Changeset 353db8c for fedd/fedd_create.py
- Timestamp:
- Nov 23, 2010 5:00:48 PM (13 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 6e63513
- Parents:
- 3ff5e2a
- File:
-
- 1 edited
fedd/fedd_create.py
r3ff5e2a r353db8c 6 6 from federation.remote_service import service_caller 7 7 from federation.client_lib import client_opts, exit_with_fault, RPCException, \ 8 wrangle_standard_options, do_rpc, get_experiment_names, save_certfile 8 wrangle_standard_options, do_rpc, get_experiment_names, save_certfile, 9 get_abac_certs 10 from federation.util import abac_split_cert 9 11 10 12 class fedd_create_opts(client_opts): … … 32 34 help="Explicit map from testbed label to URI - " + \ 33 35 "deter:https://users.isi.deterlab/net:13232") 36 self.add_option('--gen_cert', action='store_true', dest='gen_cert', 37 default=False, 38 help='generate a cert to which to delegate rights') 39 self.add_option('--delegate', action='store_true', dest='generate', 40 help='Delegate rights to a generated cert (default)') 41 self.add_option('--no-delegate', action='store_true', dest='generate', 42 help='Do not delegate rights to a generated cert') 43 44 self.set_defaults('delegate'=True) 34 45 35 46 def parse_service(svc): … … 78 89 } 79 90 91 def delegate(fedid, cert, dir, name=None, debug=False, 92 creddy='/usr/local/bin/creddy'): 93 ''' 94 Make the creddy call to create an attribute delegating rights to the new 95 experiment. The cert parameter points to a conventional cert & key combo, 96 which we split out into tempfiles, which we delete on return. The return 97 value if the filename in which the certificate was stored. 
98 ''' 99 100 certfile = keyfile = None 101 expid = "%s" % fedid 102 103 # Trim the "fedid:" 104 if expid.startswith("fedid:"): expid = expid[6:] 105 106 try: 107 keyfile, certfile = abac_split(cert) 108 109 rv = 0 110 if name: fn = '%s/%s_attr.der' % (dir, name) 111 else: fn = '%s/%s_attr.der' % (dir, expid) 112 113 cmd = [creddy, '--attribute', '--issuer=%s' % certfile, 114 '--key=%s' % keyfile, 115 '--role=acting_for', '--subject-id=%s' % expid, 116 '--out=%s' % fn ] 117 if debug: 118 print join(cmd) 119 return fn 120 else: 121 if subprocess.call(cmd) == 0: return fn 122 else: return None 123 finally: 124 if keyfile: os.unlink(keyfile) 125 if certfile: os.unlink(certfile) 126 80 127 # Main line 81 128 service_re = re.compile('^\\s*#\\s*SERVICE:\\s*([\\S]+)') … … 83 130 (opts, args) = parser.parse_args() 84 131 85 132 # Option processing 86 133 cert, fid, url = wrangle_standard_options(opts) 87 134 … … 97 144 out_certfile = opts.out_certfile 98 145 146 # If there is no abac directory in which to store a delegated credential, don't 147 # delegate. 148 if not opts.abac_dir and opts.delegate: 149 opts.delegate = False 150 151 # Load ABAC certs 152 if opts.abac_dir: 153 try: 154 acerts = get_abac_certs(opts.abac_dir) 155 except EnvironmentError, e: 156 sys.exit('%s: %s' % (e.filename, e.strerror)) 157 99 158 # Fill in services 100 159 svcs = [] … … 102 161 svcs.append(project_export_service(opts.master, opts.project)) 103 162 svcs.extend([ parse_service(s) for s in opts.service]) 163 104 164 # Parse all the strings that we can pull out of the file using the service_re. 
105 165 svcs.extend([parse_service(service_re.match(l).group(1)) \ … … 117 177 print >>sys.stderr, "Warning:Neither master/project nor services requested" 118 178 119 179 # Construct the New experiment request 120 180 msg = { } 181 182 183 # Generate a certificate if requested and put it into the message 184 if opts.gen_cert: 185 expid, expcert = generate_fedid(opts.exp_name or 'dummy') 186 msg['experimentAccess'] = { 'X509': expcert } 187 else: 188 expid = expcert = None 121 189 122 190 if opts.exp_name: 123 191 msg['experimentID'] = { 'localname': opts.exp_name } 124 192 193 if acerts: 194 msg['credential'] = acerts 195 125 196 if opts.debug > 1: print >>sys.stderr, msg 126 197 198 # The New call 127 199 try: 128 200 resp_dict = do_rpc(msg, … … 138 210 if opts.debug > 1: print >>sys.stderr, resp_dict 139 211 212 # Save the experiment ID certificate if we need it 140 213 try: 141 214 save_certfile(opts.out_certfile, resp_dict.get('experimentAccess', None)) … … 147 220 e_local = "serialize" 148 221 222 # If delegation is requested and we have a target, make the delegation, and add 223 # the credential to acerts. 
224 if e_fedid and opts.delegate: 225 new_cert_fn = delegate(e_fedid, cert, key, dir, opts.exp_name) 226 if new_cert_fn is not None: 227 try: 228 f = open(new_cert_fn, 'r') 229 acerts.add(f.read()) 230 f.close() 231 except EnvironmentError, e: 232 sys.exit("Cannot read delegation cert in %s: %s" % \ 233 (e.filename, e.strerror)); 234 else: 235 sys.exit("Cannot delegate rights to new experiment: %s/%s" %\ 236 (expid, opts.exp_name)) 237 238 # Construct the Create message 149 239 msg = { 'experimentdescription': { 'ns2description': exp_desc }, } 150 240 … … 159 249 sys.exit("New did not return an experiment ID??") 160 250 251 if acerts: 252 msg['credential'] = acerts 253 161 254 if tbmap: 162 255 msg['testbedmap'] = [ { 'testbed': t, 'uri': u } for t, u in tbmap.items() ] … … 164 257 if opts.debug > 1: print >>sys.stderr, msg 165 258 259 # make the call 166 260 try: 167 261 resp_dict = do_rpc(msg, … … 177 271 if opts.debug > 1: print >>sys.stderr, resp_dict 178 272 273 # output 179 274 e_fedid, e_local = get_experiment_names(resp_dict.get('experimentID', None)) 180 275 st = resp_dict.get('experimentStatus', None)
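Review bot: The new option lines in fedd_create_opts cannot run as written: `self.set_defaults('delegate'=True)` is a syntax error (a keyword name cannot be a string literal), and both `--delegate` and `--no-delegate` use `dest='generate'` with `action='store_true'`, so `opts.delegate` is never populated and `--no-delegate` does not switch delegation off. The three lines should read `self.add_option('--delegate', action='store_true', dest='delegate', ...)`, `self.add_option('--no-delegate', action='store_false', dest='delegate', ...)` and `self.set_defaults(delegate=True)`. In delegate(), `abac_split(cert)` does not match the imported name `abac_split_cert`, and the call near the end of the section passes `(e_fedid, cert, key, dir, opts.exp_name)` against a signature of `(fedid, cert, dir, name=None, debug=False, creddy=...)`, so `key` lands in `dir` and `opts.exp_name` in `debug`; neither `key` nor `dir` is bound anywhere visible here. `acerts` is assigned only under `if opts.abac_dir:` but is read unconditionally at `if acerts:` and by `acerts.add(...)`, so a run without `--abac_dir` raises NameError; binding it before that block (as an empty instance of whatever container get_abac_certs returns, which is not visible here) would close that path. The main line continues past the end of this section.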