Changeset 725c55d for fedd/federation
- Timestamp:
- Nov 29, 2010 6:13:12 PM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 027b87b
- Parents:
- c573278
- Location:
- fedd/federation
- Files:
-
- 4 edited
fedd/federation/authorizer.py
rc573278 r725c55d 248 248 def import_credential(self, file=None, data=None): 249 249 if data: 250 rv = self.context.load_id_chunk(data) 251 print "id %d" % rv 252 if rv == ABAC.ABAC_CERT_SUCCESS: return True 253 rv = self.context.load_attribute_chunk(data) 254 print "attr %d" % rv 255 return rv == ABAC.ABAC_CERT_SUCCESS 256 #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS: 257 # return self.context.load_attribute_chunk(data) == \ 258 # ABAC.ABAC_CERT_SUCCESS 259 ##else: 260 # return True 250 if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS: 251 return self.context.load_attribute_chunk(data) == \ 252 ABAC.ABAC_CERT_SUCCESS 253 else: 254 return True 261 255 elif file: 262 256 if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS: -
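Review bot: The new `if data:` branch discards the return codes of `load_id_chunk` and `load_attribute_chunk`, so a caller-supplied chunk that both loaders reject comes back as a bare `False` with no record of which loader failed or why — the debug `print`s that carried that information are removed and nothing replaces them. Since this is the point where foreign credentials enter the authorizer's ABAC context, keep the codes and send them through the logger (if the class has one; none is visible in this hunk), e.g. `rv = self.context.load_id_chunk(data)`, `if rv != ABAC.ABAC_CERT_SUCCESS: rv = self.context.load_attribute_chunk(data)`, `return rv == ABAC.ABAC_CERT_SUCCESS`, with `rv` logged at debug level before the return. A chunk that is rejected as an identity certificate is silently retried as an attribute credential, which is presumably intended for mixed credential lists but deserves a one-line comment such as `# A chunk may be either an identity cert or an attribute credential; try both.` `import_credential` continues past the end of the hunk (the `file` branch is cut off).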
fedd/federation/emulab_access.py
rc573278 r725c55d 247 247 str = str.strip() 248 248 if str.startswith('(') and str.endswith(')') and str.count(',') == 1: 249 proj, user = str.split(',') 250 return ( proj.strip(), user.strip(), user.strip()) 249 # The slice takes the parens off the string. 250 proj, user = str[1:-1].split(',') 251 return (access_project(proj.strip(), []), 252 user.strip(), user.strip()) 251 253 else: 252 254 raise self.parse_error( … … 501 503 ap = None 502 504 505 print "%s %s %s" % (found, dyn, owners) 506 503 507 # if this includes a project export request and the exported 504 508 # project is not the access project, access denied. … … 531 535 for o in owners: 532 536 self.auth.set_attribute(o, allocID) 537 print "Set delete rights on %s for %s" % (o, allocID) 533 538 self.auth.save() 534 539 try: … … 585 590 raise service_error(service_error.req, "Badly formed request") 586 591 587 self.log.debug("[access] deallocation requested for %s", aid) 592 self.log.debug("[access] deallocation requested for %s by %s" % \ 593 (aid, fid)) 588 594 if not self.auth.check_attribute(fid, auth_attr): 589 595 self.log.debug("[access] deallocation denied for %s", aid) -
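Review bot: The two bare `print` statements added in the allocation path (`print "%s %s %s" % (found, dyn, owners)` and `print "Set delete rights on %s for %s" % (o, allocID)`) write debugging output to the daemon's stdout instead of the logger that the same file already uses two hunks later (`self.log.debug("[access] deallocation ...")`). They should become `self.log.debug("[access] found %s dyn %s owners %s", found, dyn, owners)` and `self.log.debug("[access] set delete rights on %s for %s", o, allocID)`, or be dropped before merge; this same commit removes the equivalent prints from authorizer.py, so leaving these in looks accidental. Minor: the reworked deallocation message pre-formats with `%` instead of passing `aid, fid` as logger arguments the way the neighbouring `self.log.debug("[access] deallocation denied for %s", aid)` does. The enclosing functions start and end outside these hunks.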
fedd/federation/emulab_segment.py
rc573278 r725c55d 117 117 if self.log: 118 118 self.log.info("[make_null_experiment]: Creating experiment") 119 print params 119 120 code, value = self.emulab_call('experiment.startexp', params) 120 121 -
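Review bot: The added `print params` dumps the full `experiment.startexp` argument dict to stdout, bypassing the `if self.log:` guard used on the line directly above it; if `params` carries anything sensitive (the hunk does not show what it contains), that now lands in whatever captures the process's stdout. Replace it with a guarded logger call, `if self.log: self.log.debug("[make_null_experiment]: params %s", params)`, or remove it before merge. The enclosing method starts and ends outside the hunk.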
fedd/federation/experiment_control.py
rc573278 r725c55d 984 984 self.log.error("Bad attribute in response: %s" % a) 985 985 986 def release_access(self, tb, aid, tbmap=None, uri=None): 986 def release_access(self, tb, aid, tbmap=None, uri=None, cert_file=None, 987 cert_pwd=None): 987 988 """ 988 989 Release access to testbed through fedd … … 998 999 resp = self.local_access[uri].ReleaseAccess(\ 999 1000 { 'ReleaseAccessRequestBody' : {'allocID': aid},}, 1000 fedid(file= self.cert_file))1001 fedid(file=cert_file)) 1001 1002 resp = { 'ReleaseAccessResponseBody': resp } 1002 1003 else: 1003 1004 resp = self.call_ReleaseAccess(uri, {'allocID': aid}, 1004 self.cert_file, self.cert_pwd, self.trusted_certs)1005 cert_file, cert_pwd, self.trusted_certs) 1005 1006 1006 1007 # better error coding … … 1235 1236 # release the allocations 1236 1237 for tb in tbparams.keys(): 1237 self.release_access(tb, tbparams[tb]['allocID'], 1238 tbmap=tbmap, uri=tbparams[tb].get('uri', None)) 1238 try: 1239 self.release_access(tb, tbparams[tb]['allocID'], 1240 tbmap=tbmap, uri=tbparams[tb].get('uri', None)) 1241 except service_error, e: 1242 self.log.warn("Error releasing access: %s" % e.desc) 1239 1243 # Remove the placeholder 1240 1244 self.state_lock.acquire() … … 1440 1444 1441 1445 def get_abac_access_to_testbeds(self, testbeds, fid, allocated, 1442 tbparam s, masters, tbmap, expid=None, expcert=None):1446 tbparam, masters, tbmap, expid=None, expcert=None): 1443 1447 for tb in testbeds: 1444 self.get_abac_access(tb, tbparam s, fid, masters, tbmap, expid,1448 self.get_abac_access(tb, tbparam, fid, masters, tbmap, expid, 1445 1449 expcert) 1446 1450 allocated[tb] = 1 1447 1451 1448 def get_abac_access(self, tb, tbparam s,fid, masters, tbmap, expid=None, expcert=None):1452 def get_abac_access(self, tb, tbparam,fid, masters, tbmap, expid=None, expcert=None): 1449 1453 """ 1450 1454 Get access to testbed through fedd and set the parameters for that tb … … 1482 1486 certs = self.auth.get_creds_for_principal(fid) 1483 1487 if 
expid: 1484 print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \1485 for c in self.auth.get_creds_for_principal(expid)])1486 1488 certs.update(self.auth.get_creds_for_principal(expid)) 1487 1489 for c in certs: … … 1531 1533 r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs) 1532 1534 1535 if r.has_key('RequestAccessResponseBody'): 1536 # Through to here we have a valid response, not a fault. 1537 # Access denied is a fault, so something better or worse than 1538 # access denied has happened. 1539 r = r['RequestAccessResponseBody'] 1540 self.log.debug("[get_access] Access granted") 1541 else: 1542 raise service_error(service_error.protocol, 1543 "Bad proxy response") 1544 1533 1545 tbparam[tb] = { 1534 1546 "allocID" : r['allocID'], … … 1763 1775 raise service_error(service_error.req, "No request?") 1764 1776 1765 print "%s" % expid1766 print 'creds ',1767 print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \1768 for c in self.auth.get_creds_for_principal(expid)])1769 1777 # Import information from the requester 1770 1778 if self.auth.import_credentials(data_list=req.get('credential', [])): 1771 1779 self.auth.save() 1772 1780 1773 print 'creds ',1774 print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \1775 for c in self.auth.get_creds_for_principal(expid)])1776 1781 self.check_experiment_access(fid, key) 1777 1782 … … 1843 1848 1844 1849 # make a protected copy of the access certificate so the experiment 1845 # controller can act as the experiment principal. mkstemp is the most 1846 # secure way to do that and the file is in a directory created by 1847 # mkdtemp. expcert enters the if as the contents of the file and 1848 # leaves is as the filename in which the cert is stored. All this goes 1849 # away when the tempfiles are cleared. 1850 # controller can act as the experiment principal. 
1850 1851 if expcert: 1851 try: 1852 certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir) 1853 f = os.fdopen(certf, 'w') 1854 print >> f, expcert 1855 f.close() 1856 expcert = certfn 1857 except EnvironmentError, e: 1852 expcert_file = self.make_temp_certfile(expcert, tmpdir) 1853 if not expcert_file: 1858 1854 raise service_error(service_error.internal, 1859 1855 "Cannot create temp cert file?") 1856 else: 1857 expcert_file = None 1860 1858 1861 1859 try: … … 1954 1952 elif self.auth_type == 'abac': 1955 1953 self.get_abac_access_to_testbeds(testbeds, fid, allocated, 1956 tbparams, masters, tbmap, expid, expcert )1954 tbparams, masters, tbmap, expid, expcert_file) 1957 1955 else: 1958 1956 raise service_error(service_error.internal, … … 2099 2097 args=(allocated, masters, eid, expid, tbparams, 2100 2098 top, topo, tmpdir, alloc_log, alloc_collector, attrs, 2101 connInfo, tbmap, expcert ),2099 connInfo, tbmap, expcert_file), 2102 2100 name=eid) 2103 2101 t.start() … … 2358 2356 self.log.error("Error deleting directory tree in %s" % e); 2359 2357 2358 @staticmethod 2359 def make_temp_certfile(expcert, tmpdir): 2360 """ 2361 make a protected copy of the access certificate so the experiment 2362 controller can act as the experiment principal. mkstemp is the most 2363 secure way to do that. The directory should be created by 2364 mkdtemp. Return the filename. 2365 """ 2366 if expcert and tmpdir: 2367 try: 2368 certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir) 2369 f = os.fdopen(certf, 'w') 2370 print >> f, expcert 2371 f.close() 2372 except EnvironmentError, e: 2373 raise service_error(service_error.internal, 2374 "Cannot create temp cert file?") 2375 return certfn 2376 else: 2377 return None 2378 2360 2379 def terminate_experiment(self, req, fid): 2361 2380 """ … … 2435 2454 if id.has_key('localname'): ids.append(id['localname']) 2436 2455 2456 # Get the experimentAccess - the principal for this experiment. 
It 2457 # is this principal to which credentials have been delegated, and 2458 # as which the experiment controller must act. 2459 if 'experimentAccess' in self.state[key] and \ 2460 'X509' in self.state[key]['experimentAccess']: 2461 expcert = self.state[key]['experimentAccess']['X509'] 2462 else: 2463 expcert = None 2437 2464 # Collect the allocation/segment ids into a dict keyed by the fedid 2438 2465 # of the allocation (or a monotonically increasing integer) that … … 2450 2477 self.state_lock.release() 2451 2478 2452 # Stop everyone. NB, wait_for_all waits until a thread starts and 2453 # then completes, so we can't wait if nothing starts. So, no 2454 # tbparams, no start. 2455 if len(tbparams) > 0: 2456 thread_pool = self.thread_pool(self.nthreads) 2457 for k in tbparams.keys(): 2458 # Create and start a thread to stop the segment 2459 thread_pool.wait_for_slot() 2460 uri, aid = tbparams[k] 2461 t = self.pooled_thread(\ 2462 target=self.terminate_segment(log=dealloc_log, 2463 testbed=uri, 2464 cert_file=self.cert_file, 2465 cert_pwd=self.cert_pwd, 2466 trusted_certs=self.trusted_certs, 2467 caller=self.call_TerminateSegment), 2468 args=(uri, aid), name=k, 2469 pdata=thread_pool, trace_file=self.trace_file) 2470 t.start() 2471 # Wait for completions 2472 thread_pool.wait_for_all_done() 2473 2474 # release the allocations (failed experiments have done this 2475 # already, and starting experiments may be in odd states, so we 2476 # ignore errors releasing those allocations 2477 try: 2478 for k in tbparams.keys(): 2479 # This releases access by uri 2480 uri, aid = tbparams[k] 2481 self.release_access(None, aid, uri=uri) 2482 except service_error, e: 2483 if status != 'failed' and not force: 2484 raise e 2479 try: 2480 tmpdir = tempfile.mkdtemp(prefix="split-") 2481 except EnvironmentError: 2482 raise service_error(service_error.internal, 2483 "Cannot create tmp dir") 2484 # This try block makes sure the tempdir is cleared 2485 try: 2486 # If no expcert, try the 
deallocation as the experiment 2487 # controller instance. 2488 if expcert: 2489 cert_file = self.make_temp_certfile(expcert, tmpdir) 2490 pw = None 2491 else: 2492 cert_file = self.cert_file 2493 pw = self.cert_pw 2494 2495 # Stop everyone. NB, wait_for_all waits until a thread starts 2496 # and then completes, so we can't wait if nothing starts. So, 2497 # no tbparams, no start. 2498 if len(tbparams) > 0: 2499 thread_pool = self.thread_pool(self.nthreads) 2500 for k in tbparams.keys(): 2501 # Create and start a thread to stop the segment 2502 thread_pool.wait_for_slot() 2503 uri, aid = tbparams[k] 2504 t = self.pooled_thread(\ 2505 target=self.terminate_segment(log=dealloc_log, 2506 testbed=uri, 2507 cert_file=cert_file, 2508 cert_pwd=pw, 2509 trusted_certs=self.trusted_certs, 2510 caller=self.call_TerminateSegment), 2511 args=(uri, aid), name=k, 2512 pdata=thread_pool, trace_file=self.trace_file) 2513 t.start() 2514 # Wait for completions 2515 thread_pool.wait_for_all_done() 2516 2517 # release the allocations (failed experiments have done this 2518 # already, and starting experiments may be in odd states, so we 2519 # ignore errors releasing those allocations 2520 try: 2521 for k in tbparams.keys(): 2522 # This releases access by uri 2523 uri, aid = tbparams[k] 2524 self.release_access(None, aid, uri=uri, 2525 cert_file=cert_file, cert_pwd=pw) 2526 except service_error, e: 2527 if status != 'failed' and not force: 2528 raise e 2529 2530 # Clean up the tmpdir no matter what 2531 finally: 2532 self.remove_dirs(tmpdir) 2485 2533 2486 2534 # Remove the terminated experiment
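Review bot: In the new `terminate_experiment` block the no-`expcert` path reads `self.cert_pw` (`pw = self.cert_pw`) while every other reference in this file, including the removed lines of the same hunk (`cert_pwd=self.cert_pwd`) and `release_access` at line 1004, uses `self.cert_pwd`; unless the class defines both names, terminating an experiment whose state has no `experimentAccess`/`X509` entry will raise `AttributeError` before any segment is stopped. Change it to `pw = self.cert_pwd`. Related: `release_access` now defaults `cert_file`/`cert_pwd` to `None`, and the failure-cleanup caller at lines 1239–1240 does not pass them, so that path now calls `fedid(file=None)` and `call_ReleaseAccess(..., None, None, ...)` where it previously used `self.cert_file`/`self.cert_pwd`; falling back to the instance values inside `release_access` when the arguments are `None` would preserve the old behaviour. The `pw = None` on the `expcert` branch also deserves a comment, e.g. `# The temp cert written by make_temp_certfile is unencrypted, so no password.`, since that assumption is otherwise invisible. `terminate_experiment` continues past the end of the hunk.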