Context Navigation

source: fedd/federation/emulab_access.py @ d3bbe6e

Last change on this file since d3bbe6e was 12aa3fe, checked in by Ted Faber <faber@…>, 10 years ago
Actually trim the code
Property mode set to `100644`
File size: 40.2 KB

Rev	Line
[19cc408]	1	#!/usr/local/bin/python
	2
	3	import os,sys
[eeb0088]	4	import stat # for chmod constants
[19cc408]	5	import re
[ab847bc]	6	import random
[19cc408]	7	import string
	8	import copy
[d81971a]	9	import pickle
[c971895]	10	import logging
[eeb0088]	11	import subprocess
[06cc65b]	12	import traceback
[9c3e77f]	13	import socket
[19cc408]	14
[f8582c9]	15	from threading import *
[8e6fe4d]	16	from M2Crypto.SSL import SSLError
[f8582c9]	17
[f771e2f]	18	from access import access_base
	19
[ec4fb42]	20	from util import *
[6bedbdba]	21	from deter import fedid, generate_fedid
[6e63513]	22	from authorizer import authorizer, abac_authorizer
[6a0c9f4]	23	from service_error import service_error
[9460b1e]	24	from remote_service import xmlrpc_handler, soap_handler, service_caller
[e83f2f2]	25	from proof import proof as access_proof
[11a08b0]	26
[6c57fe9]	27	import httplib
	28	import tempfile
	29	from urlparse import urlparse
	30
[6bedbdba]	31	from deter import topdl
[11860f52]	32	import list_log
[06c1dba]	33	import emulab_segment
[8fbef04]	34	import emulab_shared_nat_segment
[11860f52]	35
[0ea11af]	36
	37	# Make log messages disappear if noone configures a fedd logger
[11a08b0]	38	class nullHandler(logging.Handler):
	39	def emit(self, record): pass
	40
	41	fl = logging.getLogger("fedd.access")
	42	fl.addHandler(nullHandler())
[19cc408]	43
[ee950c2]	44	class access(access_base):
[19cc408]	45	"""
	46	The implementation of access control based on mapping users to projects.
	47
	48	Users can be mapped to existing projects or have projects created
	49	dynamically. This implements both direct requests and proxies.
	50	"""
	51
[53b5c18]	52	max_name_len = 19
	53
[3f6bc5f]	54	def __init__(self, config=None, auth=None):
[866c983]	55	"""
	56	Initializer. Pulls parameters out of the ConfigParser's access section.
	57	"""
	58
[f771e2f]	59	access_base.__init__(self, config, auth)
[866c983]	60
[53b5c18]	61	self.max_name_len = access.max_name_len
	62
[866c983]	63	self.allow_proxy = config.getboolean("access", "allow_proxy")
	64
	65	self.domain = config.get("access", "domain")
[eeb0088]	66	self.userconfdir = config.get("access","userconfdir")
	67	self.userconfcmd = config.get("access","userconfcmd")
[fe28bb2]	68	self.userconfurl = config.get("access","userconfurl")
[9b3627e]	69	self.federation_software = config.get("access", "federation_software")
	70	self.portal_software = config.get("access", "portal_software")
[e76f38a]	71	self.local_seer_software = config.get("access", "local_seer_software")
	72	self.local_seer_image = config.get("access", "local_seer_image")
	73	self.local_seer_start = config.get("access", "local_seer_start")
[49051fb]	74	self.seer_master_start = config.get("access", "seer_master_start")
[ecca6eb]	75	self.ssh_privkey_file = config.get("access","ssh_privkey_file")
[3bddd24]	76	self.ssh_pubkey_file = config.get("access","ssh_pubkey_file")
[6280b1f]	77	self.ssh_port = config.get("access","ssh_port") or "22"
[181aeb4]	78	self.boss = config.get("access", "boss")
[814b5e5]	79	self.ops = config.get("access", "ops")
[5e1fb7b]	80
	81	self.dragon_endpoint = config.get("access", "dragon")
	82	self.dragon_vlans = config.get("access", "dragon_vlans")
	83	self.deter_internal = config.get("access", "deter_internal")
	84
	85	self.tunnel_config = config.getboolean("access", "tunnel_config")
	86	self.portal_command = config.get("access", "portal_command")
	87	self.portal_image = config.get("access", "portal_image")
	88	self.portal_type = config.get("access", "portal_type") or "pc"
	89	self.portal_startcommand = config.get("access", "portal_startcommand")
	90	self.node_startcommand = config.get("access", "node_startcommand")
[4ffa6f8]	91	self.nat_portal = config.get("access", "nat_portal")
[8fbef04]	92	self.shared_nat = config.getboolean("access", "shared_nat")
[5e1fb7b]	93
[9c3e77f]	94	self.uri = 'https://%s:%d' % (socket.getfqdn(),
	95	self.get_port(config.get("globals", "services", "23235")))
	96
[f771e2f]	97	self.federation_software = self.software_list(self.federation_software)
	98	self.portal_software = self.software_list(self.portal_software)
	99	self.local_seer_software = self.software_list(self.local_seer_software)
[11860f52]	100
	101	self.access_type = self.access_type.lower()
[8fbef04]	102	if self.shared_nat:
	103	self.start_segment = emulab_shared_nat_segment.start_segment
	104	self.stop_segment = emulab_shared_nat_segment.stop_segment
	105	self.info_segment = emulab_shared_nat_segment.info_segment
	106	self.operation_segment = emulab_shared_nat_segment.operation_segment
	107	self.exports_segment = emulab_shared_nat_segment.exports_segment
	108	else:
	109	self.start_segment = emulab_segment.start_segment
	110	self.stop_segment = emulab_segment.stop_segment
	111	self.info_segment = emulab_segment.info_segment
	112	self.operation_segment = emulab_segment.operation_segment
	113	self.exports_segment = emulab_segment.exports_segment
[866c983]	114
	115	self.restricted = [ ]
	116
[6e63513]	117	# authorization information
	118	self.auth_type = config.get('access', 'auth_type') \
[ee950c2]	119	or 'abac'
[6e63513]	120	self.auth_dir = config.get('access', 'auth_dir')
	121	accessdb = config.get("access", "accessdb")
	122	# initialize the authorization system
[ee950c2]	123	if self.auth_type == 'abac':
[6e63513]	124	self.auth = abac_authorizer(load=self.auth_dir)
[c002cb2]	125	self.access = [ ]
[6e63513]	126	if accessdb:
[78f2668]	127	self.read_access(accessdb, self.access_tuple)
[6e63513]	128	else:
	129	raise service_error(service_error.internal,
	130	"Unknown auth_type: %s" % self.auth_type)
[f771e2f]	131
[06cc65b]	132	# read_state in the base_class
[f771e2f]	133	self.state_lock.acquire()
[ee950c2]	134	if 'allocation' not in self.state: self.state['allocation']= { }
[f771e2f]	135	self.allocation = self.state['allocation']
	136	self.state_lock.release()
[a20a20f]	137	self.exports = {
	138	'SMB': self.export_SMB,
	139	'seer': self.export_seer,
	140	'tmcd': self.export_tmcd,
	141	'userconfig': self.export_userconfig,
	142	'project_export': self.export_project_export,
	143	'local_seer_control': self.export_local_seer,
	144	'seer_master': self.export_seer_master,
	145	'hide_hosts': self.export_hide_hosts,
	146	}
	147
	148	if not self.local_seer_image or not self.local_seer_software or \
	149	not self.local_seer_start:
	150	if 'local_seer_control' in self.exports:
	151	del self.exports['local_seer_control']
	152
	153	if not self.local_seer_image or not self.local_seer_software or \
	154	not self.seer_master_start:
	155	if 'seer_master' in self.exports:
	156	del self.exports['seer_master']
[866c983]	157
	158
	159	self.soap_services = {\
	160	'RequestAccess': soap_handler("RequestAccess", self.RequestAccess),
	161	'ReleaseAccess': soap_handler("ReleaseAccess", self.ReleaseAccess),
[cc8d8e9]	162	'StartSegment': soap_handler("StartSegment", self.StartSegment),
[e76f38a]	163	'TerminateSegment': soap_handler("TerminateSegment",
	164	self.TerminateSegment),
[6e33086]	165	'InfoSegment': soap_handler("InfoSegment", self.InfoSegment),
[b709861]	166	'OperationSegment': soap_handler("OperationSegment",
	167	self.OperationSegment),
[866c983]	168	}
	169	self.xmlrpc_services = {\
	170	'RequestAccess': xmlrpc_handler('RequestAccess',
	171	self.RequestAccess),
	172	'ReleaseAccess': xmlrpc_handler('ReleaseAccess',
	173	self.ReleaseAccess),
[5ae3857]	174	'StartSegment': xmlrpc_handler("StartSegment", self.StartSegment),
	175	'TerminateSegment': xmlrpc_handler('TerminateSegment',
	176	self.TerminateSegment),
[6e33086]	177	'InfoSegment': xmlrpc_handler("InfoSegment", self.InfoSegment),
[b709861]	178	'OperationSegment': xmlrpc_handler("OperationSegment",
	179	self.OperationSegment),
[866c983]	180	}
	181
[68f03a6]	182	self.call_SetValue = service_caller('SetValue', log=self.log)
[2ee4226]	183	self.call_GetValue = service_caller('GetValue', log=self.log)
[866c983]	184
[9c3e77f]	185	@staticmethod
	186	def get_port(ps):
	187	'''
	188	Take a fedd service string and return the first port. Used in
	189	creating the testbed uri identifier.
	190	'''
	191	p = ps.split(',')
	192	smallport = p[0].split(':')
	193	try:
	194	rv = int(smallport[0])
	195	except ValueError:
	196	rv = 23235
	197	return rv
	198
[6e63513]	199	@staticmethod
[78f2668]	200	def access_tuple(str):
[6e63513]	201	"""
[f77a256]	202	Convert a string of the form (id, id, id) into an access_project. This
	203	is called by read_access to convert to local attributes. It returns a
	204	tuple of the form (project, user, certificate_file).
[6e63513]	205	"""
	206
	207	str = str.strip()
[f77a256]	208	if str.startswith('(') and str.endswith(')') and str.count(',') == 2:
[725c55d]	209	# The slice takes the parens off the string.
[f77a256]	210	proj, user, cert = str[1:-1].split(',')
	211	return (proj.strip(), user.strip(), cert.strip())
[6e63513]	212	else:
	213	raise self.parse_error(
[f77a256]	214	'Bad mapping (unbalanced parens or more than 2 commas)')
[6e63513]	215
[06cc65b]	216	# RequestAccess support routines
	217
[f77a256]	218	def save_project_state(self, aid, pname, uname, certf, owners):
[f771e2f]	219	"""
[ee950c2]	220	Save the project, user, and owners associated with this allocation.
	221	This creates the allocation entry.
[f771e2f]	222	"""
	223	self.state_lock.acquire()
	224	self.allocation[aid] = { }
[ee950c2]	225	self.allocation[aid]['project'] = pname
	226	self.allocation[aid]['user'] = uname
[f77a256]	227	self.allocation[aid]['cert'] = certf
[f771e2f]	228	self.allocation[aid]['owners'] = owners
	229	self.write_state()
	230	self.state_lock.release()
	231	return (pname, uname)
[19cc408]	232
[06cc65b]	233	# End of RequestAccess support routines
	234
[19cc408]	235	def RequestAccess(self, req, fid):
[866c983]	236	"""
	237	Handle the access request. Proxy if not for us.
	238
	239	Parse out the fields and make the allocations or rejections if for us,
	240	otherwise, assuming we're willing to proxy, proxy the request out.
	241	"""
	242
	243	def gateway_hardware(h):
[5e1fb7b]	244	if h == 'GWTYPE': return self.portal_type or 'GWTYPE'
[866c983]	245	else: return h
	246
[43197eb]	247	def get_export_project(svcs):
	248	"""
	249	if the service requests includes one to export a project, return
	250	that project.
	251	"""
	252	rv = None
	253	for s in svcs:
	254	if s.get('name', '') == 'project_export' and \
	255	s.get('visibility', '') == 'export':
	256	if not rv:
[1f6a573]	257	for a in s.get('fedAttr', []):
[43197eb]	258	if a.get('attribute', '') == 'project' \
	259	and 'value' in a:
	260	rv = a['value']
	261	else:
	262	raise service_error(service_error, access,
	263	'Requesting multiple project exports is ' + \
	264	'not supported');
	265	return rv
	266
[8cab4c2]	267	self.log.info("RequestAccess called by %s" % fid)
[866c983]	268	# The dance to get into the request body
	269	if req.has_key('RequestAccessRequestBody'):
	270	req = req['RequestAccessRequestBody']
	271	else:
	272	raise service_error(service_error.req, "No request!?")
	273
[1f6a573]	274	# if this includes a project export request, construct a filter such
	275	# that only the ABAC attributes mapped to that project are checked for
	276	# access.
	277	if 'service' in req:
	278	ep = get_export_project(req['service'])
[de86b35]	279	if ep: pf = lambda(a): a.value[0] == ep
	280	else: pf = None
[1f6a573]	281	else:
	282	ep = None
	283	pf = None
	284
[c573278]	285	if self.auth.import_credentials(
	286	data_list=req.get('abac_credential', [])):
	287	self.auth.save()
[cde9b98]	288	else:
	289	self.log.debug('failed to import incoming credentials')
[866c983]	290
[ee950c2]	291	if self.auth_type == 'abac':
	292	found, owners, proof = self.lookup_access(req, fid, filter=pf)
[6e63513]	293	else:
	294	raise service_error(service_error.internal,
	295	'Unknown auth_type: %s' % self.auth_type)
[f771e2f]	296	ap = None
[866c983]	297
[f771e2f]	298	# keep track of what's been added
	299	allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
	300	aid = unicode(allocID)
	301
[f77a256]	302	pname, uname = self.save_project_state(aid, found[0], found[1],
	303	found[2], owners)
[f771e2f]	304
	305	services, svc_state = self.export_services(req.get('service',[]),
	306	pname, uname)
	307	self.state_lock.acquire()
	308	# Store services state in global state
	309	for k, v in svc_state.items():
	310	self.allocation[aid][k] = v
[c65b7e4]	311	self.append_allocation_authorization(aid,
	312	set([(o, allocID) for o in owners]), state_attr='allocation')
[f771e2f]	313	self.write_state()
	314	self.state_lock.release()
	315	try:
	316	f = open("%s/%s.pem" % (self.certdir, aid), "w")
	317	print >>f, alloc_cert
	318	f.close()
	319	except EnvironmentError, e:
[8cab4c2]	320	self.log.info("RequestAccess failed for by %s: internal error" \
	321	% fid)
[f771e2f]	322	raise service_error(service_error.internal,
	323	"Can't open %s/%s : %s" % (self.certdir, aid, e))
[8cab4c2]	324	self.log.debug('RequestAccess Returning allocation ID: %s' % allocID)
[f771e2f]	325	resp = self.build_access_response({ 'fedid': allocID } ,
[ee950c2]	326	pname, services, proof)
[f771e2f]	327	return resp
[d81971a]	328
	329	def ReleaseAccess(self, req, fid):
[8cab4c2]	330	self.log.info("ReleaseAccess called by %s" % fid)
[866c983]	331	# The dance to get into the request body
	332	if req.has_key('ReleaseAccessRequestBody'):
	333	req = req['ReleaseAccessRequestBody']
	334	else:
	335	raise service_error(service_error.req, "No request!?")
	336
[8cf2b90e]	337	try:
	338	if req['allocID'].has_key('localname'):
	339	auth_attr = aid = req['allocID']['localname']
	340	elif req['allocID'].has_key('fedid'):
	341	aid = unicode(req['allocID']['fedid'])
	342	auth_attr = req['allocID']['fedid']
	343	else:
	344	raise service_error(service_error.req,
	345	"Only localnames and fedids are understood")
	346	except KeyError:
	347	raise service_error(service_error.req, "Badly formed request")
	348
[725c55d]	349	self.log.debug("[access] deallocation requested for %s by %s" % \
	350	(aid, fid))
[e83f2f2]	351	access_ok, proof = self.auth.check_attribute(fid, auth_attr,
	352	with_proof=True)
	353	if not access_ok:
[8cf2b90e]	354	self.log.debug("[access] deallocation denied for %s", aid)
	355	raise service_error(service_error.access, "Access Denied")
	356
	357	self.state_lock.acquire()
	358	if aid in self.allocation:
	359	self.log.debug("Found allocation for %s" %aid)
[c65b7e4]	360	self.clear_allocation_authorization(aid, state_attr='allocation')
[8cf2b90e]	361	del self.allocation[aid]
	362	self.write_state()
	363	self.state_lock.release()
[ee950c2]	364	# Remove the access cert
[8cf2b90e]	365	cf = "%s/%s.pem" % (self.certdir, aid)
	366	self.log.debug("Removing %s" % cf)
	367	os.remove(cf)
[8cab4c2]	368	self.log.info("ReleaseAccess succeeded for %s" % fid)
[e83f2f2]	369	return { 'allocID': req['allocID'], 'proof': proof.to_dict() }
[8cf2b90e]	370	else:
	371	self.state_lock.release()
	372	raise service_error(service_error.req, "No such allocation")
[866c983]	373
[06cc65b]	374	# These are subroutines for StartSegment
[8cf2b90e]	375	def generate_ns2(self, topo, expfn, softdir, connInfo):
[06cc65b]	376	"""
	377	Convert topo into an ns2 file, decorated with appropriate commands for
	378	the particular testbed setup. Convert all requests for software, etc
	379	to point at the staged copies on this testbed and add the federation
	380	startcommands.
	381	"""
[617592b]	382	class dragon_commands:
	383	"""
	384	Functor to spit out approrpiate dragon commands for nodes listed in
	385	the connectivity description. The constructor makes a dict mapping
	386	dragon nodes to their parameters and the __call__ checks each
	387	element in turn for membership.
	388	"""
	389	def __init__(self, map):
	390	self.node_info = map
	391
	392	def __call__(self, e):
	393	s = ""
	394	if isinstance(e, topdl.Computer):
[49051fb]	395	if self.node_info.has_key(e.name):
[fefa026]	396	info = self.node_info[e.name]
	397	for ifname, vlan, type in info:
[617592b]	398	for i in e.interface:
	399	if i.name == ifname:
	400	addr = i.get_attribute('ip4_address')
	401	subs = i.substrate[0]
	402	break
	403	else:
	404	raise service_error(service_error.internal,
	405	"No interface %s on element %s" % \
[49051fb]	406	(ifname, e.name))
[1cf8e2c]	407	# XXX: do netmask right
[617592b]	408	if type =='link':
[06cc65b]	409	s = ("tb-allow-external ${%s} " + \
	410	"dragonportal ip %s vlan %s " + \
	411	"netmask 255.255.255.0\n") % \
[e07c8f3]	412	(topdl.to_tcl_name(e.name), addr, vlan)
[617592b]	413	elif type =='lan':
[06cc65b]	414	s = ("tb-allow-external ${%s} " + \
	415	"dragonportal " + \
[617592b]	416	"ip %s vlan %s usurp %s\n") % \
[e07c8f3]	417	(topdl.to_tcl_name(e.name), addr,
	418	vlan, subs)
[617592b]	419	else:
	420	raise service_error(service_error_internal,
	421	"Unknown DRAGON type %s" % type)
	422	return s
	423
	424	class not_dragon:
[06cc65b]	425	"""
	426	Return true if a node is in the given map of dragon nodes.
	427	"""
[617592b]	428	def __init__(self, map):
	429	self.nodes = set(map.keys())
	430
	431	def __call__(self, e):
[49051fb]	432	return e.name not in self.nodes
[69692a9]	433
[4d68ba6]	434	def have_portals(top):
	435	'''
	436	Return true if the topology has a portal node
	437	'''
	438	# The else is on the for
	439	for e in top.elements:
	440	if isinstance(e, topdl.Computer) and e.get_attribute('portal'):
	441	return True
	442	else:
	443	return False
	444
	445
[06cc65b]	446	# Main line of generate_ns2
[ecca6eb]	447	t = topo.clone()
	448
[06cc65b]	449	# Create the map of nodes that need direct connections (dragon
	450	# connections) from the connInfo
[617592b]	451	dragon_map = { }
	452	for i in [ i for i in connInfo if i['type'] == 'transit']:
	453	for a in i.get('fedAttr', []):
	454	if a['attribute'] == 'vlan_id':
	455	vlan = a['value']
	456	break
	457	else:
[8cf2b90e]	458	raise service_error(service_error.internal, "No vlan tag")
[617592b]	459	members = i.get('member', [])
	460	if len(members) > 1: type = 'lan'
	461	else: type = 'link'
	462
	463	try:
	464	for m in members:
[8cf2b90e]	465	if m['element'] in dragon_map:
[617592b]	466	dragon_map[m['element']].append(( m['interface'],
	467	vlan, type))
	468	else:
	469	dragon_map[m['element']] = [( m['interface'],
	470	vlan, type),]
	471	except KeyError:
	472	raise service_error(service_error.req,
	473	"Missing connectivity info")
	474
[319fb0a]	475	def output_fixed_filter(e):
	476	if not isinstance(e, topdl.Computer): return ""
	477	fn = e.get_attribute('fixed')
	478	if fn is None:
	479	return ""
	480	else:
[f725eda]	481	return 'tb-fix-node ${%s} %s\n' % (topdl.to_tcl_name(e.name), fn)
	482
	483	def output_external_access(e):
	484	'''
	485	Allow nodes that have explicit external access requests attached to
	486	have external access. This will be replaced by a real risky
	487	experiment filter.
	488	'''
	489	if not isinstance(e, topdl.Computer): return ""
	490	ex = e.get_attribute('containers:external')
	491	if ex is None:
	492	return ""
	493	else:
	494	return 'tb-allow-external ${%s}\n' % topdl.to_tcl_name(e.name)
[319fb0a]	495
[35aa3ae]	496	# Weed out the things we aren't going to instantiate: Segments, portal
	497	# substrates, and portal interfaces. (The copy in the for loop allows
	498	# us to delete from e.elements in side the for loop). While we're
	499	# touching all the elements, we also adjust paths from the original
	500	# testbed to local testbed paths and put the federation commands into
	501	# the start commands
[4d68ba6]	502	local = len(dragon_map) == 0 and not have_portals(t)
	503	if local: routing = 'Static'
	504	else: routing = 'Manual'
	505
[aada25c]	506	if local:
	507	self.log.debug("Local experiment.")
[35aa3ae]	508	for e in [e for e in t.elements]:
	509	if isinstance(e, topdl.Segment):
	510	t.elements.remove(e)
[43649f1]	511	if isinstance(e, topdl.Computer):
[e76f38a]	512	self.add_kit(e, self.federation_software)
[5e1fb7b]	513	if e.get_attribute('portal') and self.portal_startcommand:
[9b3627e]	514	# Add local portal support software
[e76f38a]	515	self.add_kit(e, self.portal_software)
[43649f1]	516	# Portals never have a user-specified start command
[5e1fb7b]	517	e.set_attribute('startup', self.portal_startcommand)
[4d68ba6]	518	elif not local and self.node_startcommand:
[43649f1]	519	if e.get_attribute('startup'):
[d87778f]	520	e.set_attribute('startup', "%s \\$USER '%s'" % \
[5e1fb7b]	521	(self.node_startcommand,
	522	e.get_attribute('startup')))
[43649f1]	523	else:
[5e1fb7b]	524	e.set_attribute('startup', self.node_startcommand)
[0297248]	525
[49051fb]	526	dinf = [i[0] for i in dragon_map.get(e.name, []) ]
[35aa3ae]	527	# Remove portal interfaces that do not connect to DRAGON
	528	e.interface = [i for i in e.interface \
[617592b]	529	if not i.get_attribute('portal') or i.name in dinf ]
[9b3627e]	530	# Fix software paths
	531	for s in getattr(e, 'software', []):
	532	s.location = re.sub("^.*/", softdir, s.location)
[35aa3ae]	533
	534	t.substrates = [ s.clone() for s in t.substrates ]
	535	t.incorporate_elements()
[ecca6eb]	536
	537	# Customize the ns2 output for local portal commands and images
[f725eda]	538	filters = [output_fixed_filter, output_external_access]
[ecca6eb]	539
[5e1fb7b]	540	if self.dragon_endpoint:
[617592b]	541	add_filter = not_dragon(dragon_map)
	542	filters.append(dragon_commands(dragon_map))
[69692a9]	543	else:
	544	add_filter = None
	545
[5e1fb7b]	546	if self.portal_command:
[8fbef04]	547	if self.shared_nat: suffix = 'shared nat 0/0/tcp rdr 22/tcp'
	548	else: suffix = ''
	549
[5e1fb7b]	550	filters.append(topdl.generate_portal_command_filter(
[8fbef04]	551	self.portal_command, add_filter=add_filter, suffix=suffix))
[ecca6eb]	552
[5e1fb7b]	553	if self.portal_image:
[ecca6eb]	554	filters.append(topdl.generate_portal_image_filter(
[5e1fb7b]	555	self.portal_image))
[ecca6eb]	556
[5e1fb7b]	557	if self.portal_type:
[ecca6eb]	558	filters.append(topdl.generate_portal_hardware_filter(
[5e1fb7b]	559	self.portal_type))
[ecca6eb]	560
	561	# Convert to ns and write it out
[4d68ba6]	562	expfile = topdl.topology_to_ns2(t, filters, routing=routing)
[ecca6eb]	563	try:
	564	f = open(expfn, "w")
	565	print >>f, expfile
	566	f.close()
[d3c8759]	567	except EnvironmentError:
[ecca6eb]	568	raise service_error(service_error.internal,
	569	"Cannot write experiment file %s: %s" % (expfn,e))
[f9ef40b]	570
[2c1fd21]	571	def export_store_info(self, cf, proj, ename, connInfo):
	572	"""
[26821ac]	573	For the export requests in the connection info, send out teh SetValue
	574	calls for parameters initialized by the segment's export_segment
	575	object. Values are all in the connInfo parameter's value fields.
[2c1fd21]	576	"""
	577
	578	for c in connInfo:
[26821ac]	579	for p in c.get('parameter', []):
	580	# Ignore non-output parameters
	581	if p.get('type', '') != 'output':
	582	continue
	583	# Sanity check store, key and value
	584	surl = p.get('store', None)
	585	key = p.get('key', None)
	586	value = p.get('value', None)
	587	if surl is None:
	588	self.log.error("Export parameter without store: %s" % \
	589	p.get('name'))
	590	continue
	591	if key is None:
	592	self.log.error("Export parameter without key: %s" % \
	593	p.get('name'))
	594	continue
	595	if value is None:
	596	self.log.error("Unknown (unset) export parameter: %s" % \
[2c1fd21]	597	p.get('name'))
	598	continue
[26821ac]	599	# Set the store value
	600	req = { 'name': key, 'value': value }
	601	self.call_SetValue(surl, req, cf)
[2c1fd21]	602
[49051fb]	603	def add_seer_node(self, topo, name, startup):
	604	"""
	605	Add a seer node to the given topology, with the startup command passed
[06cc65b]	606	in. Used by configure seer_services.
[49051fb]	607	"""
	608	c_node = topdl.Computer(
	609	name=name,
	610	os= topdl.OperatingSystem(
	611	attribute=[
	612	{ 'attribute': 'osid',
	613	'value': self.local_seer_image },
	614	]),
	615	attribute=[
	616	{ 'attribute': 'startup', 'value': startup },
	617	]
	618	)
	619	self.add_kit(c_node, self.local_seer_software)
	620	topo.elements.append(c_node)
	621
	622	def configure_seer_services(self, services, topo, softdir):
[8cf2b90e]	623	"""
	624	Make changes to the topology required for the seer requests being made.
	625	Specifically, add any control or master nodes required and set up the
	626	start commands on the nodes to interconnect them.
	627	"""
	628	local_seer = False # True if we need to add a control node
	629	collect_seer = False # True if there is a seer-master node
	630	seer_master= False # True if we need to add the seer-master
[49051fb]	631	for s in services:
	632	s_name = s.get('name', '')
	633	s_vis = s.get('visibility','')
	634
[8cf2b90e]	635	if s_name == 'local_seer_control' and s_vis == 'export':
[49051fb]	636	local_seer = True
	637	elif s_name == 'seer_master':
	638	if s_vis == 'import':
	639	collect_seer = True
	640	elif s_vis == 'export':
	641	seer_master = True
	642
	643	# We've got the whole picture now, so add nodes if needed and configure
	644	# them to interconnect properly.
	645	if local_seer or seer_master:
	646	# Copy local seer control node software to the tempdir
	647	for l, f in self.local_seer_software:
	648	base = os.path.basename(f)
	649	copy_file(f, "%s/%s" % (softdir, base))
	650	# If we're collecting seers somewhere the controllers need to talk to
	651	# the master. In testbeds that export the service, that will be a
	652	# local node that we'll add below. Elsewhere it will be the control
	653	# portal that will port forward to the exporting master.
	654	if local_seer:
	655	if collect_seer:
[acaa9b9]	656	startup = "%s -C %s" % (self.local_seer_start, "seer-master")
[49051fb]	657	else:
	658	startup = self.local_seer_start
	659	self.add_seer_node(topo, 'control', startup)
	660	# If this is the seer master, add that node, too.
	661	if seer_master:
[e07c8f3]	662	self.add_seer_node(topo, 'seer-master',
	663	"%s -R -n -R seer-master -R -A -R sink" % \
	664	self.seer_master_start)
[49051fb]	665
[06cc65b]	666	def retrieve_software(self, topo, certfile, softdir):
	667	"""
	668	Collect the software that nodes in the topology need loaded and stage
	669	it locally. This implies retrieving it from the experiment_controller
	670	and placing it into softdir. Certfile is used to prove that this node
	671	has access to that data (it's the allocation/segment fedid). Finally
	672	local portal and federation software is also copied to the same staging
	673	directory for simplicity - all software needed for experiment creation
	674	is in softdir.
	675	"""
	676	sw = set()
	677	for e in topo.elements:
	678	for s in getattr(e, 'software', []):
	679	sw.add(s.location)
	680	for s in sw:
	681	self.log.debug("Retrieving %s" % s)
	682	try:
[815cd26]	683	get_url(s, certfile, softdir, log=self.log)
[06cc65b]	684	except:
	685	t, v, st = sys.exc_info()
	686	raise service_error(service_error.internal,
	687	"Error retrieving %s: %s" % (s, v))
[49051fb]	688
[06cc65b]	689	# Copy local federation and portal node software to the tempdir
	690	for s in (self.federation_software, self.portal_software):
	691	for l, f in s:
	692	base = os.path.basename(f)
	693	copy_file(f, "%s/%s" % (softdir, base))
[49051fb]	694
[6c57fe9]	695
[06cc65b]	696	def initialize_experiment_info(self, attrs, aid, certfile, tmpdir):
	697	"""
	698	Gather common configuration files, retrieve or create an experiment
	699	name and project name, and return the ssh_key filenames. Create an
	700	allocation log bound to the state log variable as well.
	701	"""
[3df9b33]	702	configs = ('hosts', 'ssh_pubkey', 'ssh_secretkey',
[9a52a80]	703	'seer_ca_pem', 'seer_node_pem', 'route.tgz')
[06cc65b]	704	ename = None
	705	pubkey_base = None
	706	secretkey_base = None
	707	proj = None
	708	user = None
	709	alloc_log = None
[05c41f5]	710	nonce_experiment = False
[262328f]	711	vchars_re = '[^' + string.ascii_letters + string.digits + '-]'
[06cc65b]	712
[f3898f7]	713	self.state_lock.acquire()
	714	if aid in self.allocation:
	715	proj = self.allocation[aid].get('project', None)
	716	self.state_lock.release()
	717
	718	if not proj:
	719	raise service_error(service_error.internal,
	720	"Can't find project for %s" %aid)
	721
[06cc65b]	722	for a in attrs:
	723	if a['attribute'] in configs:
	724	try:
	725	self.log.debug("Retrieving %s from %s" % \
	726	(a['attribute'], a['value']))
[815cd26]	727	get_url(a['value'], certfile, tmpdir, log=self.log)
[06cc65b]	728	except:
	729	t, v, st = sys.exc_info()
	730	raise service_error(service_error.internal,
	731	"Error retrieving %s: %s" % (a.get('value', ""), v))
	732	if a['attribute'] == 'ssh_pubkey':
	733	pubkey_base = a['value'].rpartition('/')[2]
	734	if a['attribute'] == 'ssh_secretkey':
	735	secretkey_base = a['value'].rpartition('/')[2]
	736	if a['attribute'] == 'experiment_name':
	737	ename = a['value']
	738
[f3898f7]	739	# Names longer than the emulab max are discarded
[c167378]	740	if ename and len(ename) <= self.max_name_len:
[262328f]	741	# Clean up the experiment name so that emulab will accept it.
	742	ename = re.sub(vchars_re, '-', ename)
	743
	744	else:
[06cc65b]	745	ename = ""
	746	for i in range(0,5):
	747	ename += random.choice(string.ascii_letters)
[05c41f5]	748	nonce_experiment = True
[53b5c18]	749	self.log.warn("No experiment name or suggestion too long: " + \
	750	"picked one randomly: %s" % ename)
[06cc65b]	751
	752	if not pubkey_base:
	753	raise service_error(service_error.req,
	754	"No public key attribute")
	755
	756	if not secretkey_base:
	757	raise service_error(service_error.req,
	758	"No secret key attribute")
[6c57fe9]	759
[06cc65b]	760	self.state_lock.acquire()
	761	if aid in self.allocation:
	762	user = self.allocation[aid].get('user', None)
[f77a256]	763	cert = self.allocation[aid].get('cert', None)
[06cc65b]	764	self.allocation[aid]['experiment'] = ename
[05c41f5]	765	self.allocation[aid]['nonce'] = nonce_experiment
[06cc65b]	766	self.allocation[aid]['log'] = [ ]
	767	# Create a logger that logs to the experiment's state object as
	768	# well as to the main log file.
	769	alloc_log = logging.getLogger('fedd.access.%s' % ename)
	770	h = logging.StreamHandler(
	771	list_log.list_log(self.allocation[aid]['log']))
	772	# XXX: there should be a global one of these rather than
	773	# repeating the code.
	774	h.setFormatter(logging.Formatter(
	775	"%(asctime)s %(name)s %(message)s",
	776	'%d %b %y %H:%M:%S'))
	777	alloc_log.addHandler(h)
	778	self.write_state()
	779	self.state_lock.release()
	780
	781	if not user:
	782	raise service_error(service_error.internal,
	783	"Can't find creation user for %s" %aid)
	784
[f77a256]	785	return (ename, proj, user, cert, pubkey_base, secretkey_base, alloc_log)
[06cc65b]	786
[6e33086]	787	def decorate_topology(self, info, t):
[06cc65b]	788	"""
[6e33086]	789	Copy the physical mapping and status onto the topology. Used by
	790	StartSegment and InfoSegment
[06cc65b]	791	"""
[6e33086]	792	def add_new(ann, attr):
	793	for a in ann:
	794	if a not in attr: attr.append(a)
	795
[cebcdce]	796	def merge_os(os, e):
	797	if len(e.os) == 0:
	798	# No OS at all:
	799	if os.get_attribute('emulab_access:image'):
	800	os.set_attribute('emulab_access:initial_image',
	801	os.get_attribute('emulab_access:image'))
	802	e.os = [ os ]
	803	elif len(e.os) == 1:
	804	# There's one OS, copy the initial image and replace
	805	eos = e.os[0]
	806	initial = eos.get_attribute('emulab_access:initial_image')
	807	if initial:
	808	os.set_attribute('emulab_access:initial_image', initial)
	809	e.os = [ os]
	810	else:
	811	# Multiple OSes, replace or append
	812	for eos in e.os:
	813	if os.name == eos.name:
	814	eos.version = os.version
	815	eos.version = os.distribution
	816	eos.version = os.distributionversion
	817	for a in os.attribute:
	818	if eos.get_attribute(a.attribute):
	819	eos.remove_attribute(a.attribute)
	820	eos.set_attribute(a.attribute, a.value)
	821	break
	822	else:
	823	e.os.append(os)
	824
	825
	826	if t is None: return
[7653f01]	827	i = 0 # For fake debugging instantiation
[06cc65b]	828	# Copy the assigned names into the return topology
[c6f867c]	829	for e in t.elements:
[29d5f7c]	830	if isinstance(e, topdl.Computer):
	831	if not self.create_debug:
[6e33086]	832	if e.name in info.node:
[1ae1aa2]	833	add_new(("%s%s" %
	834	(info.node[e.name].pname, self.domain),),
	835	e.localname)
[6527d60]	836	add_new(("%s%s" %
	837	(info.node[e.name].lname, self.domain),),
	838	e.localname)
[1ae1aa2]	839	e.status = info.node[e.name].status
	840	os = info.node[e.name].getOS()
[cebcdce]	841	if os: merge_os(os, e)
[29d5f7c]	842	else:
	843	# Simple debugging assignment
[6e33086]	844	add_new(("node%d%s" % (i, self.domain),), e.localname)
[29d5f7c]	845	e.status = 'active'
[6e33086]	846	add_new(('testop1', 'testop2'), e.operation)
[29d5f7c]	847	i += 1
	848
[6527d60]	849	for s in t.substrates:
	850	if s.name in info.subs:
	851	sub = info.subs[s.name]
	852	if sub.cap is not None:
	853	s.capacity = topdl.Capacity(sub.cap, 'max')
	854	if sub.delay is not None:
	855	s.delay = topdl.Latency(sub.delay, 'max')
	856	# XXX interfaces
	857
[6e33086]	858
	859	def finalize_experiment(self, starter, topo, aid, alloc_id, proof):
	860	"""
	861	Store key bits of experiment state in the global repository, including
	862	the response that may need to be replayed, and return the response.
	863	"""
[9c3e77f]	864	def get_localnames(t):
	865	names = [ ]
	866	for e in t.elements:
	867	if isinstance(e, topdl.Computer):
	868	n = e.get_attribute('testbed')
	869	if n is not None and n not in names:
	870	names.append(n)
	871	return names
[6e33086]	872	i = 0
	873	t = topo.clone()
	874	self.decorate_topology(starter, t)
[06cc65b]	875	# Grab the log (this is some anal locking, but better safe than
	876	# sorry)
	877	self.state_lock.acquire()
[9c3e77f]	878	# Put information about this testbed into the topdl
	879	tb = topdl.Testbed(self.uri, "deter",
	880	localname=get_localnames(t),
	881	attribute=[
	882	{
	883	'attribute': 'project',
	884	'value': self.allocation[aid]['project']
	885	},
	886	{
	887	'attribute': 'experiment',
	888	'value': self.allocation[aid]['experiment']
	889	}])
	890	t.elements.append(tb)
[06cc65b]	891	logv = "".join(self.allocation[aid]['log'])
	892	# It's possible that the StartSegment call gets retried (!).
	893	# if the 'started' key is in the allocation, we'll return it rather
	894	# than redo the setup.
	895	self.allocation[aid]['started'] = {
	896	'allocID': alloc_id,
	897	'allocationLog': logv,
	898	'segmentdescription': {
[b709861]	899	'topdldescription': t.to_dict()
[06cc65b]	900	},
[e83f2f2]	901	'proof': proof.to_dict(),
[06cc65b]	902	}
[b709861]	903	self.allocation[aid]['topo'] = t
[06cc65b]	904	retval = copy.copy(self.allocation[aid]['started'])
	905	self.write_state()
	906	self.state_lock.release()
	907	return retval
	908
	909	# End of StartSegment support routines
	910
	911	def StartSegment(self, req, fid):
[b770aa0]	912	err = None # Any service_error generated after tmpdir is created
	913	rv = None # Return value from segment creation
	914
[8cab4c2]	915	self.log.info("StartSegment called by %s" % fid)
[cc8d8e9]	916	try:
	917	req = req['StartSegmentRequestBody']
[06cc65b]	918	auth_attr = req['allocID']['fedid']
	919	topref = req['segmentdescription']['topdldescription']
[cc8d8e9]	920	except KeyError:
	921	raise service_error(server_error.req, "Badly formed request")
[ecca6eb]	922
[e02cd14]	923	connInfo = req.get('connection', [])
	924	services = req.get('service', [])
[ecca6eb]	925	aid = "%s" % auth_attr
[6c57fe9]	926	attrs = req.get('fedAttr', [])
[e83f2f2]	927
	928	access_ok, proof = self.auth.check_attribute(fid, auth_attr,
	929	with_proof=True)
	930	if not access_ok:
[8cab4c2]	931	self.log.info("StartSegment for %s failed: access denied" % fid)
[ecca6eb]	932	raise service_error(service_error.access, "Access denied")
[cd06678]	933	else:
	934	# See if this is a replay of an earlier succeeded StartSegment -
	935	# sometimes SSL kills 'em. If so, replay the response rather than
	936	# redoing the allocation.
	937	self.state_lock.acquire()
	938	retval = self.allocation[aid].get('started', None)
	939	self.state_lock.release()
	940	if retval:
	941	self.log.warning("Duplicate StartSegment for %s: " % aid + \
	942	"replaying response")
	943	return retval
	944
	945	# A new request. Do it.
[6c57fe9]	946
[06cc65b]	947	if topref: topo = topdl.Topology(**topref)
[6c57fe9]	948	else:
	949	raise service_error(service_error.req,
	950	"Request missing segmentdescription'")
[2761484]	951
[6c57fe9]	952	certfile = "%s/%s.pem" % (self.certdir, auth_attr)
	953	try:
	954	tmpdir = tempfile.mkdtemp(prefix="access-")
[ecca6eb]	955	softdir = "%s/software" % tmpdir
[c23684d]	956	os.mkdir(softdir)
[d3c8759]	957	except EnvironmentError:
[8cab4c2]	958	self.log.info("StartSegment for %s failed: internal error" % fid)
[6c57fe9]	959	raise service_error(service_error.internal, "Cannot create tmp dir")
	960
[b770aa0]	961	# Try block alllows us to clean up temporary files.
	962	try:
[06cc65b]	963	self.retrieve_software(topo, certfile, softdir)
[f77a256]	964	ename, proj, user, xmlrpc_cert, pubkey_base, secretkey_base, \
	965	alloc_log = self.initialize_experiment_info(attrs, aid,
	966	certfile, tmpdir)
[c0f409a]	967	# A misconfigured cert in the ABAC map can be confusing...
	968	if not os.access(xmlrpc_cert, os.R_OK):
	969	self.log.error("Cannot open user's emulab SSL cert: %s" % \
	970	xmlrpc_cert)
	971	raise service_error(service_error.internal,
	972	"Cannot open user's emulab SSL cert: %s" % xmlrpc_cert)
	973
[9b3627e]	974
[f3898f7]	975	if '/' in proj: proj, gid = proj.split('/')
	976	else: gid = None
	977
	978
[06cc65b]	979	# Set up userconf and seer if needed
[c200d36]	980	self.configure_userconf(services, tmpdir)
[49051fb]	981	self.configure_seer_services(services, topo, softdir)
[06cc65b]	982	# Get and send synch store variables
[26821ac]	983	exporter = self.exports_segment(keyfile=self.ssh_privkey_file,
	984	debug=self.create_debug, log=alloc_log, boss=self.boss,
	985	ops=self.ops, cert=xmlrpc_cert)
[8fbef04]	986	if not exporter(self, ename, proj, user, connInfo, tmpdir, gid):
	987	raise service_error(service_error.internal,
	988	'Failed to gather export variables')
[2761484]	989	self.export_store_info(certfile, proj, ename, connInfo)
	990	self.import_store_info(certfile, connInfo)
	991
[b770aa0]	992	expfile = "%s/experiment.tcl" % tmpdir
	993
	994	self.generate_portal_configs(topo, pubkey_base,
[06cc65b]	995	secretkey_base, tmpdir, proj, ename, connInfo, services)
[b770aa0]	996	self.generate_ns2(topo, expfile,
[8cf2b90e]	997	"/proj/%s/software/%s/" % (proj, ename), connInfo)
[f07fa49]	998
[b770aa0]	999	starter = self.start_segment(keyfile=self.ssh_privkey_file,
[181aeb4]	1000	debug=self.create_debug, log=alloc_log, boss=self.boss,
[f77a256]	1001	ops=self.ops, cert=xmlrpc_cert)
[f3898f7]	1002	rv = starter(self, ename, proj, user, expfile, tmpdir, gid=gid)
[b770aa0]	1003	except service_error, e:
[8cab4c2]	1004	self.log.info("StartSegment for %s failed: %s" % (fid, e))
[b770aa0]	1005	err = e
[06cc65b]	1006	except:
	1007	t, v, st = sys.exc_info()
[5f6ebd0]	1008	self.log.info("StartSegment for %s failed:unexpected error: %s" \
	1009	% (fid, traceback.extract_tb(st)))
[06cc65b]	1010	err = service_error(service_error.internal, "%s: %s" % \
	1011	(v, traceback.extract_tb(st)))
[b770aa0]	1012
[574055e]	1013	# Walk up tmpdir, deleting as we go
[06cc65b]	1014	if self.cleanup: self.remove_dirs(tmpdir)
	1015	else: self.log.debug("[StartSegment]: not removing %s" % tmpdir)
[574055e]	1016
[fd556d1]	1017	if rv:
[8cab4c2]	1018	self.log.info("StartSegment for %s succeeded" % fid)
[e83f2f2]	1019	return self.finalize_experiment(starter, topo, aid, req['allocID'],
	1020	proof)
[b770aa0]	1021	elif err:
	1022	raise service_error(service_error.federant,
	1023	"Swapin failed: %s" % err)
[fd556d1]	1024	else:
	1025	raise service_error(service_error.federant, "Swapin failed")
[5ae3857]	1026
	1027	def TerminateSegment(self, req, fid):
[8cab4c2]	1028	self.log.info("TerminateSegment called by %s" % fid)
[5ae3857]	1029	try:
	1030	req = req['TerminateSegmentRequestBody']
	1031	except KeyError:
	1032	raise service_error(server_error.req, "Badly formed request")
	1033
	1034	auth_attr = req['allocID']['fedid']
	1035	aid = "%s" % auth_attr
	1036	attrs = req.get('fedAttr', [])
[e83f2f2]	1037
	1038	access_ok, proof = self.auth.check_attribute(fid, auth_attr,
	1039	with_proof=True)
	1040	if not access_ok:
[5ae3857]	1041	raise service_error(service_error.access, "Access denied")
	1042
	1043	self.state_lock.acquire()
[06cc65b]	1044	if aid in self.allocation:
[5ae3857]	1045	proj = self.allocation[aid].get('project', None)
	1046	user = self.allocation[aid].get('user', None)
[f77a256]	1047	xmlrpc_cert = self.allocation[aid].get('cert', None)
[5ae3857]	1048	ename = self.allocation[aid].get('experiment', None)
[05c41f5]	1049	nonce = self.allocation[aid].get('nonce', False)
[1d913e13]	1050	else:
	1051	proj = None
	1052	user = None
	1053	ename = None
[05c41f5]	1054	nonce = False
[f77a256]	1055	xmlrpc_cert = None
[5ae3857]	1056	self.state_lock.release()
	1057
	1058	if not proj:
[8cab4c2]	1059	self.log.info("TerminateSegment failed for %s: cannot find project"\
	1060	% fid)
[5ae3857]	1061	raise service_error(service_error.internal,
	1062	"Can't find project for %s" % aid)
[f3898f7]	1063	else:
	1064	if '/' in proj: proj, gid = proj.split('/')
	1065	else: gid = None
[5ae3857]	1066
	1067	if not user:
[8cab4c2]	1068	self.log.info("TerminateSegment failed for %s: cannot find user"\
	1069	% fid)
[5ae3857]	1070	raise service_error(service_error.internal,
	1071	"Can't find creation user for %s" % aid)
	1072	if not ename:
[8cab4c2]	1073	self.log.info(
	1074	"TerminateSegment failed for %s: cannot find experiment"\
	1075	% fid)
[5ae3857]	1076	raise service_error(service_error.internal,
	1077	"Can't find experiment name for %s" % aid)
[b90c44d]	1078
[fd556d1]	1079	stopper = self.stop_segment(keyfile=self.ssh_privkey_file,
[c7141dc]	1080	debug=self.create_debug, boss=self.boss, ops=self.ops,
[f77a256]	1081	cert=xmlrpc_cert)
[05c41f5]	1082	stopper(self, user, proj, ename, gid, nonce)
[8cab4c2]	1083	self.log.info("TerminateSegment succeeded for %s %s %s" % \
	1084	(fid, proj, ename))
[b90c44d]	1085	self.state_lock.acquire()
	1086	# Remove the started flag/info - the segment is no longer started
	1087	if aid in self.allocation:
[e62fb86]	1088	if 'started' in self.allocation[aid]:
	1089	del self.allocation[aid]['started']
[b90c44d]	1090	self.write_state()
	1091	self.state_lock.release()
[e83f2f2]	1092	return { 'allocID': req['allocID'], 'proof': proof.to_dict() }
[45e880d]	1093
	1094	def InfoSegment(self, req, fid):
[8cab4c2]	1095	self.log.info("InfoSegment called by %s" % fid)
[45e880d]	1096	try:
	1097	req = req['InfoSegmentRequestBody']
	1098	except KeyError:
	1099	raise service_error(server_error.req, "Badly formed request")
	1100
	1101	auth_attr = req['allocID']['fedid']
	1102	aid = "%s" % auth_attr
	1103
	1104	access_ok, proof = self.auth.check_attribute(fid, auth_attr,
	1105	with_proof=True)
	1106	if not access_ok:
	1107	raise service_error(service_error.access, "Access denied")
	1108
	1109	self.state_lock.acquire()
	1110	if aid in self.allocation:
	1111	topo = self.allocation[aid].get('topo', None)
	1112	if topo: topo = topo.clone()
	1113	proj = self.allocation[aid].get('project', None)
	1114	user = self.allocation[aid].get('user', None)
[f77a256]	1115	xmlrpc_cert = self.allocation[aid].get('cert', None)
[45e880d]	1116	ename = self.allocation[aid].get('experiment', None)
	1117	else:
	1118	proj = None
	1119	user = None
	1120	ename = None
[b709861]	1121	topo = None
[f77a256]	1122	xmlrpc_cert = None
[45e880d]	1123	self.state_lock.release()
	1124
	1125	if not proj:
[8cab4c2]	1126	self.log.info("InfoSegment failed for %s: cannot find project"% fid)
[45e880d]	1127	raise service_error(service_error.internal,
	1128	"Can't find project for %s" % aid)
	1129	else:
	1130	if '/' in proj: proj, gid = proj.split('/')
	1131	else: gid = None
	1132
	1133	if not user:
[8cab4c2]	1134	self.log.info("InfoSegment failed for %s: cannot find user"% fid)
[45e880d]	1135	raise service_error(service_error.internal,
	1136	"Can't find creation user for %s" % aid)
	1137	if not ename:
[8cab4c2]	1138	self.log.info("InfoSegment failed for %s: cannot find exp"% fid)
[45e880d]	1139	raise service_error(service_error.internal,
	1140	"Can't find experiment name for %s" % aid)
	1141	info = self.info_segment(keyfile=self.ssh_privkey_file,
[c7141dc]	1142	debug=self.create_debug, boss=self.boss, ops=self.ops,
[f77a256]	1143	cert=xmlrpc_cert)
[6e33086]	1144	info(self, user, proj, ename)
[8cab4c2]	1145	self.log.info("InfoSegment gathered info for %s %s %s %s" % \
	1146	(fid, user, proj, ename))
[6e33086]	1147	self.decorate_topology(info, topo)
[1ae1aa2]	1148	self.state_lock.acquire()
	1149	if aid in self.allocation:
	1150	self.allocation[aid]['topo'] = topo
	1151	self.write_state()
	1152	self.state_lock.release()
[8cab4c2]	1153	self.log.info("InfoSegment updated info for %s %s %s %s" % \
	1154	(fid, user, proj, ename))
[1ae1aa2]	1155
[7f57435]	1156	rv = {
[45e880d]	1157	'allocID': req['allocID'],
	1158	'proof': proof.to_dict(),
	1159	}
[8cab4c2]	1160	self.log.info("InfoSegment succeeded info for %s %s %s %s" % \
	1161	(fid, user, proj, ename))
[7f57435]	1162	if topo:
	1163	rv['segmentdescription'] = { 'topdldescription' : topo.to_dict() }
	1164	return rv
[b709861]	1165
	1166	def OperationSegment(self, req, fid):
	1167	def get_pname(e):
	1168	"""
	1169	Get the physical name of a node
	1170	"""
	1171	if e.localname:
	1172	return re.sub('\..*','', e.localname[0])
	1173	else:
	1174	return None
	1175
[8cab4c2]	1176	self.log.info("OperationSegment called by %s" % fid)
[b709861]	1177	try:
	1178	req = req['OperationSegmentRequestBody']
	1179	except KeyError:
	1180	raise service_error(server_error.req, "Badly formed request")
	1181
	1182	auth_attr = req['allocID']['fedid']
	1183	aid = "%s" % auth_attr
	1184
	1185	access_ok, proof = self.auth.check_attribute(fid, auth_attr,
	1186	with_proof=True)
	1187	if not access_ok:
[8cab4c2]	1188	self.log.info("OperationSegment failed for %s: access denied" % fid)
[b709861]	1189	raise service_error(service_error.access, "Access denied")
	1190
	1191	op = req.get('operation', None)
	1192	targets = req.get('target', None)
	1193	params = req.get('parameter', None)
	1194
	1195	if op is None :
[8cab4c2]	1196	self.log.info("OperationSegment failed for %s: no operation" % fid)
[b709861]	1197	raise service_error(service_error.req, "missing operation")
	1198	elif targets is None:
[8cab4c2]	1199	self.log.info("OperationSegment failed for %s: no targets" % fid)
[b709861]	1200	raise service_error(service_error.req, "no targets")
	1201
[f77a256]	1202	self.state_lock.acquire()
[b709861]	1203	if aid in self.allocation:
	1204	topo = self.allocation[aid].get('topo', None)
	1205	if topo: topo = topo.clone()
[f77a256]	1206	xmlrpc_cert = self.allocation[aid].get('cert', None)
[b709861]	1207	else:
	1208	topo = None
[f77a256]	1209	xmlrpc_cert = None
	1210	self.state_lock.release()
[b709861]	1211
	1212	targets = copy.copy(targets)
	1213	ptargets = { }
	1214	for e in topo.elements:
	1215	if isinstance(e, topdl.Computer):
	1216	if e.name in targets:
	1217	targets.remove(e.name)
	1218	pn = get_pname(e)
	1219	if pn: ptargets[e.name] = pn
	1220
	1221	status = [ operation_status(t, operation_status.no_target) \
	1222	for t in targets]
	1223
	1224	ops = self.operation_segment(keyfile=self.ssh_privkey_file,
[c7141dc]	1225	debug=self.create_debug, boss=self.boss, ops=self.ops,
[f77a256]	1226	cert=xmlrpc_cert)
[1ae1aa2]	1227	ops(self, op, ptargets, params, topo)
[8cab4c2]	1228	self.log.info("OperationSegment operated for %s" % fid)
[b709861]	1229
	1230	status.extend(ops.status)
[8cab4c2]	1231	self.log.info("OperationSegment succeed for %s" % fid)
[b709861]	1232
	1233	return {
	1234	'allocID': req['allocID'],
	1235	'status': [s.to_dict() for s in status],
	1236	'proof': proof.to_dict(),
	1237	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: