#!/usr/bin/python -tt
# vim:set ts=4 sw=4 expandtab:
#
-# $Id$
-# $URL$
-#
# NodeManager plugin for creating credentials in slivers
# (*) empower slivers to make API calls throught hmac
# (*) also create a ssh key - used by the OMF resource controller
# for authenticating itself with its Experiment Controller
-# xxx todo : a config option for turning these 2 things on or off ?
+# in order to avoid spamming the DB with huge amounts of such tags,
+# (*) slices need to have the 'enable_hmac' tag set
+# (*) or the 'omf_control' tag set, respectively
"""
Sliver authentication support for NodeManager.
import logger
import tools
-def start(options, conf):
+def start():
logger.log("sliverauth: (dummy) plugin starting up...")
def GetSlivers(data, config, plc):
path = '/vservers/%s' % sliver['name']
if not os.path.exists(path):
# ignore all non-plc-instantiated slivers
- instantiation = sliver.get('instantiation','')
+ instantiation = sliver.get('instantiation', '')
if instantiation == 'plc-instantiated':
logger.log("sliverauth: plc-instantiated slice %s does not yet exist. IGNORING!" % sliver['name'])
continue
- manage_hmac (plc, sliver)
- manage_sshkey (plc, sliver)
+ system_slice = False
+ for chunk in sliver['attributes']:
+ if chunk['tagname'] == "system":
+ if chunk['value'] in (True, 1, '1') or chunk['value'].lower() == "true":
+ system_slice = True
+
+ for chunk in sliver['attributes']:
+ if chunk['tagname']=='enable_hmac' and not system_slice:
+ manage_hmac (plc, sliver)
+
+ if chunk['tagname']=='omf_control':
+ manage_sshkey (plc, sliver)
def SetSliverTag(plc, slice, tagname, value):
node_id = tools.node_id()
- slivertags=plc.GetSliceTags({"name":slice,"node_id":node_id,"tagname":tagname})
+ slivertags=plc.GetSliceTags({"name":slice, "node_id":node_id, "tagname":tagname})
if len(slivertags)==0:
# looks like GetSlivers reports about delegated/nm-controller slices that do *not* belong to this node
# and this is something that AddSliceTag does not like
try:
- slivertag_id=plc.AddSliceTag(slice,tagname,value,node_id)
+ slivertag_id=plc.AddSliceTag(slice, tagname, value, node_id)
except:
logger.log_exc ("sliverauth.SetSliverTag (probably delegated) slice=%(slice)s tag=%(tagname)s node_id=%(node_id)d"%locals())
pass
else:
slivertag_id=slivertags[0]['slice_tag_id']
- plc.UpdateSliceTag(slivertag_id,value)
+ plc.UpdateSliceTag(slivertag_id, value)
def find_tag (sliver, tagname):
for attribute in sliver['attributes']:
# for legacy, try the old-fashioned 'name' as well
- name = attribute.get('tagname',attribute.get('name',''))
+ name = attribute.get('tagname', attribute.get('name', ''))
if name == tagname:
return attribute['value']
return None
random.seed()
d = [random.choice(string.letters) for x in xrange(32)]
hmac = "".join(d)
- SetSliverTag(plc,sliver['name'],'hmac',hmac)
+ SetSliverTag(plc, sliver['name'], 'hmac', hmac)
logger.log("sliverauth: %s: setting hmac" % sliver['name'])
path = '/vservers/%s/etc/planetlab' % sliver['name']
if os.path.exists(path):
keyfile = '%s/key' % path
- if (tools.replace_file_with_string(keyfile,hmac,chmod=0400)):
+ if (tools.replace_file_with_string(keyfile, hmac, chmod=0400)):
logger.log ("sliverauth: (over)wrote hmac into %s " % keyfile)
# create the key if needed and returns the key contents
def generate_sshkey (sliver):
- keyfile="/vservers/%s/home/%s/.ssh/id_rsa"%(sliver['name'],sliver['name'])
+# initial version was storing stuff in the sliver directly
+# keyfile="/vservers/%s/home/%s/.ssh/id_rsa"%(sliver['name'], sliver['name'])
+# we're now storing this in the same place as the authorized_keys, which in turn
+# gets mounted to the user's home directory in the sliver
+ keyfile="/home/%s/.ssh/id_rsa"%(sliver['name'])
pubfile="%s.pub"%keyfile
dotssh=os.path.dirname(keyfile)
# create dir if needed
if not os.path.isdir (dotssh):
os.mkdir (dotssh, 0700)
logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), dotssh ] )
- if not os.path.isfile (pubfile):
- comment="%s@%s"%(sliver['name'],socket.gethostname())
+ if not os.path.isfile(pubfile):
+ comment="%s@%s"%(sliver['name'], socket.gethostname())
logger.log_call( [ 'ssh-keygen', '-t', 'rsa', '-N', '', '-f', keyfile , '-C', comment] )
os.chmod (keyfile, 0400)
logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), keyfile, pubfile ] )
- return file(pubfile).read()
+ with open(pubfile) as f:
+ return f.read().strip()
# a sliver can get created, deleted and re-created
# the slice having the tag is not sufficient to skip key geneneration