Changeset 725c55d for fedd/federation


Ignore:
Timestamp:
Nov 29, 2010 6:13:12 PM (14 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
027b87b
Parents:
c573278
Message:

Checkpoint - successful swap in and out

Location:
fedd/federation
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/authorizer.py

    rc573278 r725c55d  
    248248    def import_credential(self, file=None, data=None):
    249249        if data:
    250             rv = self.context.load_id_chunk(data)
    251             print "id %d" % rv
    252             if rv == ABAC.ABAC_CERT_SUCCESS: return True
    253             rv = self.context.load_attribute_chunk(data)
    254             print "attr %d" % rv
    255             return rv == ABAC.ABAC_CERT_SUCCESS
    256             #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
    257         #       return self.context.load_attribute_chunk(data) == \
    258         #               ABAC.ABAC_CERT_SUCCESS
    259             ##else:
    260         #       return True
     250            if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
     251                return self.context.load_attribute_chunk(data) == \
     252                        ABAC.ABAC_CERT_SUCCESS
     253            else:
     254                return True
    261255        elif file:
    262256            if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
  • fedd/federation/emulab_access.py

    rc573278 r725c55d  
    247247        str = str.strip()
    248248        if str.startswith('(') and str.endswith(')') and str.count(',') == 1:
    249             proj, user = str.split(',')
    250             return ( proj.strip(), user.strip(), user.strip())
     249            # The slice takes the parens off the string.
     250            proj, user = str[1:-1].split(',')
     251            return (access_project(proj.strip(), []),
     252                    user.strip(), user.strip())
    251253        else:
    252254            raise self.parse_error(
     
    501503        ap = None
    502504
     505        print "%s %s %s" % (found, dyn, owners)
     506
    503507        # if this includes a project export request and the exported
    504508        # project is not the access project, access denied.
     
    531535        for o in owners:
    532536            self.auth.set_attribute(o, allocID)
     537            print "Set delete rights on %s for %s" % (o, allocID)
    533538        self.auth.save()
    534539        try:
     
    585590            raise service_error(service_error.req, "Badly formed request")
    586591
    587         self.log.debug("[access] deallocation requested for %s", aid)
     592        self.log.debug("[access] deallocation requested for %s by %s" % \
     593                (aid, fid))
    588594        if not self.auth.check_attribute(fid, auth_attr):
    589595            self.log.debug("[access] deallocation denied for %s", aid)
  • fedd/federation/emulab_segment.py

    rc573278 r725c55d  
    117117            if self.log:
    118118                self.log.info("[make_null_experiment]: Creating experiment")
     119            print params
    119120            code, value = self.emulab_call('experiment.startexp', params)
    120121
  • fedd/federation/experiment_control.py

    rc573278 r725c55d  
    984984                self.log.error("Bad attribute in response: %s" % a)
    985985
    986     def release_access(self, tb, aid, tbmap=None, uri=None):
     986    def release_access(self, tb, aid, tbmap=None, uri=None, cert_file=None,
     987            cert_pwd=None):
    987988        """
    988989        Release access to testbed through fedd
     
    998999            resp = self.local_access[uri].ReleaseAccess(\
    9991000                    { 'ReleaseAccessRequestBody' : {'allocID': aid},},
    1000                     fedid(file=self.cert_file))
     1001                    fedid(file=cert_file))
    10011002            resp = { 'ReleaseAccessResponseBody': resp }
    10021003        else:
    10031004            resp = self.call_ReleaseAccess(uri, {'allocID': aid},
    1004                     self.cert_file, self.cert_pwd, self.trusted_certs)
     1005                    cert_file, cert_pwd, self.trusted_certs)
    10051006
    10061007        # better error coding
     
    12351236                # release the allocations
    12361237                for tb in tbparams.keys():
    1237                     self.release_access(tb, tbparams[tb]['allocID'],
    1238                             tbmap=tbmap, uri=tbparams[tb].get('uri', None))
     1238                    try:
     1239                        self.release_access(tb, tbparams[tb]['allocID'],
     1240                                tbmap=tbmap, uri=tbparams[tb].get('uri', None))
     1241                    except service_error, e:
     1242                        self.log.warn("Error releasing access: %s" % e.desc)
    12391243                # Remove the placeholder
    12401244                self.state_lock.acquire()
     
    14401444
    14411445    def get_abac_access_to_testbeds(self, testbeds, fid, allocated,
    1442             tbparams, masters, tbmap, expid=None, expcert=None):
     1446            tbparam, masters, tbmap, expid=None, expcert=None):
    14431447        for tb in testbeds:
    1444             self.get_abac_access(tb, tbparams, fid, masters, tbmap, expid,
     1448            self.get_abac_access(tb, tbparam, fid, masters, tbmap, expid,
    14451449                    expcert)
    14461450            allocated[tb] = 1
    14471451
    1448     def get_abac_access(self, tb, tbparams,fid, masters, tbmap, expid=None, expcert=None):
     1452    def get_abac_access(self, tb, tbparam,fid, masters, tbmap, expid=None, expcert=None):
    14491453        """
    14501454        Get access to testbed through fedd and set the parameters for that tb
     
    14821486        certs = self.auth.get_creds_for_principal(fid)
    14831487        if expid:
    1484             print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
    1485                     for c in self.auth.get_creds_for_principal(expid)])
    14861488            certs.update(self.auth.get_creds_for_principal(expid))
    14871489        for c in certs:
     
    15311533            r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs)
    15321534
     1535        if r.has_key('RequestAccessResponseBody'):
     1536            # Through to here we have a valid response, not a fault.
     1537            # Access denied is a fault, so something better or worse than
     1538            # access denied has happened.
     1539            r = r['RequestAccessResponseBody']
     1540            self.log.debug("[get_access] Access granted")
     1541        else:
     1542            raise service_error(service_error.protocol,
     1543                        "Bad proxy response")
     1544       
    15331545        tbparam[tb] = {
    15341546                "allocID" : r['allocID'],
     
    17631775            raise service_error(service_error.req, "No request?")
    17641776
    1765         print "%s" % expid
    1766         print 'creds ',
    1767         print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
    1768                 for c in self.auth.get_creds_for_principal(expid)])
    17691777        # Import information from the requester
    17701778        if self.auth.import_credentials(data_list=req.get('credential', [])):
    17711779            self.auth.save()
    17721780
    1773         print 'creds ',
    1774         print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
    1775                 for c in self.auth.get_creds_for_principal(expid)])
    17761781        self.check_experiment_access(fid, key)
    17771782
     
    18431848
    18441849        # make a protected copy of the access certificate so the experiment
    1845         # controller can act as the experiment principal.  mkstemp is the most
    1846         # secure way to do that and the file is in a directory created by
    1847         # mkdtemp.  expcert enters the if as the contents of the file and
    1848         # leaves is as the filename in which the cert is stored.  All this goes
    1849         # away when the tempfiles are cleared.
     1850        # controller can act as the experiment principal.
    18501851        if expcert:
    1851             try:
    1852                 certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
    1853                 f = os.fdopen(certf, 'w')
    1854                 print >> f, expcert
    1855                 f.close()
    1856                 expcert = certfn
    1857             except EnvironmentError, e:
     1852            expcert_file = self.make_temp_certfile(expcert, tmpdir)
     1853            if not expcert_file:
    18581854                raise service_error(service_error.internal,
    18591855                        "Cannot create temp cert file?")
     1856        else:
     1857            expcert_file = None
    18601858
    18611859        try:
     
    19541952            elif self.auth_type == 'abac':
    19551953                self.get_abac_access_to_testbeds(testbeds, fid, allocated,
    1956                         tbparams, masters, tbmap, expid, expcert)
     1954                        tbparams, masters, tbmap, expid, expcert_file)
    19571955            else:
    19581956                raise service_error(service_error.internal,
     
    20992097                args=(allocated, masters, eid, expid, tbparams,
    21002098                    top, topo, tmpdir, alloc_log, alloc_collector, attrs,
    2101                     connInfo, tbmap, expcert),
     2099                    connInfo, tbmap, expcert_file),
    21022100                name=eid)
    21032101        t.start()
     
    23582356            self.log.error("Error deleting directory tree in %s" % e);
    23592357
     2358    @staticmethod
     2359    def make_temp_certfile(expcert, tmpdir):
     2360        """
     2361        make a protected copy of the access certificate so the experiment
     2362        controller can act as the experiment principal.  mkstemp is the most
     2363        secure way to do that. The directory should be created by
     2364        mkdtemp.  Return the filename.
     2365        """
     2366        if expcert and tmpdir:
     2367            try:
     2368                certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
     2369                f = os.fdopen(certf, 'w')
     2370                print >> f, expcert
     2371                f.close()
     2372            except EnvironmentError, e:
     2373                raise service_error(service_error.internal,
     2374                        "Cannot create temp cert file?")
     2375            return certfn
     2376        else:
     2377            return None
     2378
    23602379    def terminate_experiment(self, req, fid):
    23612380        """
     
    24352454                if id.has_key('localname'): ids.append(id['localname'])
    24362455
     2456            # Get the experimentAccess - the principal for this experiment.  It
     2457            # is this principal to which credentials have been delegated, and
     2458            # as which the experiment controller must act.
     2459            if 'experimentAccess' in self.state[key] and \
     2460                    'X509' in self.state[key]['experimentAccess']:
     2461                expcert = self.state[key]['experimentAccess']['X509']
     2462            else:
     2463                expcert = None
    24372464            # Collect the allocation/segment ids into a dict keyed by the fedid
    24382465            # of the allocation (or a monotonically increasing integer) that
     
    24502477            self.state_lock.release()
    24512478
    2452             # Stop everyone.  NB, wait_for_all waits until a thread starts and
    2453             # then completes, so we can't wait if nothing starts.  So, no
    2454             # tbparams, no start.
    2455             if len(tbparams) > 0:
    2456                 thread_pool = self.thread_pool(self.nthreads)
    2457                 for k in tbparams.keys():
    2458                     # Create and start a thread to stop the segment
    2459                     thread_pool.wait_for_slot()
    2460                     uri, aid = tbparams[k]
    2461                     t  = self.pooled_thread(\
    2462                             target=self.terminate_segment(log=dealloc_log,
    2463                                 testbed=uri,
    2464                                 cert_file=self.cert_file,
    2465                                 cert_pwd=self.cert_pwd,
    2466                                 trusted_certs=self.trusted_certs,
    2467                                 caller=self.call_TerminateSegment),
    2468                             args=(uri, aid), name=k,
    2469                             pdata=thread_pool, trace_file=self.trace_file)
    2470                     t.start()
    2471                 # Wait for completions
    2472                 thread_pool.wait_for_all_done()
    2473 
    2474             # release the allocations (failed experiments have done this
    2475             # already, and starting experiments may be in odd states, so we
    2476             # ignore errors releasing those allocations
    2477             try:
    2478                 for k in tbparams.keys():
    2479                     # This releases access by uri
    2480                     uri, aid = tbparams[k]
    2481                     self.release_access(None, aid, uri=uri)
    2482             except service_error, e:
    2483                 if status != 'failed' and not force:
    2484                     raise e
     2479            try:
     2480                tmpdir = tempfile.mkdtemp(prefix="split-")
     2481            except EnvironmentError:
     2482                raise service_error(service_error.internal,
     2483                        "Cannot create tmp dir")
     2484            # This try block makes sure the tempdir is cleared
     2485            try:
     2486                # If no expcert, try the deallocation as the experiment
     2487                # controller instance.
     2488                if expcert:
     2489                    cert_file = self.make_temp_certfile(expcert, tmpdir)
     2490                    pw = None
     2491                else:
     2492                    cert_file = self.cert_file
     2493                    pw = self.cert_pw
     2494
     2495                # Stop everyone.  NB, wait_for_all waits until a thread starts
     2496                # and then completes, so we can't wait if nothing starts.  So,
     2497                # no tbparams, no start.
     2498                if len(tbparams) > 0:
     2499                    thread_pool = self.thread_pool(self.nthreads)
     2500                    for k in tbparams.keys():
     2501                        # Create and start a thread to stop the segment
     2502                        thread_pool.wait_for_slot()
     2503                        uri, aid = tbparams[k]
     2504                        t  = self.pooled_thread(\
     2505                                target=self.terminate_segment(log=dealloc_log,
     2506                                    testbed=uri,
     2507                                    cert_file=cert_file,
     2508                                    cert_pwd=pw,
     2509                                    trusted_certs=self.trusted_certs,
     2510                                    caller=self.call_TerminateSegment),
     2511                                args=(uri, aid), name=k,
     2512                                pdata=thread_pool, trace_file=self.trace_file)
     2513                        t.start()
     2514                    # Wait for completions
     2515                    thread_pool.wait_for_all_done()
     2516
     2517                # release the allocations (failed experiments have done this
     2518                # already, and starting experiments may be in odd states, so we
     2519                # ignore errors releasing those allocations
     2520                try:
     2521                    for k in tbparams.keys():
     2522                        # This releases access by uri
     2523                        uri, aid = tbparams[k]
     2524                        self.release_access(None, aid, uri=uri,
     2525                                cert_file=cert_file, cert_pwd=pw)
     2526                except service_error, e:
     2527                    if status != 'failed' and not force:
     2528                        raise e
     2529
     2530            # Clean up the tmpdir no matter what
     2531            finally:
     2532                self.remove_dirs(tmpdir)
    24852533
    24862534            # Remove the terminated experiment
Note: See TracChangeset for help on using the changeset viewer.