Changeset 7206e5a
- Timestamp:
- Sep 23, 2010 5:44:47 PM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 835cf55
- Parents:
- 09b1e9d
- Location:
- fedd
- Files:
-
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
fedd/fedd_new.py
r09b1e9d r7206e5a 3 3 import sys 4 4 5 from federation.fedid import fedid, generate_fedid 5 6 from federation.remote_service import service_caller 6 7 from federation.client_lib import client_opts, exit_with_fault, RPCException, \ 7 wrangle_standard_options, do_rpc, get_experiment_names, save_certfile 8 wrangle_standard_options, do_rpc, get_experiment_names, \ 9 save_certfile, get_abac_certs 8 10 9 11 … … 15 17 self.add_option("--experiment_name", dest="exp_name", 16 18 type="string", help="Suggested experiment name") 19 self.add_option('--gen-cert', action='store_true', dest='gen_cert', 20 default=False, 21 help='generate a cert to which to delegate rights') 17 22 18 23 parser = new_opts() … … 20 25 21 26 cert, fid, url = wrangle_standard_options(opts) 27 try: 28 acerts = get_abac_certs(opts.abac_dir) 29 except EnvironmentError, e: 30 sys.exit('%s: %s' % (e.filename, e.strerror)) 22 31 23 32 out_certfile = opts.out_certfile … … 25 34 msg = { } 26 35 36 if opts.gen_cert: 37 expid, expcert = generate_fedid(opts.exp_name or 'dummy') 38 print expid 39 msg['experimentAccess'] = { 'X509': expcert } 40 else: 41 expcert = None 42 27 43 if opts.exp_name: 28 44 msg['experimentID'] = { 'localname': opts.exp_name } 45 46 if acerts: 47 msg['credential'] = acerts 29 48 30 49 if opts.debug > 1: print >>sys.stderr, msg … … 44 63 45 64 try: 46 save_certfile(opts.out_certfile, resp_dict.get('experimentAccess', None)) 47 except EnvironmentError: 48 sys.exit('Could not write to %s' % out_certfile) 65 save_certfile(opts.out_certfile, resp_dict.get('experimentAccess', None), 66 expcert) 67 except EnvironmentError, e: 68 sys.exit('Could not write to %s:' % (e.strerror, e.filename)) 69 except CertificateMismatchError: 70 printf >>sys.stderr, "Fedid of created experiment does not match generated" 71 49 72 50 73 e_fedid, e_local = get_experiment_names(resp_dict.get('experimentID', None)) -
fedd/federation/authorizer.py
r09b1e9d r7206e5a 152 152 self.globals.discard(attr) 153 153 154 def import_credentials(self, file_list=None, data_list=None): 155 return False 156 154 157 def __str__(self): 155 158 rv = "" … … 182 185 """ 183 186 184 clean_attr_re = re.compile('[^A-Za-z _]+')187 clean_attr_re = re.compile('[^A-Za-z0-9_]+') 185 188 cred_file_re = re.compile('.*\.der$') 186 189 bad_name = authorizer_base.bad_name 187 190 attribute_error = authorizer_base.attribute_error 188 ABAC.libabac_init()189 190 def __init__(self, certs=None, me=None, key=None, load file=None):191 class no_file(RuntimeError): pass 192 193 def __init__(self, certs=None, me=None, key=None, load=None): 191 194 self.creddy = '/usr/local/bin/creddy' 192 195 self.globals = set() … … 207 210 self.context.load_directory(dir) 208 211 209 if loadfile: 210 self.load(loadfile) 212 if load: 213 self.save_dir = load 214 self.load(load) 215 else: 216 self.save_dir = None 211 217 212 218 @staticmethod 213 219 def clean_attr(attr): 214 220 return abac_authorizer.clean_attr_re.sub('_', attr) 221 222 def import_credentials(self, file_list=None, data_list=None): 223 if data_list: 224 return any([self.import_credential(data=d) for d in data_list]) 225 elif file_list: 226 return any([self.import_credential(file=f) for f in file_list]) 227 else: 228 return False 229 230 def import_credential(self, file=None, data=None): 231 if data: 232 if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS: 233 return self.context.load_attribute_chunk(data) == \ 234 ABAC.ABAC_CERT_SUCCESS 235 else: 236 return True 237 elif file: 238 if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS: 239 return self.context.load_attribute_file(file) == \ 240 ABAC.ABAC_CERT_SUCCESS 241 else: 242 return True 243 else: 244 return False 215 245 216 246 def set_attribute(self, name=None, attr=None, cert=None): … … 219 249 raise abac_authorizer.bad_name( 220 250 "ABAC doesn't understand three-names") 251 # Convert non-string attributes to strings 252 if not isinstance(attr, basestring): 253 attr = "%s" % attr 221 254 if self.me and self.key: 222 255 # Create a credential and insert it into context … … 261 294 raise abac_authorizer.bad_name( 262 295 "ABAC doesn't understand three-names") 296 # Convert non-string attributes to strings 297 if not isinstance(attr, basestring): 298 attr = "%s" % attr 263 299 cattr = self.clean_attr(attr) 264 300 self.lock.acquire() … … 289 325 "ABAC doesn't understand three-names") 290 326 else: 327 # Convert non-string attributes to strings 328 if not isinstance(attr, basestring): 329 attr = "%s" % attr 291 330 # Naked attributes are attested by this principal 292 331 if attr.find('.') == -1: … … 297 336 298 337 self.lock.acquire() 299 proof, rv = self.context.query(a,name)338 rv, proof = self.context.query(a, "%s" % name) 300 339 # XXX delete soon 301 340 if not rv and attr in self.globals: rv = True … … 330 369 return rv 331 370 332 def save(self, dir): 333 self.lock.acquire() 371 def save(self, dir=None): 372 self.lock.acquire() 373 if dir: 374 self.save_dir = dir 375 else: 376 dir = self.save_dir 377 if dir is None: 378 self.lock.release() 379 raise abac_authorizer.no_file_error("No load directory specified") 334 380 try: 335 381 if not os.access(dir, os.F_OK): … … 347 393 if not os.access("%s/certs" %dir, os.F_OK): 348 394 os.mkdir("%s/certs" % dir) 349 seenit = set() 395 seenid = set() 396 seenattr = set() 350 397 351 398 #restore unpicklable state … … 363 410 # NB: file naming conventions matter here. The trailing_ID and 364 411 # _attr are required by ABAC.COntext.load_directory() 365 if id not in seenit:412 if id and id not in seenid: 366 413 f = open("%s/certs/ID_%03d_ID.der" % (dir, ii), "w") 367 print >>f, id414 f.write(id) 368 415 f.close() 369 416 ii += 1 370 seeni t.add(id)371 if attr :417 seenid.add(id) 418 if attr and attr not in seenattr: 372 419 f = open("%s/certs/attr_%03d_attr.der" % (dir, ai), "w") 373 print >>f, attr420 f.write(attr) 374 421 f.close() 375 422 ai += 1 423 seenattr.add(attr) 376 424 except EnvironmentError, e: 377 425 # If we've mislaid self.lock, release lock (they're the same object) … … 386 434 self.lock.release() 387 435 388 def load(self, dir): 389 self.lock.acquire() 436 def load(self, dir=None): 437 self.lock.acquire() 438 if dir: 439 self.save_dir = dir 440 else: 441 dir = self.save_dir 442 if dir is None: 443 self.lock.release() 444 raise abac_authorizer.no_file_error("No load directory specified") 390 445 try: 391 446 if os.access("%s/state" % dir, os.R_OK): … … 402 457 self.context.load_id_file(self.me) 403 458 self.context.load_directory("%s/certs" % dir) 459 self.save_dir = dir 404 460 except EnvironmentError, e: 405 461 self.lock.release() -
fedd/federation/client_lib.py
r09b1e9d r7206e5a 80 80 self.errstr = errstr 81 81 82 class CertificateMismatchError(RuntimeError): pass 83 82 84 83 85 def get_user_cert(): … … 97 99 if os.path.isfile("%s/%s" % (dir,p))]: 98 100 f = open(fn, 'r') 99 rv.append( join(f))101 rv.append(f.read()) 100 102 f.close() 101 103 return rv … … 138 140 return (cert, fid, url) 139 141 140 def save_certfile(out_certfile, ea ):142 def save_certfile(out_certfile, ea, check_cert=None): 141 143 """ 142 144 if the experiment authority section in ea has a certificate and the 143 145 out_certfile parameter has a place to put it, save the cert to the file. 144 EnvronnemtError s can come from the file operations. 146 EnvronmentError s can come from the file operations. If check_cert is 147 given, the certificate in ea is compared with it and if they are not equal, 148 a CertificateMismatchError is raised. 145 149 """ 146 150 if out_certfile and ea and 'X509' in ea: 151 out_cert = ea['X509'] 152 if check_cert and check_cert != out_cert: 153 raise CertificateMismatchError() 147 154 f = open(out_certfile, "w") 148 print >>f, ea['X509']155 f.write(out_cert) 149 156 f.close() 150 157 -
fedd/federation/experiment_control.py
r09b1e9d r7206e5a 30 30 from synch_store import synch_store 31 31 from experiment_partition import experiment_partition 32 from authorizer import abac_authorizer 32 33 33 34 import topdl … … 282 283 "ssh_privkey_file") 283 284 dt = config.get("experiment_control", "direct_transit") 285 self.auth_type = config.get('experiment_control', 'auth_type') \ 286 or 'legacy' 287 self.auth_dir = config.get('experiment_control', 'auth_dir') 284 288 if dt: self.direct_transit = [ tb.strip() for tb in dt.split(",")] 285 289 else: self.direct_transit = [ ] … … 319 323 self.local_access = { } 320 324 321 if auth: 322 self.auth = auth 323 else: 324 self.log.error(\ 325 "[access]: No authorizer initialized, creating local one.") 326 auth = authorizer() 325 if self.auth_type == 'legacy': 326 if auth: 327 self.auth = auth 328 else: 329 self.log.error( "[access]: No authorizer initialized, " +\ 330 "creating local one.") 331 auth = authorizer() 332 elif self.auth_type == 'abac': 333 self.auth = abac_authorizer(load=self.auth_dir) 334 else: 335 raise service_error(service_error.internal, 336 "Unknown auth_type: %s" % self.auth_type) 327 337 328 338 … … 475 485 eid = get_experiment_id(s) 476 486 if eid : 477 # Give the owner rights to the experiment 478 self.auth.set_attribute(s['owner'], eid) 479 # And holders of the eid as well 480 self.auth.set_attribute(eid, eid) 481 # allow overrides to control experiments as well 482 for o in self.overrides: 483 self.auth.set_attribute(o, eid) 484 # Set permissions to allow reading of the software repo, if 485 # any, as well. 486 for a in self.get_alloc_ids(s): 487 self.auth.set_attribute(a, 'repo/%s' % eid) 487 if self.auth_type == 'legacy': 488 # XXX: legacy 489 # Give the owner rights to the experiment 490 self.auth.set_attribute(s['owner'], eid) 491 # And holders of the eid as well 492 self.auth.set_attribute(eid, eid) 493 # allow overrides to control experiments as well 494 for o in self.overrides: 495 self.auth.set_attribute(o, eid) 496 # Set permissions to allow reading of the software 497 # repo, if any, as well. 498 for a in self.get_alloc_ids(s): 499 self.auth.set_attribute(a, 'repo/%s' % eid) 488 500 else: 489 501 raise KeyError("No experiment id") … … 546 558 547 559 # Initialize the authorization attributes 548 for fid in self.accessdb.keys(): 549 self.auth.set_attribute(fid, 'create') 550 self.auth.set_attribute(fid, 'new') 560 # XXX: legacy 561 if self.auth_type == 'legacy': 562 for fid in self.accessdb.keys(): 563 self.auth.set_attribute(fid, 'create') 564 self.auth.set_attribute(fid, 'new') 551 565 552 566 def read_mapdb(self, file): … … 589 603 # Set the initial permissions on data in the store. XXX: This ad hoc 590 604 # authorization attribute initialization is getting out of hand. 591 for k in self.synch_store.all_keys(): 592 try: 593 if k.startswith('fedid:'): 594 fid = fedid(hexstr=k[6:46]) 595 if self.state.has_key(fid): 596 for a in self.get_alloc_ids(self.state[fid]): 597 self.auth.set_attribute(a, k) 598 except ValueError, e: 599 self.log.warn("Cannot deduce permissions for %s" % k) 605 # XXX: legacy 606 if self.auth_type == 'legacy': 607 for k in self.synch_store.all_keys(): 608 try: 609 if k.startswith('fedid:'): 610 fid = fedid(hexstr=k[6:46]) 611 if self.state.has_key(fid): 612 for a in self.get_alloc_ids(self.state[fid]): 613 self.auth.set_attribute(a, k) 614 except ValueError, e: 615 self.log.warn("Cannot deduce permissions for %s" % k) 600 616 601 617 … … 1300 1316 if status and status == 'failed': 1301 1317 # remove the old access attribute 1302 self.auth.unset_attribute(fid, old_expid) 1318 self.auth.unset_attribute(fid, old_expid) 1319 self.auth.save() 1303 1320 overwrite = True 1304 1321 del self.state[eid] … … 1497 1514 self.auth.set_attribute(tbparams[tb]['allocID']['fedid'], 1498 1515 "/%s/%s" % ( path, dest)) 1516 self.auth.save() 1499 1517 1500 1518 # Convert the software locations in the segments into the local … … 1518 1536 to instantiate them and start it all up. 1519 1537 """ 1538 req = req.get('NewRequestBody', None) 1539 if not req: 1540 raise service_error(service_error.req, 1541 "Bad request format (no NewRequestBody)") 1542 1543 if self.auth.import_credentials(data_list=req.get('credential', [])): 1544 self.auth.save() 1545 1520 1546 if not self.auth.check_attribute(fid, 'new'): 1521 1547 raise service_error(service_error.access, "New access denied") … … 1536 1562 gid = "dummy" 1537 1563 1538 req = req.get('NewRequestBody', None)1539 if not req:1540 raise service_error(service_error.req,1541 "Bad request format (no NewRequestBody)")1542 1543 1564 # Generate an ID for the experiment (slice) and a certificate that the 1544 1565 # allocator can use to prove they own it. We'll ship it back through 1545 # the encrypted connection. 1546 (expid, expcert) = generate_fedid("test", dir=tmpdir, log=self.log) 1566 # the encrypted connection. If the requester supplied one, use it. 1567 if 'experimentAccess' in req and 'X509' in req['experimentAccess']: 1568 expcert = req['experimentAccess']['X509'] 1569 tf = tempfile.NamedTemporaryFile() 1570 tf.write(expcert) 1571 tf.flush() 1572 expid = fedid(file=tf.name) 1573 tf.close() 1574 self.state_lock.acquire() 1575 if expid in self.state: 1576 self.state_lock.release() 1577 raise service_error(service_error.req, 1578 'fedid %s identifies an existing experiment' % expid) 1579 self.state_lock.release() 1580 else: 1581 (expid, expcert) = generate_fedid("test", dir=tmpdir, log=self.log) 1547 1582 1548 1583 #now we're done with the tmpdir, and it should be empty … … 1557 1592 1558 1593 # Let users touch the state 1559 self.auth.set_attribute(fid, expid) 1560 self.auth.set_attribute(expid, expid) 1561 # Override fedids can manipulate state as well 1562 for o in self.overrides: 1563 self.auth.set_attribute(o, expid) 1594 self.auth.set_attribute(fid, expid) 1595 self.auth.set_attribute(expid, expid) 1596 # Override fedids can manipulate state as well 1597 for o in self.overrides: 1598 self.auth.set_attribute(o, expid) 1599 self.auth.save() 1564 1600 1565 1601 rv = { … … 1793 1829 asignee = tbparams[tb]['allocID']['fedid'] 1794 1830 for f in ("hosts", gw_secretkey_base, gw_pubkey_base): 1795 self.auth.set_attribute(asignee, "%s/%s" % (configpath, f)) 1831 self.auth.set_attribute(asignee, "%s/%s" % \ 1832 (configpath, f)) 1796 1833 1797 1834 part = experiment_partition(self.auth, self.store_url, tbmap, … … 1809 1846 self.auth.set_attribute(\ 1810 1847 tbparams[tb]['allocID']['fedid'], sk) 1848 self.auth.save() 1811 1849 1812 1850 self.wrangle_software(expid, top, topo, tbparams) … … 1851 1889 # here on out, the state will stick around a while. 1852 1890 1853 # Let users touch the state 1854 self.auth.set_attribute(fid, expid) 1855 self.auth.set_attribute(expid, expid) 1856 # Override fedids can manipulate state as well 1857 for o in self.overrides: 1858 self.auth.set_attribute(o, expid) 1891 # Let users touch the state 1892 self.auth.set_attribute(fid, expid) 1893 self.auth.set_attribute(expid, expid) 1894 # Override fedids can manipulate state as well 1895 for o in self.overrides: 1896 self.auth.set_attribute(o, expid) 1897 self.auth.save() 1859 1898 1860 1899 # Create a logger that logs to the experiment's state object as well as -
fedd/federation/fedid.py
r09b1e9d r7206e5a 158 158 159 159 rv = subprocess.call(cmd, stdout=call_out, stderr=call_out) 160 log.debug("rv = %d" % rv)160 if log: log.debug("rv = %d" % rv) 161 161 if rv == 0: 162 162 cert = ""
Note: See TracChangeset
for help on using the changeset viewer.