#!/usr/bin/python
#
# Bootstraps the PLC database with a default administrator account and
-# a default site.
+# a default site. Also generates the MA/SA API certificate.
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: api-config,v 1.3 2006/03/28 22:03:21 mlhuang Exp $
+# $Id: api-config,v 1.14 2006/07/10 21:06:16 mlhuang Exp $
#
-import plcapilib
-(plcapi, moreopts, argv) = plcapilib.plcapi(globals())
from plc_config import PLCConfiguration
-import xmlrpclib
-import sys
+import os
+import re
+import xml
+import CertOps, Certificate
+import Certificate
+import commands
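Review bot: `import xml` on its own does not load the `xml.dom.minidom` submodule, yet the verification block later calls `xml.dom.minidom.parseString(cert_xml)`. Unless `CertOps` or `Certificate` happens to import it as a side effect (not visible here), that call raises AttributeError inside the `try`. The broad `except Exception` then treats the error as an invalid certificate, so a valid API certificate is unlinked and regenerated on every run. I would import the submodule explicitly with `import xml.dom.minidom` and drop the second, redundant `import Certificate`.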
def main():
variables = cfg.variables()
# Load variables into dictionaries
- (category, variablelist) = variables['plc']
- plc = dict(zip(variablelist.keys(),
- [variable['value'] for variable in variablelist.values()]))
-
- (category, variablelist) = variables['plc_www']
- plc_www = dict(zip(variablelist.keys(),
- [variable['value'] for variable in variablelist.values()]))
-
- (category, variablelist) = variables['plc_api']
- plc_api = dict(zip(variablelist.keys(),
- [variable['value'] for variable in variablelist.values()]))
-
- # Create/update the default administrator account (should be
- # person_id 2).
- admin = { 'person_id': 2,
- 'first_name': "Default",
- 'last_name': "Administrator",
- 'email': plc['root_user'],
- 'password': plc['root_password'] }
- persons = AdmGetPersons([admin['person_id']])
- if not persons:
- person_id = AdmAddPerson(admin['first_name'], admin['last_name'], admin)
- if person_id != admin['person_id']:
- # Huh? Someone deleted the account manually from the database.
- AdmDeletePerson(person_id)
- raise Exception, "Someone deleted the \"%s %s\" account from the database!" % \
- (admin['first_name'], admin['last_name'])
- AdmSetPersonEnabled(person_id, True)
- else:
- person_id = persons[0]['person_id']
- AdmUpdatePerson(person_id, admin)
-
- # Create/update the default site (should be site_id 0)
- if plc_www['port'] == '80':
- url = "http://" + plc_www['host'] + "/"
- elif plc_www['port'] == '443':
- url = "https://" + plc_www['host'] + "/"
+ for category_id, (category, variablelist) in variables.iteritems():
+ globals()[category_id] = dict(zip(variablelist.keys(),
+ [variable['value'] for variable in variablelist.values()]))
+
+ # Get the issuer e-mail address and public key from the root CA certificate
+ root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \
+ plc_ma_sa['ca_ssl_crt'])
+ root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
+ plc_ma_sa['ca_ssl_crt'])
+
+ # Verify API certificate
+ if os.path.exists(plc_ma_sa['api_crt']):
+ print "Verifying API certificate '%s'" % plc_ma_sa['api_crt']
+ try:
+ cert_xml = file(plc_ma_sa['api_crt']).read().strip()
+ # Verify root CA signature
+ CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub})
+ # Check if MA/SA e-mail address has changed
+ dom = xml.dom.minidom.parseString(cert_xml)
+ for subject in dom.getElementsByTagName('subject'):
+ if subject.getAttribute('email') != plc_mail['support_address']:
+ raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \
+ (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address'])
+ except Exception, e:
+ # Delete invalid API certificate
+ print "Warning: ", e
+ os.unlink(plc_ma_sa['api_crt'])
+
+ # Generate self-signed API certificate
+ if not os.path.exists(plc_ma_sa['api_crt']):
+ print "Generating new API certificate"
+ try:
+ cert = Certificate.Certificate('ticket-cert-0')
+ ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
+ plc_ma_sa['ssl_crt'])
+ cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address'])
+ root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \
+ plc_ma_sa['ssl_crt'])
+ m = re.search('/CN=([^/]*).*', root_ca_subject)
+ if m is None:
+ root_ca_cn = plc['name'] + " Management and Slice Authority"
+ else:
+ root_ca_cn = m.group(1)
+ cert.set_issuer(email = root_ca_email, cn = root_ca_cn)
+ cert_xml = cert.sign(plc_ma_sa['ssl_key'])
+ ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w")
+ ma_sa_api_crt.write(cert_xml)
+ ma_sa_api_crt.close()
+ except Exception, e:
+ print "Warning: Could not generate API certificate: ", e
+
+ # For backward compatibility, until we can convert all code to use
+ # the now standardized variable names.
+
+ # API expects root SSH public key to be at /etc/planetlab/node_root_key
+ if not os.path.exists("/etc/planetlab/node_root_key"):
+ os.symlink(plc['root_ssh_key_pub'], "/etc/planetlab/node_root_key")
+
+ # Old variable names littered throughout the API
+ if plc_mail['enabled'] == "true":
+ plc_mail_enabled = "1"
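Review bot: The `commands.getoutput("openssl x509 -in %s ..." % ...)` calls interpolate configuration values into a shell command line unquoted and never check the exit status. `getoutput` returns whatever the command printed, stderr included, so a missing or unreadable certificate leaves openssl's error text in `root_ca_email` and `root_ca_key_pub`; those values then form the trust map passed to `CertOps.authenticate_cert` and the issuer of the new certificate. A path containing whitespace or shell metacharacters would also be parsed by the shell. Running openssl through an argument list and failing on a non-zero exit closes both gaps; this needs `import subprocess`, and the same helper would serve the `-pubkey` and `-subject` calls in the generation block. Separately, `root_ca_subject` is read from `plc_ma_sa['ssl_crt']` rather than `ca_ssl_crt`, which is worth confirming as intended; `main()` continues past this point.

```python
def x509_field(crt_path, option):
    # Argument list, no shell: the path is never parsed as shell syntax
    p = subprocess.Popen(["openssl", "x509", "-in", crt_path, "-noout", option],
                         stdout = subprocess.PIPE)
    output = p.communicate()[0]
    if p.returncode != 0:
        raise Exception, "openssl x509 %s failed for '%s'" % (option, crt_path)
    return output.rstrip("\n")

# ... unchanged: loading variables into dictionaries ...
root_ca_email = x509_field(plc_ma_sa['ca_ssl_crt'], "-email")
root_ca_key_pub = x509_field(plc_ma_sa['ca_ssl_crt'], "-pubkey")
```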
else:
- url = "http://" + plc_www['host'] + ":" + plc_www['port'] + "/"
- site = { 'site_id': 1,
- 'name': plc['name'] + " Central",
- 'abbreviated_name': plc['name'],
- # XXX Default site slice_prefix/login_base must be "pl_"
- # 'login_base': plc['slice_prefix'],
- 'login_base': "pl",
- 'is_public': False,
- 'url': url,
- 'max_slices': 100 }
-
- sites = AdmGetSites([site['site_id']])
- if not sites:
- site_id = AdmAddSite(site['name'], site['abbreviated_name'], site['login_base'], site)
- if site_id != site['site_id']:
- AdmDeleteSite(site_id)
- raise Exception, "Someone deleted the \"%s\" site from the database!" % \
- site['name']
- sites = [site]
-
- # Must call AdmUpdateSite() even after AdmAddSite() to update max_slices
- site_id = sites[0]['site_id']
- # XXX login_base cannot be updated
- del site['login_base']
- AdmUpdateSite(site_id, site)
-
- # The default administrator account must be associated with a site
- # in order to login.
- AdmAddPersonToSite(admin['person_id'], site['site_id'])
- AdmSetPersonPrimarySite(admin['person_id'], site['site_id'])
-
- # Grant admin and PI roles to the default administrator account
- AdmGrantRoleToPerson(admin['person_id'], 10)
- AdmGrantRoleToPerson(admin['person_id'], 20)
-
- # Further bootstrap the database. A few PlanetLabConf entries are
- # absolutely required, and NM requires the slice tables to be
- # populated.
+ plc_mail_enabled = "0"
+
+ old_variables = {'PL_API_SERVER': plc_api['host'],
+ 'PL_API_PATH': plc_api['path'],
+ 'PL_API_PORT': plc_api['port'],
+ 'PL_API_CAPABILITY_AUTH_METHOD': "capability",
+ 'PL_API_CAPABILITY_PASS': plc_api['maintenance_password'],
+ 'PL_API_CAPABILITY_USERNAME': plc_api['maintenance_user'],
+ 'PLANETLAB_SUPPORT_EMAIL': plc_mail['support_address'],
+ 'BOOT_MESSAGES_EMAIL': plc_mail['boot_address'],
+ 'WWW_BASE': plc_www['host'],
+ 'BOOT_BASE': plc_boot['host'],
+
+ 'PLC_MAIL_ENABLED': plc_mail_enabled,
+ 'MA_SA_NAMESPACE': plc_ma_sa['namespace'],
+ 'SESSION_LENGTH_HOURS': "24",
+ 'ROOT_CA_EMAIL': root_ca_email,
+ 'ROOT_CA_PUB_KEY': plc_ma_sa['ca_ssl_key_pub'],
+ 'API_CERT_PATH': plc_ma_sa['api_crt'],
+ 'MA_SA_PRIVATE_KEY': plc_ma_sa['ssl_key'],
+ 'PL_API_TICKET_KEY_FILE': plc_ma_sa['ssl_key']}
+
+ # The format of an "allowed maintenance source" specification is
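Review bot: `ROOT_CA_PUB_KEY` is taken from a separate setting, `plc_ma_sa['ca_ssl_key_pub']`, while the verification step in this script trusts the key it extracts from `plc_ma_sa['ca_ssl_crt']`. If those two settings ever drift apart, this script and whatever reads `/etc/planetlab/plc_api` would validate certificates against different trust anchors. A short comment on that entry would help, for example `# must be the public key of ca_ssl_crt, which main() uses to verify api_crt`. `MA_SA_PRIVATE_KEY` and `PL_API_TICKET_KEY_FILE` also both point at `plc_ma_sa['ssl_key']`; if sharing one key for certificate and ticket signing is deliberate, that deserves a comment too.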
#
- # XXX This data should really become part of the DB schema so that
- # we don't have to copy it from PLC. For now, this code is only
- # intended to be called at build time, when we know that we have
- # access to PLC. Once the tables have been populated, this code
- # should never be called again and PLC access is not required,
- # i.e., end users of MyPLC should never see this code be executed.
-
- # Use xmlrpclib to connect to PLC temporarily. plcapilib cannot
- # connect to multiple servers at once.
- auth = {'AuthMethod': 'anonymous'}
- PLC = None
-
- conf_files = AdmGetConfFile()
- if not conf_files:
- if PLC is None:
- PLC = xmlrpclib.Server("https://www.planet-lab.org/PLCAPI/")
- for conf_file in PLC.AnonAdmGetConfFile(auth):
- if conf_file['enabled'] and \
- not conf_file['node_id'] and \
- not conf_file['nodegroup_id']:
- AdmCreateConfFile(conf_file['enabled'],
- conf_file['source'],
- conf_file['dest'],
- conf_file['file_permissions'],
- conf_file['file_owner'],
- conf_file['file_group'],
- conf_file['preinstall_cmd'],
- conf_file['postinstall_cmd'],
- conf_file['error_cmd'],
- conf_file['ignore_cmd_errors'],
- conf_file['always_update'])
-
- # Setup default slice attribute types, slices, and
- # attributes. These are hard-coded here because we cannot safely
- # support an anonymous interface to the SliceAttribute functions,
- # yet we also do not want to require API authentication for
- # bootstrapping.
-
- if not SliceAttributeTypeList():
- # Create system attribute types
- attribute_types = [{'name': "general_prop_share",
- 'description': "general share",
- 'is_exclusive': False, 'min_role_id': 10, 'max_per_slice': 1,
- 'value_fields': [{'description': "",
- 'name': "general_prop_share",
- 'type': "integer"}]},
- {'name': "initscript",
- 'description': "slice initialization script",
- 'is_exclusive': False, 'min_role_id': 10, 'max_per_slice': 1,
- 'value_fields': [{'description': "",
- 'name': "initscript_id",
- 'type': "integer"}]},
- {'name': "plc_slice_type",
- 'description': "Type of slice rspec to be created",
- 'is_exclusive': True, 'min_role_id': 20, 'max_per_slice': 1,
- 'value_fields': [{'description': "rspec class",
- 'name': "type",
- 'type': "string"}]},
- {'name': "nm_cpu_share",
- 'description': "Number of CPU shares to be allocated to slice",
- 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1,
- 'value_fields': [{'description': "number of shares",
- 'name': "cpu_share",
- 'type': "integer"}]},
- {'name': "plc_agent_version",
- 'description': "Version of PLC agent (slice creation service) software to be deployed",
- 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1,
- 'value_fields': [{'description': "current version of PLC agent (SCS)",
- 'name': "version",
- 'type': "string"}]},
- {'name': "plc_ticket_pubkey",
- 'description': "Public key used to verify PLC-signed tickets",
- 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1,
- 'value_fields': [{'description': "PEM-encoded public key",
- 'name': "key",
- 'type': "string"}]},
- {'name': "nm_disk_quota",
- 'description': "Disk quota",
- 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1,
- 'value_fields': [{'description': "Number of 1k disk blocks",
- 'name': "quota",
- 'type': "integer"}]}]
- for attribute_type in attribute_types:
- SliceAttributeTypeCreate(attribute_type['name'], attribute_type['description'],
- attribute_type['min_role_id'], attribute_type['max_per_slice'],
- attribute_type['is_exclusive'], attribute_type['value_fields'])
-
- if not SliceListNames():
- # Get contents of SSL public certificate used for signing tickets
- try:
- plc_ticket_pubkey = ""
- for line in file(plc_api['ssl_key_pub']):
- # Skip comments
- if line[0:5] != "-----":
- # XXX The embedded newlines matter, do not strip()!
- plc_ticket_pubkey += line
- except:
- plc_ticket_pubkey = '%KEY%'
-
- # Create system slices
- slices = [{'name': "pl_conf",
- 'description': "PlanetLab Slice Creation Service (SCS)",
- 'url': url,
- 'attributes': {'plc_slice_type': {'type': "VServerSlice"},
- 'plc_agent_version': {'version': "1.0"},
- 'plc_ticket_pubkey': {'key': plc_ticket_pubkey}}},
- {'name': "pl_conf_vserverslice",
- 'description': "Default attributes for vserver slices",
- 'url': url,
- 'attributes': {'nm_cpu_share': {'cpu_share': 32},
- 'plc_slice_type': {'type': "VServerSlice"},
- 'nm_disk_quota': {'quota': 5000000}}}]
- for slice in slices:
- SliceCreate(slice['name'])
- SliceUpdate(slice['name'], slice['url'], slice['description'])
- SliceSetInstantiationMethod(slice['name'], 'plc-instantiated')
- # Renew forever
- SliceRenew(slice['name'], sys.maxint)
- for attribute, values in slice['attributes'].iteritems():
- SliceAttributeAdd(slice['name'], attribute, values)
+ # ip:max_role_id:organization_id:password
+ #
+ # It is unlikely that we will let federated sites use the
+ # maintenance account to access each others' APIs, so we always
+ # set organization_id to -1.
+ old_variables['PL_API_CAPABILITY_SOURCES'] = " ".join(
+ ["%s:-1:-1:%s" % (ip, plc_api['maintenance_password']) \
+ for ip in plc_api['maintenance_sources'].split()])
+
+ old_config = open("/etc/planetlab/plc_api", "w")
+ for name, value in old_variables.iteritems():
+ old_config.write("%s='%s'\n" % (name, value))
+ old_config.close()
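Review bot: `/etc/planetlab/plc_api` is created with plain `open(..., "w")`, so its permissions follow the process umask, yet it carries `PL_API_CAPABILITY_PASS` and repeats the maintenance password in every `PL_API_CAPABILITY_SOURCES` entry. I would create it owner-only with `fd = os.open("/etc/planetlab/plc_api", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` followed by `old_config = os.fdopen(fd, "w")`. The right owner and mode depend on which account the API runs as, and a file that already exists keeps its old mode unless it is also chmod'ed. The values are written as `%s='%s'` with no escaping, so a single quote in the password or in `root_ca_email` ends the quoted value early. If the file is read by a shell-style parser (which it appears to be), escape with `value.replace("'", "'\\''")` or reject such values.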
if __name__ == '__main__':