        credDict = self.getRemoteCredentials()
        result = Registry.getDNForUsername(credDict['username'])
        if not result['OK']:
            return result
        selDict = {'UserDN': result['Value']}
        result = self.__proxyDB.getProxiesContent(selDict, {})
        if not result['OK']:
            return result
        contents = result['Value']
        userDNIndex = contents['ParameterNames'].index("UserDN")
        userGroupIndex = contents['ParameterNames'].index("UserGroup")
        expirationIndex = contents['ParameterNames'].index("ExpirationTime")
        for record in contents['Records']:
            userDN = record[userDNIndex]
            if userDN not in proxiesInfo:
                proxiesInfo[userDN] = {}
            userGroup = record[userGroupIndex]
            proxiesInfo[userDN][userGroup] = record[expirationIndex]
        return proxiesInfo
示例#41
0
  def __discoverExtraCredentials(self):
    """ Add extra credentials informations.
        * self.__extraCredentials
          -> if KW_EXTRA_CREDENTIALS in kwargs, we set it
          -> Otherwise, if we use the server certificate, we set it to VAL_EXTRA_CREDENTIALS_HOST
          -> If we have a delegation (see bellow), we set it to (delegatedDN, delegatedGroup)
          -> otherwise it is an empty string
        * delegation:
          -> if KW_DELEGATED_DN in kwargs, or delegatedDN in threadConfig, put in in self.kwargs
          -> if KW_DELEGATED_GROUP in kwargs or delegatedGroup in threadConfig, put it in self.kwargs
          -> If we have a delegated DN but not group, we find the corresponding group in the CS

        :return: S_OK()/S_ERROR()
    """
    # which extra credentials to use?
    self.__extraCredentials = self.VAL_EXTRA_CREDENTIALS_HOST if self.__useCertificates else ""
    if self.KW_EXTRA_CREDENTIALS in self.kwargs:
      self.__extraCredentials = self.kwargs[self.KW_EXTRA_CREDENTIALS]

    # Are we delegating something?
    delegatedDN = self.kwargs.get(self.KW_DELEGATED_DN) or self.__threadConfig.getDN()
    delegatedGroup = self.kwargs.get(self.KW_DELEGATED_GROUP) or self.__threadConfig.getGroup()
    if delegatedDN:
      self.kwargs[self.KW_DELEGATED_DN] = delegatedDN
      if not delegatedGroup:
        result = Registry.findDefaultGroupForDN(delegatedDN)
        if not result['OK']:
          return result
        delegatedGroup = result['Value']
      self.kwargs[self.KW_DELEGATED_GROUP] = delegatedGroup
      self.__extraCredentials = (delegatedDN, delegatedGroup)
    return S_OK()
  def addVOMSExtIfNeeded( self ):
    addVOMS = Registry.getGroupOption( self.__piParams.diracGroup, "AutoAddVOMS", self.__piParams.addVOMSExt )
    if not addVOMS:
      return

    vomsAttr = Registry.getVOMSAttributeForGroup( self.__piParams.diracGroup )
    if not vomsAttr:
      gLogger.error( "Requested adding a VOMS extension but no VOMS attribute defined for group %s" % self.__piParams.diracGroup )
      return

    result = VOMS.VOMS().setVOMSAttributes( vomsAttr, vo = Registry.getVOForGroup( self.__piParams.diracGroup ) )
    if not result[ 'OK' ]:
      gLogger.error( "Failed adding VOMS attribute:", result[ 'Message' ] )
      return False
    else:
      gLogger.notice( "Added VOMS attribute %s" % vomsAttr )
示例#43
0
 def export_requestDelegationUpload(self, requestedUploadTime, userGroup):
     """ Request a delegation. Send a delegation request to client
 """
     credDict = self.getRemoteCredentials()
     userDN = credDict['DN']
     userName = credDict['username']
     if not userGroup:
         userGroup = credDict['group']
     retVal = Registry.getGroupsForUser(credDict['username'])
     if not retVal['OK']:
         return retVal
     groupsAvailable = retVal['Value']
     if userGroup not in groupsAvailable:
         return S_ERROR("%s is not a valid group for user %s" %
                        (userGroup, userName))
     clientChain = credDict['x509Chain']
     clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs(
     )['Value']
     requestedUploadTime = min(requestedUploadTime,
                               clientSecs)  # FIXME: this is useless now...
     result = self.__proxyDB.generateDelegationRequest(
         credDict['x509Chain'], userDN)
     if result['OK']:
         gLogger.info("Upload request by %s:%s given id %s" %
                      (userName, userGroup, result['Value']['id']))
     else:
         gLogger.error(
             "Upload request failed",
             "by %s:%s : %s" % (userName, userGroup, result['Message']))
     return result
  def __init__( self, **kwargs ):
    """ Constructor  
    """
    if 'hosts' in kwargs:
      self.__hosts = kwargs['hosts']
      del kwargs['hosts']
    else:  
      result = Registry.getHosts()
      if result['OK']:
        self.__hosts = result['Value']
      else:
        self.__hosts = []
      # Excluded hosts
      if 'exclude' in kwargs:
        self.__hosts = list ( set( self.__hosts ) - set( kwargs[ 'exclude' ] ) )

    # Ping the hosts to remove those that don't have a SystemAdministrator service
    sysAdminHosts = []
    for host in self.__hosts:
      client = SystemAdministratorClient( host )
      result = client.ping()
      if result[ 'OK' ]:
        sysAdminHosts.append( host )
    self.__hosts = sysAdminHosts
      
    self.__kwargs = dict( kwargs )  
    self.__pool = ThreadPool( len( self.__hosts ) )  
    self.__resultDict = {}
示例#45
0
 def addNotificationForUser(self, user, message, lifetime=0, deferToMail=1):
     if user not in Registry.getAllUsers():
         return S_ERROR("%s is an unknown user" % user)
     self.log.info("Adding a notification for user %s (msg is %s chars)" % (user, len(message)))
     result = self._escapeString(user)
     if not result["OK"]:
         return result
     user = result["Value"]
     result = self._escapeString(message)
     if not result["OK"]:
         return result
     message = result["Value"]
     sqlFields = ["User", "Message", "Timestamp"]
     sqlValues = [user, message, "UTC_TIMESTAMP()"]
     if not deferToMail:
         sqlFields.append("DeferToMail")
         sqlValues.append("0")
     if lifetime:
         sqlFields.append("Expiration")
         sqlValues.append("TIMESTAMPADD( SECOND, %d, UTC_TIMESTAMP() )" % int(lifetime))
     sqlInsert = "INSERT INTO `ntf_Notifications` (%s) VALUES (%s) " % (",".join(sqlFields), ",".join(sqlValues))
     result = self._update(sqlInsert)
     if not result["OK"]:
         return result
     return S_OK(result["lastRowId"])
示例#46
0
  def completeDelegation( self, requestId, userDN, delegatedPem ):
    """
    Complete a delegation and store it in the db
    """
    retVal = self.retrieveDelegationRequest( requestId, userDN )
    if not retVal[ 'OK' ]:
      return retVal
    request = retVal[ 'Value' ]
    chain = X509Chain( keyObj = request.getPKey() )
    retVal = chain.loadChainFromString( delegatedPem )
    if not retVal[ 'OK' ]:
      return retVal
    retVal = chain.isValidProxy( ignoreDefault = True )
    if not retVal[ 'OK' ]:
      return retVal

    result = chain.isVOMS()
    if result[ 'OK' ] and result[ 'Value' ]:
      return S_ERROR( "Proxies with VOMS extensions are not allowed to be uploaded" )

    retVal = request.checkChain( chain )
    if not retVal[ 'OK' ]:
      return retVal
    if not retVal[ 'Value' ]:
      return S_ERROR( "Received chain does not match request: %s" % retVal[ 'Message' ] )

    retVal = chain.getDIRACGroup()
    if not retVal[ 'OK' ]:
      return retVal
    userGroup = retVal[ 'Value' ]
    if not userGroup:
      userGroup = Registry.getDefaultUserGroup()

    retVal = Registry.getGroupsForDN( userDN )
    if not retVal[ 'OK' ]:
      return retVal
    if not userGroup in retVal[ 'Value' ]:
      return S_ERROR( "%s group is not valid for %s" % ( userGroup, userDN ) )

    retVal = self.storeProxy( userDN, userGroup, chain )
    if not retVal[ 'OK' ]:
      return retVal
    retVal = self.deleteRequest( requestId )
    if not retVal[ 'OK' ]:
      return retVal
    return S_OK()
示例#47
0
 def userName( self ):
   DN = self.__inTokenData( 'userDN' )
   if not DN:
     return False
   result = Registry.getUsernameForDN( DN )
   if not result[ 'OK' ]:
     return False
   return result[ 'Value' ]
示例#48
0
 def __getCredDict( self, DN, group ):
   """
   Generate a credDict based on the credentials
   """
   if not group or not DN:
     return {}
   users = Registry.getUsersInGroup( group )
   if not users:
     gLogger.error( "Group %s does not have any user!" % group )
     return {}
   result = Registry.getUsernameForDN( DN )
   if not result[ 'OK' ]:
     return {}
   user = result[ 'Value' ]
   if user not in users:
     return {}
   return { 'DN' : DN, 'group' : group, 'username' : user }
示例#49
0
 def __checkStageAllowed( self, jobState):
   """Check if the job credentials allow to stage date """
   result = jobState.getAttribute( "OwnerGroup" )
   if not result[ 'OK' ]:
     self.jobLog.error( "Cannot retrieve OwnerGroup from DB: %s" % result[ 'Message' ] )
     return S_ERROR( "Cannot get OwnerGroup" )
   group = result[ 'Value' ]
   return Properties.STAGE_ALLOWED in Registry.getPropertiesForGroup( group )
示例#50
0
 def export_getVOByGroup(self, group):
   """
   Returns the vo which the group belongs to.
   """
 
   gLogger.info('getVOByGroup')
   
   return S_OK(Registry.getVOMSVOForGroup(group))
示例#51
0
 def export_getVOs(self):
   """
   Returns the list of all VOs.
   """
   
   gLogger.info('getVOs')
   
   return Registry.getVOs()
 def __executeClient( self, host, method, *parms, **kwargs ):
   """ Execute RPC method on a given host 
   """        
   hostName = Registry.getHostOption( host, 'Host', host)
   client = SystemAdministratorClient( hostName, **self.__kwargs )
   result = getattr( client, method )( *parms, **kwargs )
   result['Host'] = host   
   return result
示例#53
0
 def __getOpsHelper( self, setup = False, vo = False ):
   if not setup:
     setup = self.srv_getClientSetup()
   if not vo:
     vo = Registry.getVOForGroup( self.getRemoteCredentials()[ 'group' ] )
   cKey = ( vo, setup )
   if cKey not in MatcherHandler.__opsCache:
     MatcherHandler.__opsCache[ cKey ] = Operations.Operations( vo = vo, setup = setup )
   return MatcherHandler.__opsCache[ cKey ]
示例#54
0
def mapVoToGroups( voname ):
  """
  Returns all groups available for a given VO as a set.
  """

  vo_dict =  Registry.getGroupsForVO( voname )
  if not vo_dict[ 'OK' ]:
    raise RuntimeError( 'Could not retrieve groups for vo %s.' % voname )

  return set( vo_dict[ 'Value' ] )
示例#55
0
  def _checkCredentials(self, resourceDict, credDict):
    """ Check if we can get a job given the passed credentials
    """
    if Properties.GENERIC_PILOT in credDict['properties']:
      # You can only match groups in the same VO
      if credDict['group'] == "hosts":
        # for the host case the VirtualOrganization parameter
        # is mandatory in resourceDict
        vo = resourceDict.get('VirtualOrganization', '')
      else:
        vo = Registry.getVOForGroup(credDict['group'])
      if 'OwnerGroup' not in resourceDict:
        result = Registry.getGroupsForVO(vo)
        if result['OK']:
          resourceDict['OwnerGroup'] = result['Value']
        else:
          raise RuntimeError(result['Message'])
    else:
      # If it's a private pilot, the DN has to be the same
      if Properties.PILOT in credDict['properties']:
        self.log.notice("Setting the resource DN to the credentials DN")
        resourceDict['OwnerDN'] = credDict['DN']
      # If it's a job sharing. The group has to be the same and just check that the DN (if any)
      # belongs to the same group
      elif Properties.JOB_SHARING in credDict['properties']:
        resourceDict['OwnerGroup'] = credDict['group']
        self.log.notice("Setting the resource group to the credentials group")
        if 'OwnerDN' in resourceDict and resourceDict['OwnerDN'] != credDict['DN']:
          ownerDN = resourceDict['OwnerDN']
          result = Registry.getGroupsForDN(resourceDict['OwnerDN'])
          if not result['OK']:
            raise RuntimeError(result['Message'])
          if credDict['group'] not in result['Value']:
            # DN is not in the same group! bad boy.
            self.log.notice("You cannot request jobs from DN %s. It does not belong to your group!" % ownerDN)
            resourceDict['OwnerDN'] = credDict['DN']
      # Nothing special, group and DN have to be the same
      else:
        resourceDict['OwnerDN'] = credDict['DN']
        resourceDict['OwnerGroup'] = credDict['group']

    return resourceDict
  def getPilotGroupsToUpload( self ):
    pilotUpload = Registry.getGroupOption( self.__piParams.diracGroup, "AutoUploadPilotProxy", self.__piParams.uploadPilot )
    if not pilotUpload:
      return []

    issuerCert = self.getIssuerCert()
    userDN = issuerCert.getSubjectDN()[ 'Value' ]

    result = Registry.getGroupsForDN( userDN )
    if not result[ 'OK' ]:
      gLogger.error( "No groups defined for DN %s" % userDN )
      return []
    availableGroups = result[ 'Value' ]

    pilotGroups = []
    for group in availableGroups:
      groupProps = Registry.getPropertiesForGroup( group )
      if Properties.PILOT in groupProps or Properties.GENERIC_PILOT in groupProps:
        pilotGroups.append( group )
    return pilotGroups
示例#57
0
 def __discoverSettings( self ):
   #Set the VO
   globalVO = CSGlobals.getVO()
   if globalVO:
     self.__vo = globalVO
   elif self.__uVO:
     self.__vo = self.__uVO
   else:
     self.__vo = Registry.getVOForGroup( self.__uGroup )
     if not self.__vo:
       self.__vo = None