Changeset c573278 for fedd/federation

Timestamp:

Nov 24, 2010 3:45:50 PM (14 years ago)

Author:

Ted Faber <faber@…>

Branches:

axis_example, compt_changes, info-ops, master

Children:

725c55d

Parents:

de7cb08

Message:

Checkpoint. Still lots to do

Location:

fedd/federation

Files:

• authorizer.py (modified) (5 diffs)
• client_lib.py (modified) (2 diffs)
• emulab_access.py (modified) (2 diffs)
• experiment_control.py (modified) (14 diffs)
• util.py (modified) (1 diff)

fedd/federation/authorizer.py

@@ -18 +18 @@
 
 import sys
-import os
+import os, os.path
 import re
 
@@ -201 +201 @@
         self.me = me
         self.save_dir = load or save
+        if self.save_dir:
+            self.save_dir = os.path.abspath(self.save_dir)
         # If the me parameter is a combination certificate, split it into the
         # abac_authorizer save directory (if any) for use with creddy.
@@ -246 +248 @@
     def import_credential(self, file=None, data=None):
         if data:
-            if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
-                return self.context.load_attribute_chunk(data) == \
-                        ABAC.ABAC_CERT_SUCCESS
-            else:
-                return True
+            rv = self.context.load_id_chunk(data)
+            print "id %d" % rv
+            if rv == ABAC.ABAC_CERT_SUCCESS: return True
+            rv = self.context.load_attribute_chunk(data)
+            print "attr %d" % rv
+            return rv == ABAC.ABAC_CERT_SUCCESS
+            #if self.context.load_id_chunk(data) != ABAC.ABAC_CERT_SUCCESS:
+        #       return self.context.load_attribute_chunk(data) == \
+        #               ABAC.ABAC_CERT_SUCCESS
+            ##else:
+        #       return True
         elif file:
             if self.context.load_id_file(file) != ABAC.ABAC_CERT_SUCCESS:
@@ -388 +396 @@
         self.lock.acquire()
         if dir:
-            self.save_dir = dir
+            self.save_dir = os.path.abspath(dir)
         else:
             dir = self.save_dir
@@ -503 +511 @@
             look_for = next_look
             next_look = set()
+        self.lock.release()
         
         return found

fedd/federation/client_lib.py

@@ -84 +84 @@
 
 def get_user_cert():
-    cert = os.path.expanduser("~/.ssl/emulab.pem")
-    if not os.access(cert, os.R_OK):
-        cert = None
+    for c in ("~/.ssl/fedid.pem", "~/.ssl/emulab.pem"):
+        cert = os.path.expanduser(c)
+        if os.access(cert, os.R_OK):
+            break
+        else:
+            cert = None
     return cert
 
@@ -102 +105 @@
             f.close()
     return rv
-
 
 def wrangle_standard_options(opts):

fedd/federation/emulab_access.py

@@ -335 +335 @@
         # Check every attribute that we know how to map and take the first
         # success.
+        print "%s" %self.auth
         for attr in (self.access.keys()):
             if self.auth.check_attribute(fid, attr):
@@ -482 +483 @@
             raise service_error(service_error.req, "No request!?")
 
+        alog = open("./auth.log", 'w')
+        print >>alog, self.auth
+        print >> alog, "after"
+        if self.auth.import_credentials(
+                data_list=req.get('abac_credential', [])):
+            self.auth.save()
+        print >>alog, self.auth
+        alog.close()
 
         if self.auth_type == "legacy":

fedd/federation/experiment_control.py

@@ -20 +20 @@
 from threading import Lock, Thread, Condition
 from subprocess import call, Popen, PIPE
+from string import join
 
 from urlparse import urlparse
@@ -1127 +1128 @@
     def allocate_resources(self, allocated, masters, eid, expid, 
             tbparams, top, topo, tmpdir, alloc_log=None, log_collector=None, 
-            attrs=None, connInfo={}, tbmap=None):
+            attrs=None, connInfo={}, tbmap=None, expcert=None):
 
         started = { }           # Testbeds where a sub-experiment started 
@@ -1142 +1143 @@
         threads = [ ]
         starters = [ ]
+
+        if expcert:
+            cert = expcert
+            pw = None
+        else:
+            cert = self.cert_file
+            pw = self.cert_pw
 
         for tb in allocated.keys():
@@ -1167 +1175 @@
 
             s = self.start_segment(log=log, debug=self.debug,
-                    testbed=tb, cert_file=self.cert_file,
-                    cert_pwd=self.cert_pwd, trusted_certs=self.trusted_certs,
+                    testbed=tb, cert_file=cert,
+                    cert_pwd=pw, trusted_certs=self.trusted_certs,
                     caller=self.call_StartSegment,
                     log_collector=log_collector)
@@ -1432 +1440 @@
 
     def get_abac_access_to_testbeds(self, testbeds, fid, allocated, 
-            tbparams, masters, tbmap):
+            tbparams, masters, tbmap, expid=None, expcert=None):
         for tb in testbeds:
-            self.get_abac_access(tb, tbparams, fid, masters, tbmap)
+            self.get_abac_access(tb, tbparams, fid, masters, tbmap, expid,
+                    expcert)
             allocated[tb] = 1
 
-    def get_abac_access(self, tb, tbparams,fid, masters, tbmap):
+    def get_abac_access(self, tb, tbparams,fid, masters, tbmap, expid=None, expcert=None):
         """
         Get access to testbed through fedd and set the parameters for that tb
@@ -1471 +1480 @@
         creds = set()
         keys = set()
-        for c in self.auth.get_creds_for_principal(fid):
+        certs = self.auth.get_creds_for_principal(fid)
+        if expid:
+            print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                    for c in self.auth.get_creds_for_principal(expid)])
+            certs.update(self.auth.get_creds_for_principal(expid))
+        for c in certs:
             keys.add(c.issuer_cert())
             creds.add(c.attribute_cert())
         creds = list(keys) + list(creds)
+
+        if expcert: cert, pw = expcert, None
+        else: cert, pw = self.cert_file, self.cert_pw
 
         # Request credentials
@@ -1512 +1529 @@
             r = { 'RequestAccessResponseBody' : r }
         else:
-            r = self.call_RequestAccess(uri, req, 
-                    self.cert_file, self.cert_pwd, self.trusted_certs)
+            r = self.call_RequestAccess(uri, req, cert, pw, self.trusted_certs)
 
         tbparam[tb] = { 
@@ -1653 +1669 @@
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
-        
+
         if not self.auth.check_attribute(fid, 'new'):
             raise service_error(service_error.access, "New access denied")
@@ -1747 +1763 @@
             raise service_error(service_error.req, "No request?")
 
+        print "%s" % expid
+        print 'creds ',
+        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                for c in self.auth.get_creds_for_principal(expid)])
         # Import information from the requester
         if self.auth.import_credentials(data_list=req.get('credential', [])):
             self.auth.save()
 
+        print 'creds ',
+        print join([ "%s <- %s" % ( c.head().string(), c.tail().string()) \
+                for c in self.auth.get_creds_for_principal(expid)])
         self.check_experiment_access(fid, key)
 
@@ -1808 +1831 @@
                 elif not eid and e.has_key('localname'):
                     eid = e['localname']
+            if 'experimentAccess' in self.state[key] and \
+                    'X509' in self.state[key]['experimentAccess']:
+                expcert = self.state[key]['experimentAccess']['X509']
+            else:
+                expcert = None
         self.state_lock.release()
 
@@ -1813 +1841 @@
             raise service_error(service_error.internal, 
                     "Cannot find local experiment info!?")
+
+        # make a protected copy of the access certificate so the experiment
+        # controller can act as the experiment principal.  mkstemp is the most
+        # secure way to do that and the file is in a directory created by
+        # mkdtemp.  expcert enters the if as the contents of the file and
+        # leaves is as the filename in which the cert is stored.  All this goes
+        # away when the tempfiles are cleared.
+        if expcert:
+            try:
+                certf, certfn = tempfile.mkstemp(suffix=".pem", dir=tmpdir)
+                f = os.fdopen(certf, 'w')
+                print >> f, expcert
+                f.close()
+                expcert = certfn
+            except EnvironmentError, e:
+                raise service_error(service_error.internal, 
+                        "Cannot create temp cert file?")
 
         try: 
@@ -1909 +1954 @@
             elif self.auth_type == 'abac':
                 self.get_abac_access_to_testbeds(testbeds, fid, allocated, 
-                        tbparams, masters, tbmap)
+                        tbparams, masters, tbmap, expid, expcert)
             else:
                 raise service_error(service_error.internal, 
@@ -1955 +2000 @@
             # Now get access to the dynamic testbeds (those added above)
             for tb in [ t for t in topo if t not in allocated]:
+                #XXX: ABAC
                 self.get_access(tb, None, tbparams, access_user, masters, tbmap)
                 allocated[tb] = 1
@@ -2053 +2099 @@
                 args=(allocated, masters, eid, expid, tbparams, 
                     top, topo, tmpdir, alloc_log, alloc_collector, attrs,
-                    connInfo, tbmap),
+                    connInfo, tbmap, expcert),
                 name=eid)
         t.start()

fedd/federation/util.py

@@ -351 +351 @@
     return rkeyfile, rcertfile
 
+def abac_context_to_creds(context):
+    """
+    Pull all the credentials out of the context and return 2  lists of the
+    underlying credentials in an exportable format, IDs and attributes.
+    There are no duplicates in the lists.
+    """
+    ids, attrs = set(), set()
+    # This should be a one-iteration loop
+    for c in context.credentials():
+        ids.add(c.issuer_cert())
+        attrs.add(c.attribute_cert())
+
+    return list(ids), list(attrs)
+
 def find_pickle_problem(o, st=None):
     """