Context Navigation

deter_internal_access.py @ f4f036f

axis_examplecompt_changesinfo-ops

Last change on this file since f4f036f was dee164e, checked in by Ted Faber <faber@…>, 14 years ago

Looks like internal works now.

Had to add default entries to the access list to accomodate that, and discovered that ABAC requires strings - not unicode.

Moved lookup_access into the aceess class as most should be able to use it directly now.

Property mode set to 100644

File size: 12.0 KB

Rev	Line
[175b444]	1	#!/usr/local/bin/python
	2
	3	import os,sys
	4	import re
	5	import string
	6	import copy
	7	import pickle
	8	import logging
	9	import time
	10
	11	from threading import Thread, Lock
	12	from subprocess import Popen, call, PIPE, STDOUT
	13
	14	from util import *
	15	from allocate_project import allocate_project_local, allocate_project_remote
	16	from fedid import fedid, generate_fedid
[dee164e]	17	from authorizer import authorizer, abac_authorizer
[175b444]	18	from service_error import service_error
	19	from remote_service import xmlrpc_handler, soap_handler, service_caller
	20
	21	import httplib
	22	import tempfile
	23	from urlparse import urlparse
	24
	25	import topdl
	26	import list_log
	27	import proxy_emulab_segment
	28	import local_emulab_segment
	29
[fa4a4a8]	30	from access import access_base
[dee164e]	31	from legacy_access import legacy_access
[175b444]	32
	33	# Make log messages disappear if noone configures a fedd logger
	34	class nullHandler(logging.Handler):
	35	def emit(self, record): pass
	36
	37	fl = logging.getLogger("fedd.access")
	38	fl.addHandler(nullHandler())
	39
[dee164e]	40	class access(access_base, legacy_access):
[175b444]	41	@staticmethod
	42	def parse_vlans(v, log=None):
	43	"""
	44	Parse a vlan parameter into a set of vlan ids. Comma separated
	45	sequences of vlan ranges are acceptable.
	46	"""
	47	# the vlans can be a single integer, a comma separated list or a
	48	# comma separated lists of dashed ranges. E.g 100 or 100,300 or
	49	# 100,300-305,400
	50	vset = set()
	51	if v:
	52	for v in [ x.strip() for x in v.split(",") ]:
	53	try:
	54	if v.count("-") == 1:
	55	f, t = v.split("-", 1)
	56	for i in range(int(f), int(t)+1):
	57	vset.add(i)
	58	else:
	59	vset.add(int(v))
	60	except ValueError:
	61	if log:
	62	log.warn("Invalid expression in vlan list: %s" % v)
	63	return vset
	64
	65	def __init__(self, config=None, auth=None):
	66	"""
	67	Initializer. Pulls parameters out of the ConfigParser's access section.
	68	"""
	69
[fa4a4a8]	70	access_base.__init__(self, config, auth)
[175b444]	71	self.domain = config.get("access", "domain")
	72	vlan_str = config.get("access", "vlans")
	73	self.vlans = self.parse_vlans(vlan_str)
	74
	75	self.attrs = { }
	76	self.access = { }
	77	# State is a dict of dicts indexed by segment fedid that includes the
	78	# owners of the segment as fedids (who can manipulate it, key: owners),
	79	# the repo dir/user for the allocation (key: user), Current allocation
	80	# log (key: log), and GRI of the reservation once made (key: gri)
	81	self.log = logging.getLogger("fedd.access")
	82	set_log_level(config, "access", self.log)
	83
	84
[dee164e]	85	# authorization information
	86	self.auth_type = config.get('access', 'auth_type') \
	87	or 'legacy'
	88	self.auth_dir = config.get('access', 'auth_dir')
	89	accessdb = config.get("access", "accessdb")
	90	# initialize the authorization system
	91	if self.auth_type == 'legacy':
	92	self.access = { }
	93	if accessdb:
	94	self.legacy_read_access(accessdb)
	95	elif self.auth_type == 'abac':
	96	self.auth = abac_authorizer(load=self.auth_dir)
	97	self.access = [ ]
	98	if accessdb:
	99	self.read_access(accessdb, default=[('access', None)])
	100	else:
	101	raise service_error(service_error.internal,
	102	"Unknown auth_type: %s" % self.auth_type)
	103
	104	if self.auth_type == 'legacy':
	105	# Add the ownership attributes to the authorizer. Note that the
	106	# indices of the allocation dict are strings, but the attributes are
	107	# fedids, so there is a conversion.
	108	self.state_lock.acquire()
	109	for k in self.state.keys():
	110	for o in self.state[k].get('owners', []):
	111	self.auth.set_attribute(o, fedid(hexstr=k))
	112	self.auth.set_attribute(fedid(hexstr=k),fedid(hexstr=k))
	113	# If the allocation has a vlan assigned, remove it from the
	114	# available vlans
	115	v = self.state[k].get('vlan', None)
	116	if v:
	117	self.vlans.discard(v)
	118	self.state_lock.release()
	119
	120	self.lookup_access = self.legacy_lookup_access_base
	121	# under ABAC we use access.lookup_access
[fa4a4a8]	122
[175b444]	123
	124	self.call_GetValue= service_caller('GetValue')
	125	self.call_SetValue= service_caller('SetValue')
	126
	127	self.soap_services = {\
	128	'RequestAccess': soap_handler("RequestAccess", self.RequestAccess),
	129	'ReleaseAccess': soap_handler("ReleaseAccess", self.ReleaseAccess),
	130	'StartSegment': soap_handler("StartSegment", self.StartSegment),
	131	'TerminateSegment': soap_handler("TerminateSegment",
	132	self.TerminateSegment),
	133	}
	134	self.xmlrpc_services = {\
	135	'RequestAccess': xmlrpc_handler('RequestAccess',
	136	self.RequestAccess),
	137	'ReleaseAccess': xmlrpc_handler('ReleaseAccess',
	138	self.ReleaseAccess),
	139	'StartSegment': xmlrpc_handler("StartSegment", self.StartSegment),
	140	'TerminateSegment': xmlrpc_handler('TerminateSegment',
	141	self.TerminateSegment),
	142	}
	143
	144	def RequestAccess(self, req, fid):
	145	"""
	146	Handle the access request. Proxy if not for us.
	147
	148	Parse out the fields and make the allocations or rejections if for us,
	149	otherwise, assuming we're willing to proxy, proxy the request out.
	150	"""
	151
	152	# The dance to get into the request body
	153	if req.has_key('RequestAccessRequestBody'):
	154	req = req['RequestAccessRequestBody']
	155	else:
	156	raise service_error(service_error.req, "No request!?")
	157
[dee164e]	158	found, match, owners = self.lookup_access(req, fid)
[fa4a4a8]	159	# keep track of what's been added
	160	allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
	161	aid = unicode(allocID)
	162
	163	self.state_lock.acquire()
	164	self.state[aid] = { }
	165	self.state[aid]['user'] = found
[dee164e]	166	self.state[aid]['owners'] = owners
[fa4a4a8]	167	self.state[aid]['vlan'] = None
	168	self.write_state()
	169	self.state_lock.release()
	170	self.auth.set_attribute(fid, allocID)
	171	self.auth.set_attribute(allocID, allocID)
[dee164e]	172	self.auth.save()
[fa4a4a8]	173
	174	try:
	175	f = open("%s/%s.pem" % (self.certdir, aid), "w")
	176	print >>f, alloc_cert
	177	f.close()
	178	except EnvironmentError, e:
	179	raise service_error(service_error.internal,
	180	"Can't open %s/%s : %s" % (self.certdir, aid, e))
	181	return { 'allocID': { 'fedid': allocID } }
[175b444]	182
	183	def ReleaseAccess(self, req, fid):
	184	# The dance to get into the request body
	185	if req.has_key('ReleaseAccessRequestBody'):
	186	req = req['ReleaseAccessRequestBody']
	187	else:
	188	raise service_error(service_error.req, "No request!?")
	189
[fa4a4a8]	190	# Local request
	191	try:
	192	if req['allocID'].has_key('localname'):
	193	auth_attr = aid = req['allocID']['localname']
	194	elif req['allocID'].has_key('fedid'):
	195	aid = unicode(req['allocID']['fedid'])
	196	auth_attr = req['allocID']['fedid']
	197	else:
	198	raise service_error(service_error.req,
	199	"Only localnames and fedids are understood")
	200	except KeyError:
	201	raise service_error(service_error.req, "Badly formed request")
[175b444]	202
[fa4a4a8]	203	self.log.debug("[access] deallocation requested for %s", aid)
	204	if not self.auth.check_attribute(fid, auth_attr):
	205	self.log.debug("[access] deallocation denied for %s", aid)
	206	raise service_error(service_error.access, "Access Denied")
[175b444]	207
[fa4a4a8]	208	self.state_lock.acquire()
	209	if self.state.has_key(aid):
	210	self.log.debug("Found allocation for %s" %aid)
	211	del self.state[aid]
	212	self.write_state()
	213	self.state_lock.release()
	214	# And remove the access cert
	215	cf = "%s/%s.pem" % (self.certdir, aid)
	216	self.log.debug("Removing %s" % cf)
	217	os.remove(cf)
	218	return { 'allocID': req['allocID'] }
	219	else:
	220	self.state_lock.release()
	221	raise service_error(service_error.req, "No such allocation")
[175b444]	222
	223	def extract_parameters(self, top):
	224	"""
[fa4a4a8]	225	DETER's internal networking currently supports a fixed capacity link
	226	between two endpoints. Those endpoints may specify a VPN (or list or
	227	range) to use. This extracts the and vpn preferences from the segments
	228	(as attributes) and the capacity of the connection as given by the
[175b444]	229	substrate. The two endpoints VLAN choices are intersected to get set
	230	of VLANs that are acceptable (no VLAN requiremnets means any is
	231	acceptable).
	232	"""
	233	segments = filter(lambda x: isinstance(x, topdl.Segment), top.elements)
	234
	235	if len(segments) != 2 or len(top.substrates) != 1:
	236	raise service_error(service_error.req,
	237	"Requests to DRAGON must have exactlty two segments " +\
	238	"and one substrate")
	239
	240	vlans = set()
	241	for s in segments:
	242	v = s.get_attribute('vlans')
	243	vlans &= self.parse_vlans(v)
	244
	245	if len(vlans) == 0:
	246	vlans = None
	247
	248	sub = top.substrates[0]
	249	if sub.capacity:
	250	cap = int(sub.capacity.rate / 1000.0)
	251	if cap < 1: cap = 1
	252	else:
	253	cap = 100
	254
	255	return cap, vlans
	256
	257	def export_store_info(self, cf, vlan, connInfo):
	258	"""
	259	For the export requests in the connection info, install the peer names
	260	at the experiment controller via SetValue calls.
	261	"""
	262
	263	for c in connInfo:
	264	for p in [ p for p in c.get('parameter', []) \
	265	if p.get('type', '') == 'output']:
	266
	267	if p.get('name', '') != 'vlan_id':
	268	self.log.error("Unknown export parameter: %s" % \
	269	p.get('name'))
	270	continue
	271
	272	k = p.get('key', None)
	273	surl = p.get('store', None)
	274	if surl and k:
	275	value = "%s" % vlan
	276	req = { 'name': k, 'value': value }
	277	self.call_SetValue(surl, req, cf)
	278	else:
	279	self.log.error("Bad export request: %s" % p)
	280
	281	def StartSegment(self, req, fid):
	282	err = None # Any service_error generated after tmpdir is created
	283	rv = None # Return value from segment creation
	284
	285	try:
	286	req = req['StartSegmentRequestBody']
[fa4a4a8]	287	topref = req['segmentdescription']['topdldescription']
[175b444]	288	except KeyError:
	289	raise service_error(server_error.req, "Badly formed request")
	290
	291	auth_attr = req['allocID']['fedid']
	292	aid = "%s" % auth_attr
	293	attrs = req.get('fedAttr', [])
	294	if not self.auth.check_attribute(fid, auth_attr):
	295	raise service_error(service_error.access, "Access denied")
	296	else:
	297	# See if this is a replay of an earlier succeeded StartSegment -
	298	# sometimes SSL kills 'em. If so, replay the response rather than
	299	# redoing the allocation.
	300	self.state_lock.acquire()
	301	retval = self.state[aid].get('started', None)
	302	self.state_lock.release()
	303	if retval:
	304	self.log.warning("Duplicate StartSegment for %s: " % aid + \
	305	"replaying response")
	306	return retval
	307
	308	certfile = "%s/%s.pem" % (self.certdir, aid)
	309
[fa4a4a8]	310	if topref: topo = topdl.Topology(**topref)
[175b444]	311	else:
	312	raise service_error(service_error.req,
	313	"Request missing segmentdescription'")
	314
	315	connInfo = req.get('connection', [])
	316
	317	cap, vlans = self.extract_parameters(topo)
	318
	319	# No vlans passes in, consider any vlan acceptable
	320	if not vlans:
	321	vlans = self.vlans
	322
	323	avail = self.vlans \| vlans
	324
	325	if len(avail) != 0:
	326	vlan_no = avail.pop()
	327	self.vlans.discard(vlan_no)
	328	else:
	329	raise service_error(service_error.federant, "No vlan available")
	330
	331	self.export_store_info(certfile, vlan_no, connInfo)
	332
	333
[fa4a4a8]	334	# This annotation isn't strictly necessary, but may help in debugging
[175b444]	335	rtopo = topo.clone()
	336	for s in rtopo.substrates:
	337	s.set_attribute('vlan', vlan_no)
	338
	339	# Grab the log (this is some anal locking, but better safe than
	340	# sorry)
	341	self.state_lock.acquire()
	342	self.state[aid]['vlan'] = vlan_no
	343	logv = "Allocated vlan: %d" % vlan_no
	344	# It's possible that the StartSegment call gets retried (!).
	345	# if the 'started' key is in the allocation, we'll return it rather
	346	# than redo the setup.
	347	self.state[aid]['started'] = {
	348	'allocID': req['allocID'],
	349	'allocationLog': logv,
[fa4a4a8]	350	'segmentdescription': { 'topdldescription': rtopo.to_dict() }
[175b444]	351	}
[8dbbdc5]	352	retval = copy.deepcopy(self.state[aid]['started'])
[175b444]	353	self.write_state()
	354	self.state_lock.release()
	355
	356	return retval
	357
	358	def TerminateSegment(self, req, fid):
	359	try:
	360	req = req['TerminateSegmentRequestBody']
	361	except KeyError:
	362	raise service_error(server_error.req, "Badly formed request")
	363
	364	auth_attr = req['allocID']['fedid']
	365	aid = "%s" % auth_attr
	366
	367	self.log.debug("Terminate request for %s" %aid)
	368	if not self.auth.check_attribute(fid, auth_attr):
	369	raise service_error(service_error.access, "Access denied")
	370
	371	self.state_lock.acquire()
	372	if self.state.has_key(aid):
	373	vlan_no = self.state[aid].get('vlan', None)
	374	else:
	375	vlan_no = None
	376	self.state_lock.release()
[7dbfaed]	377	self.log.debug("Stop segment for vlan: %s" % vlan_no)
[175b444]	378
	379	if not vlan_no:
	380	raise service_error(service_error.internal,
	381	"Can't find assigfned vlan for for %s" % aid)
	382
	383	self.vlans.add(vlan_no)
	384	self.state_lock.acquire()
	385	self.state[aid]['vlan'] = None
	386	self.state_lock.release()
	387	return { 'allocID': req['allocID'] }

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: fedd/federation/deter_internal_access.py @ f4f036f

Download in other formats: