X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=plugins%2Fsliverauth.py;h=07986500cfe9360de78480602f19da4d2fdf5153;hb=3aa530936b94b6f1f308ec3e705c5528bb89bdce;hp=15f014266cc7ee3019f2e25d9bce33b4290f284f;hpb=030819db61f9c6316f1d44d7c3e3486348ae49cc;p=nodemanager.git
diff --git a/plugins/sliverauth.py b/plugins/sliverauth.py
index 15f0142..0798650 100644
--- a/plugins/sliverauth.py
+++ b/plugins/sliverauth.py
@@ -1,31 +1,29 @@
 #!/usr/bin/python -tt
 # vim:set ts=4 sw=4 expandtab:
 #
-# $Id$
-# $URL$
-#
 # NodeManager plugin for creating credentials in slivers
 # (*) empower slivers to make API calls throught hmac
 # (*) also create a ssh key - used by the OMF resource controller
 # for authenticating itself with its Experiment Controller
-# xxx todo : a config option for turning these 2 things on or off ?
+# in order to avoid spamming the DB with huge amounts of such tags,
+# (*) slices need to have the 'enable_hmac' tag set
+# (*) or the 'omf_control' tag set, respectively
 """
 Sliver authentication support for NodeManager.
 """
-import errno
 import os
 import random
 import string
 import tempfile
-import time
+import socket
 import logger
 import tools
-def start(options, conf):
+def start():
 logger.log("sliverauth: (dummy) plugin starting up...")
 def GetSlivers(data, config, plc):
@@ -47,8 +45,18 @@ def GetSlivers(data, config, plc):
 logger.log("sliverauth: plc-instantiated slice %s does not yet exist. IGNORING!" % sliver['name'])
 continue
- manage_hmac (plc, sliver)
- manage_sshkey (plc, sliver)
+ system_slice = False
+ for chunk in sliver['attributes']:
+ if chunk['tagname'] == "system":
+ if chunk['value'] in (True, 1, '1') or chunk['value'].lower() == "true":
+ system_slice = True
+
+ for chunk in sliver['attributes']:
+ if chunk['tagname']=='enable_hmac' and not system_slice:
+ manage_hmac (plc, sliver)
+
+ if chunk['tagname']=='omf_control':
+ manage_sshkey (plc, sliver)
 def SetSliverTag(plc, slice, tagname, value):
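Review bot: In the new system-slice detection in GetSlivers, `chunk['value'].lower()` is evaluated whenever the value is not one of `(True, 1, '1')`, so a tag value such as `0`, `False` or `None` raises AttributeError, and that would propagate out of the per-sliver loop (which starts outside this hunk) and stop credential handling for every remaining sliver. Normalising the value first avoids this: `if str(chunk['value']).lower() in ('1', 'true'):`. Also note that only manage_hmac is gated on `system_slice`; manage_sshkey still runs for any sliver carrying `omf_control`, so a system slice would get a passphrase-less ssh key generated for it — if that is intended, a one-line comment saying so would help, e.g. `# omf_control keys are issued to system slices too`. The two scans over `sliver['attributes']` could also be merged, but that is cosmetic.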
@@ -91,22 +99,33 @@ def manage_hmac (plc, sliver):
 if (tools.replace_file_with_string(keyfile,hmac,chmod=0400)):
 logger.log ("sliverauth: (over)wrote hmac into %s " % keyfile)
+# create the key if needed and returns the key contents
+def generate_sshkey (sliver):
+# initial version was storing stuff in the sliver directly
+# keyfile="/vservers/%s/home/%s/.ssh/id_rsa"%(sliver['name'],sliver['name'])
+# we're now storing this in the same place as the authorized_keys, which in turn
+# gets mounted to the user's home directory in the sliver
+ keyfile="/home/%s/.ssh/id_rsa"%(sliver['name'])
+ pubfile="%s.pub"%keyfile
+ dotssh=os.path.dirname(keyfile)
+ # create dir if needed
+ if not os.path.isdir (dotssh):
+ os.mkdir (dotssh, 0700)
+ logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), dotssh ] )
+ if not os.path.isfile (pubfile):
+ comment="%s@%s"%(sliver['name'],socket.gethostname())
+ logger.log_call( [ 'ssh-keygen', '-t', 'rsa', '-N', '', '-f', keyfile , '-C', comment] )
+ os.chmod (keyfile, 0400)
+ logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), keyfile, pubfile ] )
+ return file(pubfile).read().strip()
+
+# a sliver can get created, deleted and re-created
+# the slice having the tag is not sufficient to skip key geneneration
 def manage_sshkey (plc, sliver):
- ssh_key = find_tag (sliver, 'ssh_key')
-
- # generate if not present
- if not ssh_key:
- # create dir if needed
- dotssh="/vservers/%s/home/%s/.ssh"%(sliver['name'],sliver['name'])
- if not os.path.isdir (dotssh):
- os.mkdir (dotssh, 0700)
- logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), dotssh ] )
- keyfile="%s/id_rsa"%dotssh
- pubfile="%s.pub"%keyfile
- if not os.path.isfile (pubfile):
- logger.log_call( [ 'ssh-keygen', '-t', 'rsa', '-N', '', '-f', keyfile ] )
- os.chmod (keyfile, 0400)
- logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), keyfile, pubfile ] )
- ssh_key = file(pubfile).read()
+ # regardless of whether the tag is there or not, we need to grab the file
+ # if it's lost b/c e.g. the sliver was destroyed we cannot save the tags content
+ ssh_key = generate_sshkey(sliver)
+ old_tag = find_tag (sliver, 'ssh_key')
+ if ssh_key <> old_tag:
 SetSliverTag(plc, sliver['name'], 'ssh_key', ssh_key)
 logger.log ("sliverauth: %s: setting ssh_key" % sliver['name'])
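Review bot: In generate_sshkey the outcome of the `ssh-keygen` log_call is never checked, so when key generation fails the following `os.chmod (keyfile, 0400)` raises OSError (or `file(pubfile)` raises IOError) straight out of manage_sshkey and, presumably, out of the per-sliver loop in GetSlivers, which is outside this hunk. Re-testing for the public key after the keygen call, `if not os.path.isfile (pubfile): logger.log ("sliverauth: %s: ssh-keygen failed" % sliver['name']); return None`, and having manage_sshkey skip the tag update on None keeps one sliver's failure local. The `isfile (pubfile)` guard also does not cover a private key left behind without its `.pub`; in that case ssh-keygen is likely to stop on its overwrite prompt rather than regenerate, so testing `keyfile` as well (or removing the stale pair first) would be more robust. Two smaller points: `return file(pubfile).read().strip()` should become `with open(pubfile) as f: return f.read().strip()` so the handle is closed deterministically, and `ssh_key <> old_tag` should be `ssh_key != old_tag`. Finally, `sliver['name']` is interpolated into the key path and the chown argument; it comes from the PLC data so is presumably a plain slice name, but a check that it contains no path separator is a cheap guard for a routine that writes private keys as root.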