Changeset c573278
- Timestamp:
- Nov 24, 2010 3:45:50 PM (14 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master
- Children:
- 725c55d
- Parents:
- de7cb08
- Location:
- fedd
- Files:
-
- 1 added
- 8 edited
Legend:
- Unmodified
- Added
- Removed
-
fedd/fedd_create.py
rde7cb08 rc573278 4 4 import re 5 5 import subprocess 6 7 import ABAC 6 8 7 9 from string import join … … 12 14 wrangle_standard_options, do_rpc, get_experiment_names, save_certfile,\ 13 15 get_abac_certs 14 from federation.util import abac_split_cert 16 from federation.util import abac_split_cert, abac_context_to_creds 15 17 16 18 class fedd_create_opts(client_opts): … … 101 103 value if the filename in which the certificate was stored. 102 104 ''' 103 104 105 certfile = keyfile = None 105 106 expid = "%s" % fedid … … 110 111 try: 111 112 keyfile, certfile = abac_split_cert(cert) 112 print "%s %s" % (keyfile, certfile)113 113 114 114 rv = 0 115 if name: fn = '%s/%s_attr.der' % (dir, name) 116 else: fn = '%s/%s_attr.der' % (dir, expid) 115 if name: 116 fn ='%s/%s_attr.der' % (dir, name) 117 id_fn = '%s/%s_id.pem' % (dir, name) 118 else: 119 fn = '%s/%s_attr.der' % (dir, expid) 120 id_fn = '%s/%s_id.pem' % (dir, expid) 117 121 118 122 cmd = [creddy, '--attribute', '--issuer=%s' % certfile, … … 122 126 if not debug: 123 127 if subprocess.call(cmd) != 0: 124 return None128 return [] 125 129 else: 126 130 print join(cmd) 127 return None 128 129 f = open(fn, 'r') 130 rv = f.read() 131 f.close() 132 return rv 131 return [] 132 133 context = ABAC.Context() 134 if context.load_id_file(certfile) != ABAC.ABAC_CERT_SUCCESS or \ 135 context.load_attribute_file(fn) != ABAC.ABAC_CERT_SUCCESS: 136 return [] 137 ids, attrs = abac_context_to_creds(context) 138 139 return ids + attrs 140 133 141 134 142 finally: … … 236 244 if e_fedid and opts.delegate: 237 245 try: 238 cred = delegate(e_fedid, cert, opts.abac_dir, name=opts.exp_name)239 if cred :240 acerts. append(cred)246 creds = delegate(e_fedid, cert, opts.abac_dir, name=opts.exp_name) 247 if creds: 248 acerts.extend(creds) 241 249 except EnvironmentError, e: 242 250 sys.exit("Cannot delegate rights %s: %s" % (e.filename, e.strerror)); -
fedd/fedd_to_abac.py
rde7cb08 rc573278 10 10 from string import join 11 11 from optparse import OptionParser 12 13 from federation.util import abac_pem_type, abac_split_cert 12 14 13 15 class Parser(OptionParser): … … 46 48 parser = Parser() 47 49 opts, args = parser.parse_args() 50 cert, key = None, None 51 delete_certs = False 48 52 49 if any([ x is None for x in (opts.cert, opts.dir, opts.key)]):50 print >>sys.stderr, "Need all of --dir, --cert, and --key to create certs"51 print >>sys.stderr, "Reverting to debug mode"52 debug = True53 else:54 debug = opts.debug55 53 56 if opts.cert and not os.access(opts.cert, os.R_OK):57 sys.exit('Cannot read %s (certificate file)' % opts.cert)58 54 59 if opts.key and not os.access(opts.key, os.R_OK): 60 sys.exit('Cannot read %s (key file)' % opts.key) 55 if opts.key: 56 if os.access(opts.key, os.R_OK): key = opts.key 57 else: sys.exit('Cannot read %s (key file)' % opts.key) 61 58 62 59 if opts.dir: … … 73 70 sys.exit('%s is not writable' % opts.dir) 74 71 72 if opts.cert: 73 if os.access(opts.cert, os.R_OK): 74 if not key: 75 if abac_pem_type(opts.cert) == 'both': 76 key, cert = abac_split_cert(opts.cert) 77 delete_certs = True 78 else: 79 cert = opts.cert 80 else: 81 sys.exit('Cannot read %s (certificate file)' % opts.cert) 82 83 if any([ x is None for x in (cert, opts.dir, key)]): 84 print >>sys.stderr, "Need output dir, certificate and key to make creds" 85 print >>sys.stderr, "Reverting to debug mode" 86 debug = True 87 else: 88 debug = opts.debug 75 89 76 90 roles = { } 91 try: 92 for fn in args: 93 try: 94 f = open(fn, "r") 95 for l in f: 96 id = None 97 for r in (comment_re, single_re, double_re): 98 m = r.match(l) 99 if m: 100 if m.groups(): 101 g = m.groups() 102 id = g[0] 103 r = [ bad_role.sub('_', x) for x in g[1:] ] 104 break 105 else: 106 print 'Unmatched line: %s' % l 107 if id: 108 # New and create are implicit. >sigh< 109 r.extend(('new', 'create')) 110 if id in roles: roles[id].add_roles(r) 111 else: roles[id] = identity(r[0], r) 77 112 78 for fn in args: 79 try: 80 f = open(fn, "r") 81 for l in f: 82 id = None 83 for r in (comment_re, single_re, double_re): 84 m = r.match(l) 85 if m: 86 if m.groups(): 87 g = m.groups() 88 id = g[0] 89 r = [ bad_role.sub('_', x) for x in g[1:] ] 90 break 113 except EnvironmentError, e: 114 print >>sys.stderr, 'Cannot open file (%s): %s' % \ 115 (e.filename, e.strerror) 116 117 if not roles: 118 print >>sys.stderr, "No roles found. Did you specify a configuration?" 119 120 for k, id in roles.items(): 121 for i, r in enumerate(id.roles): 122 cmd = ['creddy', '--attribute', 123 '--issuer=%s' % (cert or 'cert_file'), 124 '--key=%s' % (key or 'key_file'), '--role=%s' % r, 125 '--subject-id=%s' % k, 126 '--out=%s/%s%03d_attr.der' % \ 127 (opts.dir or 'new_cert_dir', id.name, i)] 128 if debug: 129 print join(cmd) 91 130 else: 92 print 'Unmatched line: %s' % l 93 if id: 94 # New and create are implicit. >sigh< 95 r.extend(('new', 'create')) 96 if id in roles: roles[id].add_roles(r) 97 else: roles[id] = identity(r[0], r) 98 99 except EnvironmentError, e: 100 print >>sys.stderr, 'Cannot open file (%s): %e' % e 101 102 if not roles: 103 print >>sys.stderr, "No roles found. Did you specify a configuration?" 104 105 for k, id in roles.items(): 106 for i, r in enumerate(id.roles): 107 cmd = ['creddy', '--attribute', 108 '--issuer=%s' % (opts.cert or 'cert_file'), 109 '--key=%s' % (opts.key or 'key_file'), '--role=%s' % r, 110 '--subject-id=%s' % k, 111 '--out=%s/%s%03d_attr.der' % \ 112 (opts.dir or 'new_cert_dir', id.name, i)] 113 if debug: 114 print join(cmd) 115 else: 116 rv = subprocess.call(cmd) 117 if rv != 0: 118 sys.exit('%s failed: %d' % (join(cmd), rv)) 119 131 rv = subprocess.call(cmd) 132 if rv != 0: 133 sys.exit('%s failed: %d' % (join(cmd), rv)) 134 finally: 135 if delete_certs: 136 if cert: os.unlink(cert) 137 if key: os.unlink(key) -
fedd/federation/authorizer.py
rde7cb08 rc573278 18 18 19 19 import sys 20 import os 20 import os, os.path 21 21 import re 22 22 … … 201 201 self.me = me 202 202 self.save_dir = load or save 203 if self.save_dir: 204 self.save_dir = os.path.abspath(self.save_dir) 203 205 # If the me parameter is a combination certificate, split it into the 204 206 # abac_authorizer save directory (if any) for use with creddy. … … 246 248 def import_credential(self, file=None, data=None): 247 249 if data: 248 if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS: 249 return self.context.load_attribute_chunk(data) == \ 250 ABAC.ABAC_CERT_SUCCESS 251 else: 252 return True 250 rv = self.context.load_id_chunk(data) 251 print "id %d" % rv 252 if rv == ABAC.ABAC_CERT_SUCCESS: return True 253 rv = self.context.load_attribute_chunk(data) 254 print "attr %d" % rv 255 return rv == ABAC.ABAC_CERT_SUCCESS 256 #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS: 257 # return self.context.load_attribute_chunk(data) == \ 258 # ABAC.ABAC_CERT_SUCCESS 259 ##else: 260 # return True 253 261 elif file: 254 262 if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS: … … 388 396 self.lock.acquire() 389 397 if dir: 390 self.save_dir = dir398 self.save_dir = os.path.abspath(dir) 391 399 else: 392 400 dir = self.save_dir … … 503 511 look_for = next_look 504 512 next_look = set() 513 self.lock.release() 505 514 506 515 return found -
fedd/federation/client_lib.py
rde7cb08 rc573278 84 84 85 85 def get_user_cert(): 86 cert = os.path.expanduser("~/.ssl/emulab.pem") 87 if not os.access(cert, os.R_OK): 88 cert = None 86 for c in ("~/.ssl/fedid.pem", "~/.ssl/emulab.pem"): 87 cert = os.path.expanduser(c) 88 if os.access(cert, os.R_OK): 89 break 90 else: 91 cert = None 89 92 return cert 90 93 … … 102 105 f.close() 103 106 return rv 104 105 107 106 108 def wrangle_standard_options(opts): -
fedd/federation/emulab_access.py
rde7cb08 rc573278 335 335 # Check every attribute that we know how to map and take the first 336 336 # success. 337 print "%s" %self.auth 337 338 for attr in (self.access.keys()): 338 339 if self.auth.check_attribute(fid, attr): … … 482 483 raise service_error(service_error.req, "No request!?") 483 484 485 alog = open("./auth.log", 'w') 486 print >>alog, self.auth 487 print >> alog, "after" 488 if self.auth.import_credentials( 489 data_list=req.get('abac_credential', [])): 490 self.auth.save() 491 print >>alog, self.auth 492 alog.close() 484 493 485 494 if self.auth_type == "legacy": -
fedd/federation/experiment_control.py
rde7cb08 rc573278 20 20 from threading import Lock, Thread, Condition 21 21 from subprocess import call, Popen, PIPE 22 from string import join 22 23 23 24 from urlparse import urlparse … … 1127 1128 def allocate_resources(self, allocated, masters, eid, expid, 1128 1129 tbparams, top, topo, tmpdir, alloc_log=None, log_collector=None, 1129 attrs=None, connInfo={}, tbmap=None ):1130 attrs=None, connInfo={}, tbmap=None, expcert=None): 1130 1131 1131 1132 started = { } # Testbeds where a sub-experiment started … … 1142 1143 threads = [ ] 1143 1144 starters = [ ] 1145 1146 if expcert: 1147 cert = expcert 1148 pw = None 1149 else: 1150 cert = self.cert_file 1151 pw = self.cert_pw 1144 1152 1145 1153 for tb in allocated.keys(): … … 1167 1175 1168 1176 s = self.start_segment(log=log, debug=self.debug, 1169 testbed=tb, cert_file= self.cert_file,1170 cert_pwd= self.cert_pwd, trusted_certs=self.trusted_certs,1177 testbed=tb, cert_file=cert, 1178 cert_pwd=pw, trusted_certs=self.trusted_certs, 1171 1179 caller=self.call_StartSegment, 1172 1180 log_collector=log_collector) … … 1432 1440 1433 1441 def get_abac_access_to_testbeds(self, testbeds, fid, allocated, 1434 tbparams, masters, tbmap ):1442 tbparams, masters, tbmap, expid=None, expcert=None): 1435 1443 for tb in testbeds: 1436 self.get_abac_access(tb, tbparams, fid, masters, tbmap) 1444 self.get_abac_access(tb, tbparams, fid, masters, tbmap, expid, 1445 expcert) 1437 1446 allocated[tb] = 1 1438 1447 1439 def get_abac_access(self, tb, tbparams,fid, masters, tbmap ):1448 def get_abac_access(self, tb, tbparams,fid, masters, tbmap, expid=None, expcert=None): 1440 1449 """ 1441 1450 Get access to testbed through fedd and set the parameters for that tb … … 1471 1480 creds = set() 1472 1481 keys = set() 1473 for c in self.auth.get_creds_for_principal(fid): 1482 certs = self.auth.get_creds_for_principal(fid) 1483 if expid: 1484 print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \ 1485 for c in self.auth.get_creds_for_principal(expid)]) 1486 certs.update(self.auth.get_creds_for_principal(expid)) 1487 for c in certs: 1474 1488 keys.add(c.issuer_cert()) 1475 1489 creds.add(c.attribute_cert()) 1476 1490 creds = list(keys) + list(creds) 1491 1492 if expcert: cert, pw = expcert, None 1493 else: cert, pw = self.cert_file, self.cert_pw 1477 1494 1478 1495 # Request credentials … … 1512 1529 r = { 'RequestAccessResponseBody' : r } 1513 1530 else: 1514 r = self.call_RequestAccess(uri, req, 1515 self.cert_file, self.cert_pwd, self.trusted_certs) 1531 r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs) 1516 1532 1517 1533 tbparam[tb] = { … … 1653 1669 if self.auth.import_credentials(data_list=req.get('credential', [])): 1654 1670 self.auth.save() 1655 1671 1656 1672 if not self.auth.check_attribute(fid, 'new'): 1657 1673 raise service_error(service_error.access, "New access denied") … … 1747 1763 raise service_error(service_error.req, "No request?") 1748 1764 1765 print "%s" % expid 1766 print 'creds ', 1767 print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \ 1768 for c in self.auth.get_creds_for_principal(expid)]) 1749 1769 # Import information from the requester 1750 1770 if self.auth.import_credentials(data_list=req.get('credential', [])): 1751 1771 self.auth.save() 1752 1772 1773 print 'creds ', 1774 print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \ 1775 for c in self.auth.get_creds_for_principal(expid)]) 1753 1776 self.check_experiment_access(fid, key) 1754 1777 … … 1808 1831 elif not eid and e.has_key('localname'): 1809 1832 eid = e['localname'] 1833 if 'experimentAccess' in self.state[key] and \ 1834 'X509' in self.state[key]['experimentAccess']: 1835 expcert = self.state[key]['experimentAccess']['X509'] 1836 else: 1837 expcert = None 1810 1838 self.state_lock.release() 1811 1839 … … 1813 1841 raise service_error(service_error.internal, 1814 1842 "Cannot find local experiment info!?") 1843 1844 # make a protected copy of the access certificate so the experiment 1845 # controller can act as the experiment principal. mkstemp is the most 1846 # secure way to do that and the file is in a directory created by 1847 # mkdtemp. expcert enters the if as the contents of the file and 1848 # leaves is as the filename in which the cert is stored. All this goes 1849 # away when the tempfiles are cleared. 1850 if expcert: 1851 try: 1852 certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir) 1853 f = os.fdopen(certf, 'w') 1854 print >> f, expcert 1855 f.close() 1856 expcert = certfn 1857 except EnvironmentError, e: 1858 raise service_error(service_error.internal, 1859 "Cannot create temp cert file?") 1815 1860 1816 1861 try: … … 1909 1954 elif self.auth_type == 'abac': 1910 1955 self.get_abac_access_to_testbeds(testbeds, fid, allocated, 1911 tbparams, masters, tbmap )1956 tbparams, masters, tbmap, expid, expcert) 1912 1957 else: 1913 1958 raise service_error(service_error.internal, … … 1955 2000 # Now get access to the dynamic testbeds (those added above) 1956 2001 for tb in [ t for t in topo if t not in allocated]: 2002 #XXX: ABAC 1957 2003 self.get_access(tb, None, tbparams, access_user, masters, tbmap) 1958 2004 allocated[tb] = 1 … … 2053 2099 args=(allocated, masters, eid, expid, tbparams, 2054 2100 top, topo, tmpdir, alloc_log, alloc_collector, attrs, 2055 connInfo, tbmap ),2101 connInfo, tbmap, expcert), 2056 2102 name=eid) 2057 2103 t.start() -
fedd/federation/util.py
rde7cb08 rc573278 351 351 return rkeyfile, rcertfile 352 352 353 def abac_context_to_creds(context): 354 """ 355 Pull all the credentials out of the context and return 2 lists of the 356 underlying credentials in an exportable format, IDs and attributes. 357 There are no duplicates in the lists. 358 """ 359 ids, attrs = set(), set() 360 # This should be a one-iteration loop 361 for c in context.credentials(): 362 ids.add(c.issuer_cert()) 363 attrs.add(c.attribute_cert()) 364 365 return list(ids), list(attrs) 366 353 367 def find_pickle_problem(o, st=None): 354 368 """ -
fedd/init_abac_authorizer.py
rde7cb08 rc573278 2 2 3 3 import sys 4 import os, os.path 4 5 5 6 from optparse import OptionParser … … 21 22 parser.print_help() 22 23 sys.exit(1) 24 25 try: 26 for path, dirs, files in os.walk(opts.out_dir, topdown=False): 27 for f in files: os.unlink(os.path.join(path, f)) 28 for d in dirs: os.rmdir(os.path.join(path, d)) 29 except EnvironmentError, e: 30 sys.exit("Can't remove %s: %s" % ( e.filename, e.strerror)) 31 23 32 try: 24 33 a = abac_authorizer(key=opts.key, me=opts.cert, certs=opts.policy,
Note: See TracChangeset
for help on using the changeset viewer.