Changeset 7206e5a for fedd/federation/experiment_control.py
- Timestamp:
- Sep 23, 2010 5:44:47 PM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 835cf55
- Parents:
- 09b1e9d
- File:
-
- 1 edited
fedd/federation/experiment_control.py
r09b1e9d r7206e5a 30 30 from synch_store import synch_store 31 31 from experiment_partition import experiment_partition 32 from authorizer import abac_authorizer 32 33 33 34 import topdl … … 282 283 "ssh_privkey_file") 283 284 dt = config.get("experiment_control", "direct_transit") 285 self.auth_type = config.get('experiment_control', 'auth_type') \ 286 or 'legacy' 287 self.auth_dir = config.get('experiment_control', 'auth_dir') 284 288 if dt: self.direct_transit = [ tb.strip() for tb in dt.split(",")] 285 289 else: self.direct_transit = [ ] … … 319 323 self.local_access = { } 320 324 321 if auth: 322 self.auth = auth 323 else: 324 self.log.error(\ 325 "[access]: No authorizer initialized, creating local one.") 326 auth = authorizer() 325 if self.auth_type == 'legacy': 326 if auth: 327 self.auth = auth 328 else: 329 self.log.error( "[access]: No authorizer initialized, " +\ 330 "creating local one.") 331 auth = authorizer() 332 elif self.auth_type == 'abac': 333 self.auth = abac_authorizer(load=self.auth_dir) 334 else: 335 raise service_error(service_error.internal, 336 "Unknown auth_type: %s" % self.auth_type) 327 337 328 338 … … 475 485 eid = get_experiment_id(s) 476 486 if eid : 477 # Give the owner rights to the experiment 478 self.auth.set_attribute(s['owner'], eid) 479 # And holders of the eid as well 480 self.auth.set_attribute(eid, eid) 481 # allow overrides to control experiments as well 482 for o in self.overrides: 483 self.auth.set_attribute(o, eid) 484 # Set permissions to allow reading of the software repo, if 485 # any, as well. 
486 for a in self.get_alloc_ids(s): 487 self.auth.set_attribute(a, 'repo/%s' % eid) 487 if self.auth_type == 'legacy': 488 # XXX: legacy 489 # Give the owner rights to the experiment 490 self.auth.set_attribute(s['owner'], eid) 491 # And holders of the eid as well 492 self.auth.set_attribute(eid, eid) 493 # allow overrides to control experiments as well 494 for o in self.overrides: 495 self.auth.set_attribute(o, eid) 496 # Set permissions to allow reading of the software 497 # repo, if any, as well. 498 for a in self.get_alloc_ids(s): 499 self.auth.set_attribute(a, 'repo/%s' % eid) 488 500 else: 489 501 raise KeyError("No experiment id") … … 546 558 547 559 # Initialize the authorization attributes 548 for fid in self.accessdb.keys(): 549 self.auth.set_attribute(fid, 'create') 550 self.auth.set_attribute(fid, 'new') 560 # XXX: legacy 561 if self.auth_type == 'legacy': 562 for fid in self.accessdb.keys(): 563 self.auth.set_attribute(fid, 'create') 564 self.auth.set_attribute(fid, 'new') 551 565 552 566 def read_mapdb(self, file): … … 589 603 # Set the initial permissions on data in the store. XXX: This ad hoc 590 604 # authorization attribute initialization is getting out of hand. 
591 for k in self.synch_store.all_keys(): 592 try: 593 if k.startswith('fedid:'): 594 fid = fedid(hexstr=k[6:46]) 595 if self.state.has_key(fid): 596 for a in self.get_alloc_ids(self.state[fid]): 597 self.auth.set_attribute(a, k) 598 except ValueError, e: 599 self.log.warn("Cannot deduce permissions for %s" % k) 605 # XXX: legacy 606 if self.auth_type == 'legacy': 607 for k in self.synch_store.all_keys(): 608 try: 609 if k.startswith('fedid:'): 610 fid = fedid(hexstr=k[6:46]) 611 if self.state.has_key(fid): 612 for a in self.get_alloc_ids(self.state[fid]): 613 self.auth.set_attribute(a, k) 614 except ValueError, e: 615 self.log.warn("Cannot deduce permissions for %s" % k) 600 616 601 617 … … 1300 1316 if status and status == 'failed': 1301 1317 # remove the old access attribute 1302 self.auth.unset_attribute(fid, old_expid) 1318 self.auth.unset_attribute(fid, old_expid) 1319 self.auth.save() 1303 1320 overwrite = True 1304 1321 del self.state[eid] … … 1497 1514 self.auth.set_attribute(tbparams[tb]['allocID']['fedid'], 1498 1515 "/%s/%s" % ( path, dest)) 1516 self.auth.save() 1499 1517 1500 1518 # Convert the software locations in the segments into the local … … 1518 1536 to instantiate them and start it all up. 1519 1537 """ 1538 req = req.get('NewRequestBody', None) 1539 if not req: 1540 raise service_error(service_error.req, 1541 "Bad request format (no NewRequestBody)") 1542 1543 if self.auth.import_credentials(data_list=req.get('credential', [])): 1544 self.auth.save() 1545 1520 1546 if not self.auth.check_attribute(fid, 'new'): 1521 1547 raise service_error(service_error.access, "New access denied") … … 1536 1562 gid = "dummy" 1537 1563 1538 req = req.get('NewRequestBody', None)1539 if not req:1540 raise service_error(service_error.req,1541 "Bad request format (no NewRequestBody)")1542 1543 1564 # Generate an ID for the experiment (slice) and a certificate that the 1544 1565 # allocator can use to prove they own it. 
We'll ship it back through 1545 # the encrypted connection. 1546 (expid, expcert) = generate_fedid("test", dir=tmpdir, log=self.log) 1566 # the encrypted connection. If the requester supplied one, use it. 1567 if 'experimentAccess' in req and 'X509' in req['experimentAccess']: 1568 expcert = req['experimentAccess']['X509'] 1569 tf = tempfile.NamedTemporaryFile() 1570 tf.write(expcert) 1571 tf.flush() 1572 expid = fedid(file=tf.name) 1573 tf.close() 1574 self.state_lock.acquire() 1575 if expid in self.state: 1576 self.state_lock.release() 1577 raise service_error(service_error.req, 1578 'fedid %s identifies an existing experiment' % expid) 1579 self.state_lock.release() 1580 else: 1581 (expid, expcert) = generate_fedid("test", dir=tmpdir, log=self.log) 1547 1582 1548 1583 #now we're done with the tmpdir, and it should be empty … … 1557 1592 1558 1593 # Let users touch the state 1559 self.auth.set_attribute(fid, expid) 1560 self.auth.set_attribute(expid, expid) 1561 # Override fedids can manipulate state as well 1562 for o in self.overrides: 1563 self.auth.set_attribute(o, expid) 1594 self.auth.set_attribute(fid, expid) 1595 self.auth.set_attribute(expid, expid) 1596 # Override fedids can manipulate state as well 1597 for o in self.overrides: 1598 self.auth.set_attribute(o, expid) 1599 self.auth.save() 1564 1600 1565 1601 rv = { … … 1793 1829 asignee = tbparams[tb]['allocID']['fedid'] 1794 1830 for f in ("hosts", gw_secretkey_base, gw_pubkey_base): 1795 self.auth.set_attribute(asignee, "%s/%s" % (configpath, f)) 1831 self.auth.set_attribute(asignee, "%s/%s" % \ 1832 (configpath, f)) 1796 1833 1797 1834 part = experiment_partition(self.auth, self.store_url, tbmap, … … 1809 1846 self.auth.set_attribute(\ 1810 1847 tbparams[tb]['allocID']['fedid'], sk) 1848 self.auth.save() 1811 1849 1812 1850 self.wrangle_software(expid, top, topo, tbparams) … … 1851 1889 # here on out, the state will stick around a while. 
1852 1890 1853 # Let users touch the state 1854 self.auth.set_attribute(fid, expid) 1855 self.auth.set_attribute(expid, expid) 1856 # Override fedids can manipulate state as well 1857 for o in self.overrides: 1858 self.auth.set_attribute(o, expid) 1891 # Let users touch the state 1892 self.auth.set_attribute(fid, expid) 1893 self.auth.set_attribute(expid, expid) 1894 # Override fedids can manipulate state as well 1895 for o in self.overrides: 1896 self.auth.set_attribute(o, expid) 1897 self.auth.save() 1859 1898 1860 1899 # Create a logger that logs to the experiment's state object as well as
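Review bot: In the new_experiment hunk (new lines 1567–1573) the requester-supplied `req['experimentAccess']['X509']` is written to a NamedTemporaryFile and parsed by `fedid(file=tf.name)` with no error handling, so a malformed or non-string certificate surfaces as an uncaught exception instead of a `service_error.req`, and `tf.close()` is skipped on that path. The only validation on this input is that the derived expid is not already in `self.state`; nothing visible here shows the requester proving possession of the key behind the certificate it supplies, so if `fedid(file=...)` is only a digest of the certificate (its definition is outside the hunk) the new experiment's identity is effectively caller-chosen — worth confirming that the abac_authorizer path covers this. Relatedly, `import_credentials` plus `self.auth.save()` at new lines 1543–1544 run before the `check_attribute(fid, 'new')` check, so credentials from a request that is then denied are still persisted; if that ordering is deliberate for ABAC evaluation, a comment such as `# credentials must be imported before the access check so ABAC can evaluate them` would make it clear. The manual `state_lock.acquire()`/`release()` pair around the existence check (1574–1579) would be safer as `with self.state_lock:` if that is a threading lock. The enclosing method starts and ends outside the hunk.
```python
if 'experimentAccess' in req and 'X509' in req['experimentAccess']:
    expcert = req['experimentAccess']['X509']
    tf = tempfile.NamedTemporaryFile()
    try:
        tf.write(expcert)
        tf.flush()
        # fedid() is assumed to raise ValueError on a bad certificate, as
        # the synch_store loop in __init__ already expects -- confirm.
        expid = fedid(file=tf.name)
    except (TypeError, ValueError, IOError), e:
        raise service_error(service_error.req,
                'Bad experimentAccess certificate: %s' % e)
    finally:
        tf.close()
    # … unchanged: existing-experiment check under state_lock …
else:
    (expid, expcert) = generate_fedid("test", dir=tmpdir, log=self.log)
```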