Context Navigation

source: fedd/federation/emulab_access.py @ 6af3226

axis_examplecompt_changesinfo-opsversion-3.01version-3.02

Last change on this file since 6af3226 was 6af3226, checked in by Ted Faber <faber@…>, 14 years ago
remove some debugging
Property mode set to `100644`
File size: 51.5 KB

Line
1	#!/usr/local/bin/python
2
3	import os,sys
4	import stat # for chmod constants
5	import re
6	import string
7	import copy
8	import pickle
9	import logging
10	import subprocess
11
12	from threading import *
13
14	from util import *
15	from allocate_project import allocate_project_local, allocate_project_remote
16	from access_project import access_project
17	from fedid import fedid, generate_fedid
18	from authorizer import authorizer
19	from service_error import service_error
20	from remote_service import xmlrpc_handler, soap_handler, service_caller
21
22	import httplib
23	import tempfile
24	from urlparse import urlparse
25
26	import topdl
27	import list_log
28	import proxy_emulab_segment
29	import local_emulab_segment
30
31
32	# Make log messages disappear if noone configures a fedd logger
33	class nullHandler(logging.Handler):
34	def emit(self, record): pass
35
36	fl = logging.getLogger("fedd.access")
37	fl.addHandler(nullHandler())
38
39	class access:
40	"""
41	The implementation of access control based on mapping users to projects.
42
43	Users can be mapped to existing projects or have projects created
44	dynamically. This implements both direct requests and proxies.
45	"""
46
47	class parse_error(RuntimeError): pass
48
49
50	proxy_RequestAccess= service_caller('RequestAccess')
51	proxy_ReleaseAccess= service_caller('ReleaseAccess')
52
53	def __init__(self, config=None, auth=None):
54	"""
55	Initializer. Pulls parameters out of the ConfigParser's access section.
56	"""
57
58	# Make sure that the configuration is in place
59	if not config:
60	raise RunTimeError("No config to fedd.access")
61
62	self.project_priority = config.getboolean("access", "project_priority")
63	self.allow_proxy = config.getboolean("access", "allow_proxy")
64
65	self.boss = config.get("access", "boss")
66	self.ops = config.get("access", "ops")
67	self.domain = config.get("access", "domain")
68	self.fileserver = config.get("access", "fileserver")
69	self.eventserver = config.get("access", "eventserver")
70	self.certdir = config.get("access","certdir")
71	self.userconfdir = config.get("access","userconfdir")
72	self.userconfcmd = config.get("access","userconfcmd")
73	self.userconfurl = config.get("access","userconfurl")
74	self.ssh_privkey_file = config.get("access","ssh_privkey_file")
75	self.ssh_pubkey_file = config.get("access","ssh_pubkey_file")
76	self.create_debug = config.getboolean("access", "create_debug")
77	self.cleanup = not config.getboolean("access", "leave_tmpfiles")
78	self.access_type = config.get("access", "type")
79
80	self.access_type = self.access_type.lower()
81	if self.access_type == 'remote_emulab':
82	self.start_segment = proxy_emulab_segment.start_segment
83	self.stop_segment = proxy_emulab_segment.stop_segment
84	elif self.access_type == 'local_emulab':
85	self.start_segment = local_emulab_segment.start_segment
86	self.stop_segment = local_emulab_segment.stop_segment
87	else:
88	self.start_segment = None
89	self.stop_segment = None
90
91	self.attrs = { }
92	self.access = { }
93	self.restricted = [ ]
94	self.projects = { }
95	self.keys = { }
96	self.types = { }
97	self.allocation = { }
98	self.state = {
99	'projects': self.projects,
100	'allocation' : self.allocation,
101	'keys' : self.keys,
102	'types': self.types
103	}
104	self.log = logging.getLogger("fedd.access")
105	set_log_level(config, "access", self.log)
106	self.state_lock = Lock()
107	# XXX: Configurable
108	self.exports = set(('SMB', 'seer', 'tmcd', 'userconfig'))
109	self.imports = set(('SMB', 'seer', 'userconfig'))
110
111	if auth: self.auth = auth
112	else:
113	self.log.error(\
114	"[access]: No authorizer initialized, creating local one.")
115	auth = authorizer()
116
117	tb = config.get('access', 'testbed')
118	if tb: self.testbed = [ t.strip() for t in tb.split(',') ]
119	else: self.testbed = [ ]
120
121	if config.has_option("access", "accessdb"):
122	self.read_access(config.get("access", "accessdb"))
123
124	self.state_filename = config.get("access", "access_state")
125	self.read_state()
126
127	# Keep cert_file and cert_pwd coming from the same place
128	self.cert_file = config.get("access", "cert_file")
129	if self.cert_file:
130	self.sert_pwd = config.get("access", "cert_pw")
131	else:
132	self.cert_file = config.get("globals", "cert_file")
133	self.sert_pwd = config.get("globals", "cert_pw")
134
135	self.trusted_certs = config.get("access", "trusted_certs") or \
136	config.get("globals", "trusted_certs")
137
138	self.soap_services = {\
139	'RequestAccess': soap_handler("RequestAccess", self.RequestAccess),
140	'ReleaseAccess': soap_handler("ReleaseAccess", self.ReleaseAccess),
141	'StartSegment': soap_handler("StartSegment", self.StartSegment),
142	'TerminateSegment': soap_handler("TerminateSegment", self.TerminateSegment),
143	}
144	self.xmlrpc_services = {\
145	'RequestAccess': xmlrpc_handler('RequestAccess',
146	self.RequestAccess),
147	'ReleaseAccess': xmlrpc_handler('ReleaseAccess',
148	self.ReleaseAccess),
149	'StartSegment': xmlrpc_handler("StartSegment", self.StartSegment),
150	'TerminateSegment': xmlrpc_handler('TerminateSegment',
151	self.TerminateSegment),
152	}
153
154
155	if not config.has_option("allocate", "uri"):
156	self.allocate_project = \
157	allocate_project_local(config, auth)
158	else:
159	self.allocate_project = \
160	allocate_project_remote(config, auth)
161
162	# If the project allocator exports services, put them in this object's
163	# maps so that classes that instantiate this can call the services.
164	self.soap_services.update(self.allocate_project.soap_services)
165	self.xmlrpc_services.update(self.allocate_project.xmlrpc_services)
166
167
168	def read_access(self, config):
169	"""
170	Read a configuration file and set internal parameters.
171
172	The format is more complex than one might hope. The basic format is
173	attribute value pairs separated by colons(:) on a signle line. The
174	attributes in bool_attrs, emulab_attrs and id_attrs can all be set
175	directly using the name: value syntax. E.g.
176	boss: hostname
177	sets self.boss to hostname. In addition, there are access lines of the
178	form (tb, proj, user) -> (aproj, auser) that map the first tuple of
179	names to the second for access purposes. Names in the key (left side)
180	can include "<NONE> or <ANY>" to act as wildcards or to require the
181	fields to be empty. Similarly aproj or auser can be <SAME> or
182	<DYNAMIC> indicating that either the matching key is to be used or a
183	dynamic user or project will be created. These names can also be
184	federated IDs (fedid's) if prefixed with fedid:. Finally, the aproj
185	can be followed with a colon-separated list of node types to which that
186	project has access (or will have access if dynamic).
187	Testbed attributes outside the forms above can be given using the
188	format attribute: name value: value. The name is a single word and the
189	value continues to the end of the line. Empty lines and lines startin
190	with a # are ignored.
191
192	Parsing errors result in a self.parse_error exception being raised.
193	"""
194	lineno=0
195	name_expr = "["+string.ascii_letters + string.digits + "\.\-_]+"
196	fedid_expr = "fedid:[" + string.hexdigits + "]+"
197	key_name = "(<ANY>\|<NONE>\|"+fedid_expr + "\|"+ name_expr + ")"
198	access_proj = "(<DYNAMIC>(?::" + name_expr +")*\|"+ \
199	"<SAME>" + "(?::" + name_expr + ")*\|" + \
200	fedid_expr + "(?::" + name_expr + ")*\|" + \
201	name_expr + "(?::" + name_expr + ")*)"
202	access_name = "(<DYNAMIC>\|<SAME>\|" + fedid_expr + "\|"+ name_expr + ")"
203
204	restricted_re = re.compile("restricted:\s(.)", re.IGNORECASE)
205	attr_re = re.compile('attribute:\s([\._\-a-z0-9]+)\s+value:\s(.*)',
206	re.IGNORECASE)
207	access_re = re.compile('\('+key_name+'\s,\s'+key_name+'\s,\s'+
208	key_name+'\s\)\s->\s\('+access_proj + '\s,\s*' +
209	access_name + '\s,\s' + access_name + '\s*\)', re.IGNORECASE)
210
211	def parse_name(n):
212	if n.startswith('fedid:'): return fedid(hexstr=n[len('fedid:'):])
213	else: return n
214
215	def auth_name(n):
216	if isinstance(n, basestring):
217	if n =='<any>' or n =='<none>': return None
218	else: return unicode(n)
219	else:
220	return n
221
222	f = open(config, "r");
223	for line in f:
224	lineno += 1
225	line = line.strip();
226	if len(line) == 0 or line.startswith('#'):
227	continue
228
229	# Extended (attribute: x value: y) attribute line
230	m = attr_re.match(line)
231	if m != None:
232	attr, val = m.group(1,2)
233	self.attrs[attr] = val
234	continue
235
236	# Restricted entry
237	m = restricted_re.match(line)
238	if m != None:
239	val = m.group(1)
240	self.restricted.append(val)
241	continue
242
243	# Access line (t, p, u) -> (ap, cu, su) line
244	m = access_re.match(line)
245	if m != None:
246	access_key = tuple([ parse_name(x) for x in m.group(1,2,3)])
247	auth_key = tuple([ auth_name(x) for x in access_key])
248	aps = m.group(4).split(":");
249	if aps[0] == 'fedid:':
250	del aps[0]
251	aps[0] = fedid(hexstr=aps[0])
252
253	cu = parse_name(m.group(5))
254	su = parse_name(m.group(6))
255
256	access_val = (access_project(aps[0], aps[1:]),
257	parse_name(m.group(5)), parse_name(m.group(6)))
258
259	self.access[access_key] = access_val
260	self.auth.set_attribute(auth_key, "access")
261	continue
262
263	# Nothing matched to here: unknown line - raise exception
264	f.close()
265	raise self.parse_error("Unknown statement at line %d of %s" % \
266	(lineno, config))
267	f.close()
268
269	def get_users(self, obj):
270	"""
271	Return a list of the IDs of the users in dict
272	"""
273	if obj.has_key('user'):
274	return [ unpack_id(u['userID']) \
275	for u in obj['user'] if u.has_key('userID') ]
276	else:
277	return None
278
279	def write_state(self):
280	if self.state_filename:
281	try:
282	f = open(self.state_filename, 'w')
283	pickle.dump(self.state, f)
284	except IOError, e:
285	self.log.error("Can't write file %s: %s" % \
286	(self.state_filename, e))
287	except pickle.PicklingError, e:
288	self.log.error("Pickling problem: %s" % e)
289	except TypeError, e:
290	self.log.error("Pickling problem (TypeError): %s" % e)
291
292
293	def read_state(self):
294	"""
295	Read a new copy of access state. Old state is overwritten.
296
297	State format is a simple pickling of the state dictionary.
298	"""
299	if self.state_filename:
300	try:
301	f = open(self.state_filename, "r")
302	self.state = pickle.load(f)
303
304	self.allocation = self.state['allocation']
305	self.projects = self.state['projects']
306	self.keys = self.state['keys']
307	self.types = self.state['types']
308
309	self.log.debug("[read_state]: Read state from %s" % \
310	self.state_filename)
311	except IOError, e:
312	self.log.warning(("[read_state]: No saved state: " +\
313	"Can't open %s: %s") % (self.state_filename, e))
314	except EOFError, e:
315	self.log.warning(("[read_state]: " +\
316	"Empty or damaged state file: %s:") % \
317	self.state_filename)
318	except pickle.UnpicklingError, e:
319	self.log.warning(("[read_state]: No saved state: " + \
320	"Unpickling failed: %s") % e)
321
322	# Add the ownership attributes to the authorizer. Note that the
323	# indices of the allocation dict are strings, but the attributes are
324	# fedids, so there is a conversion.
325	for k in self.allocation.keys():
326	for o in self.allocation[k].get('owners', []):
327	self.auth.set_attribute(o, fedid(hexstr=k))
328	if self.allocation[k].has_key('userconfig'):
329	sfid = self.allocation[k]['userconfig']
330	fid = fedid(hexstr=sfid)
331	self.auth.set_attribute(fid, "/%s" % sfid)
332
333
334	def permute_wildcards(self, a, p):
335	"""Return a copy of a with various fields wildcarded.
336
337	The bits of p control the wildcards. A set bit is a wildcard
338	replacement with the lowest bit being user then project then testbed.
339	"""
340	if p & 1: user = ["<any>"]
341	else: user = a[2]
342	if p & 2: proj = "<any>"
343	else: proj = a[1]
344	if p & 4: tb = "<any>"
345	else: tb = a[0]
346
347	return (tb, proj, user)
348
349	def find_access(self, search):
350	"""
351	Search the access DB for a match on this tuple. Return the matching
352	access tuple and the user that matched.
353
354	NB, if the initial tuple fails to match we start inserting wildcards in
355	an order determined by self.project_priority. Try the list of users in
356	order (when wildcarded, there's only one user in the list).
357	"""
358	if self.project_priority: perm = (0, 1, 2, 3, 4, 5, 6, 7)
359	else: perm = (0, 2, 1, 3, 4, 6, 5, 7)
360
361	for p in perm:
362	s = self.permute_wildcards(search, p)
363	# s[2] is None on an anonymous, unwildcarded request
364	if s[2] != None:
365	for u in s[2]:
366	if self.access.has_key((s[0], s[1], u)):
367	return (self.access[(s[0], s[1], u)], u)
368	else:
369	if self.access.has_key(s):
370	return (self.access[s], None)
371	return None, None
372
373	def lookup_access(self, req, fid):
374	"""
375	Determine the allowed access for this request. Return the access and
376	which fields are dynamic.
377
378	The fedid is needed to construct the request
379	"""
380	user_re = re.compile("user:\s(.*)")
381	project_re = re.compile("project:\s(.*)")
382
383	# Search keys
384	tb = None
385	project = None
386	user = None
387	# Return values
388	rp = access_project(None, ())
389	ru = None
390
391	user = [ user_re.findall(x)[0] for x in req.get('credential', []) \
392	if user_re.match(x)]
393	project = [ project_re.findall(x)[0] \
394	for x in req.get('credential', []) \
395	if project_re.match(x)]
396
397	if len(project) == 1: project = project[0]
398	elif len(project) == 0: project = None
399	else:
400	raise service_error(service_error.req,
401	"More than one project credential")
402
403
404	user_fedids = [ u for u in user if isinstance(u, fedid)]
405	# Determine how the caller is representing itself. If its fedid shows
406	# up as a project or a singleton user, let that stand. If neither the
407	# usernames nor the project name is a fedid, the caller is a testbed.
408	if project and isinstance(project, fedid):
409	if project == fid:
410	# The caller is the project (which is already in the tuple
411	# passed in to the authorizer)
412	owners = user_fedids
413	owners.append(project)
414	else:
415	raise service_error(service_error.req,
416	"Project asserting different fedid")
417	else:
418	if fid not in user_fedids:
419	tb = fid
420	owners = user_fedids
421	owners.append(fid)
422	else:
423	if len(fedids) > 1:
424	raise service_error(service_error.req,
425	"User asserting different fedid")
426	else:
427	# Which is a singleton
428	owners = user_fedids
429	# Confirm authorization
430
431	for u in user:
432	self.log.debug("[lookup_access] Checking access for %s" % \
433	((tb, project, u),))
434	if self.auth.check_attribute((tb, project, u), 'access'):
435	self.log.debug("[lookup_access] Access granted")
436	break
437	else:
438	self.log.debug("[lookup_access] Access Denied")
439	else:
440	raise service_error(service_error.access, "Access denied")
441
442	# This maps a valid user to the Emulab projects and users to use
443	found, user_match = self.find_access((tb, project, user))
444
445	if found == None:
446	raise service_error(service_error.access,
447	"Access denied - cannot map access")
448
449	# resolve <dynamic> and <same> in found
450	dyn_proj = False
451	dyn_create_user = False
452	dyn_service_user = False
453
454	if found[0].name == "<same>":
455	if project != None:
456	rp.name = project
457	else :
458	raise service_error(\
459	service_error.server_config,
460	"Project matched <same> when no project given")
461	elif found[0].name == "<dynamic>":
462	rp.name = None
463	dyn_proj = True
464	else:
465	rp.name = found[0].name
466	rp.node_types = found[0].node_types;
467
468	if found[1] == "<same>":
469	if user_match == "<any>":
470	if user != None: rcu = user[0]
471	else: raise service_error(\
472	service_error.server_config,
473	"Matched <same> on anonymous request")
474	else:
475	rcu = user_match
476	elif found[1] == "<dynamic>":
477	rcu = None
478	dyn_create_user = True
479	else:
480	rcu = found[1]
481
482	if found[2] == "<same>":
483	if user_match == "<any>":
484	if user != None: rsu = user[0]
485	else: raise service_error(\
486	service_error.server_config,
487	"Matched <same> on anonymous request")
488	else:
489	rsu = user_match
490	elif found[2] == "<dynamic>":
491	rsu = None
492	dyn_service_user = True
493	else:
494	rsu = found[2]
495
496	return (rp, rcu, rsu), (dyn_create_user, dyn_service_user, dyn_proj),\
497	owners
498
499	def get_handler(self, path, fid):
500	self.log.info("Get handler %s %s" % (path, fid))
501	if self.auth.check_attribute(fid, path) and self.userconfdir:
502	return ("%s/%s" % (self.userconfdir, path), "application/binary")
503	else:
504	return (None, None)
505
506	def export_userconf(self, project):
507	dev_null = None
508	confid, confcert = generate_fedid("test", dir=self.userconfdir,
509	log=self.log)
510	conffilename = "%s/%s" % (self.userconfdir, str(confid))
511	cf = None
512	try:
513	cf = open(conffilename, "w")
514	os.chmod(conffilename, stat.S_IRUSR \| stat.S_IWUSR)
515	except IOError, e:
516	raise service_error(service_error.internal,
517	"Cannot create user configuration data")
518
519	try:
520	dev_null = open("/dev/null", "a")
521	except IOError, e:
522	self.log.error("export_userconf: can't open /dev/null: %s" % e)
523
524	cmd = "%s %s" % (self.userconfcmd, project)
525	conf = subprocess.call(cmd.split(" "),
526	stdout=cf, stderr=dev_null, close_fds=True)
527
528	self.auth.set_attribute(confid, "/%s" % str(confid))
529
530	return confid, confcert
531
532
533	def export_services(self, sreq, project, user):
534	exp = [ ]
535	state = { }
536	# XXX: Filthy shortcut here using http: so urlparse will give the right
537	# answers.
538	for s in sreq:
539	sname = s.get('name', '')
540	svis = s.get('visibility', '')
541	if svis == 'export':
542	if sname in self.exports:
543	outs = s.copy()
544	if sname == 'SMB':
545	outs = s.copy()
546	outs['server'] = "http://fs:139"
547	outs['fedAttr'] = [
548	{ 'attribute': 'SMBSHARE', 'value': 'USERS' },
549	{ 'attribute': 'SMBUSER', 'value': user },
550	{ 'attribute': 'SMBPROJ', 'value': project },
551	]
552	elif sname == 'seer':
553	outs['server'] = "http://control:16606"
554	elif sname == 'tmcd':
555	outs['server'] = "http://boss:7777"
556	elif sname == 'userconfig':
557	if self.userconfdir and self.userconfcmd \
558	and self.userconfurl:
559	cid, cert = self.export_userconf(project)
560	outs['server'] = "%s/%s" % \
561	(self.userconfurl, str(cid))
562	outs['fedAttr'] = [
563	{ 'attribute': 'cert', 'value': cert },
564	]
565	state['userconfig'] = unicode(cid)
566	exp.append(outs)
567	return (exp, state)
568
569	def build_response(self, alloc_id, ap, services):
570	"""
571	Create the SOAP response.
572
573	Build the dictionary description of the response and use
574	fedd_utils.pack_soap to create the soap message. ap is the allocate
575	project message returned from a remote project allocation (even if that
576	allocation was done locally).
577	"""
578	# Because alloc_id is already a fedd_services_types.IDType_Holder,
579	# there's no need to repack it
580	msg = {
581	'allocID': alloc_id,
582	'fedAttr': [
583	{ 'attribute': 'domain', 'value': self.domain } ,
584	{ 'attribute': 'project', 'value':
585	ap['project'].get('name', {}).get('localname', "???") },
586	]
587	}
588	if len(self.attrs) > 0:
589	msg['fedAttr'].extend(
590	[ { 'attribute': x, 'value' : y } \
591	for x,y in self.attrs.iteritems()])
592
593	if services:
594	msg['service'] = services
595	return msg
596
597	def RequestAccess(self, req, fid):
598	"""
599	Handle the access request. Proxy if not for us.
600
601	Parse out the fields and make the allocations or rejections if for us,
602	otherwise, assuming we're willing to proxy, proxy the request out.
603	"""
604
605	def gateway_hardware(h):
606	if h == 'GWTYPE': return self.attrs.get('connectorType', 'GWTYPE')
607	else: return h
608
609	# The dance to get into the request body
610	if req.has_key('RequestAccessRequestBody'):
611	req = req['RequestAccessRequestBody']
612	else:
613	raise service_error(service_error.req, "No request!?")
614
615	if req.has_key('destinationTestbed'):
616	dt = unpack_id(req['destinationTestbed'])
617
618	if dt == None or dt in self.testbed:
619	# Request for this fedd
620	found, dyn, owners = self.lookup_access(req, fid)
621	restricted = None
622	ap = None
623
624	# If this is a request to export a project and the access project
625	# is not the project to export, access denied.
626	if req.has_key('exportProject'):
627	ep = unpack_id(req['exportProject'])
628	if ep != found[0].name:
629	raise service_error(service_error.access,
630	"Cannot export %s" % ep)
631
632	# Check for access to restricted nodes
633	if req.has_key('resources') and req['resources'].has_key('node'):
634	resources = req['resources']
635	restricted = [ gateway_hardware(t) for n in resources['node'] \
636	if n.has_key('hardware') \
637	for t in n['hardware'] \
638	if gateway_hardware(t) \
639	in self.restricted ]
640	inaccessible = [ t for t in restricted \
641	if t not in found[0].node_types]
642	if len(inaccessible) > 0:
643	raise service_error(service_error.access,
644	"Access denied (nodetypes %s)" % \
645	str(', ').join(inaccessible))
646
647	# These were passed around before, but now are hidden from users
648	# and configurators alike, beyond a configuration file entry.
649	create_ssh = [ self.ssh_pubkey_file ]
650	service_ssh = [ self.ssh_pubkey_file ]
651
652	if len(create_ssh) > 0 and len(service_ssh) >0:
653	if dyn[1]:
654	# Compose the dynamic project request
655	# (only dynamic, dynamic currently allowed)
656	preq = { 'AllocateProjectRequestBody': \
657	{ 'project' : {\
658	'user': [ \
659	{ \
660	'access': [ { 'sshPubkey': s } \
661	for s in service_ssh ],
662	'role': "serviceAccess",\
663	}, \
664	{ \
665	'access': [ { 'sshPubkey': s } \
666	for s in create_ssh ],
667	'role': "experimentCreation",\
668	}, \
669	], \
670	}\
671	}\
672	}
673	if restricted != None and len(restricted) > 0:
674	preq['AllocateProjectRequestBody']['resources'] = \
675	{'node': [ { 'hardware' : [ h ] } \
676	for h in restricted ] }
677	ap = self.allocate_project.dynamic_project(preq)
678	else:
679	preq = {'StaticProjectRequestBody' : \
680	{ 'project': \
681	{ 'name' : { 'localname' : found[0].name },\
682	'user' : [ \
683	{\
684	'userID': { 'localname' : found[1] }, \
685	'access': [ { 'sshPubkey': s }
686	for s in create_ssh ],
687	'role': 'experimentCreation'\
688	},\
689	{\
690	'userID': { 'localname' : found[2] }, \
691	'access': [ { 'sshPubkey': s }
692	for s in service_ssh ],
693	'role': 'serviceAccess'\
694	},\
695	]}\
696	}\
697	}
698	if restricted != None and len(restricted) > 0:
699	preq['StaticProjectRequestBody']['resources'] = \
700	{'node': [ { 'hardware' : [ h ] } \
701	for h in restricted ] }
702	ap = self.allocate_project.static_project(preq)
703	else:
704	raise service_error(service_error.req,
705	"SSH access parameters required")
706	# keep track of what's been added
707	allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log)
708	aid = unicode(allocID)
709
710	self.state_lock.acquire()
711	self.allocation[aid] = { }
712	try:
713	pname = ap['project']['name']['localname']
714	except KeyError:
715	pname = None
716
717	if dyn[1]:
718	if not pname:
719	self.state_lock.release()
720	raise service_error(service_error.internal,
721	"Misformed allocation response?")
722	if self.projects.has_key(pname): self.projects[pname] += 1
723	else: self.projects[pname] = 1
724	self.allocation[aid]['project'] = pname
725	else:
726	# sproject is a static project associated with this allocation.
727	self.allocation[aid]['sproject'] = pname
728
729	if ap.has_key('resources'):
730	if not pname:
731	self.state_lock.release()
732	raise service_error(service_error.internal,
733	"Misformed allocation response?")
734	self.allocation[aid]['types'] = set()
735	nodes = ap['resources'].get('node', [])
736	for n in nodes:
737	for h in n.get('hardware', []):
738	if self.types.has_key((pname, h)):
739	self.types[(pname, h)] += 1
740	else:
741	self.types[(pname, h)] = 1
742	self.allocation[aid]['types'].add((pname,h))
743
744
745	self.allocation[aid]['keys'] = [ ]
746
747	try:
748	for u in ap['project']['user']:
749	uname = u['userID']['localname']
750	if u['role'] == 'experimentCreation':
751	self.allocation[aid]['user'] = uname
752	for k in [ k['sshPubkey'] for k in u['access'] \
753	if k.has_key('sshPubkey') ]:
754	kv = "%s:%s" % (uname, k)
755	if self.keys.has_key(kv): self.keys[kv] += 1
756	else: self.keys[kv] = 1
757	self.allocation[aid]['keys'].append((uname, k))
758	except KeyError:
759	self.state_lock.release()
760	raise service_error(service_error.internal,
761	"Misformed allocation response?")
762
763	self.allocation[aid]['owners'] = owners
764	services, svc_state = self.export_services(req.get('service',[]),
765	pname, uname)
766	# Store services state in global state
767	for k, v in svc_state.items():
768	self.allocation[aid][k] = v
769	self.write_state()
770	self.state_lock.release()
771	for o in owners:
772	self.auth.set_attribute(o, allocID)
773	try:
774	f = open("%s/%s.pem" % (self.certdir, aid), "w")
775	print >>f, alloc_cert
776	f.close()
777	except IOError, e:
778	raise service_error(service_error.internal,
779	"Can't open %s/%s : %s" % (self.certdir, aid, e))
780	resp = self.build_response({ 'fedid': allocID } , ap, services)
781	return resp
782	else:
783	if self.allow_proxy:
784	resp = self.proxy_RequestAccess.call_service(dt, req,
785	self.cert_file, self.cert_pwd,
786	self.trusted_certs)
787	if resp.has_key('RequestAccessResponseBody'):
788	return resp['RequestAccessResponseBody']
789	else:
790	return None
791	else:
792	raise service_error(service_error.access,
793	"Access proxying denied")
794
795	def ReleaseAccess(self, req, fid):
796	# The dance to get into the request body
797	if req.has_key('ReleaseAccessRequestBody'):
798	req = req['ReleaseAccessRequestBody']
799	else:
800	raise service_error(service_error.req, "No request!?")
801
802	if req.has_key('destinationTestbed'):
803	dt = unpack_id(req['destinationTestbed'])
804	else:
805	dt = None
806
807	if dt == None or dt in self.testbed:
808	# Local request
809	try:
810	if req['allocID'].has_key('localname'):
811	auth_attr = aid = req['allocID']['localname']
812	elif req['allocID'].has_key('fedid'):
813	aid = unicode(req['allocID']['fedid'])
814	auth_attr = req['allocID']['fedid']
815	else:
816	raise service_error(service_error.req,
817	"Only localnames and fedids are understood")
818	except KeyError:
819	raise service_error(service_error.req, "Badly formed request")
820
821	self.log.debug("[access] deallocation requested for %s", aid)
822	if not self.auth.check_attribute(fid, auth_attr):
823	self.log.debug("[access] deallocation denied for %s", aid)
824	raise service_error(service_error.access, "Access Denied")
825
826	# If we know this allocation, reduce the reference counts and
827	# remove the local allocations. Otherwise report an error. If
828	# there is an allocation to delete, del_users will be a dictonary
829	# of sets where the key is the user that owns the keys in the set.
830	# We use a set to avoid duplicates. del_project is just the name
831	# of any dynamic project to delete. We're somewhat lazy about
832	# deleting authorization attributes. Having access to something
833	# that doesn't exist isn't harmful.
834	del_users = { }
835	del_project = None
836	del_types = set()
837
838	if self.allocation.has_key(aid):
839	self.log.debug("Found allocation for %s" %aid)
840	self.state_lock.acquire()
841	for k in self.allocation[aid]['keys']:
842	kk = "%s:%s" % k
843	self.keys[kk] -= 1
844	if self.keys[kk] == 0:
845	if not del_users.has_key(k[0]):
846	del_users[k[0]] = set()
847	del_users[k[0]].add(k[1])
848	del self.keys[kk]
849
850	if self.allocation[aid].has_key('project'):
851	pname = self.allocation[aid]['project']
852	self.projects[pname] -= 1
853	if self.projects[pname] == 0:
854	del_project = pname
855	del self.projects[pname]
856
857	if self.allocation[aid].has_key('types'):
858	for t in self.allocation[aid]['types']:
859	self.types[t] -= 1
860	if self.types[t] == 0:
861	if not del_project: del_project = t[0]
862	del_types.add(t[1])
863	del self.types[t]
864
865	del self.allocation[aid]
866	self.write_state()
867	self.state_lock.release()
868	# If we actually have resources to deallocate, prepare the call.
869	if del_project or del_users:
870	msg = { 'project': { }}
871	if del_project:
872	msg['project']['name']= {'localname': del_project}
873	users = [ ]
874	for u in del_users.keys():
875	users.append({ 'userID': { 'localname': u },\
876	'access' : \
877	[ {'sshPubkey' : s } for s in del_users[u]]\
878	})
879	if users:
880	msg['project']['user'] = users
881	if len(del_types) > 0:
882	msg['resources'] = { 'node': \
883	[ {'hardware': [ h ] } for h in del_types ]\
884	}
885	if self.allocate_project.release_project:
886	msg = { 'ReleaseProjectRequestBody' : msg}
887	self.allocate_project.release_project(msg)
888	# And remove the access cert
889	cf = "%s/%s.pem" % (self.certdir, aid)
890	self.log.debug("Removing %s" % cf)
891	os.remove(cf)
892	return { 'allocID': req['allocID'] }
893	else:
894	raise service_error(service_error.req, "No such allocation")
895
896	else:
897	if self.allow_proxy:
898	resp = self.proxy_ReleaseAccess.call_service(dt, req,
899	self.cert_file, self.cert_pwd,
900	self.trusted_certs)
901	if resp.has_key('ReleaseAccessResponseBody'):
902	return resp['ReleaseAccessResponseBody']
903	else:
904	return None
905	else:
906	raise service_error(service_error.access,
907	"Access proxying denied")
908
909	def generate_portal_configs(self, topo, pubkey_base, secretkey_base,
910	tmpdir, master, lproj, leid, connInfo, services):
911
912	def conninfo_to_dict(key, info):
913	"""
914	Make a cpoy of the connection information about key, and flatten it
915	into a single dict by parsing out any feddAttrs.
916	"""
917
918	rv = None
919	for i in info:
920	if key == i.get('portal', "") or \
921	key in [e.get('element', "") \
922	for e in i.get('member', [])]:
923	rv = i.copy()
924	break
925
926	else:
927	return rv
928
929	if 'fedAttr' in rv:
930	for a in rv['fedAttr']:
931	attr = a.get('attribute', "")
932	val = a.get('value', "")
933	if attr and attr not in rv:
934	rv[attr] = val
935	del rv['fedAttr']
936	return rv
937
938	# XXX: un hardcode this
939	def client_null(f, s):
940	print >>f, "Service: %s" % s['name']
941
942	def client_smb(f, s):
943	print >>f, "Service: %s" % s['name']
944	smbshare = None
945	smbuser = None
946	smbproj = None
947	for a in s.get('fedAttr', []):
948	if a.get('attribute', '') == 'SMBSHARE':
949	smbshare = a.get('value', None)
950	elif a.get('attribute', '') == 'SMBUSER':
951	smbuser = a.get('value', None)
952	elif a.get('attribute', '') == 'SMBPROJ':
953	smbproj = a.get('value', None)
954
955	if all((smbshare, smbuser, smbproj)):
956	print >>f, "SMBshare: %s" % smbshare
957	print >>f, "ProjectUser: %s" % smbuser
958	print >>f, "ProjectName: %s" % smbproj
959
960	client_service_out = {
961	'SMB': client_smb,
962	'tmcd': client_null,
963	'seer': client_null,
964	'userconfig': client_null,
965	}
966	# XXX: end un hardcode this
967
968
969	seer_out = False
970	client_out = False
971	for e in [ e for e in topo.elements \
972	if isinstance(e, topdl.Computer) and e.get_attribute('portal')]:
973	myname = e.name[0]
974	type = e.get_attribute('portal_type')
975
976	info = conninfo_to_dict(myname, connInfo)
977
978	if not info:
979	raise service_error(service_error.req,
980	"No connectivity info for %s" % myname)
981
982	peer = info.get('peer', "")
983	ldomain = self.domain;
984
985	mexp = info.get('masterexperiment',"")
986	mproj, meid = mexp.split("/", 1)
987	mdomain = info.get('masterdomain',"")
988	muser = info.get('masteruser','root')
989	smbshare = info.get('smbshare', 'USERS')
990
991	active = info.get('active', 'False')
992
993	cfn = "%s/%s.gw.conf" % (tmpdir, myname.lower())
994	tunnelconfig = self.attrs.has_key('TunnelCfg')
995	try:
996	f = open(cfn, "w")
997	if active == 'True':
998	print >>f, "active: True"
999	if type in ('control', 'both'):
1000	for s in [s for s in services \
1001	if s.get('name', "") in self.imports]:
1002	p = urlparse(s.get('server', 'http://localhost'))
1003	print >>f, 'port: remote:%s:%s:%s' % \
1004	(p.port, p.hostname, p.port)
1005
1006	if tunnelconfig:
1007	print >>f, "tunnelip: %s" % tunnelconfig
1008	# XXX: send this an fedattr
1009	#print >>f, "seercontrol: control.%s.%s%s" % \
1010	#(meid.lower(), mproj.lower(), mdomain)
1011	print >>f, "peer: %s" % peer.lower()
1012	print >>f, "ssh_pubkey: /proj/%s/exp/%s/tmp/%s" % \
1013	(lproj, leid, pubkey_base)
1014	print >>f, "ssh_privkey: /proj/%s/exp/%s/tmp/%s" % \
1015	(lproj, leid, secretkey_base)
1016	f.close()
1017	except IOError, e:
1018	raise service_error(service_error.internal,
1019	"Can't write protal config %s: %s" % (cfn, e))
1020
1021	# XXX: This little seer config file needs to go away.
1022	if not seer_out:
1023	try:
1024	seerfn = "%s/seer.conf" % tmpdir
1025	f = open(seerfn, "w")
1026	if not master:
1027	print >>f, "ControlNode: control.%s.%s%s" % \
1028	(meid.lower(), mproj.lower(), mdomain)
1029	print >>f, "ExperimentID: %s" % mexp
1030	f.close()
1031	except IOError, e:
1032	raise service_error(service_error.internal,
1033	"Can't write seer.conf: %s" %e)
1034	seer_out = True
1035
1036	if not client_out and type in ('control', 'both'):
1037	try:
1038	f = open("%s/client.conf" % tmpdir, "w")
1039	print >>f, "ControlGateway: %s.%s.%s%s" % \
1040	(myname.lower(), leid.lower(), lproj.lower(),
1041	ldomain.lower())
1042	for s in services:
1043	if s.get('name',"") in self.imports:
1044	client_service_out[s['name']](f, s)
1045	# Does seer need this?
1046	# print >>f, "ExperimentID: %s/%s" % (mproj, meid)
1047	f.close()
1048	except IOError, e:
1049	raise service_error(service_error.internal,
1050	"Cannot write client.conf: %s" %s)
1051	client_out = True
1052
1053
1054	def generate_ns2(self, topo, expfn, softdir, master, connInfo):
1055	class dragon_commands:
1056	"""
1057	Functor to spit out approrpiate dragon commands for nodes listed in
1058	the connectivity description. The constructor makes a dict mapping
1059	dragon nodes to their parameters and the __call__ checks each
1060	element in turn for membership.
1061	"""
1062	def __init__(self, map):
1063	self.node_info = map
1064
1065	def __call__(self, e):
1066	s = ""
1067	if isinstance(e, topdl.Computer):
1068	if self.node_info.has_key(e.name[0]):
1069	i = self.node_info[e.name[0]]
1070	for ifname, vlan, type in i:
1071	for i in e.interface:
1072	if i.name == ifname:
1073	addr = i.get_attribute('ip4_address')
1074	subs = i.substrate[0]
1075	break
1076	else:
1077	raise service_error(service_error.internal,
1078	"No interface %s on element %s" % \
1079	(ifname, e.name[0]))
1080	if type =='link':
1081	s = ("tb-allow-external $%s dragonportal " + \
1082	"ip %s vlan %s\n") % \
1083	(e.name[0], addr, vlan)
1084	elif type =='lan':
1085	s = ("tb-allow-external $%s dragonportal " + \
1086	"ip %s vlan %s usurp %s\n") % \
1087	(e.name[0], addr, vlan, subs)
1088	else:
1089	raise service_error(service_error_internal,
1090	"Unknown DRAGON type %s" % type)
1091	return s
1092
1093	class not_dragon:
1094	def __init__(self, map):
1095	self.nodes = set(map.keys())
1096
1097	def __call__(self, e):
1098	return e.name[0] not in self.nodes
1099
1100	t = topo.clone()
1101
1102	dragon_map = { }
1103	for i in [ i for i in connInfo if i['type'] == 'transit']:
1104	for a in i.get('fedAttr', []):
1105	if a['attribute'] == 'vlan_id':
1106	vlan = a['value']
1107	break
1108	else:
1109	raise service_error(service_error.internal,
1110	"No vlan tag")
1111	members = i.get('member', [])
1112	if len(members) > 1: type = 'lan'
1113	else: type = 'link'
1114
1115	try:
1116	for m in members:
1117	if dragon_map.has_key(m['element']):
1118	dragon_map[m['element']].append(( m['interface'],
1119	vlan, type))
1120	else:
1121	dragon_map[m['element']] = [( m['interface'],
1122	vlan, type),]
1123	except KeyError:
1124	raise service_error(service_error.req,
1125	"Missing connectivity info")
1126
1127	# The startcmds for master and slave testbeds
1128	if master:
1129	gate_cmd = self.attrs.get('MasterConnectorStartCmd', '/bin/true')
1130	node_cmd = self.attrs.get('MasterNodeStartCmd', 'bin/true')
1131	else:
1132	gate_cmd = self.attrs.get('SlaveConnectorStartCmd', '/bin/true')
1133	node_cmd = self.attrs.get('SlaveNodeStartCmd', 'bin/true')
1134
1135	# Weed out the things we aren't going to instantiate: Segments, portal
1136	# substrates, and portal interfaces. (The copy in the for loop allows
1137	# us to delete from e.elements in side the for loop). While we're
1138	# touching all the elements, we also adjust paths from the original
1139	# testbed to local testbed paths and put the federation commands into
1140	# the start commands
1141	for e in [e for e in t.elements]:
1142	if isinstance(e, topdl.Segment):
1143	t.elements.remove(e)
1144	# Fix software paths
1145	for s in getattr(e, 'software', []):
1146	s.location = re.sub("^.*/", softdir, s.location)
1147	if isinstance(e, topdl.Computer):
1148	if e.get_attribute('portal') and gate_cmd:
1149	# Portals never have a user-specified start command
1150	e.set_attribute('startup', gate_cmd)
1151	elif node_cmd:
1152	if e.get_attribute('startup'):
1153	e.set_attribute('startup', "%s \\$USER '%s'" % \
1154	(node_cmd, e.get_attribute('startup')))
1155	else:
1156	e.set_attribute('startup', node_cmd)
1157
1158	dinf = [i[0] for i in dragon_map.get(e.name[0], []) ]
1159	# Remove portal interfaces that do not connect to DRAGON
1160	e.interface = [i for i in e.interface \
1161	if not i.get_attribute('portal') or i.name in dinf ]
1162
1163	t.substrates = [ s.clone() for s in t.substrates ]
1164	t.incorporate_elements()
1165
1166	# Customize the ns2 output for local portal commands and images
1167	filters = []
1168
1169	# NB: these are extra commands issued for the node, not the startcmds
1170	if master: cmd = self.attrs.get('MasterConnectorCmd', '')
1171	else: cmd = self.attrs.get('SlaveConnectorCmd', '')
1172
1173	if self.attrs.has_key('dragon'):
1174	add_filter = not_dragon(dragon_map)
1175	filters.append(dragon_commands(dragon_map))
1176	else:
1177	add_filter = None
1178
1179	if cmd:
1180	filters.append(topdl.generate_portal_command_filter(cmd,
1181	add_filter=add_filter))
1182
1183	if self.attrs.has_key('connectorImage'):
1184	filters.append(topdl.generate_portal_image_filter(
1185	self.attrs.get('connectorImage')))
1186
1187	if self.attrs.has_key('connectorType'):
1188	filters.append(topdl.generate_portal_hardware_filter(
1189	self.attrs.get('connectorType')))
1190
1191	# Convert to ns and write it out
1192	expfile = topdl.topology_to_ns2(t, filters)
1193	try:
1194	f = open(expfn, "w")
1195	print >>f, expfile
1196	f.close()
1197	except IOError:
1198	raise service_error(service_error.internal,
1199	"Cannot write experiment file %s: %s" % (expfn,e))
1200
1201	def StartSegment(self, req, fid):
1202	def get_url(url, cf, destdir, fn=None):
1203	po = urlparse(url)
1204	if not fn:
1205	fn = po.path.rpartition('/')[2]
1206	try:
1207	conn = httplib.HTTPSConnection(po.hostname, port=po.port,
1208	cert_file=cf, key_file=cf)
1209	conn.putrequest('GET', po.path)
1210	conn.endheaders()
1211	response = conn.getresponse()
1212
1213	lf = open("%s/%s" % (destdir, fn), "w")
1214	buf = response.read(4096)
1215	while buf:
1216	lf.write(buf)
1217	buf = response.read(4096)
1218	lf.close()
1219	except IOError, e:
1220	print e
1221	raise service_error(service_error.internal,
1222	"Error writing tempfile: %s" %e)
1223	except httplib.HTTPException, e:
1224	print e
1225	raise service_error(service_error.internal,
1226	"Error retrieving data: %s" % e)
1227
1228	configs = set(('hosts', 'ssh_pubkey', 'ssh_secretkey'))
1229
1230	err = None # Any service_error generated after tmpdir is created
1231	rv = None # Return value from segment creation
1232
1233	try:
1234	req = req['StartSegmentRequestBody']
1235	except KeyError:
1236	raise service_error(server_error.req, "Badly formed request")
1237
1238	connInfo = req.get('connection', [])
1239	services = req.get('service', [])
1240	auth_attr = req['allocID']['fedid']
1241	aid = "%s" % auth_attr
1242	attrs = req.get('fedAttr', [])
1243	if not self.auth.check_attribute(fid, auth_attr):
1244	raise service_error(service_error.access, "Access denied")
1245
1246	if req.has_key('segmentdescription') and \
1247	req['segmentdescription'].has_key('topdldescription'):
1248	topo = \
1249	topdl.Topology(**req['segmentdescription']['topdldescription'])
1250	else:
1251	raise service_error(service_error.req,
1252	"Request missing segmentdescription'")
1253
1254	master = req.get('master', False)
1255
1256	certfile = "%s/%s.pem" % (self.certdir, auth_attr)
1257	try:
1258	tmpdir = tempfile.mkdtemp(prefix="access-")
1259	softdir = "%s/software" % tmpdir
1260	except IOError:
1261	raise service_error(service_error.internal, "Cannot create tmp dir")
1262
1263	# Try block alllows us to clean up temporary files.
1264	try:
1265	sw = set()
1266	for e in topo.elements:
1267	for s in getattr(e, 'software', []):
1268	sw.add(s.location)
1269	if len(sw) > 0:
1270	os.mkdir(softdir)
1271	for s in sw:
1272	self.log.debug("Retrieving %s" % s)
1273	get_url(s, certfile, softdir)
1274
1275	for a in attrs:
1276	if a['attribute'] in configs:
1277	get_url(a['value'], certfile, tmpdir)
1278	if a['attribute'] == 'ssh_pubkey':
1279	pubkey_base = a['value'].rpartition('/')[2]
1280	if a['attribute'] == 'ssh_secretkey':
1281	secretkey_base = a['value'].rpartition('/')[2]
1282	if a['attribute'] == 'experiment_name':
1283	ename = a['value']
1284
1285	# If the userconf service was imported, collect the configuration
1286	# data.
1287	for s in services:
1288	if s.get("name", "") == 'userconfig' \
1289	and s.get('visibility',"") == 'import':
1290
1291	# Collect ther server and certificate info.
1292	u = s.get('server', None)
1293	for a in s.get('fedAttr', []):
1294	if a.get('attribute',"") == 'cert':
1295	cert = a.get('value', None)
1296	break
1297	else:
1298	cert = None
1299
1300	if cert:
1301	# Make a temporary certificate file for get_url. The
1302	# finally clause removes it whether something goes
1303	# wrong (including an exception from get_url) or not.
1304	try:
1305	tfos, tn = tempfile.mkstemp(suffix=".pem")
1306	tf = os.fdopen(tfos, 'w')
1307	print >>tf, cert
1308	tf.close()
1309	get_url(u, tn, tmpdir, "userconf")
1310	except IOError, e:
1311	raise service_error(service.error.internal,
1312	"Cannot create temp file for " +
1313	"userconfig certificates: %s e")
1314	finally:
1315	if tn: os.remove(tn)
1316	else:
1317	raise service_error(service_error.req,
1318	"No certificate for retreiving userconfig")
1319	break
1320
1321
1322
1323	proj = None
1324	user = None
1325	self.state_lock.acquire()
1326	if self.allocation.has_key(aid):
1327	proj = self.allocation[aid].get('project', None)
1328	if not proj:
1329	proj = self.allocation[aid].get('sproject', None)
1330	user = self.allocation[aid].get('user', None)
1331	self.allocation[aid]['experiment'] = ename
1332	self.allocation[aid]['log'] = [ ]
1333	# Create a logger that logs to the experiment's state object as
1334	# well as to the main log file.
1335	alloc_log = logging.getLogger('fedd.access.%s' % ename)
1336	h = logging.StreamHandler(
1337	list_log.list_log(self.allocation[aid]['log']))
1338	# XXX: there should be a global one of these rather than
1339	# repeating the code.
1340	h.setFormatter(logging.Formatter(
1341	"%(asctime)s %(name)s %(message)s",
1342	'%d %b %y %H:%M:%S'))
1343	alloc_log.addHandler(h)
1344	self.write_state()
1345	self.state_lock.release()
1346
1347	if not proj:
1348	raise service_error(service_error.internal,
1349	"Can't find project for %s" %aid)
1350
1351	if not user:
1352	raise service_error(service_error.internal,
1353	"Can't find creation user for %s" %aid)
1354
1355	expfile = "%s/experiment.tcl" % tmpdir
1356
1357	self.generate_portal_configs(topo, pubkey_base,
1358	secretkey_base, tmpdir, master, proj, ename, connInfo,
1359	services)
1360	self.generate_ns2(topo, expfile,
1361	"/proj/%s/software/%s/" % (proj, ename), master, connInfo)
1362
1363	starter = self.start_segment(keyfile=self.ssh_privkey_file,
1364	debug=self.create_debug, log=alloc_log)
1365	rv = starter(self, ename, proj, user, expfile, tmpdir)
1366	except service_error, e:
1367	err = e
1368	except e:
1369	err = service_error(service_error.internal, str(e))
1370
1371	# Walk up tmpdir, deleting as we go
1372	if self.cleanup:
1373	self.log.debug("[StartSegment]: removing %s" % tmpdir)
1374	for path, dirs, files in os.walk(tmpdir, topdown=False):
1375	for f in files:
1376	os.remove(os.path.join(path, f))
1377	for d in dirs:
1378	os.rmdir(os.path.join(path, d))
1379	os.rmdir(tmpdir)
1380	else:
1381	self.log.debug("[StartSegment]: not removing %s" % tmpdir)
1382
1383	if rv:
1384	# Grab the log (this is some anal locking, but better safe than
1385	# sorry)
1386	self.state_lock.acquire()
1387	logv = "".join(self.allocation[aid]['log'])
1388	self.state_lock.release()
1389
1390	return { 'allocID': req['allocID'], 'allocationLog': logv }
1391	elif err:
1392	raise service_error(service_error.federant,
1393	"Swapin failed: %s" % err)
1394	else:
1395	raise service_error(service_error.federant, "Swapin failed")
1396
1397	def TerminateSegment(self, req, fid):
1398	try:
1399	req = req['TerminateSegmentRequestBody']
1400	except KeyError:
1401	raise service_error(server_error.req, "Badly formed request")
1402
1403	auth_attr = req['allocID']['fedid']
1404	aid = "%s" % auth_attr
1405	attrs = req.get('fedAttr', [])
1406	if not self.auth.check_attribute(fid, auth_attr):
1407	raise service_error(service_error.access, "Access denied")
1408
1409	self.state_lock.acquire()
1410	if self.allocation.has_key(aid):
1411	proj = self.allocation[aid].get('project', None)
1412	if not proj:
1413	proj = self.allocation[aid].get('sproject', None)
1414	user = self.allocation[aid].get('user', None)
1415	ename = self.allocation[aid].get('experiment', None)
1416	else:
1417	proj = None
1418	user = None
1419	ename = None
1420	self.state_lock.release()
1421
1422	if not proj:
1423	raise service_error(service_error.internal,
1424	"Can't find project for %s" % aid)
1425
1426	if not user:
1427	raise service_error(service_error.internal,
1428	"Can't find creation user for %s" % aid)
1429	if not ename:
1430	raise service_error(service_error.internal,
1431	"Can't find experiment name for %s" % aid)
1432	stopper = self.stop_segment(keyfile=self.ssh_privkey_file,
1433	debug=self.create_debug)
1434	stopper(self, user, proj, ename)
1435	return { 'allocID': req['allocID'] }

Note: See TracBrowser for help on using the repository browser.

Download in other formats: