print "Failed to get slice credential"
sys.exit(-1)
+def delegate_cred(cred, hrn, type = 'authority'):
+ # the gid and hrn of the object we are delegating
+ object_gid = cred.get_gid_object()
+ object_hrn = object_gid.get_hrn()
+ cred.set_delegate(True)
+ if not cred.get_delegate():
+ raise Exception, "Error: Object credential %(object_hrn)s does not have delegate bit set" % locals()
+
+
+ records = registry.resolve(cred, hrn)
+ records = filter_records(type, records)
+
+ if not records:
+ raise Exception, "Error: Didn't find a %(type)s record for %(hrn)s" % locals()
+
+ # the gid of the user who will be delegated too
+ delegee_gid = records[0].get_gid_object()
+ delegee_hrn = delegee_gid.get_hrn()
+
+ # the key and hrn of the user who will be delegating
+ user_key = Keypair(filename = get_key_file())
+ user_hrn = cred.get_gid_caller().get_hrn()
+
+ dcred = Credential(subject=object_hrn + " delegated to " + delegee_hrn)
+ dcred.set_gid_caller(delegee_gid)
+ dcred.set_gid_object(object_gid)
+ dcred.set_privileges(cred.get_privileges())
+ dcred.set_delegate(True)
+ dcred.set_pubkey(object_gid.get_pubkey())
+ dcred.set_issuer(user_key, user_hrn)
+ dcred.set_parent(cred)
+ dcred.encode()
+ dcred.sign()
+
+ return dcred
+
def get_rspec_file(rspec):
if (os.path.isabs(rspec)):
file = rspec
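Review bot: In `delegate_cred`, `cred.set_delegate(True)` runs immediately before `if not cred.get_delegate():`, so the guard presumably can never fail (assuming `get_delegate` reads what `set_delegate` writes). The helper would then derive a delegated credential from a parent that was never marked delegable. The `delegate` command changed later in this commit tests `object_cred.get_delegate()` without setting it first, which looks like the intended behaviour. I would drop the `cred.set_delegate(True)` line so the check reads the bit the issuer actually granted. The `type` parameter also shadows the builtin, so a comment noting that it means the record type would help.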
os.remove(outfn)
return key_string
-
#
# Generate sub-command parser
#
global registry
user_cred = get_user_cred()
if opts.delegate_user:
- cred = user_cred
+ object_cred = user_cred
elif opts.delegate_slice:
- cred = get_slice_cred(opt.delegate_slice)
+ object_cred = get_slice_cred(opts.delegate_slice)
else:
print "Must specify either --user or --slice <hrn>"
return
+ # the gid and hrn of the object we are delegating
+ object_gid = object_cred.get_gid_object()
+ object_hrn = object_gid.get_hrn()
+
+ if not object_cred.get_delegate():
+ print "Error: Object credential", object_hrn, "does not have delegate bit set"
+ return
+
records = registry.resolve(user_cred, args[0])
records = filter_records("user", records)
if not records:
- print "Didn't find a user record for", delegee_name
+ print "Error: Didn't find a user record for", args[0]
return
- # the gid and hrn of the object we are delegating
- object_gid = cred.get_gid_object()
- object_hrn = object_gid.get_hrn()
-
# the gid of the user who will be delegated too
delegee_gid = records[0].get_gid_object()
delegee_hrn = delegee_gid.get_hrn()
user_key = Keypair(filename = get_key_file())
user_hrn = user_cred.get_gid_caller().get_hrn()
- dcred = Credential(subject=cred.get_subject())
+ dcred = Credential(subject=object_hrn + " delegated to " + delegee_hrn)
dcred.set_gid_caller(delegee_gid)
dcred.set_gid_object(object_gid)
- dcred.set_privileges(cred.get_privileges())
+ dcred.set_privileges(object_cred.get_privileges())
dcred.set_delegate(True)
dcred.set_pubkey(object_gid.get_pubkey())
dcred.set_issuer(user_key, user_hrn)
- dcred.set_parent(cred)
+ dcred.set_parent(object_cred)
dcred.encode()
dcred.sign()
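Review bot: `dcred.set_privileges(object_cred.get_privileges())` followed by `dcred.set_delegate(True)` gives the delegee the full privilege set of the object credential plus the right to delegate again, and nothing in this hunk lets the caller narrow either. If that is intended, a comment above those lines would record it, e.g. `# delegee inherits every privilege of object_cred and may re-delegate`. `records[0]` is also used without checking that the lookup for `args[0]` returned exactly one user record. The enclosing function starts outside the hunk.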
# broken and has no way for us to get the key back out of the gid)
geni_info = record.get_geni_info()
if "create_gid" in geni_info:
- gid = registry.create_gid(auth_cred, geni_info["create_gid_hrn"], create_uuid(), geni_info["create_gid_key"])
+ key_string = geni_info["create_gid_key"].replace("|","\n") # XXX smbaker: the rspec kills newlines
+ gid = registry.create_gid(auth_cred, geni_info["create_gid_hrn"], create_uuid(), key_string)
record.set_gid(gid)
del geni_info["create_gid"]
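Review bot: `if "create_gid" in geni_info:` guards only that one key, while the new lines index `geni_info["create_gid_key"]` and `geni_info["create_gid_hrn"]` unconditionally, so a record that has the flag but no key fails with a bare KeyError. A check before the `replace`, such as `if "create_gid_key" not in geni_info: raise Exception("create_gid requested without create_gid_key")`, would give a clear error instead. The `|`-for-newline convention is described only by the trailing XXX comment, and whether `registry.create_gid` validates the decoded key is not visible here. The enclosing function starts and ends outside the hunk.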
if record.get_name() == user_cred.get_gid_object().get_hrn():
cred = user_cred
else:
- create = get_auth_cred()
+ cred = get_auth_cred()
elif record.get_type() in ["slice"]:
try:
cred = get_slice_cred(record.get_name())
except ServerException, e:
- if "PermissionError" in e.args[0]:
+ # XXX smbaker -- once we have better error return codes, update this
+ # to do something better than a string compare
+ if "Permission error" in e.args[0]:
cred = get_auth_cred()
else:
raise
- elif record.get_type() in ["sa", "ma", "node"]:
+ elif record.get_type() in ["authority"]:
cred = get_auth_cred()
+ elif record.get_type() == 'node':
+ cred = get_auth_cred()
else:
raise "unknown record type" + record.get_type()
return registry.update(cred, record)
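Review bot: The final `raise "unknown record type" + record.get_type()` raises a string, which Python 2.6 and later reject with a TypeError, and the message lacks a space before the type; `raise Exception("unknown record type " + record.get_type())` keeps the intent. The new `elif record.get_type() in ["authority"]:` and `elif record.get_type() == 'node':` branches do the same thing and could be one `elif record.get_type() in ["authority", "node"]:`. The `"Permission error" in e.args[0]` test assumes `e.args` is non-empty and that its first item is a string. Since that test gates a retry with the authority credential, a short comment saying why the fallback is acceptable would be worth adding next to the existing XXX note. The function starts outside the hunk.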
format = opts.format
display_rspec(result, format)
if (opts.file is not None):
- save_rspec_to_file(opts.file, result)
+ save_rspec_to_file(result, opts.file)
return
# created named slice with given rspec