Changeset 2dc99e3
- Timestamp:
- Jan 18, 2013 3:33:04 PM (12 years ago)
- Branches:
- master
- Children:
- 5dbcc93
- Parents:
- 1819839
- File:
-
- 1 edited
fedd/federation/desktop_access.py
r1819839 r2dc99e3 138 138 self.call_GetValue = service_caller('GetValue', log=self.log) 139 139 140 # RequestAccess and ReleaseAccess come from the base class 140 # ReleaseAccess come from the base class, this is a slightly modified 141 # RequestAccess from the base that includes a fedAttr to force this side to 142 # be active. 143 def RequestAccess(self, req, fid): 144 """ 145 Handle an access request. Success here maps the requester into the 146 local access control space and establishes state about that user keyed 147 to a fedid. We also save a copy of the certificate underlying that 148 fedid so this allocation can access configuration information and 149 shared parameters on the experiment controller. 150 """ 151 152 self.log.info("RequestAccess called by %s" % fid) 153 # The dance to get into the request body 154 if req.has_key('RequestAccessRequestBody'): 155 req = req['RequestAccessRequestBody'] 156 else: 157 raise service_error(service_error.req, "No request!?") 158 159 # Base class lookup routine. If this fails, it throws a service 160 # exception denying access that triggers a fault response back to the 161 # caller. 162 found, owners, proof = self.lookup_access(req, fid) 163 self.log.info( 164 "[RequestAccess] Access granted local creds %s" % found) 165 # Make a fedid for this allocation 166 allocID, alloc_cert = generate_fedid(subj="alloc", log=self.log) 167 aid = unicode(allocID) 168 169 # Store the data about this allocation: 170 self.state_lock.acquire() 171 self.state[aid] = { } 172 self.state[aid]['user'] = found 173 self.state[aid]['owners'] = owners 174 self.state[aid]['auth'] = set() 175 # Authorize the creating fedid and the principal representing the 176 # allocation to manipulate it. 177 self.append_allocation_authorization(aid, 178 ((fid, allocID), (allocID, allocID))) 179 self.write_state() 180 self.state_lock.release() 181 182 # Create a directory to stash the certificate in, ans stash it. 
183 try: 184 f = open("%s/%s.pem" % (self.certdir, aid), "w") 185 print >>f, alloc_cert 186 f.close() 187 except EnvironmentError, e: 188 raise service_error(service_error.internal, 189 "Can't open %s/%s : %s" % (self.certdir, aid, e)) 190 self.log.debug('[RequestAccess] Returning allocation ID: %s' % allocID) 191 msg = { 192 'allocID': { 'fedid': allocID }, 193 'fedAttr': [{ 'attribute': 'nat_portals', 'value': 'True' }], 194 'proof': proof.to_dict() 195 } 196 return msg 141 197 142 198 def validate_topology(self, top): … … 241 297 print >>script, 'sudo ip route delete %s' % dest 242 298 299 def find_a_peer(self, addr): 300 ''' 301 Find another node in the experiment that's on our subnet. This is a 302 hack to handle the problem that we really cannot require the desktop to 303 dynamically route. Will be improved by distributing static routes. 304 ''' 305 306 peer = None 307 hosts = os.path.join(self.localdir, 'hosts') 308 p = addr.rfind('.') 309 if p == -1: 310 raise service_error(service_error.req, 'bad address in topology') 311 prefix = addr[0:p] 312 addr_re = re.compile('(%s.\\d+)' % prefix) 313 try: 314 f = open(hosts, 'r') 315 for line in f: 316 m = addr_re.search(line) 317 if m is not None and m.group(1) != addr: 318 peer = m.group(1) 319 break 320 else: 321 raise service_error(service_error.req, 322 'No other nodes in this subnet??') 323 except EnvironmentError, e: 324 raise service_error(service_error.internal, 325 'Cannot open %s: %s' % (e.filename, e.strerror)) 326 return peer 327 328 243 329 244 330 … … 278 364 'Cannot find all config parameters %s %s %s' % (peer, port, my_addr)) 279 365 366 exp_peer = self.find_a_peer(my_addr) 367 280 368 cscript = os.path.join(self.localdir, 'connect') 281 369 dscript = os.path.join(self.localdir, 'disconnect') … … 289 377 # a file this end can access into its local file system. Try once 290 378 # a minute. 291 print >>f,'while ! 
/usr/bin/scp -i"StrictHostKeyChecking no" -i %s %s:/usr/local/federation/etc/prep_done /dev/null; do' % (self.ssh_identity, peer)379 print >>f,'while ! /usr/bin/scp -o "StrictHostKeyChecking no" -i %s %s:/usr/local/federation/etc/prep_done /dev/null; do' % (self.ssh_identity, peer) 292 380 print >>f, 'sleep 60; done' 293 381 print >>f, ('sudo ssh -w 0:0 -p %s -o "Tunnel ethernet" ' + \ 294 '-o "StrictHostKeyChecking no" -i %s -N%s &') % \295 (port, self.ssh_identity, peer )382 '-o "StrictHostKeyChecking no" -i %s %s perl -I/usr/local/federation/lib /usr/local/federation/bin/setup_bridge.pl --tapno=0 --addr=%s &') % \ 383 (port, self.ssh_identity, peer, my_addr) 296 384 # This should give the tap a a chance to come up 297 385 print >>f,'sleep 10' … … 299 387 print >>f, 'sudo ifconfig tap0 %s netmask 255.255.255.0 up' % \ 300 388 my_addr 301 self.set_route('10.0.0.0/8', f, peer)389 self.set_route('10.0.0.0/8', f, exp_peer) 302 390 f.close() 303 391 os.chmod(cscript, 0755)
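Review bot: In the new RequestAccess, state_lock is taken at `self.state_lock.acquire()` and only given back by the bare `self.state_lock.release()` after write_state(); if append_allocation_authorization or write_state raises, the lock is never released and every later request on this object blocks. Put a `try:` directly after the acquire and close the section with `finally: self.state_lock.release()` so the error path still frees the lock (the certificate-writing try/except can stay outside it). In find_a_peer the pattern `'(%s.\\d+)' % prefix` inserts prefix unescaped, so each `.` matches any character and an address like 110.0.0.5 would also satisfy prefix 10.0.0; `re.compile(r'\b(%s\.\d+)\b' % re.escape(prefix))` makes the match exact, and the hosts handle opened in that function is never closed on either path. The connect script interpolates my_addr and peer straight into shell command lines; if those config values are not validated before they reach this code, quoting them with pipes.quote would keep a malformed value from altering the script's structure.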