X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa.spec;h=f39ab0ecd610f55f40d346f5f260572d6d77f3e1;hb=8497f5e533ca98401daa5adb3515eb5113f88848;hp=d04af2905ce9a44653d1d315aacff60ffa426e75;hpb=ae04dcf2a27134c8e90f1dddb50e8d5b50794b24;p=sfa.git diff --git a/sfa.spec b/sfa.spec index d04af290..f39ab0ec 100644 --- a/sfa.spec +++ b/sfa.spec @@ -1,8 +1,6 @@ -%define url $URL: svn+ssh://svn.planet-lab.org/svn/geniwrapper/trunk/geniwrapper.spec $ - %define name sfa -%define version 0.8 -%define taglevel 6 +%define version 1.0 +%define taglevel 36 %define release %{taglevel}%{?pldistro:.%{pldistro}}%{?date:.%{date}} %global python_sitearch %( python -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)" ) @@ -19,81 +17,463 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot Vendor: PlanetLab Packager: PlanetLab Central Distribution: PlanetLab %{plrelease} -URL: %(echo %{url} | cut -d ' ' -f 2) +URL: %{SCMURL} +Summary: the SFA python libraries +Group: Applications/System BuildRequires: make -Requires: python -Requires: pyOpenSSL >= 0.7 +Requires: python >= 2.5 Requires: m2crypto - -Summary: the SFA python libraries +Requires: xmlsec1-openssl-devel +Requires: libxslt-python +Requires: python-ZSI +# xmlbuilder depends on lxml +Requires: python-lxml +Requires: python-setuptools +Requires: python-dateutil + +# python 2.5 has uuid module added, for python 2.4 we still need it. +# we can't really check for if we can load uuid as a python module, +# it'll be installed by "devel.pkgs". we have the epel repository so +# python-uuid will be provided. but we can test for the python +# version. +# %define has_py24 %( python -c "import sys;sys.exit(sys.version_info[0:2] == (2,4))" 2> /dev/null; echo $? ) +# %if %has_py24 +# +# this also didn't work very well. I'll just check for distroname - baris +#%if %{distroname} == "centos5" +#Requires: python-uuid +#%endif + +%package cm +Summary: the SFA layer around MyPLC NodeManager Group: Applications/System +Requires: sfa +Requires: pyOpenSSL >= 0.6 %package plc -Summary: the SFA wrapper arounf MyPLC +Summary: the SFA layer around MyPLC Group: Applications/System Requires: sfa +Requires: python-psycopg2 +Requires: myplc-config +Requires: pyOpenSSL >= 0.7 %package client Summary: the SFA experimenter-side CLI Group: Applications/System Requires: sfa +Requires: pyOpenSSL >= 0.7 + +%package sfatables +Summary: sfatables policy tool for SFA +Group: Applications/System +Requires: sfa + +%package flashpolicy +Summary: SFA support for flash clients +Group: Applications/System +Requires: sfa + +%package tests +Summary: unit tests suite for SFA +Group: Applications/System +Requires: sfa %description -This package provides the python libraries that the SFA implementation requires +This package provides the python libraries for the PlanetLab implementation of SFA +%description cm +This package implements the SFA interface which serves as a layer +between the existing PlanetLab NodeManager interfaces and the SFA API. + %description plc -Geniwrapper implements the SFA interface which serves as a layer +This package implements the SFA interface which serves as a layer between the existing PlanetLab interfaces and the SFA API. %description client This package provides the client side of the SFA API, in particular sfi.py, together with other utilities. +%description sfatables +sfatables is a tool for defining access and admission control policies +in an SFA network, in much the same way as iptables is for ip +networks. This is the command line interface to manage sfatables + +%description flashpolicy +This package provides support for adobe flash client applications. + +%description tests +Provides some binary unit tests in /usr/share/sfa/tests + %prep %setup -q %build -make +make VERSIONTAG="%{version}-%{taglevel}" SCMURL="%{SCMURL}" %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR="$RPM_BUILD_ROOT" +make VERSIONTAG="%{version}-%{taglevel}" SCMURL="%{SCMURL}" install DESTDIR="$RPM_BUILD_ROOT" %clean rm -rf $RPM_BUILD_ROOT %files +# sfa and sfatables depend each other. +%{_bindir}/sfa-start.py* +/etc/sfatables/* %{python_sitelib}/* -/usr/bin/keyconvert +%{_bindir}/keyconvert.py* /var/www/html/wsdl/*.wsdl +%files cm +/etc/init.d/sfa-cm +%{_bindir}/sfa_component_setup.py* +# cron jobs here + %files plc %defattr(-,root,root) -%config (noreplace) /etc/sfa/sfa_config +%config /etc/sfa/default_config.xml %config (noreplace) /etc/sfa/aggregates.xml %config (noreplace) /etc/sfa/registries.xml /etc/init.d/sfa +/etc/sfa/pl.rng +/etc/sfa/credential.xsd +/etc/sfa/top.xsd +/etc/sfa/sig.xsd +/etc/sfa/xml.xsd +/etc/sfa/protogeni-rspec-common.xsd %{_bindir}/sfa-config-tty %{_bindir}/sfa-import-plc.py* +%{_bindir}/sfa-clean-peer-records.py* %{_bindir}/sfa-nuke-plc.py* -%{_bindir}/sfa-server.py* +%{_bindir}/gen-sfa-cm-config.py* +%{_bindir}/sfa-ca.py* %files client %config (noreplace) /etc/sfa/sfi_config -%{_bindir}/sfi.py* +%{_bindir}/sfi* %{_bindir}/getNodes.py* %{_bindir}/getRecord.py* %{_bindir}/setRecord.py* -%{_bindir}/genidump.py* +%{_bindir}/sfadump.py* + +%files sfatables +%{_bindir}/sfatables -%pre plc -[ -f %{_sysconfdir}/init.d/sfa ] && service sfa stop ||: +%files flashpolicy +%{_bindir}/sfa_flashpolicy.py* +/etc/sfa/sfa_flashpolicy_config.xml +%files tests +%{_datadir}/sfa/tests + +### sfa-plc installs the 'sfa' service %post plc chkconfig --add sfa +%preun plc +if [ "$1" = 0 ] ; then + /sbin/service sfa stop || : + /sbin/chkconfig --del sfa || : +fi + +%postun plc +[ "$1" -ge "1" ] && service sfa restart + +### sfa-cm installs the 'sfa-cm' service +%post cm +chkconfig --add sfa-cm + +%preun cm +if [ "$1" = 0 ] ; then + /sbin/service sfa-cm stop || : + /sbin/chkconfig --del sfa-cm || : +fi + +%postun cm +[ "$1" -ge "1" ] && service sfa-cm restart || : + %changelog +* Thu Sep 15 2011 Tony Mack - sfa-1.0-36 +- Unicode-friendliness for user names with accents/special chars. +- Fix bug that could cause create the client to fail when calling CreateSliver for a slice that has the same hrn as a user. +- CreaetSliver no longer fails for users that have a capital letter in their URN. +- Fix bug in CreateSliver that generated incorrect login bases and email addresses for ProtoGENI requests. +- Allow files with .gid, .pem or .crt extension to be loaded into the server's list of trusted certs. +- Fix bugs and missing imports + + +* Tue Aug 30 2011 Thierry Parmentelat - sfa-1.0-35 +- new method record.get_field for sface + +* Mon Aug 29 2011 Thierry Parmentelat - sfa-1.0-34 +- new option -c to sfa-nuke-plc.py +- CreateSliver fixed for admin-only slice tags + +* Wed Aug 24 2011 Tony Mack - sfa-1.0-32 +- Fixed exploit that allowed an authorities to issue certs for objects that dont belong to them. +- Fixed holes in certificate verification logic. +- Aggregates no longer try to lookup slice and person records when processing CreateSliver requests. Clients are now required to specify this info in the 'users' argument. +- Added 'boot_state' as an attribute of the node element in SFA rspec. +- Non authority certificates are marked as CA:FALSE. + +* Tue Aug 16 2011 Tony Mack - sfa-1.0-32 +- fix typo in sfa-1.0-31 tag. +- added CreateGid() Registry interface method. + +* Tue Aug 16 2011 Tony Mack - sfa-1.0-31 +- fix typo in sfa-1.0-30 tag + +* Tue Aug 16 2011 Tony Mack - sfa-1.0-30 +- Declare namespace and schema location in the credential. +- Fix bug that prevetend connections from timing out. +- Fix slice delegation. +- Add statistics to slicemaanger listresources/createsliver rspec. +- Added SFA_MAX_SLICE_RENEW which allows operators to configure the max ammout + of days a user can extend their slice expiration. +- CA certs are only issued to objects of type authority + +* Fri Aug 05 2011 Thierry Parmentelat - sfa-1.0-29 +- tag 1.0-28 was broken due to typo in the changelog +- new class sfa/util/httpsProtocol.py that supports timeouts + +* Thu Aug 4 2011 Tony Mack - sfa-1.0-28 +- Resolved issue that caused sfa hold onto idle db connections. +- Fix bug that caused the registry to use the wrong type of credential. +- Support authority+sm type. +- Fix rspec merging bugs. +- Only load certs that have .gid extension from /etc/sfa/trusted_roots/ +- Created a 'planetlab' extension to the ProtoGENI v2 rspec for supporting + planetlab hosted initscripts using the tag +- Can now handle extraneous whitespace in the rspec without failing. + +* Fri Jul 8 2011 Tony Mack - sfa-1.0-27 +- ProtoGENI v2 RSpec updates. +- Convert expiration timestamps with timezone info in credentials to utc. +- Fixed redundant logging issue. +- Improved SliceManager and SFI client logging. +- Support aggregates that don't support the optional 'call_id' argument. +- Only call get_trusted_certs() at aggreage interfaces that support the call. +- CreateSliver() now handles MyPLC slice attributes/tags. +- Cache now supports persistence. +- Hide whitelisted nodes. + +* Tue Jun 21 2011 Thierry Parmentelat - sfa-1.0-26 +- fixed issues with sup authority signing +- fixed bugs in remove_slivers and SliverStatus + +* Thu Jun 16 2011 Thierry Parmentelat - sfa-1.0-25 +- fix typo that prevented aggregates from operating properly + +* Tue Jun 14 2011 Thierry Parmentelat - sfa-1.0-24 +- load trusted certs into ssl context prior to handshake +- client's logfile lives in ~/.sfi/sfi.log + +* Fri Jun 10 2011 Thierry Parmentelat - sfa-1.0-23 +- includes a change on passphrases that was intended in 1.0-22 + +* Thu Jun 6 2011 Tony Mack - sfa-1.0-22 +- Added support for ProtoGENI RSpec v2 + +* Wed Mar 16 2011 Thierry Parmentelat - sfa-1.0-21 +- stable sfascan +- fix in initscript, *ENABLED tags in config now taken into account + +* Fri Mar 11 2011 Thierry Parmentelat - sfa-1.0-20 +- some commits had not been pushed in tag 19 + +* Fri Mar 11 2011 Thierry Parmentelat - sfa-1.0-19 +- GetVersion should now report full URLs with path +- scansfa has nicer output and new syntax (entry URLs as args and not options) +- dos2unix'ed flash policy pill + +* Wed Mar 09 2011 Thierry Parmentelat - sfa-1.0-18 +- fix packaging again for f8 + +* Wed Mar 09 2011 Thierry Parmentelat - sfa-1.0-17 +- fix packaging (apparently broken in 1.0-16) +- first working version of sfascan +- tweaks in GetVersion for exposing hrn(AM) and full set of aggregates(SM) +- deprecated the sfa_geni_aggregate config category + +* Tue Mar 08 2011 Andy Bavier - sfa-1.0-16 +- Fix build problem +- First version of SFA scanner + +* Mon Mar 07 2011 Andy Bavier - sfa-1.0-15 +- Add support for Flash clients using flashpolicy +- Fix problems with tag handling in RSpec + +* Wed Mar 02 2011 Andy Bavier - sfa-1.0-14 +- Modifications to the Eucalyptus Aggregate Manager +- Fixes for VINI RSpec +- Fix tag handling for PL RSpec +- Fix XML Schema ordering for element + +* Tue Feb 01 2011 Thierry Parmentelat - sfa-1.0-13 +- just set x509 version to 2 + +* Wed Jan 26 2011 Thierry Parmentelat - sfa-1.0-12 +- added urn to the node area in rspecs +- conversion to urn now exports fqdn +- sfa-import-plc.py now creates a unique registry record for each SFA interface + +* Thu Dec 16 2010 Thierry Parmentelat - sfa-1.0-11 +- undo broken attempt for python-2.7 + +* Wed Dec 15 2010 Thierry Parmentelat - sfa-1.0-10 +- SMs avoid duplicates for when call graph has dags; +- just based on network's name, when a duplicate occurs, one is just dropped +- does not try to merge/aggregate 2 networks +- also reviewed logging with the hope to fix the sfa startup msg: +- TypeError: not all arguments converted during string formatting + +* Tue Dec 07 2010 Thierry Parmentelat - sfa-1.0-9 +- verify credentials against xsd schema +- Fix SM to SM communication +- Fix bug in sfa.util.sfalogging, sfa-import.py now logs to sfa_import.log +- new setting session_key_path + +* Tue Nov 09 2010 Thierry Parmentelat - sfa-1.0-8 +- fix registry credential regeneration and handle expiration +- support for setting slice tags (min_role=user) +- client can display its own version: sfi.py version --local +- GetVersion to provide urn in addition to hrn +- more code uses plxrn vs previous helper functions +- import replaces '+' in email addresses with '_' + +* Fri Oct 22 2010 Thierry Parmentelat - sfa-1.0-7 +- fix GetVersion code_tag and add code_url + +* Fri Oct 22 2010 Thierry Parmentelat - sfa-1.0-6 +- extend GetVersion towards minimum federation introspection, and expose local tag + +* Wed Oct 20 2010 Thierry Parmentelat - sfa-1.0-5 +- fixed some legacy issues (list vs List) +- deprecated sfa.util.namespace for xrn and plxrn +- unit tests ship as the sfa-tests rpm + +* Mon Oct 11 2010 Thierry Parmentelat - sfa-1.0-2 +- deprecated old methods (e.g. List/list, and GetCredential/get_credential) +- NOTE: get_(self_)credential both have type and hrn swapped when moving to Get(Self)Credential +- hrn-urn translations tweaked +- fixed 'service sfa status' +- sfa-nuke-plc has a -f/--file-system option to clean up /var/lib/authorities (exp.) +- started to repair sfadump - although not usable yet +- trust objects now have dump_string method that dump() actually prints +- unit tests under review +- logging cleanup ongoing (always safe to use sfalogging.sfa_logger()) +- binaries now support -v or -vv to increase loglevel +- trashed obsolete sfa.util.client + +* Mon Oct 04 2010 Thierry Parmentelat - sfa-1.0-1 +- various bugfixes and cleanup, improved/harmonized logging + +* Tue Sep 07 2010 Tony Mack - sfa-0.9-16 +- truncate login base of external (ProtoGeni, etc) slices to 20 characters + to avoid returning a PLCAPI exception that might confuse users. +- Enhance PLC aggregate performace by using a better filter when querying SliceTags. +- fix build errors. + +* Tue Aug 24 2010 Tony Mack - sfa-0.9-15 +- (Architecture) Credential format changed to match ProtoGENI xml format +- (Architecture) All interfaces export a new set of methods that are compatible + with the ProtoGeni Aggregate spec. These new methods are considered a + replacement for the pervious methods exported by the interfaces. All + previous methods are still exported and work as normal, but they are + considered deprecated and will not be supported in future releases. +- (Architecture) SFI has been updated to use the new interface methods. +- (Architecture) Changed keyconvet implementation from c to python. +- (Architecture) Slice Manager now attempts looks for a delegated credential + provided by the client before using its own server credential. +- (Archiceture) Slice Interface no longers stores cache of resources on disk. + This cache now exists only in memory and is cleared when service is restarted + or cache lifetime is exceeded. +- (Performance) SliceManager sends request to Aggregates in parallel instead + of sequentially. +- (Bug fix) SFA tickets now support the new rspec format. +- (Bug fix) SFI only uses cahced credential if they aren't expired. +- (Bug fix) Cerdential delegation modified to work with new credential format. +- (Enhancement) SFI -a --aggregatge option now sends requests directly to the + Aggregate instead of relaying through the Slice Manager. +- (Enhancement) Simplified caching. Accociated a global cache instance with + the api handler on every new server request, making it easier to access the + cache and use in more general ways. + +* Thu May 11 2010 Tony Mack - sfa-0.9-11 +- SfaServer now uses a pool of threads to handle requests concurrently +- sfa.util.rspec no longer used to process/manage rspecs (deprecated). This is now handled by sfa.plc.network and is not backwards compatible +- PIs can now get a slice credential for any slice at their site without having to be a member of the slice +- Registry records for federated peers (defined in registries.xml, aggregates.xml) updated when sfa service is started +- Interfaces will try to fetch and install gids from peers listed in registries.xml/aggregates.xml if gid is not found in /etc/sfa/trusted_roots dir +- Component manager does not install gid files if slice already has them +- Server automatically fetches and installs peer certificats (defined in registries/aggregates.xml) when service is restarted. +- fix credential verification exploit (verify that the trusted signer is a parent of the object it it signed) +- made it easier for root authorities to sign their sub's certifiacate using the sfa-ca.py (sfa/server/sfa-ca.py) tool + +* Thu Jan 21 2010 anil vengalil - sfa-0.9-10 +- This tag is quite same as the previous one (sfa-0.9-9) except that the vini and max aggregate managers are also updated for urn support. Other features are: +- - sfa-config-tty now has the same features like plc-config-tty +- - Contains code to support both urn and hrn +- - Cleaned up request_hash related stuff +- - SM, AM and Registry code is organized under respective managers +- - Site and Slice synchronization across federated aggregates +- - Script to generate sfa_component_config + +* Fri Jan 15 2010 anil vengalil - sfa-0.9-9 +- sfa-config-tty now has the same features like plc-config-tty +- Contains code to support both urn and hrn +- Cleaned up request_hash related stuff +- SM, AM and Registry code is organized under respective managers +- Slice synchronization across federated aggregates +- some bugs are fixed + +* Wed Jan 06 2010 Thierry Parmentelat - sfa-0.9-8 +- checkpoint with fewer mentions of geni + +* Tue Jan 05 2010 Thierry Parmentelat - sfa-0.9-7 +- checkpointing +- this is believed to pass the tests; among other things: +- reworked configuration based on the myplc config with xml skeleton (no more sfa_config) + +* Mon Nov 16 2009 anil vengalil - sfa-0.9-6 +- This tag includes: +- - Sfatables +- - Preliminary version of hash based authentication +- - Initial code for Component Manager +- - Authority structure is moved to /var/lib/sfa/ +- - some bug-fixes + +* Fri Oct 09 2009 anil vengalil - sfa-0.9-5 +- Create_slice and get_resources methods are connected to sfatables. +- Other features include compatibility with RP, handling remote objects created as part of federation, preliminary version of sfatables, call tracability and logging. + +* Wed Oct 07 2009 anil vengalil - sfa-0.9-4 +- Bug fix on update and remove_peer_object methods +- Compatibility with RP, preliminiary version of sfatables, call tracability and logging + +* Mon Oct 05 2009 anil vengalil - sfa-0.9-3 +- Compatibility with RP, two additional methods to handle remote objects, call tracability and logging, PLCDB now has single table for sfa records, preliminary version of sfatables (still under development) + +* Fri Sep 18 2009 Thierry Parmentelat - sfa-0.9-2 +- compatibility with RefreshPeer +- incremental mechanism for importing PLC records into SFA tables +- unified single database (still inside the underlying PLC db postgresql server) +- includes/improves call traceability and logging features +- several bug fixes + +* Thu Sep 17 2009 Baris Metin +- added libxslt-python dependency + +* Thu Sep 10 2009 Thierry Parmentelat - sfa-0.9-1 +- unified single SFA database in the PLC-DB +- upcalls from PLCAPI to SFA methods +- SFA call traceability and logging features +- many bug fixes +- includes first/rough version of sfatables for policy implementation + * Thu Jul 23 2009 Thierry Parmentelat - geniwrapper-0.8-6 - snapshot after the GEC5 demo - should be the last tag set in the geniwrapper module, are we are now moving to the sfa module