Changeset 66bb590 for fedd/federation

Timestamp:

Dec 10, 2010 9:03:35 AM (13 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

52b6ebc

Parents:

913dc7a (diff), 8d5394e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge branch 'master' of tardis.deterlab.net:/var/local/git/fedd

Location:

fedd/federation

Files:

• client_lib.py (modified) (4 diffs)
• experiment_control.py (modified) (12 diffs)
• server.py (modified) (1 diff)
• util.py (modified) (2 diffs)

fedd/federation/client_lib.py

@@ -10 +10 @@
 
 from fedid import fedid
-from util import fedd_ssl_context
+from util import fedd_ssl_context, file_expanding_opts
 from remote_service import service_caller
 from service_error import service_error
@@ -17 +17 @@
 
 
-class client_opts(OptionParser):
+class client_opts(file_expanding_opts):
     """
     Standatd set of options that all clients talking to fedd can probably use.
     Client code usually specializes this.
     """
+
     def __init__(self):
-        OptionParser.__init__(self, usage="%prog [opts] (--help for details)",
+        file_expanding_opts.__init__(self,
+                usage="%prog [opts] (--help for details)",
                 version="0.1")
 
-        self.add_option("--cert", action="store", dest="cert",
+        self.add_option("--cert", action="callback", dest="cert", 
+                callback=self.expand_file,
                 type="string", help="my certificate file")
-        self.add_option("--abac", action="store", dest="abac_dir",
-                type="string", help="Directory with abac certs")
+        self.add_option("--abac", action="callback", dest="abac_dir",
+                callback=self.expand_file,
+                type="string", default=os.path.expanduser('~/.abac'), 
+                help="Directory with abac certs")
+        self.add_option('--no_abac', action='store_const', const=None, 
+                dest='abac_dir', help='Do not use abac authorization')
         self.add_option( "--debug", action="count", dest="debug", 
                 default=0, help="Set debug.  Repeat for more information")
@@ -35 +42 @@
                 dest="serialize_only", default=False,
                 help="Print the SOAP request that would be sent and exit")
-        self.add_option("--trusted", action="store", dest="trusted",
+        self.add_option("--trusted", action="callback", dest="trusted",
+                callback=self.expand_file,
                 type="string", help="Trusted certificates (required)")
         self.add_option("--url", action="store", dest="url",
@@ -98 +106 @@
     '''
     rv = [ ]
-    if dir:
+    if dir and os.path.isdir(dir):
         for fn in ["%s/%s" % (dir, p) for p in os.listdir(dir) \
                 if os.path.isfile("%s/%s" % (dir,p))]:

fedd/federation/experiment_control.py

@@ -1062 +1062 @@
         else: e.software = s 
 
+    def append_experiment_authorization(self, expid, attrs, 
+            need_state_lock=True):
+        """
+        Append the authorization information to system state
+        """
+
+        for p, a in attrs:
+            self.auth.set_attribute(p, a)
+        self.auth.save()
+
+        if need_state_lock: self.state_lock.acquire()
+        self.state[expid]['auth'].update(attrs)
+        if self.state_filename: self.write_state()
+        if need_state_lock: self.state_lock.release()
+
+    def clear_experiment_authorizaton(self, expid, need_state_lock=True):
+        """
+        Attrs is a set of attribute principal pairs that need to be removed
+        from the authenticator.  Remove them and save the authenticator.
+        """
+
+        for p, a in attrs:
+            self.auth.unset_attribute(p, a)
+        self.auth.save()
+
+        if need_state_lock: self.state_lock.acquire()
+        self.state[expid]['auth'] = set()
+        if self.state_filename: self.write_state()
+        if need_state_lock: self.state_lock.release()
+
 
     def create_experiment_state(self, fid, req, expid, expcert,
@@ -1087 +1117 @@
                 status = self.state[eid].get('experimentStatus', None)
                 if status and status == 'failed':
-                    # remove the old access attribute
-                    self.auth.unset_attribute(fid, old_expid)
-                    self.auth.save()
+                    # remove the old access attributes
+                    self.clear_experiment_authorization(self.state[eid]['auth'],
+                            need_state_lock=False)
                     overwrite = True
                     del self.state[eid]
@@ -1105 +1135 @@
                     'owner': fid,
                     'log' : [],
+                    'auth': set(),
                 }
             self.state[expid] = self.state[eid]
-            if self.state_filename: self.write_state()
-            self.state_lock.release()
+            if self.state_filename: self.write_state()
+            self.state_lock.release()
         else:
             eid = self.exp_stem
@@ -1126 +1157 @@
                     'owner': fid,
                     'log' : [],
+                    'auth': set(),
                 }
             self.state[expid] = self.state[eid]
-            if self.state_filename: self.write_state()
-            self.state_lock.release()
+            if self.state_filename: self.write_state()
+            self.state_lock.release()
+
+        # Let users touch the state.  Authorize this fid and the expid itself
+        # to touch the experiment, as well as allowing th eoverrides.
+        self.append_experiment_authorization(eid, 
+                set([(fid, expid), (expid,expid)] + \
+                        [ (o, expid) for o in self.overrides]))
 
         return eid
@@ -1362 +1400 @@
                     "Cannot create software directory: %s" % e)
         # The actual copying.  Everything's converted into a url for copying.
+        auth_attrs = set()
         for pkg in pkgs:
             loc = pkg
@@ -1394 +1433 @@
                     ( self.repo_url, path, dest)
 
-            # Allow the individual segments to access the software.
-            for tb in tbparams.keys():
-                self.auth.set_attribute(tbparams[tb]['allocID']['fedid'], 
-                        "/%s/%s" % ( path, dest))
-            self.auth.save()
+            # Allow the individual segments to access the software by assigning
+            # an attribute to each testbed allocation that encodes the data to
+            # be released.  This expression collects the data for each run of
+            # the loop.
+            auth_attrs.update([
+                (tbparams[tb]['allocID']['fedid'], "/%s/%s" % ( path, dest)) \
+                        for tb in tbparams.keys()])
+
+        self.append_experiment_authorization(expid, auth_attrs)
 
         # Convert the software locations in the segments into the local
@@ -1467 +1510 @@
         eid = self.create_experiment_state(fid, req, expid, expcert, 
                 state='empty')
-
-        # Let users touch the state
-        self.auth.set_attribute(fid, expid)
-        self.auth.set_attribute(expid, expid)
-        # Override fedids can manipulate state as well
-        for o in self.overrides:
-            self.auth.set_attribute(o, expid)
-        self.auth.save()
 
         rv = {
@@ -1700 +1735 @@
                     "Cannot copy keyfiles: %s" % e)
 
-        # Allow the individual testbeds to access the configuration files.
-        for tb in tbparams.keys():
-            asignee = tbparams[tb]['allocID']['fedid']
-            for f in ("hosts", gw_secretkey_base, gw_pubkey_base):
-                self.auth.set_attribute(asignee, "%s/%s" % \
-                        (configpath, f))
-            self.auth.save()
+        # Allow the individual testbeds to access the configuration files,
+        # again by setting an attribute for the relevant pathnames on each
+        # allocation principal.  Yeah, that's a long list comprehension.
+        self.append_experiment_authorization(expid, set([
+            (tbparams[tb]['allocID']['fedid'], "%s/%s" % (configpath, f)) \
+                    for tb in tbparams.keys() \
+                        for f in ("hosts", gw_secretkey_base, gw_pubkey_base)]))
 
         attrs = [ 
@@ -1940 +1975 @@
             part.add_portals(top, topo, eid, pmasters, tbparams, ip_allocator,
                     connInfo, expid)
+
+            auth_attrs = set()
             # Now get access to the dynamic testbeds (those added above)
             for tb in [ t for t in topo if t not in allocated]:
@@ -1948 +1985 @@
                 # Give the testbed access to keys it exports or imports
                 if store_keys:
-                    for sk in store_keys.split(" "):
-                        self.auth.set_attribute(\
-                                tbparams[tb]['allocID']['fedid'], sk)
-            self.auth.save()
+                    auth_keys.update(set([
+                        (tbparams[tb]['allocID']['fedid'], sk) \
+                                for sk in store_keys.split(" ")]))
+
+            if auth_attrs:
+                self.append_experiment_authorization(expid, auth_attrs)
 
             # transit and disconnected testbeds may not have a connInfo entry.
@@ -1976 +2015 @@
         # here on out, the state will stick around a while.
 
+        # XXX: I think this is redundant
         # Let users touch the state
-        self.auth.set_attribute(fid, expid)
-        self.auth.set_attribute(expid, expid)
+        # self.auth.set_attribute(fid, expid)
+        # self.auth.set_attribute(expid, expid)
         # Override fedids can manipulate state as well
-        for o in self.overrides:
-            self.auth.set_attribute(o, expid)
-        self.auth.save()
+        # for o in self.overrides:
+            # self.auth.set_attribute(o, expid)
+        # self.auth.save()
 
         # Create a logger that logs to the experiment's state object as well as
@@ -2077 +2117 @@
         # Remove the owner info (should always be there, but...)
         if rv.has_key('owner'): del rv['owner']
+        if 'auth' in rv: del rv['auth']
 
         # Convert the log into the allocationLog parameter and remove the

fedd/federation/server.py

@@ -13 +13 @@
 
 from fedid import fedid
+
+# ZSI uses a deprecated multifile interface.  This shuts the warning system up.
+from warnings import filterwarnings
+filterwarnings("ignore", ".*multifile.*", DeprecationWarning, "ZSI")
+
 try:
     from fedd_services import ns0

fedd/federation/util.py

@@ -8 +8 @@
 
 import httplib
+
+from optparse import OptionParser
 
 from socket import sslerror
@@ -95 +97 @@
             self.set_allow_unknown_ca(True)
             self.set_verify(SSL.verify_peer, 10, callback=callb)
+
+class file_expanding_opts(OptionParser):
+    def expand_file(self, option, opt_str, v, p):
+        """
+        Store the given value to the given destination after expanding home
+        directories.
+        """
+        setattr(p.values, option.dest, os.path.expanduser(v))
+
+    def __init__(self, usage=None, version=None):
+        OptionParser.__init__(self)
+
 
 def read_simple_accessdb(fn, auth, mask=[]):