+##
+# Geni Registry Wrapper
+#
+# This wrapper implements the Geni Registry
+##
+
import tempfile
import os
-
+import time
import sys
from cert import *
from misc import *
from record import *
from genitable import *
+from geniticket import *
+
+##
+# Convert geni fields to PLC fields for use when registering up updating
+# registry record in the PLC database
+#
+# @params type type of record (user, slice, ...)
+# @params hrn human readable name
+# @params geni_fields dictionary of geni fields
+# @params pl_fields dictionary of PLC fields (output)
def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields):
if type == "user":
if not "is_public" in pl_fields:
pl_fields["is_public"] = True
+##
+# Registry is a GeniServer that serves registry requests. It also serves
+# component and slice operations that are implemented on the registry
+# due to SFA engineering decisions
+#
+
class Registry(GeniServer):
def __init__(self, ip, port, key_file, cert_file):
GeniServer.__init__(self, ip, port, key_file, cert_file)
else:
self.connect_local_shell()
+ ##
+ # Connect to a remote shell via XMLRPC
+
def connect_remote_shell(self):
import remoteshell
self.shell = remoteshell.RemoteShell()
+ ##
+ # Connect to a local shell via local API functions
+
def connect_local_shell(self):
import PLC.Shell
self.shell = PLC.Shell.Shell(globals = globals())
+ ##
+ # Register the server RPCs for the registry
+
def register_functions(self):
GeniServer.register_functions(self)
+ # registry interface
self.server.register_function(self.create_gid)
self.server.register_function(self.get_self_credential)
self.server.register_function(self.get_credential)
self.server.register_function(self.update)
self.server.register_function(self.list)
self.server.register_function(self.resolve)
+ # component interface
+ self.server.register_function(self.get_ticket)
- def get_auth_info(self, name):
- return AuthHierarchy.get_auth_info(name)
+ ##
+ # Given an authority name, return the information for that authority. This
+ # is basically a stub that calls the hierarchy module.
+ #
+ # @param auth_hrn human readable name of authority
+
+ def get_auth_info(self, auth_hrn):
+ return AuthHierarchy.get_auth_info(auth_hrn)
+
+ ##
+ # Given an authority name, return the database table for that authority. If
+ # the database table does not exist, then one will be automatically
+ # created.
+ #
+ # @param auth_name human readable name of authority
def get_auth_table(self, auth_name):
auth_info = self.get_auth_info(auth_name)
return table
+ ##
+ # Verify that an authority belongs to this registry. This is basically left
+ # up to the implementation of the hierarchy module. If the specified name
+ # does not belong to this registry, an exception is thrown indicating the
+ # caller should contact someone else.
+ #
+ # @param auth_name human readable name of authority
+
def verify_auth_belongs_to_me(self, name):
# get_auth_info will throw an exception if the authority does not
# exist
self.get_auth_info(name)
+ ##
+ # Verify that an object belongs to this registry. By extension, this implies
+ # that the authority that owns the object belongs to this registry. If the
+ # object does not belong to this registry, then an exception is thrown.
+ #
+ # @param name human readable name of object
+
def verify_object_belongs_to_me(self, name):
auth_name = get_authority(name)
if not auth_name:
return
self.verify_auth_belongs_to_me(auth_name)
+ ##
+ # Verify that the object_gid that was specified in the credential allows
+ # permission to the object 'name'. This is done by a simple prefix test.
+ # For example, an object_gid for planetlab.us.arizona would match the
+ # objects planetlab.us.arizona.slice1 and planetlab.us.arizona.
+ #
+ # @param name human readable name to test
+
def verify_object_permission(self, name):
object_hrn = self.object_gid.get_hrn()
if object_hrn == name:
return
raise PermissionError(name)
+ ##
+ # Fill in the planetlab-specific fields of a Geni record. This involves
+ # calling the appropriate PLC methods to retrieve the database record for
+ # the object.
+ #
+ # PLC data is filled into the pl_info field of the record.
+ #
+ # @param record record to fill in fields (in/out param)
+
def fill_record_pl_info(self, record):
type = record.get_type()
pointer = record.get_pointer()
record.set_pl_info(pl_res[0])
+ ##
+ # Look up user records given PLC user-ids. This is used as part of the
+ # process for reverse-mapping PLC records into Geni records.
+ #
+ # @param auth_table database table for the authority that holds the user records
+ # @param user_id_list list of user ids
+ # @param role either "*" or a string describing the role to look for ("pi", "user", ...)
+ #
+ # TODO: This function currently only searches one authority because it would
+ # be inefficient to brute-force search all authorities for a user id. The
+ # solution would likely be to implement a reverse mapping of user-id to
+ # (type, hrn) pairs.
+
+ def lookup_users(self, auth_table, user_id_list, role="*"):
+ record_list = []
+ for person_id in user_id_list:
+ user_records = auth_table.find("user", person_id, "pointer")
+ for user_record in user_records:
+ self.fill_record_info(user_record)
+
+ user_roles = user_record.get_pl_info().get("roles")
+ if (role=="*") or (role in user_roles):
+ record_list.append(user_record.get_name())
+ return record_list
+
+ ##
+ # Fill in the geni-specific fields of the record.
+ #
+ # Note: It is assumed the fill_record_pl_info() has already been performed
+ # on the record.
+
def fill_record_geni_info(self, record):
- pass
+ geni_info = {}
+ type = record.get_type()
+
+ if (type == "slice"):
+ auth_table = self.get_auth_table(get_authority(record.get_name()))
+ person_ids = record.pl_info.get("person_ids", [])
+ researchers = self.lookup_users(auth_table, person_ids)
+ geni_info['researcher'] = researchers
+
+ elif (type == "sa"):
+ auth_table = self.get_auth_table(record.get_name())
+ person_ids = record.pl_info.get("person_ids", [])
+ pis = self.lookup_users(auth_table, person_ids, "pi")
+ geni_info['pi'] = pis
+ # TODO: OrganizationName
+
+ elif (type == "ma"):
+ auth_table = self.get_auth_table(record.get_name())
+ person_ids = record.pl_info.get("person_ids", [])
+ operators = self.lookup_users(auth_table, person_ids, "tech")
+ geni_info['operator'] = operators
+ # TODO: OrganizationName
+
+ auth_table = self.get_auth_table(record.get_name())
+ person_ids = record.pl_info.get("person_ids", [])
+ owners = self.lookup_users(auth_table, person_ids, "admin")
+ geni_info['owner'] = owners
+
+ elif (type == "node"):
+ geni_info['dns'] = record.pl_info.get("hostname", "")
+ # TODO: URI, LatLong, IP, DNS
+
+ elif (type == "user"):
+ geni_info['email'] = record.pl_info.get("email", "")
+ # TODO: PostalAddress, Phone
+
+ record.set_geni_info(geni_info)
+
+ ##
+ # Given a Geni record, fill in the PLC-specific and Geni-specific fields
+ # in the record.
def fill_record_info(self, record):
self.fill_record_pl_info(record)
self.fill_record_geni_info(record)
+ ##
+ # GENI API: register
+ #
+ # Register an object with the registry. In addition to being stored in the
+ # Geni database, the appropriate records will also be created in the
+ # PLC databases
+ #
+ # @param cred credential string
+ # @param record_dict dictionary containing record fields
+
def register(self, cred, record_dict):
self.decode_authentication(cred, "register")
return record.get_gid_object().save_to_string(save_parents=True)
+ ##
+ # GENI API: remove
+ #
+ # Remove an object from the registry. If the object represents a PLC object,
+ # then the PLC records will also be removed.
+ #
+ # @param cred credential string
+ # @param record_dict dictionary containing record fields. The only relevant
+ # fields of the record are 'name' and 'type', which are used to lookup
+ # the current copy of the record in the Geni database, to make sure
+ # that the appopriate record is removed.
+
def remove(self, cred, record_dict):
self.decode_authentication(cred, "remove")
return True
+ ##
+ # GENI API: update
+
def update(self, cred, record_dict):
self.decode_authentication(cred, "update")
existing_record = existing_record_list[0]
pointer = existing_record.get_pointer()
+ # update the PLC information that was specified with the record
+
if (type == "sa") or (type == "ma"):
self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info())
if type == "user":
rl.add("refresh")
rl.add("resolve")
+ rl.add("info")
elif type == "sa":
rl.add("authority")
elif type == "ma":
rl.add("embed")
rl.add("bind")
rl.add("control")
+ rl.add("info")
elif type == "component":
rl.add("operator")
return gid.save_to_string(save_parents=True)
+ # ------------------------------------------------------------------------
+ # Component Interface
+
+ def record_to_slice_info(self, record):
+
+ # get the user keys from the slice
+ keys = []
+ persons = self.shell.GetPersons(self.pl_auth, record.pl_info['person_ids'])
+ for person in persons:
+ person_keys = self.shell.GetKeys(self.pl_auth, person["key_ids"])
+ for person_key in person_keys:
+ keys = keys + [person_key['key']]
+
+ attributes={}
+ attributes['name'] = record.pl_info['name']
+ attributes['keys'] = keys
+ attributes['instantiation'] = record.pl_info['instantiation']
+ attributes['vref'] = 'default'
+ attributes['timestamp'] = time.time()
+
+ rspec = {}
+
+ # get the PLC attributes and separate them into slice attributes and
+ # rspec attributes
+ filter = {}
+ filter['slice_id'] = record.pl_info['slice_id']
+ plc_attrs = self.shell.GetSliceAttributes(self.pl_auth, filter)
+ for attr in plc_attrs:
+ name = attr['name']
+
+ # initscripts: lookup the contents of the initscript and store it
+ # in the ticket attributes
+ if (name == "initscript"):
+ filter={'name': attr['value']}
+ initscripts = self.shell.GetInitScripts(self.pl_auth, filter)
+ if initscripts:
+ attributes['initscript'] = initscripts[0]['script']
+ else:
+ rspec[name] = attr['value']
+
+ return (attributes, rspec)
+
+
+ def get_ticket(self, cred, name, rspec):
+ self.decode_authentication(cred, "getticket")
+
+ self.verify_object_belongs_to_me(name)
+
+ self.verify_object_permission(name)
+
+ # XXX much of this code looks like get_credential... are they so similar
+ # that they should be combined?
+
+ auth_hrn = get_authority(name)
+ auth_info = self.get_auth_info(auth_hrn)
+
+ records = self.resolve_raw("slice", name, must_exist=True)
+ record = records[0]
+
+ object_gid = record.get_gid_object()
+ new_ticket = Ticket(subject = object_gid.get_subject())
+ new_ticket.set_gid_caller(self.client_gid)
+ new_ticket.set_gid_object(object_gid)
+ new_ticket.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
+ new_ticket.set_pubkey(object_gid.get_pubkey())
+
+ self.fill_record_info(record)
+
+ (attributes, rspec) = self.record_to_slice_info(record)
+
+ new_ticket.set_attributes(attributes)
+ new_ticket.set_rspec(rspec)
+
+ new_ticket.set_parent(AuthHierarchy.get_auth_ticket(auth_hrn))
+
+ new_ticket.encode()
+ new_ticket.sign()
+
+ return new_ticket.save_to_string(save_parents=True)
+
if __name__ == "__main__":
global AuthHierarchy