Changeset 725c55d

Timestamp:

Nov 29, 2010 6:13:12 PM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

027b87b

Parents:

c573278

Message:

Checkpoint - successful swap in and out

Location:

fedd

Files:

• fedd_create.py (modified) (1 diff)
• federation/authorizer.py (modified) (1 diff)
• federation/emulab_access.py (modified) (4 diffs)
• federation/emulab_segment.py (modified) (1 diff)
• federation/experiment_control.py (modified) (13 diffs)

fedd/fedd_create.py

@@ -175 +175 @@
     except EnvironmentError, e:
         sys.exit('%s: %s' % (e.filename, e.strerror))
+else:
+    acerts = None
 
 # Fill in services

fedd/federation/authorizer.py

@@ -248 +248 @@
     def import_credential(self, file=None, data=None):
         if data:
-            rv = self.context.load_id_chunk(data)
-            print "id %d" % rv
-            if rv == ABAC.ABAC_CERT_SUCCESS: return True
-            rv = self.context.load_attribute_chunk(data)
-            print "attr %d" % rv
-            return rv == ABAC.ABAC_CERT_SUCCESS
-            #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
-        #       return self.context.load_attribute_chunk(data) == \
-        #               ABAC.ABAC_CERT_SUCCESS
-            ##else:
-        #       return True
+            if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
+                return self.context.load_attribute_chunk(data) == \
+                        ABAC.ABAC_CERT_SUCCESS
+            else:
+                return True
         elif file:
             if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:

fedd/federation/emulab_access.py

@@ -247 +247 @@
         str = str.strip()
         if str.startswith('(') and str.endswith(')') and str.count(',') == 1:
-            proj, user = str.split(',')
-            return ( proj.strip(), user.strip(), user.strip())
+            # The slice takes the parens off the string.
+            proj, user = str[1:-1].split(',')
+            return (access_project(proj.strip(), []), 
+                    user.strip(), user.strip())
         else:
             raise self.parse_error(
@@ -501 +503 @@
         ap = None
 
+        print "%s %s %s" % (found, dyn, owners)
+
         # if this includes a project export request and the exported
         # project is not the access project, access denied.
@@ -531 +535 @@
         for o in owners:
             self.auth.set_attribute(o, allocID)
+            print "Set delete rights on %s for %s" % (o, allocID)
         self.auth.save()
         try:
@@ -585 +590 @@
             raise service_error(service_error.req, "Badly formed request")
 
-        self.log.debug("[access] deallocation requested for %s", aid)
+        self.log.debug("[access] deallocation requested for %s by %s" % \
+                (aid, fid))
         if not self.auth.check_attribute(fid, auth_attr):
             self.log.debug("[access] deallocation denied for %s", aid)

fedd/federation/emulab_segment.py

@@ -117 +117 @@
             if self.log:
                 self.log.info("[make_null_experiment]: Creating experiment")
+            print params
             code, value = self.emulab_call('experiment.startexp', params)
 

fedd/federation/experiment_control.py

@@ -984 +984 @@
                 self.log.error("Bad attribute in response: %s" % a)
 
-    def release_access(self, tb, aid, tbmap=None, uri=None):
+    def release_access(self, tb, aid, tbmap=None, uri=None, cert_file=None,
+            cert_pwd=None):
         """
         Release access to testbed through fedd
@@ -998 +999 @@
             resp = self.local_access[uri].ReleaseAccess(\
                     { 'ReleaseAccessRequestBody' : {'allocID': aid},}, 
-                    fedid(file=self.cert_file))
+                    fedid(file=cert_file))
             resp = { 'ReleaseAccessResponseBody': resp } 
         else:
             resp = self.call_ReleaseAccess(uri, {'allocID': aid},
-                    self.cert_file, self.cert_pwd, self.trusted_certs)
+                    cert_file, cert_pwd, self.trusted_certs)
 
         # better error coding
@@ -1235 +1236 @@
                 # release the allocations
                 for tb in tbparams.keys():
-                    self.release_access(tb, tbparams[tb]['allocID'], 
-                            tbmap=tbmap, uri=tbparams[tb].get('uri', None))
+                    try:
+                        self.release_access(tb, tbparams[tb]['allocID'], 
+                                tbmap=tbmap, uri=tbparams[tb].get('uri', None))
+                    except service_error, e:
+                        self.log.warn("Error releasing access: %s" % e.desc)
                 # Remove the placeholder
                 self.state_lock.acquire()
@@ -1440 +1444 @@
 
     def get_abac_access_to_testbeds(self, testbeds, fid, allocated, 
-            tbparams, masters, tbmap, expid=None, expcert=None):
+            tbparam, masters, tbmap, expid=None, expcert=None):
         for tb in testbeds:
-            self.get_abac_access(tb, tbparams, fid, masters, tbmap, expid,
+            self.get_abac_access(tb, tbparam, fid, masters, tbmap, expid,
                     expcert)
             allocated[tb] = 1
 
-    def get_abac_access(self, tb, tbparams,fid, masters, tbmap, expid=None, expcert=None):
+    def get_abac_access(self, tb, tbparam,fid, masters, tbmap, expid=None, expcert=None):
         """
         Get access to testbed through fedd and set the parameters for that tb
@@ -1482 +1486 @@
         certs = self.auth.get_creds_for_principal(fid)
         if expid:
-            print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
-                    for c in self.auth.get_creds_for_principal(expid)])
             certs.update(self.auth.get_creds_for_principal(expid))
         for c in certs:
@@ -1531 +1533 @@
             r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs)
 
+        if r.has_key('RequestAccessResponseBody'):
+            # Through to here we have a valid response, not a fault.
+            # Access denied is a fault, so something better or worse than
+            # access denied has happened.
+            r = r['RequestAccessResponseBody']
+            self.log.debug("[get_access] Access granted")
+        else:
+            raise service_error(service_error.protocol,
+                        "Bad proxy response")
+        
         tbparam[tb] = { 
                 "allocID" : r['allocID'],
@@ -1763 +1775 @@
             raise service_error(service_error.req, "No request?")
 
-        print "%s" % expid
-        print 'creds ',
-        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
-                for c in self.auth.get_creds_for_principal(expid)])
         # Import information from the requester
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
 
-        print 'creds ',
-        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
-                for c in self.auth.get_creds_for_principal(expid)])
         self.check_experiment_access(fid, key)
 
@@ -1843 +1848 @@
 
         # make a protected copy of the access certificate so the experiment
-        # controller can act as the experiment principal.  mkstemp is the most
-        # secure way to do that and the file is in a directory created by
-        # mkdtemp.  expcert enters the if as the contents of the file and
-        # leaves is as the filename in which the cert is stored.  All this goes
-        # away when the tempfiles are cleared.
+        # controller can act as the experiment principal.
         if expcert:
-            try:
-                certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
-                f = os.fdopen(certf, 'w')
-                print >> f, expcert
-                f.close()
-                expcert = certfn
-            except EnvironmentError, e:
+            expcert_file = self.make_temp_certfile(expcert, tmpdir)
+            if not expcert_file:
                 raise service_error(service_error.internal, 
                         "Cannot create temp cert file?")
+        else:
+            expcert_file = None
 
         try: 
@@ -1954 +1952 @@
             elif self.auth_type == 'abac':
                 self.get_abac_access_to_testbeds(testbeds, fid, allocated, 
-                        tbparams, masters, tbmap, expid, expcert)
+                        tbparams, masters, tbmap, expid, expcert_file)
             else:
                 raise service_error(service_error.internal, 
@@ -2099 +2097 @@
                 args=(allocated, masters, eid, expid, tbparams, 
                     top, topo, tmpdir, alloc_log, alloc_collector, attrs,
-                    connInfo, tbmap, expcert),
+                    connInfo, tbmap, expcert_file),
                 name=eid)
         t.start()
@@ -2358 +2356 @@
             self.log.error("Error deleting directory tree in %s" % e);
 
+    @staticmethod
+    def make_temp_certfile(expcert, tmpdir):
+        """
+        make a protected copy of the access certificate so the experiment
+        controller can act as the experiment principal.  mkstemp is the most
+        secure way to do that. The directory should be created by
+        mkdtemp.  Return the filename.
+        """
+        if expcert and tmpdir:
+            try:
+                certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
+                f = os.fdopen(certf, 'w')
+                print >> f, expcert
+                f.close()
+            except EnvironmentError, e:
+                raise service_error(service_error.internal, 
+                        "Cannot create temp cert file?")
+            return certfn
+        else:
+            return None
+
     def terminate_experiment(self, req, fid):
         """
@@ -2435 +2454 @@
                 if id.has_key('localname'): ids.append(id['localname'])
 
+            # Get the experimentAccess - the principal for this experiment.  It
+            # is this principal to which credentials have been delegated, and
+            # as which the experiment controller must act.
+            if 'experimentAccess' in self.state[key] and \
+                    'X509' in self.state[key]['experimentAccess']:
+                expcert = self.state[key]['experimentAccess']['X509']
+            else:
+                expcert = None
             # Collect the allocation/segment ids into a dict keyed by the fedid
             # of the allocation (or a monotonically increasing integer) that
@@ -2450 +2477 @@
             self.state_lock.release()
 
-            # Stop everyone.  NB, wait_for_all waits until a thread starts and
-            # then completes, so we can't wait if nothing starts.  So, no
-            # tbparams, no start.
-            if len(tbparams) > 0:
-                thread_pool = self.thread_pool(self.nthreads)
-                for k in tbparams.keys():
-                    # Create and start a thread to stop the segment
-                    thread_pool.wait_for_slot()
-                    uri, aid = tbparams[k]
-                    t  = self.pooled_thread(\
-                            target=self.terminate_segment(log=dealloc_log,
-                                testbed=uri,
-                                cert_file=self.cert_file, 
-                                cert_pwd=self.cert_pwd,
-                                trusted_certs=self.trusted_certs,
-                                caller=self.call_TerminateSegment),
-                            args=(uri, aid), name=k,
-                            pdata=thread_pool, trace_file=self.trace_file)
-                    t.start()
-                # Wait for completions
-                thread_pool.wait_for_all_done()
-
-            # release the allocations (failed experiments have done this
-            # already, and starting experiments may be in odd states, so we
-            # ignore errors releasing those allocations
-            try: 
-                for k in tbparams.keys():
-                    # This releases access by uri
-                    uri, aid = tbparams[k]
-                    self.release_access(None, aid, uri=uri)
-            except service_error, e:
-                if status != 'failed' and not force:
-                    raise e
+            try:
+                tmpdir = tempfile.mkdtemp(prefix="split-")
+            except EnvironmentError:
+                raise service_error(service_error.internal, 
+                        "Cannot create tmp dir")
+            # This try block makes sure the tempdir is cleared
+            try:
+                # If no expcert, try the deallocation as the experiment
+                # controller instance.
+                if expcert: 
+                    cert_file = self.make_temp_certfile(expcert, tmpdir)
+                    pw = None
+                else: 
+                    cert_file = self.cert_file
+                    pw = self.cert_pw
+
+                # Stop everyone.  NB, wait_for_all waits until a thread starts
+                # and then completes, so we can't wait if nothing starts.  So,
+                # no tbparams, no start.
+                if len(tbparams) > 0:
+                    thread_pool = self.thread_pool(self.nthreads)
+                    for k in tbparams.keys():
+                        # Create and start a thread to stop the segment
+                        thread_pool.wait_for_slot()
+                        uri, aid = tbparams[k]
+                        t  = self.pooled_thread(\
+                                target=self.terminate_segment(log=dealloc_log,
+                                    testbed=uri,
+                                    cert_file=cert_file, 
+                                    cert_pwd=pw,
+                                    trusted_certs=self.trusted_certs,
+                                    caller=self.call_TerminateSegment),
+                                args=(uri, aid), name=k,
+                                pdata=thread_pool, trace_file=self.trace_file)
+                        t.start()
+                    # Wait for completions
+                    thread_pool.wait_for_all_done()
+
+                # release the allocations (failed experiments have done this
+                # already, and starting experiments may be in odd states, so we
+                # ignore errors releasing those allocations
+                try: 
+                    for k in tbparams.keys():
+                        # This releases access by uri
+                        uri, aid = tbparams[k]
+                        self.release_access(None, aid, uri=uri,
+                                cert_file=cert_file, cert_pwd=pw)
+                except service_error, e:
+                    if status != 'failed' and not force:
+                        raise e
+
+            # Clean up the tmpdir no matter what
+            finally:
+                self.remove_dirs(tmpdir)
 
             # Remove the terminated experiment