Context Navigation

source: fedd/federation/emulab_access.py @ f00fb7d

axis_examplecompt_changesinfo-opsversion-3.01version-3.02

Last change on this file since f00fb7d was d2c2315, checked in by Ted Faber <faber@…>, 15 years ago
Specify local SEER node image correctly
Property mode set to `100644`
File size: 60.0 KB

Line
1	#!/usr/local/bin/python
2
3	import os,sys
4	import stat # for chmod constants
5	import re
6	import random
7	import string
8	import copy
9	import pickle
10	import logging
11	import subprocess
12
13	from threading import *
14	from M2Crypto.SSL import SSLError
15
16	from util import *
17	from allocate_project import allocate_project_local, allocate_project_remote
18	from access_project import access_project
19	from fedid import fedid, generate_fedid
20	from authorizer import authorizer
21	from service_error import service_error
22	from remote_service import xmlrpc_handler, soap_handler, service_caller
23
24	import httplib
25	import tempfile
26	from urlparse import urlparse
27
28	import topdl
29	import list_log
30	import proxy_emulab_segment
31	import local_emulab_segment
32
33
34	# Make log messages disappear if noone configures a fedd logger
35	class nullHandler(logging.Handler):
36	def emit(self, record): pass
37
38	fl = logging.getLogger("fedd.access")
39	fl.addHandler(nullHandler())
40
41	class access:
42	"""
43	The implementation of access control based on mapping users to projects.
44
45	Users can be mapped to existing projects or have projects created
46	dynamically. This implements both direct requests and proxies.
47	"""
48
49	class parse_error(RuntimeError): pass
50
51
52	proxy_RequestAccess= service_caller('RequestAccess')
53	proxy_ReleaseAccess= service_caller('ReleaseAccess')
54
55	def __init__(self, config=None, auth=None):
56	"""
57	Initializer. Pulls parameters out of the ConfigParser's access section.
58	"""
59
60	def software_list(v):
61	l = [ ]
62	if v:
63	ps = v.split(" ")
64	while len(ps):
65	loc, file = ps[0:2]
66	del ps[0:2]
67	l.append((loc, file))
68	return l
69
70
71	# Make sure that the configuration is in place
72	if not config:
73	raise RunTimeError("No config to fedd.access")
74
75	self.project_priority = config.getboolean("access", "project_priority")
76	self.allow_proxy = config.getboolean("access", "allow_proxy")
77
78	self.boss = config.get("access", "boss")
79	self.ops = config.get("access", "ops")
80	self.domain = config.get("access", "domain")
81	self.fileserver = config.get("access", "fileserver")
82	self.eventserver = config.get("access", "eventserver")
83	self.certdir = config.get("access","certdir")
84	self.userconfdir = config.get("access","userconfdir")
85	self.userconfcmd = config.get("access","userconfcmd")
86	self.userconfurl = config.get("access","userconfurl")
87	self.federation_software = config.get("access", "federation_software")
88	self.portal_software = config.get("access", "portal_software")
89	self.local_seer_software = config.get("access", "local_seer_software")
90	self.local_seer_image = config.get("access", "local_seer_image")
91	self.local_seer_start = config.get("access", "local_seer_start")
92	self.ssh_privkey_file = config.get("access","ssh_privkey_file")
93	self.ssh_pubkey_file = config.get("access","ssh_pubkey_file")
94	self.ssh_port = config.get("access","ssh_port") or "22"
95	self.create_debug = config.getboolean("access", "create_debug")
96	self.cleanup = not config.getboolean("access", "leave_tmpfiles")
97	self.access_type = config.get("access", "type")
98
99	self.federation_software = software_list(self.federation_software)
100	self.portal_software = software_list(self.portal_software)
101	self.local_seer_software = software_list(self.local_seer_software)
102
103	self.access_type = self.access_type.lower()
104	if self.access_type == 'remote_emulab':
105	self.start_segment = proxy_emulab_segment.start_segment
106	self.stop_segment = proxy_emulab_segment.stop_segment
107	elif self.access_type == 'local_emulab':
108	self.start_segment = local_emulab_segment.start_segment
109	self.stop_segment = local_emulab_segment.stop_segment
110	else:
111	self.start_segment = None
112	self.stop_segment = None
113
114	self.attrs = { }
115	self.access = { }
116	self.restricted = [ ]
117	self.projects = { }
118	self.keys = { }
119	self.types = { }
120	self.allocation = { }
121	self.state = {
122	'projects': self.projects,
123	'allocation' : self.allocation,
124	'keys' : self.keys,
125	'types': self.types
126	}
127	self.log = logging.getLogger("fedd.access")
128	set_log_level(config, "access", self.log)
129	self.state_lock = Lock()
130	# XXX: Configurable
131	self.exports = set(('SMB', 'seer', 'tmcd', 'userconfig',
132	'project_export', 'local_seer_control'))
133	self.imports = set(('SMB', 'seer', 'userconfig'))
134
135	if not self.local_seer_image or not self.local_seer_software or \
136	not self.local_seer_start:
137	self.exports.discard('local_seer_control')
138
139	if auth: self.auth = auth
140	else:
141	self.log.error(\
142	"[access]: No authorizer initialized, creating local one.")
143	auth = authorizer()
144
145	tb = config.get('access', 'testbed')
146	if tb: self.testbed = [ t.strip() for t in tb.split(',') ]
147	else: self.testbed = [ ]
148
149	if config.has_option("access", "accessdb"):
150	self.read_access(config.get("access", "accessdb"))
151
152	self.state_filename = config.get("access", "access_state")
153	self.read_state()
154
155	# Keep cert_file and cert_pwd coming from the same place
156	self.cert_file = config.get("access", "cert_file")
157	if self.cert_file:
158	self.sert_pwd = config.get("access", "cert_pw")
159	else:
160	self.cert_file = config.get("globals", "cert_file")
161	self.sert_pwd = config.get("globals", "cert_pw")
162
163	self.trusted_certs = config.get("access", "trusted_certs") or \
164	config.get("globals", "trusted_certs")
165
166	self.soap_services = {\
167	'RequestAccess': soap_handler("RequestAccess", self.RequestAccess),
168	'ReleaseAccess': soap_handler("ReleaseAccess", self.ReleaseAccess),
169	'StartSegment': soap_handler("StartSegment", self.StartSegment),
170	'TerminateSegment': soap_handler("TerminateSegment",
171	self.TerminateSegment),
172	}
173	self.xmlrpc_services = {\
174	'RequestAccess': xmlrpc_handler('RequestAccess',
175	self.RequestAccess),
176	'ReleaseAccess': xmlrpc_handler('ReleaseAccess',
177	self.ReleaseAccess),
178	'StartSegment': xmlrpc_handler("StartSegment", self.StartSegment),
179	'TerminateSegment': xmlrpc_handler('TerminateSegment',
180	self.TerminateSegment),
181	}
182
183	self.call_SetValue = service_caller('SetValue')
184	self.call_GetValue = service_caller('GetValue', log=self.log)
185
186	if not config.has_option("allocate", "uri"):
187	self.allocate_project = \
188	allocate_project_local(config, auth)
189	else:
190	self.allocate_project = \
191	allocate_project_remote(config, auth)
192
193
194	# If the project allocator exports services, put them in this object's
195	# maps so that classes that instantiate this can call the services.
196	self.soap_services.update(self.allocate_project.soap_services)
197	self.xmlrpc_services.update(self.allocate_project.xmlrpc_services)
198
199	@staticmethod
200	def add_kit(e, kit):
201	"""
202	Add a Software object created from the list of (install, location)
203	tuples passed as kit to the software attribute of an object e. We
204	do this enough to break out the code, but it's kind of a hack to
205	avoid changing the old tuple rep.
206	"""
207
208	s = [ topdl.Software(install=i, location=l) for i, l in kit]
209
210	if isinstance(e.software, list): e.software.extend(s)
211	else: e.software = s
212
213
214	def read_access(self, config):
215	"""
216	Read a configuration file and set internal parameters.
217
218	The format is more complex than one might hope. The basic format is
219	attribute value pairs separated by colons(:) on a signle line. The
220	attributes in bool_attrs, emulab_attrs and id_attrs can all be set
221	directly using the name: value syntax. E.g.
222	boss: hostname
223	sets self.boss to hostname. In addition, there are access lines of the
224	form (tb, proj, user) -> (aproj, auser) that map the first tuple of
225	names to the second for access purposes. Names in the key (left side)
226	can include "<NONE> or <ANY>" to act as wildcards or to require the
227	fields to be empty. Similarly aproj or auser can be <SAME> or
228	<DYNAMIC> indicating that either the matching key is to be used or a
229	dynamic user or project will be created. These names can also be
230	federated IDs (fedid's) if prefixed with fedid:. Finally, the aproj
231	can be followed with a colon-separated list of node types to which that
232	project has access (or will have access if dynamic).
233	Testbed attributes outside the forms above can be given using the
234	format attribute: name value: value. The name is a single word and the
235	value continues to the end of the line. Empty lines and lines startin
236	with a # are ignored.
237
238	Parsing errors result in a self.parse_error exception being raised.
239	"""
240	lineno=0
241	name_expr = "["+string.ascii_letters + string.digits + "\.\-_]+"
242	fedid_expr = "fedid:[" + string.hexdigits + "]+"
243	key_name = "(<ANY>\|<NONE>\|"+fedid_expr + "\|"+ name_expr + ")"
244	access_proj = "(<DYNAMIC>(?::" + name_expr +")*\|"+ \
245	"<SAME>" + "(?::" + name_expr + ")*\|" + \
246	fedid_expr + "(?::" + name_expr + ")*\|" + \
247	name_expr + "(?::" + name_expr + ")*)"
248	access_name = "(<DYNAMIC>\|<SAME>\|" + fedid_expr + "\|"+ name_expr + ")"
249
250	restricted_re = re.compile("restricted:\s(.)", re.IGNORECASE)
251	attr_re = re.compile('attribute:\s([\._\-a-z0-9]+)\s+value:\s(.*)',
252	re.IGNORECASE)
253	access_re = re.compile('\('+key_name+'\s,\s'+key_name+'\s,\s'+
254	key_name+'\s\)\s->\s\('+access_proj + '\s,\s*' +
255	access_name + '\s,\s' + access_name + '\s*\)', re.IGNORECASE)
256
257	def parse_name(n):
258	if n.startswith('fedid:'): return fedid(hexstr=n[len('fedid:'):])
259	else: return n
260
261	def auth_name(n):
262	if isinstance(n, basestring):
263	if n =='<any>' or n =='<none>': return None
264	else: return unicode(n)
265	else:
266	return n
267
268	f = open(config, "r");
269	for line in f:
270	lineno += 1
271	line = line.strip();
272	if len(line) == 0 or line.startswith('#'):
273	continue
274
275	# Extended (attribute: x value: y) attribute line
276	m = attr_re.match(line)
277	if m != None:
278	attr, val = m.group(1,2)
279	self.attrs[attr] = val
280	continue
281
282	# Restricted entry
283	m = restricted_re.match(line)
284	if m != None:
285	val = m.group(1)
286	self.restricted.append(val)
287	continue
288
289	# Access line (t, p, u) -> (ap, cu, su) line
290	m = access_re.match(line)
291	if m != None:
292	access_key = tuple([ parse_name(x) for x in m.group(1,2,3)])
293	auth_key = tuple([ auth_name(x) for x in access_key])
294	aps = m.group(4).split(":");
295	if aps[0] == 'fedid:':
296	del aps[0]
297	aps[0] = fedid(hexstr=aps[0])
298
299	cu = parse_name(m.group(5))
300	su = parse_name(m.group(6))
301
302	access_val = (access_project(aps[0], aps[1:]),
303	parse_name(m.group(5)), parse_name(m.group(6)))
304
305	self.access[access_key] = access_val
306	self.auth.set_attribute(auth_key, "access")
307	continue
308
309	# Nothing matched to here: unknown line - raise exception
310	f.close()
311	raise self.parse_error("Unknown statement at line %d of %s" % \
312	(lineno, config))
313	f.close()
314
315	def get_users(self, obj):
316	"""
317	Return a list of the IDs of the users in dict
318	"""
319	if obj.has_key('user'):
320	return [ unpack_id(u['userID']) \
321	for u in obj['user'] if u.has_key('userID') ]
322	else:
323	return None
324
325	def write_state(self):
326	if self.state_filename:
327	try:
328	f = open(self.state_filename, 'w')
329	pickle.dump(self.state, f)
330	except IOError, e:
331	self.log.error("Can't write file %s: %s" % \
332	(self.state_filename, e))
333	except pickle.PicklingError, e:
334	self.log.error("Pickling problem: %s" % e)
335	except TypeError, e:
336	self.log.error("Pickling problem (TypeError): %s" % e)
337
338
339	def read_state(self):
340	"""
341	Read a new copy of access state. Old state is overwritten.
342
343	State format is a simple pickling of the state dictionary.
344	"""
345	if self.state_filename:
346	try:
347	f = open(self.state_filename, "r")
348	self.state = pickle.load(f)
349
350	self.allocation = self.state['allocation']
351	self.projects = self.state['projects']
352	self.keys = self.state['keys']
353	self.types = self.state['types']
354
355	self.log.debug("[read_state]: Read state from %s" % \
356	self.state_filename)
357	except IOError, e:
358	self.log.warning(("[read_state]: No saved state: " +\
359	"Can't open %s: %s") % (self.state_filename, e))
360	except EOFError, e:
361	self.log.warning(("[read_state]: " +\
362	"Empty or damaged state file: %s:") % \
363	self.state_filename)
364	except pickle.UnpicklingError, e:
365	self.log.warning(("[read_state]: No saved state: " + \
366	"Unpickling failed: %s") % e)
367
368	# Add the ownership attributes to the authorizer. Note that the
369	# indices of the allocation dict are strings, but the attributes are
370	# fedids, so there is a conversion.
371	for k in self.allocation.keys():
372	for o in self.allocation[k].get('owners', []):
373	self.auth.set_attribute(o, fedid(hexstr=k))
374	if self.allocation[k].has_key('userconfig'):
375	sfid = self.allocation[k]['userconfig']
376	fid = fedid(hexstr=sfid)
377	self.auth.set_attribute(fid, "/%s" % sfid)
378
379
380	def permute_wildcards(self, a, p):
381	"""Return a copy of a with various fields wildcarded.
382
383	The bits of p control the wildcards. A set bit is a wildcard
384	replacement with the lowest bit being user then project then testbed.
385	"""
386	if p & 1: user = ["<any>"]
387	else: user = a[2]
388	if p & 2: proj = "<any>"
389	else: proj = a[1]
390	if p & 4: tb = "<any>"
391	else: tb = a[0]
392
393	return (tb, proj, user)
394
395	def find_access(self, search):
396	"""
397	Search the access DB for a match on this tuple. Return the matching
398	access tuple and the user that matched.
399
400	NB, if the initial tuple fails to match we start inserting wildcards in
401	an order determined by self.project_priority. Try the list of users in
402	order (when wildcarded, there's only one user in the list).
403	"""
404	if self.project_priority: perm = (0, 1, 2, 3, 4, 5, 6, 7)
405	else: perm = (0, 2, 1, 3, 4, 6, 5, 7)
406
407	for p in perm:
408	s = self.permute_wildcards(search, p)
409	# s[2] is None on an anonymous, unwildcarded request
410	if s[2] != None:
411	for u in s[2]:
412	if self.access.has_key((s[0], s[1], u)):
413	return (self.access[(s[0], s[1], u)], u)
414	else:
415	if self.access.has_key(s):
416	return (self.access[s], None)
417	return None, None
418
419	def lookup_access(self, req, fid):
420	"""
421	Determine the allowed access for this request. Return the access and
422	which fields are dynamic.
423
424	The fedid is needed to construct the request
425	"""
426	user_re = re.compile("user:\s(.*)")
427	project_re = re.compile("project:\s(.*)")
428
429	# Search keys
430	tb = None
431	project = None
432	user = None
433	# Return values
434	rp = access_project(None, ())
435	ru = None
436
437	user = [ user_re.findall(x)[0] for x in req.get('credential', []) \
438	if user_re.match(x)]
439	project = [ project_re.findall(x)[0] \
440	for x in req.get('credential', []) \
441	if project_re.match(x)]
442
443	if len(project) == 1: project = project[0]
444	elif len(project) == 0: project = None
445	else:
446	raise service_error(service_error.req,
447	"More than one project credential")
448
449
450	user_fedids = [ u for u in user if isinstance(u, fedid)]
451	# Determine how the caller is representing itself. If its fedid shows
452	# up as a project or a singleton user, let that stand. If neither the
453	# usernames nor the project name is a fedid, the caller is a testbed.
454	if project and isinstance(project, fedid):
455	if project == fid:
456	# The caller is the project (which is already in the tuple
457	# passed in to the authorizer)
458	owners = user_fedids
459	owners.append(project)
460	else:
461	raise service_error(service_error.req,
462	"Project asserting different fedid")
463	else:
464	if fid not in user_fedids:
465	tb = fid
466	owners = user_fedids
467	owners.append(fid)
468	else:
469	if len(fedids) > 1:
470	raise service_error(service_error.req,
471	"User asserting different fedid")
472	else:
473	# Which is a singleton
474	owners = user_fedids
475	# Confirm authorization
476
477	for u in user:
478	self.log.debug("[lookup_access] Checking access for %s" % \
479	((tb, project, u),))
480	if self.auth.check_attribute((tb, project, u), 'access'):
481	self.log.debug("[lookup_access] Access granted")
482	break
483	else:
484	self.log.debug("[lookup_access] Access Denied")
485	else:
486	raise service_error(service_error.access, "Access denied")
487
488	# This maps a valid user to the Emulab projects and users to use
489	found, user_match = self.find_access((tb, project, user))
490
491	if found == None:
492	raise service_error(service_error.access,
493	"Access denied - cannot map access")
494
495	# resolve <dynamic> and <same> in found
496	dyn_proj = False
497	dyn_create_user = False
498	dyn_service_user = False
499
500	if found[0].name == "<same>":
501	if project != None:
502	rp.name = project
503	else :
504	raise service_error(\
505	service_error.server_config,
506	"Project matched <same> when no project given")
507	elif found[0].name == "<dynamic>":
508	rp.name = None
509	dyn_proj = True
510	else:
511	rp.name = found[0].name
512	rp.node_types = found[0].node_types;
513
514	if found[1] == "<same>":
515	if user_match == "<any>":
516	if user != None: rcu = user[0]
517	else: raise service_error(\
518	service_error.server_config,
519	"Matched <same> on anonymous request")
520	else:
521	rcu = user_match
522	elif found[1] == "<dynamic>":
523	rcu = None
524	dyn_create_user = True
525	else:
526	rcu = found[1]
527
528	if found[2] == "<same>":
529	if user_match == "<any>":
530	if user != None: rsu = user[0]
531	else: raise service_error(\
532	service_error.server_config,
533	"Matched <same> on anonymous request")
534	else:
535	rsu = user_match
536	elif found[2] == "<dynamic>":
537	rsu = None
538	dyn_service_user = True
539	else:
540	rsu = found[2]
541
542	return (rp, rcu, rsu), (dyn_create_user, dyn_service_user, dyn_proj),\
543	owners
544
545	def get_handler(self, path, fid):
546	self.log.info("Get handler %s %s" % (path, fid))
547	if self.auth.check_attribute(fid, path) and self.userconfdir:
548	return ("%s/%s" % (self.userconfdir, path), "application/binary")
549	else:
550	return (None, None)
551
552	def export_userconf(self, project):
553	dev_null = None
554	confid, confcert = generate_fedid("test", dir=self.userconfdir,
555	log=self.log)
556	conffilename = "%s/%s" % (self.userconfdir, str(confid))
557	cf = None
558	try:
559	cf = open(conffilename, "w")
560	os.chmod(conffilename, stat.S_IRUSR \| stat.S_IWUSR)
561	except IOError, e:
562	raise service_error(service_error.internal,
563	"Cannot create user configuration data")
564
565	try:
566	dev_null = open("/dev/null", "a")
567	except IOError, e:
568	self.log.error("export_userconf: can't open /dev/null: %s" % e)
569
570	cmd = "%s %s" % (self.userconfcmd, project)
571	conf = subprocess.call(cmd.split(" "),
572	stdout=cf, stderr=dev_null, close_fds=True)
573
574	self.auth.set_attribute(confid, "/%s" % str(confid))
575
576	return confid, confcert
577
578	def export_SMB(self, id, state, project, user):
579	return {
580	'id': id,
581	'name': 'SMB',
582	'visibility': 'export',
583	'server': 'http://fs:139',
584	'fedAttr': [
585	{ 'attribute': 'SMBSHARE', 'value': 'USERS' },
586	{ 'attribute': 'SMBUSER', 'value': user },
587	{ 'attribute': 'SMBPROJ', 'value': project },
588	]
589	}
590
591	def export_seer(self, id, state, project, user):
592	return {
593	'id': id,
594	'name': 'seer',
595	'visibility': 'export',
596	'server': 'http://control:16606',
597	}
598
599	def export_local_seer(self, id, state, project, user):
600	return {
601	'id': id,
602	'name': 'local_seer_control',
603	'visibility': 'export',
604	'server': 'http://control:16606',
605	}
606
607	def export_tmcd(self, id, state, project, user):
608	return {
609	'id': id,
610	'name': 'seer',
611	'visibility': 'export',
612	'server': 'http://boss:7777',
613	}
614
615	def export_userconfig(self, id, state, project, user):
616	if self.userconfdir and self.userconfcmd \
617	and self.userconfurl:
618	cid, cert = self.export_userconf(project)
619	state['userconfig'] = unicode(cid)
620	return {
621	'id': id,
622	'name': 'userconfig',
623	'visibility': 'export',
624	'server': "%s/%s" % (self.userconfurl, str(cid)),
625	'fedAttr': [
626	{ 'attribute': 'cert', 'value': cert },
627	]
628	}
629	else:
630	return None
631
632	def export_services(self, sreq, project, user):
633	exp = [ ]
634	state = { }
635	# XXX: Filthy shortcut here using http: so urlparse will give the right
636	# answers.
637	for s in sreq:
638	sname = s.get('name', '')
639	svis = s.get('visibility', '')
640	if svis == 'export':
641	if sname in self.exports:
642	id = s.get('id', 'no_id')
643	if sname == 'SMB':
644	exp.append(self.export_SMB(id, state, project, user))
645	elif sname == 'seer':
646	exp.append(self.export_seer(id, state, project, user))
647	elif sname == 'tmcd':
648	exp.append(self.export_tmcd(id, state, project, user))
649	elif sname == 'userconfig':
650	exp.append(self.export_userconfig(id, state,
651	project, user))
652	elif sname == 'project_export':
653	exp.append(self.export_SMB(id, state, project, user))
654	exp.append(self.export_seer(id, state, project, user))
655	exp.append(self.export_userconfig(id, state,
656	project, user))
657	elif sname == 'local_seer_control':
658	exp.append(self.export_local_seer(id, state, project,
659	user))
660	return (exp, state)
661
662	def build_response(self, alloc_id, ap, services):
663	"""
664	Create the SOAP response.
665
666	Build the dictionary description of the response and use
667	fedd_utils.pack_soap to create the soap message. ap is the allocate
668	project message returned from a remote project allocation (even if that
669	allocation was done locally).
670	"""
671	# Because alloc_id is already a fedd_services_types.IDType_Holder,
672	# there's no need to repack it
673	msg = {
674	'allocID': alloc_id,
675	'fedAttr': [
676	{ 'attribute': 'domain', 'value': self.domain } ,
677	{ 'attribute': 'project', 'value':
678	ap['project'].get('name', {}).get('localname', "???") },
679	]
680	}
681	if len(self.attrs) > 0:
682	msg['fedAttr'].extend(
683	[ { 'attribute': x, 'value' : y } \
684	for x,y in self.attrs.iteritems()])
685
686	if services:
687	msg['service'] = services
688	return msg
689
690	def RequestAccess(self, req, fid):
691	"""
692	Handle the access request. Proxy if not for us.
693
694	Parse out the fields and make the allocations or rejections if for us,
695	otherwise, assuming we're willing to proxy, proxy the request out.
696	"""
697
698	def gateway_hardware(h):
699	if h == 'GWTYPE': return self.attrs.get('connectorType', 'GWTYPE')
700	else: return h
701
702	def get_export_project(svcs):
703	"""
704	if the service requests includes one to export a project, return
705	that project.
706	"""
707	rv = None
708	for s in svcs:
709	if s.get('name', '') == 'project_export' and \
710	s.get('visibility', '') == 'export':
711	if not rv:
712	for a in s.get('feddAttr', []):
713	if a.get('attribute', '') == 'project' \
714	and 'value' in a:
715	rv = a['value']
716	else:
717	raise service_error(service_error, access,
718	'Requesting multiple project exports is ' + \
719	'not supported');
720	return rv
721
722	# The dance to get into the request body
723	if req.has_key('RequestAccessRequestBody'):
724	req = req['RequestAccessRequestBody']
725	else:
726	raise service_error(service_error.req, "No request!?")
727
728	if req.has_key('destinationTestbed'):
729	dt = unpack_id(req['destinationTestbed'])
730
731	if dt == None or dt in self.testbed:
732	# Request for this fedd
733	found, dyn, owners = self.lookup_access(req, fid)
734	restricted = None
735	ap = None
736
737	# if this includes a project export request and the exported
738	# project is not the access project, access denied.
739	if 'service' in req:
740	ep = get_export_project(req['service'])
741	if ep and ep != found[0].name:
742	raise service_error(service_error.access,
743	"Cannot export %s" % ep)
744
745	# XXX
746	# Check for access to restricted nodes
747	if req.has_key('resources') and req['resources'].has_key('node'):
748	resources = req['resources']
749	restricted = [ gateway_hardware(t) for n in resources['node'] \
750	if n.has_key('hardware') \
751	for t in n['hardware'] \
752	if gateway_hardware(t) \
753	in self.restricted ]
754	inaccessible = [ t for t in restricted \
755	if t not in found[0].node_types]
756	if len(inaccessible) > 0:
757	raise service_error(service_error.access,
758	"Access denied (nodetypes %s)" % \
759	str(', ').join(inaccessible))
760	# XXX
761
762	# These were passed around before, but now are hidden from users
763	# and configurators alike, beyond a configuration file entry.
764	create_ssh = [ self.ssh_pubkey_file ]
765	service_ssh = [ self.ssh_pubkey_file ]
766
767	if len(create_ssh) > 0 and len(service_ssh) >0:
768	if dyn[1]:
769	# Compose the dynamic project request
770	# (only dynamic, dynamic currently allowed)
771	preq = { 'AllocateProjectRequestBody': \
772	{ 'project' : {\
773	'user': [ \
774	{ \
775	'access': [ { 'sshPubkey': s } \
776	for s in service_ssh ],
777	'role': "serviceAccess",\
778	}, \
779	{ \
780	'access': [ { 'sshPubkey': s } \
781	for s in create_ssh ],
782	'role': "experimentCreation",\
783	}, \
784	], \
785	}\
786	}\
787	}
788	if restricted != None and len(restricted) > 0:
789	preq['AllocateProjectRequestBody']['resources'] = \
790	{'node': [ { 'hardware' : [ h ] } \
791	for h in restricted ] }
792	ap = self.allocate_project.dynamic_project(preq)
793	else:
794	preq = {'StaticProjectRequestBody' : \
795	{ 'project': \
796	{ 'name' : { 'localname' : found[0].name },\
797	'user' : [ \
798	{\
799	'userID': { 'localname' : found[1] }, \
800	'access': [ { 'sshPubkey': s }
801	for s in create_ssh ],
802	'role': 'experimentCreation'\
803	},\
804	{\
805	'userID': { 'localname' : found[2] }, \
806	'access': [ { 'sshPubkey': s }
807	for s in service_ssh ],
808	'role': 'serviceAccess'\
809	},\
810	]}\
811	}\
812	}
813	if restricted != None and len(restricted) > 0:
814	preq['StaticProjectRequestBody']['resources'] = \
815	{'node': [ { 'hardware' : [ h ] } \
816	for h in restricted ] }
817	ap = self.allocate_project.static_project(preq)
818	else:
819	raise service_error(service_error.req,
820	"SSH access parameters required")
821	# keep track of what's been added
822	allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
823	aid = unicode(allocID)
824
825	self.state_lock.acquire()
826	self.allocation[aid] = { }
827	try:
828	pname = ap['project']['name']['localname']
829	except KeyError:
830	pname = None
831
832	if dyn[1]:
833	if not pname:
834	self.state_lock.release()
835	raise service_error(service_error.internal,
836	"Misformed allocation response?")
837	if self.projects.has_key(pname): self.projects[pname] += 1
838	else: self.projects[pname] = 1
839	self.allocation[aid]['project'] = pname
840	else:
841	# sproject is a static project associated with this allocation.
842	self.allocation[aid]['sproject'] = pname
843
844	if ap.has_key('resources'):
845	if not pname:
846	self.state_lock.release()
847	raise service_error(service_error.internal,
848	"Misformed allocation response?")
849	self.allocation[aid]['types'] = set()
850	nodes = ap['resources'].get('node', [])
851	for n in nodes:
852	for h in n.get('hardware', []):
853	if self.types.has_key((pname, h)):
854	self.types[(pname, h)] += 1
855	else:
856	self.types[(pname, h)] = 1
857	self.allocation[aid]['types'].add((pname,h))
858
859
860	self.allocation[aid]['keys'] = [ ]
861
862	try:
863	for u in ap['project']['user']:
864	uname = u['userID']['localname']
865	if u['role'] == 'experimentCreation':
866	self.allocation[aid]['user'] = uname
867	for k in [ k['sshPubkey'] for k in u['access'] \
868	if k.has_key('sshPubkey') ]:
869	kv = "%s:%s" % (uname, k)
870	if self.keys.has_key(kv): self.keys[kv] += 1
871	else: self.keys[kv] = 1
872	self.allocation[aid]['keys'].append((uname, k))
873	except KeyError:
874	self.state_lock.release()
875	raise service_error(service_error.internal,
876	"Misformed allocation response?")
877
878	self.allocation[aid]['owners'] = owners
879	services, svc_state = self.export_services(req.get('service',[]),
880	pname, uname)
881	# Store services state in global state
882	for k, v in svc_state.items():
883	self.allocation[aid][k] = v
884	self.write_state()
885	self.state_lock.release()
886	for o in owners:
887	self.auth.set_attribute(o, allocID)
888	try:
889	f = open("%s/%s.pem" % (self.certdir, aid), "w")
890	print >>f, alloc_cert
891	f.close()
892	except IOError, e:
893	raise service_error(service_error.internal,
894	"Can't open %s/%s : %s" % (self.certdir, aid, e))
895	resp = self.build_response({ 'fedid': allocID } , ap, services)
896	return resp
897	else:
898	if self.allow_proxy:
899	resp = self.proxy_RequestAccess.call_service(dt, req,
900	self.cert_file, self.cert_pwd,
901	self.trusted_certs)
902	if resp.has_key('RequestAccessResponseBody'):
903	return resp['RequestAccessResponseBody']
904	else:
905	return None
906	else:
907	raise service_error(service_error.access,
908	"Access proxying denied")
909
910	def ReleaseAccess(self, req, fid):
911	# The dance to get into the request body
912	if req.has_key('ReleaseAccessRequestBody'):
913	req = req['ReleaseAccessRequestBody']
914	else:
915	raise service_error(service_error.req, "No request!?")
916
917	if req.has_key('destinationTestbed'):
918	dt = unpack_id(req['destinationTestbed'])
919	else:
920	dt = None
921
922	if dt == None or dt in self.testbed:
923	# Local request
924	try:
925	if req['allocID'].has_key('localname'):
926	auth_attr = aid = req['allocID']['localname']
927	elif req['allocID'].has_key('fedid'):
928	aid = unicode(req['allocID']['fedid'])
929	auth_attr = req['allocID']['fedid']
930	else:
931	raise service_error(service_error.req,
932	"Only localnames and fedids are understood")
933	except KeyError:
934	raise service_error(service_error.req, "Badly formed request")
935
936	self.log.debug("[access] deallocation requested for %s", aid)
937	if not self.auth.check_attribute(fid, auth_attr):
938	self.log.debug("[access] deallocation denied for %s", aid)
939	raise service_error(service_error.access, "Access Denied")
940
941	# If we know this allocation, reduce the reference counts and
942	# remove the local allocations. Otherwise report an error. If
943	# there is an allocation to delete, del_users will be a dictonary
944	# of sets where the key is the user that owns the keys in the set.
945	# We use a set to avoid duplicates. del_project is just the name
946	# of any dynamic project to delete. We're somewhat lazy about
947	# deleting authorization attributes. Having access to something
948	# that doesn't exist isn't harmful.
949	del_users = { }
950	del_project = None
951	del_types = set()
952
953	if self.allocation.has_key(aid):
954	self.log.debug("Found allocation for %s" %aid)
955	self.state_lock.acquire()
956	for k in self.allocation[aid]['keys']:
957	kk = "%s:%s" % k
958	self.keys[kk] -= 1
959	if self.keys[kk] == 0:
960	if not del_users.has_key(k[0]):
961	del_users[k[0]] = set()
962	del_users[k[0]].add(k[1])
963	del self.keys[kk]
964
965	if self.allocation[aid].has_key('project'):
966	pname = self.allocation[aid]['project']
967	self.projects[pname] -= 1
968	if self.projects[pname] == 0:
969	del_project = pname
970	del self.projects[pname]
971
972	if self.allocation[aid].has_key('types'):
973	for t in self.allocation[aid]['types']:
974	self.types[t] -= 1
975	if self.types[t] == 0:
976	if not del_project: del_project = t[0]
977	del_types.add(t[1])
978	del self.types[t]
979
980	del self.allocation[aid]
981	self.write_state()
982	self.state_lock.release()
983	# If we actually have resources to deallocate, prepare the call.
984	if del_project or del_users:
985	msg = { 'project': { }}
986	if del_project:
987	msg['project']['name']= {'localname': del_project}
988	users = [ ]
989	for u in del_users.keys():
990	users.append({ 'userID': { 'localname': u },\
991	'access' : \
992	[ {'sshPubkey' : s } for s in del_users[u]]\
993	})
994	if users:
995	msg['project']['user'] = users
996	if len(del_types) > 0:
997	msg['resources'] = { 'node': \
998	[ {'hardware': [ h ] } for h in del_types ]\
999	}
1000	if self.allocate_project.release_project:
1001	msg = { 'ReleaseProjectRequestBody' : msg}
1002	self.allocate_project.release_project(msg)
1003	# And remove the access cert
1004	cf = "%s/%s.pem" % (self.certdir, aid)
1005	self.log.debug("Removing %s" % cf)
1006	os.remove(cf)
1007	return { 'allocID': req['allocID'] }
1008	else:
1009	raise service_error(service_error.req, "No such allocation")
1010
1011	else:
1012	if self.allow_proxy:
1013	resp = self.proxy_ReleaseAccess.call_service(dt, req,
1014	self.cert_file, self.cert_pwd,
1015	self.trusted_certs)
1016	if resp.has_key('ReleaseAccessResponseBody'):
1017	return resp['ReleaseAccessResponseBody']
1018	else:
1019	return None
1020	else:
1021	raise service_error(service_error.access,
1022	"Access proxying denied")
1023
1024	def generate_portal_configs(self, topo, pubkey_base, secretkey_base,
1025	tmpdir, master, lproj, leid, connInfo, services):
1026
1027	def conninfo_to_dict(key, info):
1028	"""
1029	Make a cpoy of the connection information about key, and flatten it
1030	into a single dict by parsing out any feddAttrs.
1031	"""
1032
1033	rv = None
1034	for i in info:
1035	if key == i.get('portal', "") or \
1036	key in [e.get('element', "") \
1037	for e in i.get('member', [])]:
1038	rv = i.copy()
1039	break
1040
1041	else:
1042	return rv
1043
1044	if 'fedAttr' in rv:
1045	for a in rv['fedAttr']:
1046	attr = a.get('attribute', "")
1047	val = a.get('value', "")
1048	if attr and attr not in rv:
1049	rv[attr] = val
1050	del rv['fedAttr']
1051	return rv
1052
1053	# XXX: un hardcode this
1054	def client_null(f, s):
1055	print >>f, "Service: %s" % s['name']
1056
1057	def client_smb(f, s):
1058	print >>f, "Service: %s" % s['name']
1059	smbshare = None
1060	smbuser = None
1061	smbproj = None
1062	for a in s.get('fedAttr', []):
1063	if a.get('attribute', '') == 'SMBSHARE':
1064	smbshare = a.get('value', None)
1065	elif a.get('attribute', '') == 'SMBUSER':
1066	smbuser = a.get('value', None)
1067	elif a.get('attribute', '') == 'SMBPROJ':
1068	smbproj = a.get('value', None)
1069
1070	if all((smbshare, smbuser, smbproj)):
1071	print >>f, "SMBshare: %s" % smbshare
1072	print >>f, "ProjectUser: %s" % smbuser
1073	print >>f, "ProjectName: %s" % smbproj
1074
1075	client_service_out = {
1076	'SMB': client_smb,
1077	'tmcd': client_null,
1078	'seer': client_null,
1079	'userconfig': client_null,
1080	'project_export': client_null,
1081	}
1082
1083	def server_port(f, s):
1084	p = urlparse(s.get('server', 'http://localhost'))
1085	print >>f, 'port: remote:%s:%s:%s' % (p.port, p.hostname, p.port)
1086
1087	def server_null(f,s): pass
1088
1089	def server_seer(f, s):
1090	print >>f, 'seer: True'
1091
1092	server_service_out = {
1093	'SMB': server_port,
1094	'tmcd': server_port,
1095	'userconfig': server_null,
1096	'project_export': server_null,
1097	'seer': server_seer,
1098	}
1099	# XXX: end un hardcode this
1100
1101
1102	seer_out = False
1103	client_out = False
1104	mproj = None
1105	mexp = None
1106	control_gw = None
1107	testbed = ""
1108	# Create configuration files for the portals
1109	for e in [ e for e in topo.elements \
1110	if isinstance(e, topdl.Computer) and e.get_attribute('portal')]:
1111	myname = e.name[0]
1112	type = e.get_attribute('portal_type')
1113
1114	info = conninfo_to_dict(myname, connInfo)
1115
1116	if not info:
1117	raise service_error(service_error.req,
1118	"No connectivity info for %s" % myname)
1119
1120	peer = info.get('peer', "")
1121	ldomain = self.domain;
1122	ssh_port = info.get('ssh_port', 22)
1123
1124	# Collect this for the client.conf file
1125	if 'masterexperiment' in info:
1126	mproj, meid = info['masterexperiment'].split("/", 1)
1127
1128	if type in ('control', 'both'):
1129	testbed = e.get_attribute('testbed')
1130	control_gw = myname
1131
1132	active = info.get('active', 'False')
1133
1134	cfn = "%s/%s.gw.conf" % (tmpdir, myname.lower())
1135	tunnelconfig = self.attrs.has_key('TunnelCfg')
1136	try:
1137	f = open(cfn, "w")
1138	if active == 'True':
1139	print >>f, "active: True"
1140	print >>f, "ssh_port: %s" % ssh_port
1141	if type in ('control', 'both'):
1142	for s in [s for s in services \
1143	if s.get('name', "") in self.imports]:
1144	server_service_out[s['name']](f, s)
1145
1146	if tunnelconfig:
1147	print >>f, "tunnelip: %s" % tunnelconfig
1148	print >>f, "peer: %s" % peer.lower()
1149	print >>f, "ssh_pubkey: /proj/%s/exp/%s/tmp/%s" % \
1150	(lproj, leid, pubkey_base)
1151	print >>f, "ssh_privkey: /proj/%s/exp/%s/tmp/%s" % \
1152	(lproj, leid, secretkey_base)
1153	f.close()
1154	except IOError, e:
1155	raise service_error(service_error.internal,
1156	"Can't write protal config %s: %s" % (cfn, e))
1157
1158	# Done with portals, write the client config file.
1159	try:
1160	f = open("%s/client.conf" % tmpdir, "w")
1161	if control_gw:
1162	print >>f, "ControlGateway: %s.%s.%s%s" % \
1163	(myname.lower(), leid.lower(), lproj.lower(),
1164	ldomain.lower())
1165	for s in services:
1166	if s.get('name',"") in self.imports and \
1167	s.get('visibility','') == 'import':
1168	client_service_out[s['name']](f, s)
1169	# Seer uses this.
1170	if mproj and meid:
1171	print >>f, "ExperimentID: %s/%s" % (mproj, meid)
1172	# Better way...
1173	if testbed == master:
1174	print >>f, "SEERBase: True"
1175	f.close()
1176	except IOError, e:
1177	raise service_error(service_error.internal,
1178	"Cannot write client.conf: %s" %s)
1179
1180	def generate_ns2(self, topo, expfn, softdir, master, connInfo):
1181	class dragon_commands:
1182	"""
1183	Functor to spit out approrpiate dragon commands for nodes listed in
1184	the connectivity description. The constructor makes a dict mapping
1185	dragon nodes to their parameters and the __call__ checks each
1186	element in turn for membership.
1187	"""
1188	def __init__(self, map):
1189	self.node_info = map
1190
1191	def __call__(self, e):
1192	s = ""
1193	if isinstance(e, topdl.Computer):
1194	if self.node_info.has_key(e.name[0]):
1195	i = self.node_info[e.name[0]]
1196	for ifname, vlan, type in i:
1197	for i in e.interface:
1198	if i.name == ifname:
1199	addr = i.get_attribute('ip4_address')
1200	subs = i.substrate[0]
1201	break
1202	else:
1203	raise service_error(service_error.internal,
1204	"No interface %s on element %s" % \
1205	(ifname, e.name[0]))
1206	# XXX: do netmask right
1207	if type =='link':
1208	s = ("tb-allow-external $%s dragonportal " + \
1209	"ip %s vlan %s netmask 255.255.255.0\n") % \
1210	(e.name[0], addr, vlan)
1211	elif type =='lan':
1212	s = ("tb-allow-external $%s dragonportal " + \
1213	"ip %s vlan %s usurp %s\n") % \
1214	(e.name[0], addr, vlan, subs)
1215	else:
1216	raise service_error(service_error_internal,
1217	"Unknown DRAGON type %s" % type)
1218	return s
1219
1220	class not_dragon:
1221	def __init__(self, map):
1222	self.nodes = set(map.keys())
1223
1224	def __call__(self, e):
1225	return e.name[0] not in self.nodes
1226
1227
1228	t = topo.clone()
1229
1230	dragon_map = { }
1231	for i in [ i for i in connInfo if i['type'] == 'transit']:
1232	for a in i.get('fedAttr', []):
1233	if a['attribute'] == 'vlan_id':
1234	vlan = a['value']
1235	break
1236	else:
1237	raise service_error(service_error.internal,
1238	"No vlan tag")
1239	members = i.get('member', [])
1240	if len(members) > 1: type = 'lan'
1241	else: type = 'link'
1242
1243	try:
1244	for m in members:
1245	if dragon_map.has_key(m['element']):
1246	dragon_map[m['element']].append(( m['interface'],
1247	vlan, type))
1248	else:
1249	dragon_map[m['element']] = [( m['interface'],
1250	vlan, type),]
1251	except KeyError:
1252	raise service_error(service_error.req,
1253	"Missing connectivity info")
1254
1255	# The startcmds for master and slave testbeds
1256	if master:
1257	gate_cmd = self.attrs.get('MasterConnectorStartCmd', '/bin/true')
1258	node_cmd = self.attrs.get('MasterNodeStartCmd', 'bin/true')
1259	else:
1260	gate_cmd = self.attrs.get('SlaveConnectorStartCmd', '/bin/true')
1261	node_cmd = self.attrs.get('SlaveNodeStartCmd', 'bin/true')
1262
1263	# Weed out the things we aren't going to instantiate: Segments, portal
1264	# substrates, and portal interfaces. (The copy in the for loop allows
1265	# us to delete from e.elements in side the for loop). While we're
1266	# touching all the elements, we also adjust paths from the original
1267	# testbed to local testbed paths and put the federation commands into
1268	# the start commands
1269	for e in [e for e in t.elements]:
1270	if isinstance(e, topdl.Segment):
1271	t.elements.remove(e)
1272	if isinstance(e, topdl.Computer):
1273	self.add_kit(e, self.federation_software)
1274	if e.get_attribute('portal') and gate_cmd:
1275	# Add local portal support software
1276	self.add_kit(e, self.portal_software)
1277	# Portals never have a user-specified start command
1278	e.set_attribute('startup', gate_cmd)
1279	elif node_cmd:
1280	if e.get_attribute('startup'):
1281	e.set_attribute('startup', "%s \\$USER '%s'" % \
1282	(node_cmd, e.get_attribute('startup')))
1283	else:
1284	e.set_attribute('startup', node_cmd)
1285
1286	dinf = [i[0] for i in dragon_map.get(e.name[0], []) ]
1287	# Remove portal interfaces that do not connect to DRAGON
1288	e.interface = [i for i in e.interface \
1289	if not i.get_attribute('portal') or i.name in dinf ]
1290	# Fix software paths
1291	for s in getattr(e, 'software', []):
1292	s.location = re.sub("^.*/", softdir, s.location)
1293
1294	t.substrates = [ s.clone() for s in t.substrates ]
1295	t.incorporate_elements()
1296
1297	# Customize the ns2 output for local portal commands and images
1298	filters = []
1299
1300	# NB: these are extra commands issued for the node, not the startcmds
1301	if master: cmd = self.attrs.get('MasterConnectorCmd', '')
1302	else: cmd = self.attrs.get('SlaveConnectorCmd', '')
1303
1304	if self.attrs.has_key('dragon'):
1305	add_filter = not_dragon(dragon_map)
1306	filters.append(dragon_commands(dragon_map))
1307	else:
1308	add_filter = None
1309
1310	if cmd:
1311	filters.append(topdl.generate_portal_command_filter(cmd,
1312	add_filter=add_filter))
1313
1314	if self.attrs.has_key('connectorImage'):
1315	filters.append(topdl.generate_portal_image_filter(
1316	self.attrs.get('connectorImage')))
1317
1318	if self.attrs.has_key('connectorType'):
1319	filters.append(topdl.generate_portal_hardware_filter(
1320	self.attrs.get('connectorType')))
1321
1322	# Convert to ns and write it out
1323	expfile = topdl.topology_to_ns2(t, filters)
1324	try:
1325	f = open(expfn, "w")
1326	print >>f, expfile
1327	f.close()
1328	except IOError:
1329	raise service_error(service_error.internal,
1330	"Cannot write experiment file %s: %s" % (expfn,e))
1331
1332	def export_store_info(self, cf, proj, ename, connInfo):
1333	"""
1334	For the export requests in the connection info, install the peer names
1335	at the experiment controller via SetValue calls.
1336	"""
1337
1338	for c in connInfo:
1339	for p in [ p for p in c.get('parameter', []) \
1340	if p.get('type', '') == 'output']:
1341
1342	if p.get('name', '') == 'peer':
1343	k = p.get('key', None)
1344	surl = p.get('store', None)
1345	if surl and k and k.index('/') != -1:
1346	value = "%s.%s.%s%s" % \
1347	(k[k.index('/')+1:], ename, proj, self.domain)
1348	req = { 'name': k, 'value': value }
1349	self.log.debug("Setting %s to %s on %s" % \
1350	(k, value, surl))
1351	self.call_SetValue(surl, req, cf)
1352	else:
1353	self.log.error("Bad export request: %s" % p)
1354	elif p.get('name', '') == 'ssh_port':
1355	k = p.get('key', None)
1356	surl = p.get('store', None)
1357	if surl and k:
1358	req = { 'name': k, 'value': self.ssh_port }
1359	self.log.debug("Setting %s to %s on %s" % \
1360	(k, self.ssh_port, surl))
1361	self.call_SetValue(surl, req, cf)
1362	else:
1363	self.log.error("Bad export request: %s" % p)
1364	else:
1365	self.log.error("Unknown export parameter: %s" % \
1366	p.get('name'))
1367	continue
1368
1369	def import_store_info(self, cf, connInfo):
1370	"""
1371	Pull any import parameters in connInfo in. We translate them either
1372	into known member names or fedAddrs.
1373	"""
1374
1375	for c in connInfo:
1376	for p in [ p for p in c.get('parameter', []) \
1377	if p.get('type', '') == 'input']:
1378	name = p.get('name', None)
1379	key = p.get('key', None)
1380	store = p.get('store', None)
1381
1382	if name and key and store :
1383	req = { 'name': key, 'wait': True }
1384	self.log.debug("Waiting for %s (%s) from %s" % \
1385	(name, key, store))
1386	r = self.call_GetValue(store, req, cf)
1387	r = r.get('GetValueResponseBody', None)
1388	if r :
1389	if r.get('name', '') == key:
1390	v = r.get('value', None)
1391	if v is not None:
1392	if name == 'peer':
1393	self.log.debug("Got peer %s" % v)
1394	c['peer'] = v
1395	else:
1396	self.log.debug("Got %s %s" % (name, v))
1397	if c.has_key('fedAttr'):
1398	c['fedAttr'].append({
1399	'attribute': name, 'value': v})
1400	else:
1401	c['fedAttr']= [{
1402	'attribute': name, 'value': v}]
1403	else:
1404	raise service_error(service_error.internal,
1405	'None value exported for %s' % key)
1406	else:
1407	raise service_error(service_error.internal,
1408	'Different name returned for %s: %s' \
1409	% (key, r.get('name','')))
1410	else:
1411	raise service_error(service_error.internal,
1412	'Badly formatted response: no GetValueResponseBody')
1413	else:
1414	raise service_error(service_error.internal,
1415	'Bad Services missing info for import %s' % c)
1416
1417	def StartSegment(self, req, fid):
1418
1419	configs = set(('hosts', 'ssh_pubkey', 'ssh_secretkey'))
1420
1421	err = None # Any service_error generated after tmpdir is created
1422	rv = None # Return value from segment creation
1423
1424	try:
1425	req = req['StartSegmentRequestBody']
1426	except KeyError:
1427	raise service_error(server_error.req, "Badly formed request")
1428
1429	connInfo = req.get('connection', [])
1430	services = req.get('service', [])
1431	auth_attr = req['allocID']['fedid']
1432	aid = "%s" % auth_attr
1433	attrs = req.get('fedAttr', [])
1434	if not self.auth.check_attribute(fid, auth_attr):
1435	raise service_error(service_error.access, "Access denied")
1436	else:
1437	# See if this is a replay of an earlier succeeded StartSegment -
1438	# sometimes SSL kills 'em. If so, replay the response rather than
1439	# redoing the allocation.
1440	self.state_lock.acquire()
1441	retval = self.allocation[aid].get('started', None)
1442	self.state_lock.release()
1443	if retval:
1444	self.log.warning("Duplicate StartSegment for %s: " % aid + \
1445	"replaying response")
1446	return retval
1447
1448	# A new request. Do it.
1449
1450	if req.has_key('segmentdescription') and \
1451	req['segmentdescription'].has_key('topdldescription'):
1452	topo = \
1453	topdl.Topology(**req['segmentdescription']['topdldescription'])
1454	else:
1455	raise service_error(service_error.req,
1456	"Request missing segmentdescription'")
1457
1458	master = req.get('master', False)
1459
1460	certfile = "%s/%s.pem" % (self.certdir, auth_attr)
1461	try:
1462	tmpdir = tempfile.mkdtemp(prefix="access-")
1463	softdir = "%s/software" % tmpdir
1464	os.mkdir(softdir)
1465	except IOError:
1466	raise service_error(service_error.internal, "Cannot create tmp dir")
1467
1468	# Try block alllows us to clean up temporary files.
1469	try:
1470	sw = set()
1471	for e in topo.elements:
1472	for s in getattr(e, 'software', []):
1473	sw.add(s.location)
1474	for s in sw:
1475	self.log.debug("Retrieving %s" % s)
1476	try:
1477	get_url(s, certfile, softdir)
1478	except:
1479	t, v, st = sys.exc_info()
1480	raise service_error(service_error.internal,
1481	"Error retrieving %s: %s" % (s, v))
1482
1483	# Copy local federation and portal node software to the tempdir
1484	for s in (self.federation_software, self.portal_software):
1485	for l, f in s:
1486	base = os.path.basename(f)
1487	copy_file(f, "%s/%s" % (softdir, base))
1488
1489	ename = None
1490	pubkey_base = None
1491	secretkey_base = None
1492	for a in attrs:
1493	if a['attribute'] in configs:
1494	try:
1495	self.log.debug("Retrieving %s from %s" % \
1496	(a['attribute'], a['value']))
1497	get_url(a['value'], certfile, tmpdir)
1498	except:
1499	t, v, st = sys.exc_info()
1500	raise service_error(service_error.internal,
1501	"Error retrieving %s: %s" % (s, v))
1502	if a['attribute'] == 'ssh_pubkey':
1503	pubkey_base = a['value'].rpartition('/')[2]
1504	if a['attribute'] == 'ssh_secretkey':
1505	secretkey_base = a['value'].rpartition('/')[2]
1506	if a['attribute'] == 'experiment_name':
1507	ename = a['value']
1508
1509	if not ename:
1510	ename = ""
1511	for i in range(0,5):
1512	ename += random.choice(string.ascii_letters)
1513	self.log.warn("No experiment name: picked one randomly: %s" \
1514	% ename)
1515
1516	if not pubkey_base:
1517	raise service_error(service_error.req,
1518	"No public key attribute")
1519
1520	if not secretkey_base:
1521	raise service_error(service_error.req,
1522	"No secret key attribute")
1523
1524	# If the userconf service was imported, collect the configuration
1525	# data.
1526	for s in services:
1527	s_name = s.get('name', '')
1528	s_vis = s.get('visibility','')
1529	if s_name == 'userconfig' and s_vis == 'import':
1530	# Collect ther server and certificate info.
1531	u = s.get('server', None)
1532	for a in s.get('fedAttr', []):
1533	if a.get('attribute',"") == 'cert':
1534	cert = a.get('value', None)
1535	break
1536	else:
1537	cert = None
1538
1539	if cert:
1540	# Make a temporary certificate file for get_url. The
1541	# finally clause removes it whether something goes
1542	# wrong (including an exception from get_url) or not.
1543	try:
1544	tfos, tn = tempfile.mkstemp(suffix=".pem")
1545	tf = os.fdopen(tfos, 'w')
1546	print >>tf, cert
1547	tf.close()
1548	self.log.debug("Getting userconf info: %s" % u)
1549	get_url(u, tn, tmpdir, "userconf")
1550	self.log.debug("Got userconf info: %s" % u)
1551	except IOError, e:
1552	raise service_error(service.error.internal,
1553	"Cannot create temp file for " +
1554	"userconfig certificates: %s e")
1555	except:
1556	t, v, st = sys.exc_info()
1557	raise service_error(service_error.internal,
1558	"Error retrieving %s: %s" % (s, v))
1559	finally:
1560	if tn: os.remove(tn)
1561	else:
1562	raise service_error(service_error.req,
1563	"No certificate for retreiving userconfig")
1564	break
1565	if s_name == 'local_seer_control' and s_vis == 'export':
1566	# Copy local seer control node software to the tempdir
1567	for l, f in self.local_seer_software:
1568	base = os.path.basename(f)
1569	copy_file(f, "%s/%s" % (softdir, base))
1570
1571	# Add a control node to the local topology
1572	c_node = topdl.Computer(
1573	name='control',
1574	os= topdl.OperatingSystem(
1575	attribute=[
1576	{ 'attribute': 'osid',
1577	'value': self.local_seer_image },
1578	]),
1579	attribute=[
1580	{ 'attribute': 'startup',
1581	'value': self.local_seer_start },
1582	]
1583	)
1584	self.add_kit(c_node, self.local_seer_software)
1585	topo.elements.append(c_node)
1586
1587	proj = None
1588	user = None
1589	self.state_lock.acquire()
1590	if self.allocation.has_key(aid):
1591	proj = self.allocation[aid].get('project', None)
1592	if not proj:
1593	proj = self.allocation[aid].get('sproject', None)
1594	user = self.allocation[aid].get('user', None)
1595	self.allocation[aid]['experiment'] = ename
1596	self.allocation[aid]['log'] = [ ]
1597	# Create a logger that logs to the experiment's state object as
1598	# well as to the main log file.
1599	alloc_log = logging.getLogger('fedd.access.%s' % ename)
1600	h = logging.StreamHandler(
1601	list_log.list_log(self.allocation[aid]['log']))
1602	# XXX: there should be a global one of these rather than
1603	# repeating the code.
1604	h.setFormatter(logging.Formatter(
1605	"%(asctime)s %(name)s %(message)s",
1606	'%d %b %y %H:%M:%S'))
1607	alloc_log.addHandler(h)
1608	self.write_state()
1609	self.state_lock.release()
1610
1611	if not proj:
1612	raise service_error(service_error.internal,
1613	"Can't find project for %s" %aid)
1614
1615	if not user:
1616	raise service_error(service_error.internal,
1617	"Can't find creation user for %s" %aid)
1618
1619	self.export_store_info(certfile, proj, ename, connInfo)
1620	self.import_store_info(certfile, connInfo)
1621
1622	expfile = "%s/experiment.tcl" % tmpdir
1623
1624	self.generate_portal_configs(topo, pubkey_base,
1625	secretkey_base, tmpdir, master, proj, ename, connInfo,
1626	services)
1627	self.generate_ns2(topo, expfile,
1628	"/proj/%s/software/%s/" % (proj, ename), master, connInfo)
1629
1630	starter = self.start_segment(keyfile=self.ssh_privkey_file,
1631	debug=self.create_debug, log=alloc_log)
1632	rv = starter(self, ename, proj, user, expfile, tmpdir)
1633	# Copy the assigned names into the return topology
1634	rvtopo = topo.clone()
1635	for e in [ e for e in rvtopo.elements \
1636	if isinstance(e, topdl.Computer)]:
1637	for n in e.name:
1638	if n in starter.node:
1639	e.set_attribute('hostname', "%s%s" % \
1640	(starter.node[n], self.domain))
1641	except service_error, e:
1642	err = e
1643	except e:
1644	err = service_error(service_error.internal, str(e))
1645
1646	# Walk up tmpdir, deleting as we go
1647	if self.cleanup:
1648	self.log.debug("[StartSegment]: removing %s" % tmpdir)
1649	for path, dirs, files in os.walk(tmpdir, topdown=False):
1650	for f in files:
1651	os.remove(os.path.join(path, f))
1652	for d in dirs:
1653	os.rmdir(os.path.join(path, d))
1654	os.rmdir(tmpdir)
1655	else:
1656	self.log.debug("[StartSegment]: not removing %s" % tmpdir)
1657
1658	if rv:
1659	# Grab the log (this is some anal locking, but better safe than
1660	# sorry)
1661	self.state_lock.acquire()
1662	logv = "".join(self.allocation[aid]['log'])
1663	# It's possible that the StartSegment call gets retried (!).
1664	# if the 'started' key is in the allocation, we'll return it rather
1665	# than redo the setup.
1666	self.allocation[aid]['started'] = {
1667	'allocID': req['allocID'],
1668	'allocationLog': logv,
1669	}
1670	retval = copy.copy(self.allocation[aid]['started'])
1671	self.write_state()
1672	self.state_lock.release()
1673	retval['segmentdescription'] = \
1674	{ 'topdldescription': rvtopo.to_dict() }
1675	return retval
1676	elif err:
1677	raise service_error(service_error.federant,
1678	"Swapin failed: %s" % err)
1679	else:
1680	raise service_error(service_error.federant, "Swapin failed")
1681
1682	def TerminateSegment(self, req, fid):
1683	try:
1684	req = req['TerminateSegmentRequestBody']
1685	except KeyError:
1686	raise service_error(server_error.req, "Badly formed request")
1687
1688	auth_attr = req['allocID']['fedid']
1689	aid = "%s" % auth_attr
1690	attrs = req.get('fedAttr', [])
1691	if not self.auth.check_attribute(fid, auth_attr):
1692	raise service_error(service_error.access, "Access denied")
1693
1694	self.state_lock.acquire()
1695	if self.allocation.has_key(aid):
1696	proj = self.allocation[aid].get('project', None)
1697	if not proj:
1698	proj = self.allocation[aid].get('sproject', None)
1699	user = self.allocation[aid].get('user', None)
1700	ename = self.allocation[aid].get('experiment', None)
1701	else:
1702	proj = None
1703	user = None
1704	ename = None
1705	self.state_lock.release()
1706
1707	if not proj:
1708	raise service_error(service_error.internal,
1709	"Can't find project for %s" % aid)
1710
1711	if not user:
1712	raise service_error(service_error.internal,
1713	"Can't find creation user for %s" % aid)
1714	if not ename:
1715	raise service_error(service_error.internal,
1716	"Can't find experiment name for %s" % aid)
1717	stopper = self.stop_segment(keyfile=self.ssh_privkey_file,
1718	debug=self.create_debug)
1719	stopper(self, user, proj, ename)
1720	return { 'allocID': req['allocID'] }

Note: See TracBrowser for help on using the repository browser.

Download in other formats: