X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=api-config;h=f58ab758953c489d1ec41d8cd81a30c746090471;hb=refs%2Fheads%2Fmyplc-0_4-branch;hp=51f8e30641d7ab10ae30952d2ec748db3338c865;hpb=3c7323109fd6729924ebfe1495144a24f8a111e3;p=myplc.git diff --git a/api-config b/api-config index 51f8e30..f58ab75 100755 --- a/api-config +++ b/api-config @@ -1,19 +1,21 @@ #!/usr/bin/python # # Bootstraps the PLC database with a default administrator account and -# a default site. +# a default site. Also generates the MA/SA API certificate. # # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: api-config,v 1.1.1.1 2006/03/27 17:36:46 mlhuang Exp $ +# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $ # -import plcapilib -(plcapi, moreopts, argv) = plcapilib.plcapi(globals()) from plc_config import PLCConfiguration -import xmlrpclib -import sys +import os +import re +import xml +import CertOps, Certificate +import Certificate +import commands def main(): @@ -22,201 +24,105 @@ def main(): variables = cfg.variables() # Load variables into dictionaries - (category, variablelist) = variables['plc'] - plc = dict(zip(variablelist.keys(), - [variable['value'] for variable in variablelist.values()])) - - (category, variablelist) = variables['plc_www'] - plc_www = dict(zip(variablelist.keys(), - [variable['value'] for variable in variablelist.values()])) - - (category, variablelist) = variables['plc_api'] - plc_api = dict(zip(variablelist.keys(), - [variable['value'] for variable in variablelist.values()])) - - # Create/update the default administrator account (should be - # person_id 2). - admin = { 'person_id': 2, - 'first_name': "Default", - 'last_name': "Administrator", - 'email': plc['root_user'], - 'password': plc['root_password'] } - persons = AdmGetPersons([admin['person_id']]) - if not persons: - person_id = AdmAddPerson(admin['first_name'], admin['last_name'], admin) - if person_id != admin['person_id']: - # Huh? Someone deleted the account manually from the database. - AdmDeletePerson(person_id) - raise Exception, "Someone deleted the \"%s %s\" account from the database!" % \ - (admin['first_name'], admin['last_name']) - AdmSetPersonEnabled(person_id, True) - else: - person_id = persons[0]['person_id'] - AdmUpdatePerson(person_id, admin) - - # Create/update the default site (should be site_id 0) - if plc_www['port'] == '80': - url = "http://" + plc_www['host'] + "/" - elif plc_www['port'] == '443': - url = "https://" + plc_www['host'] + "/" - else: - url = "http://" + plc_www['host'] + ":" + plc_www['port'] + "/" - site = { 'site_id': 1, - 'name': plc['name'] + " Central", - 'abbreviated_name': plc['name'], - # XXX Default site slice_prefix/login_base must be "pl_" - # 'login_base': plc['slice_prefix'], - 'login_base': "pl_", - 'is_public': False, - 'url': url, - 'max_slices': 100 } - - sites = AdmGetSites([site['site_id']]) - if not sites: - site_id = AdmAddSite(site['name'], site['abbreviated_name'], site['login_base'], site) - if site_id != site['site_id']: - AdmDeleteSite(site_id) - raise Exception, "Someone deleted the \"%s\" site from the database!" % \ - site['name'] + for category_id, (category, variablelist) in variables.iteritems(): + globals()[category_id] = dict(zip(variablelist.keys(), + [variable['value'] for variable in variablelist.values()])) + + # Get the issuer e-mail address and public key from the root CA certificate + root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \ + plc_ma_sa['ca_ssl_crt']) + root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \ + plc_ma_sa['ca_ssl_crt']) + + # Verify API certificate + if os.path.exists(plc_ma_sa['api_crt']): + print "Verifying API certificate '%s'" % plc_ma_sa['api_crt'] + try: + cert_xml = file(plc_ma_sa['api_crt']).read().strip() + # Verify root CA signature + CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub}) + # Check if MA/SA e-mail address has changed + dom = xml.dom.minidom.parseString(cert_xml) + for subject in dom.getElementsByTagName('subject'): + if subject.getAttribute('email') != plc_mail['support_address']: + raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \ + (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address']) + except Exception, e: + # Delete invalid API certificate + print "Warning: ", e + os.unlink(plc_ma_sa['api_crt']) + + # Generate self-signed API certificate + if not os.path.exists(plc_ma_sa['api_crt']): + print "Generating new API certificate" + try: + cert = Certificate.Certificate('ticket-cert-0') + ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \ + plc_ma_sa['ssl_crt']) + cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address']) + root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \ + plc_ma_sa['ssl_crt']) + m = re.search('/CN=([^/]*).*', root_ca_subject) + if m is None: + root_ca_cn = plc['name'] + " Management and Slice Authority" + else: + root_ca_cn = m.group(1) + cert.set_issuer(email = root_ca_email, cn = root_ca_cn) + cert_xml = cert.sign(plc_ma_sa['ssl_key']) + ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w") + ma_sa_api_crt.write(cert_xml) + ma_sa_api_crt.close() + except Exception, e: + print "Warning: Could not generate API certificate: ", e + + # For backward compatibility, until we can convert all code to use + # the now standardized variable names. + + # API expects root SSH public key to be at /etc/planetlab/node_root_key + if not os.path.exists("/etc/planetlab/node_root_key"): + os.symlink(plc['root_ssh_key_pub'], "/etc/planetlab/node_root_key") + + # Old variable names littered throughout the API + if plc_mail['enabled'] == "true": + plc_mail_enabled = "1" else: - site_id = sites[0]['site_id'] - # XXX login_base cannot be updated - del site['login_base'] - AdmUpdateSite(site_id, site) - - # The default administrator account must be associated with a site - # in order to login. - AdmAddPersonToSite(admin['person_id'], site['site_id']) - AdmSetPersonPrimarySite(admin['person_id'], site['site_id']) - - # Grant admin and PI roles to the default administrator account - AdmGrantRoleToPerson(admin['person_id'], 10) - AdmGrantRoleToPerson(admin['person_id'], 20) - - # Further bootstrap the database. A few PlanetLabConf entries are - # absolutely required, and NM requires the slice tables to be - # populated. + plc_mail_enabled = "0" + + old_variables = {'PL_API_SERVER': plc_api['host'], + 'PL_API_PATH': plc_api['path'], + 'PL_API_PORT': plc_api['port'], + 'PL_API_CAPABILITY_AUTH_METHOD': "capability", + 'PL_API_CAPABILITY_PASS': plc_api['maintenance_password'], + 'PL_API_CAPABILITY_USERNAME': plc_api['maintenance_user'], + 'PLANETLAB_SUPPORT_EMAIL': plc_mail['support_address'], + 'BOOT_MESSAGES_EMAIL': plc_mail['boot_address'], + 'WWW_BASE': plc_www['host'], + 'BOOT_BASE': plc_boot['host'], + + 'PLC_MAIL_ENABLED': plc_mail_enabled, + 'MA_SA_NAMESPACE': plc_ma_sa['namespace'], + 'SESSION_LENGTH_HOURS': "24", + 'ROOT_CA_EMAIL': root_ca_email, + 'ROOT_CA_PUB_KEY': plc_ma_sa['ca_ssl_key_pub'], + 'API_CERT_PATH': plc_ma_sa['api_crt'], + 'MA_SA_PRIVATE_KEY': plc_ma_sa['ssl_key'], + 'PL_API_TICKET_KEY_FILE': plc_ma_sa['ssl_key']} + + # The format of an "allowed maintenance source" specification is # - # XXX This data should really become part of the DB schema so that - # we don't have to copy it from PLC. For now, this code is only - # intended to be called at build time, when we know that we have - # access to PLC. Once the tables have been populated, this code - # should never be called again and PLC access is not required, - # i.e., end users of MyPLC should never see this code be executed. - - # Use xmlrpclib to connect to PLC temporarily. plcapilib cannot - # connect to multiple servers at once. - auth = {'AuthMethod': 'anonymous'} - PLC = None - - conf_files = AdmGetConfFile() - if not conf_files: - if PLC is None: - PLC = xmlrpclib.Server("https://www.planet-lab.org/PLCAPI/") - for conf_file in PLC.AnonAdmGetConfFile(auth): - if conf_file['enabled'] and \ - not conf_file['node_id'] and \ - not conf_file['nodegroup_id']: - AdmCreateConfFile(conf_file['enabled'], - conf_file['source'], - conf_file['dest'], - conf_file['file_permissions'], - conf_file['file_owner'], - conf_file['file_group'], - conf_file['preinstall_cmd'], - conf_file['postinstall_cmd'], - conf_file['error_cmd'], - conf_file['ignore_cmd_errors'], - conf_file['always_update']) - - # Setup default slice attribute types, slices, and - # attributes. These are hard-coded here because we cannot safely - # support an anonymous interface to the SliceAttribute functions, - # yet we also do not want to require API authentication for - # bootstrapping. - - if not SliceAttributeTypeList(): - # Create system attribute types - attribute_types = [{'name': "general_prop_share", - 'description': "general share", - 'is_exclusive': False, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "", - 'name': "general_prop_share", - 'type': "integer"}]}, - {'name': "initscript", - 'description': "slice initialization script", - 'is_exclusive': False, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "", - 'name': "initscript_id", - 'type': "integer"}]}, - {'name': "plc_slice_type", - 'description': "Type of slice rspec to be created", - 'is_exclusive': True, 'min_role_id': 20, 'max_per_slice': 1, - 'value_fields': [{'description': "rspec class", - 'name': "type", - 'type': "string"}]}, - {'name': "nm_cpu_share", - 'description': "Number of CPU shares to be allocated to slice", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "number of shares", - 'name': "cpu_share", - 'type': "integer"}]}, - {'name': "plc_agent_version", - 'description': "Version of PLC agent (slice creation service) software to be deployed", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "current version of PLC agent (SCS)", - 'name': "version", - 'type': "string"}]}, - {'name': "plc_ticket_pubkey", - 'description': "Public key used to verify PLC-signed tickets", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "PEM-encoded public key", - 'name': "key", - 'type': "string"}]}, - {'name': "nm_disk_quota", - 'description': "Disk quota", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "Number of 1k disk blocks", - 'name': "quota", - 'type': "integer"}]}] - for attribute_type in attribute_types: - SliceAttributeTypeCreate(attribute_type['name'], attribute_type['description'], - attribute_type['min_role_id'], attribute_type['max_per_slice'], - attribute_type['is_exclusive'], attribute_type['value_fields']) - - if not SliceListNames(): - # Get contents of SSL public certificate used for signing tickets - try: - plc_ticket_pubkey = "" - for line in file(plc_api['ssl_key_pub']): - # Skip comments - if line[0:5] != "-----": - # XXX The embedded newlines matter, do not strip()! - plc_ticket_pubkey += line - except: - plc_ticket_pubkey = '%KEY%' - - # Create system slices - slices = [{'name': "pl_conf", - 'description': "PlanetLab Slice Creation Service (SCS)", - 'url': url, - 'attributes': {'plc_slice_type': {'type': "VServerSlice"}, - 'plc_agent_version': {'version': "1.0"}, - 'plc_ticket_pubkey': {'key': plc_ticket_pubkey}}}, - {'name': "pl_conf_vserverslice", - 'description': "Default attributes for vserver slices", - 'url': url, - 'attributes': {'nm_cpu_share': {'cpu_share': 32}, - 'plc_slice_type': {'type': "VServerSlice"}, - 'nm_disk_quota': {'quota': 5000000}}}] - for slice in slices: - SliceCreate(slice['name']) - SliceUpdate(slice['name'], slice['url'], slice['description']) - SliceSetInstantiationMethod(slice['name'], 'plc-instantiated') - # Renew forever - SliceRenew(slice['name'], sys.maxint) - for attribute, values in slice['attributes'].iteritems(): - SliceAttributeAdd(slice['name'], attribute, values) + # ip:max_role_id:organization_id:password + # + # It is unlikely that we will let federated sites use the + # maintenance account to access each others' APIs, so we always + # set organization_id to -1. + old_variables['PL_API_CAPABILITY_SOURCES'] = " ".join( + ["%s:-1:-1:%s" % (ip, plc_api['maintenance_password']) \ + for ip in plc_api['maintenance_sources'].split()]) + + old_config = open("/etc/planetlab/plc_api", "w") + for name, value in old_variables.iteritems(): + old_config.write("%s='%s'\n" % (name, value)) + old_config.close() if __name__ == '__main__':