--- /dev/null
+import os
+import sys
+import datetime
+import time
+import xmlrpclib
+
+from util.geniserver import *
+from util.geniclient import *
+from util.cert import *
+from util.trustedroot import *
+from util.excep import *
+from util.misc import *
+from util.config import Config
+from util.rspec import Rspec
+
+class Aggregate(GeniServer):
+
+ hrn = None
+ components_file = None
+ components_ttl = None
+ components = []
+ whitelist_file = None
+ blacklist_file = None
+ policy = {}
+ timestamp = None
+ threshold = None
+ shell = None
+ registry = None
+
+ ##
+ # Create a new aggregate object.
+ #
+ # @param ip the ip address to listen on
+ # @param port the port to listen on
+ # @param key_file private key filename of registry
+ # @param cert_file certificate filename containing public key (could be a GID file)
+
+ def __init__(self, ip, port, key_file, cert_file, config = "/usr/share/geniwrapper/util/geni_config"):
+ GeniServer.__init__(ip, port, keyfile, cert_file)
+
+ conf = Config(config)
+ basedir = conf.GENI_BASE_DIR + os.sep
+ server_basedir = basedir + os.sep + "plc" + os.sep
+ self.hrn = conf.GENI_INTERFACE_HRN
+ self.components_file = os.sep.join([server_basedir, 'components', hrn + '.comp'])
+ self.whitelist_file = os.sep.join([server_basedir, 'policy', 'whitelist'])
+ self.blacklist_file = os.sep.join([server_basedir, 'policy', 'blacklist'])
+ self.timestamp_file = os.sep.join([server_basedir, 'components', hrn + '.timestamp'])
+ self.components_ttl = components_ttl
+ self.policy['whitelist'] = []
+ self.policy['blacklist'] = []
+ self.connectPLC()
+ self.connectRegistry()
+
+ def connectRegistry(self):
+ """
+ Connect to the registry
+ """
+
+
+ def connectPLC(self):
+ """
+ Connect to the plc api interface. First attempt to impor thte shell, if that fails
+ try to connect to the xmlrpc server.
+ """
+ self.auth = {'Username': conf.GENI_PLC_USER,
+ 'AuthMethod': 'password',
+ 'AuthString': conf.GENI_PLC_PASSWORD}
+
+ try:
+ # try to import PLC.Shell directly
+ sys.path.append(conf.GENI_PLC_SHELL_PATH)
+ import PLC.Shell
+ self.shell = PLC.Shell.Shell(globals())
+ self.shell.AuthCheck()
+ except ImportError:
+ # connect to plc api via xmlrpc
+ plc_host = conf.GENI_PLC_HOST
+ plc_port = conf.GENI_PLC_PORT
+ plc_api_path = conf.GENI_PLC_API_PATH
+ url = "https://%(plc_host)s:%(plc_port)s/%(plc_api_path)s/" % locals()
+ self.auth = {'Username': conf.GENI_PLC_USER,
+ 'AuthMethod': 'password',
+ 'AuthString': conf.GENI_PLC_PASSWORD}
+
+ self.shell = xmlrpclib.Server(url, verbose = 0, allow_none = True)
+ self.shell.AuthCheck(self.auth)
+
+ def hostname_to_hrn(self, login_base, hostname):
+ """
+ Convert hrn to plantelab name.
+ """
+ genihostname = "_".join(hostname.split("."))
+ return ".".join([self.hrn, login_base, genihostname])
+
+ def slicename_to_hrn(self, slicename):
+ """
+ Convert hrn to planetlab name.
+ """
+ slicename = slicename.replace("_", ".")
+ return ".".join([self.hrn, slicename])
+
+ def refresh_components(self):
+ """
+ Update the cached list of nodes.
+ """
+ # resolve component hostnames
+ nodes = self.shell.GetNodes(self.auth, {}, ['hostname', 'site_id'])
+
+ # resolve site login_bases
+ site_ids = [node['site_id'] for node in nodes]
+ sites = self.shell.GetSites(self.auth, site_ids, ['site_id', 'login_base'])
+ site_dict = {}
+ for site in sites:
+ site_dict[site['site_id']] = site['login_base']
+
+ # convert plc names to geni hrn
+ self.components = [self.hostname_to_hrn(site_dict[node['site_id']], node['hostname']) for node in nodes]
+
+ # apply policy. Do not allow nodes found in blacklist, only allow nodes found in whitelist
+ whitelist_policy = lambda node: node in self.policy['whitelist']
+ blacklist_policy = lambda node: node not in self.policy['blacklist']
+
+ if self.policy['blacklist']:
+ self.components = blacklist_policy(self.components)
+ if self.policy['whitelist']:
+ self.components = whitelist_policy(self.components)
+
+ # update timestamp and threshold
+ self.timestamp = datetime.datetime.now()
+ delta = datetime.timedelta(hours=self.components_ttl)
+ self.threshold = self.timestamp + delta
+
+ f = open(self.components_file, 'w')
+ f.write(str(self.components))
+ f.close()
+ f = open(self.timestamp_file, 'w')
+ f.write(str(self.threshold))
+ f.close()
+
+ def load_components(self):
+ """
+ Read cached list of nodes.
+ """
+ # Read component list from cached file
+ if os.path.exists(self.components_file):
+ f = open(self.components_file, 'r')
+ self.components = eval(f.read())
+ f.close()
+
+ time_format = "%Y-%m-%d %H:%M:%S"
+ if os.path.exists(self.timestamp_file):
+ f = open(self.timestamp_file, 'r')
+ timestamp = str(f.read()).split(".")[0]
+ self.timestamp = datetime.datetime.fromtimestamp(time.mktime(time.strptime(timestamp, time_format)))
+ delta = datetime.timedelta(hours=self.components_ttl)
+ self.threshold = self.timestamp + delta
+ f.close()
+
+ def load_policy(self):
+ """
+ Read the list of blacklisted and whitelisted nodes.
+ """
+ whitelist = []
+ blacklist = []
+ if os.path.exists(self.whitelist_file):
+ f = open(self.whitelist_file, 'r')
+ lines = f.readlines()
+ f.close()
+ for line in lines:
+ line = line.strip().replace(" ", "").replace("\n", "")
+ whitelist.extend(line.split(","))
+
+
+ if os.path.exists(self.blacklist_file):
+ f = open(self.blacklist_file, 'r')
+ lines = f.readlines()
+ f.close()
+ for line in lines:
+ line = line.strip().replace(" ", "").replace("\n", "")
+ blacklist.extend(line.split(","))
+
+ self.policy['whitelist'] = whitelist
+ self.policy['blacklist'] = blacklist
+
+ def get_components(self):
+ """
+ Return a list of components at this aggregate.
+ """
+ # Reload components list
+ now = datetime.datetime.now()
+ #self.load_components()
+ if not self.threshold or not self.timestamp or now > self.threshold:
+ self.refresh_components()
+ elif now < self.threshold and not self.components:
+ self.load_components()
+ return self.components
+
+ def get_rspec(self, hrn, type):
+ rspec = Rspec()
+ rspec['nodespec'] = {'name': self.conf.GENI_INTERFACE_HRN}
+ rsepc['nodespec']['nodes'] = []
+ if type in ['node']:
+ nodes = self.shell.GetNodes(self.auth)
+ elif type in ['slice']:
+ slicename = hrn_to_pl_slicename(hrn)
+ slices = self.shell.GetSlices(self.auth, [slicename])
+ node_ids = slices[0]['node_ids']
+ nodes = self.shell.GetNodes(self.auth, node_ids)
+ for node in nodes:
+ nodespec = {'name': node['hostname'], 'type': 'std'}
+ elif type in ['aggregate']:
+ pass
+
+ return rspec
+
+ def get_resources(self, slice_hrn):
+ """
+ Return the current rspec for the specified slice.
+ """
+ slicename = hrn_to_plcslicename(slice_hrn)
+ rspec = self.get_rspec(slicenamem, 'slice')
+
+ return rspec
+
+ def create_slice(self, slice_hrn, rspec, attributes = []):
+ """
+ Instantiate the specified slice according to whats defined in the rspec.
+ """
+ slicename = self.hrn_to_plcslicename(slice_hrn)
+ spec = Rspec(rspec)
+ nodespecs = spec.getDictsByTagName('NodeSpec')
+ nodes = [nodespec['name'] for nodespec in nodespecs]
+ self.shell.AddSliceToNodes(self.auth, slicename, nodes)
+ for attribute in attributes:
+ type, value, node, nodegroup = attribute['type'], attribute['value'], attribute['node'], attribute['nodegroup']
+ shell.AddSliceAttribute(self.auth, slicename, type, value, node, nodegroup)
+
+ # XX contact the registry to get the list of users on this slice and
+ # their keys.
+ #slice_record = self.registry.resolve(slice_hrn)
+ #person_records = slice_record['users']
+ # for person in person_record:
+ # email = person['email']
+ # self.shell.AddPersonToSlice(self.auth, email, slicename)
+
+
+ return 1
+
+ def update_slice(self, slice_hrn, rspec, attributes = []):
+ """
+ Update the specified slice.
+ """
+ # Get slice info
+ slicename = self.hrn_to_plcslicename(slice_hrn)
+ slices = self.shell.GetSlices(self.auth, [slicename], ['node_ids'])
+ if not slice:
+ raise RecordNotFound(slice_hrn)
+ slice = slices[0]
+
+ # find out where this slice is currently running
+ nodes = self.shell.GetNodes(self.auth, slice['node_ids'], ['hostname'])
+ hostnames = [node['hostname'] for node in nodes]
+
+ # get netspec details
+ spec = Rspec(rspec)
+ nodespecs = spec.getDictsByTagName('NodeSpec')
+ nodes = [nodespec['name'] for nodespec in nodespecs]
+ # remove nodes not in rspec
+ delete_nodes = set(hostnames).difference(nodes)
+ # add nodes from rspec
+ added_nodes = set(nodes).difference(hostnames)
+
+ shell.AddSliceToNodes(self.auth, slicename, added_nodes)
+ shell.DeleteSliceFromNodes(self.auth, slicename, deleted_nodes)
+
+ for attribute in attributes:
+ type, value, node, nodegroup = attribute['type'], attribute['value'], attribute['node'], attribute['nodegroup']
+ shell.AddSliceAttribute(self.auth, slicename, type, value, node, nodegroup)
+
+ # contact registry to get slice users and add them to the slice
+ # slice_record = self.registry.resolve(slice_hrn)
+ # persons = slice_record['users']
+
+ #for person in persons:
+ # shell.AddPersonToSlice(person['email'], slice_name)
+ def delete_slice_(self, slice_hrn):
+ """
+ Remove this slice from all components it was previouly associated with and
+ free up the resources it was using.
+ """
+ slicename = self.hrn_to_plcslicename(slice_hrn)
+ slices = shell.GetSlices(self.auth, [slicename])
+ if not slice:
+ raise RecordNotFound(slice_hrn)
+ slice = slices[0]
+
+ shell.DeleteSliceFromNodes(self.auth, slicename, slice['node_ids'])
+ return 1
+
+ def start_slice(self, slice_hrn):
+ """
+ Stop the slice at plc.
+ """
+ slicename = hrn_to_plcslicename(slice_hrn)
+ slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id'])
+ if not slices:
+ raise RecordNotFound(slice_hrn)
+ slice_id = slices[0]
+ atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id'])
+ attribute_id = attreibutes[0]
+ self.shell.UpdateSliceAttribute(self.auth, attribute_id, "1" )
+ return 1
+
+ def stop_slice(self, slice_hrn):
+ """
+ Stop the slice at plc
+ """
+ slicename = hrn_to_plcslicename(slice_hrn)
+ slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id'])
+ if not slices:
+ raise RecordNotFound(slice_hrn)
+ slice_id = slices[0]
+ atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id'])
+ attribute_id = attreibutes[0]
+ self.shell.UpdateSliceAttribute(self.auth, attribute_id, "0")
+ return 1
+
+
+ def reset_slice(self, slice_hrn):
+ """
+ Reset the slice
+ """
+ slicename = self.hrn_to_plcslicename(slice_hrn)
+ return 1
+
+ def get_policy(self):
+ """
+ Return this aggregates policy.
+ """
+
+ return self.policy
+
+
+
+##############################
+## Server methods here for now
+##############################
+
+ def nodes(self):
+ return self..get_components()
+
+ #def slices(self):
+ # return self.get_slices()
+
+ def resources(self, cred, hrn):
+ self.decode_authentication(cred, 'info')
+ self.verify_object_belongs_to_me(hrn)
+
+ return self.get_resources(hrn)
+
+ def create(self, cred, hrn, rspec):
+ self.decode_authentication(cred, 'embed')
+ self.verify_object_belongs_to_me(hrn)
+ return self.create(hrn)
+
+ def update(self, cred, hrn, rspec):
+ self.decode_authentication(cred, 'embed')
+ self.verify_object_belongs_to_me(hrn)
+ return self.update(hrn)
+
+ def delete(self, cred, hrn):
+ self.decode_authentication(cred, 'embed')
+ self.verify_object_belongs_to_me(hrn)
+ return self.delete_slice(hrn)
+
+ def start(self, cred, hrn):
+ self.decode_authentication(cred, 'control')
+ return self.start(hrn)
+
+ def stop(self, cred, hrn):
+ self.decode_authentication(cred, 'control')
+ return self.stop(hrn)
+
+ def reset(self, cred, hrn):
+ self.decode_authentication(cred, 'control')
+ return self.reset(hrn)
+
+ def policy(self, cred):
+ self.decode_authentication(cred, 'info')
+ return self.get_policy()
+
+ def register_functions(self):
+ GeniServer.register_functions(self)
+
+ # Aggregate interface methods
+ self.server.register_function(self.components)
+ #self.server.register_function(self.slices)
+ self.server.register_function(self.resources)
+ self.server.register_function(self.create)
+ self.server.register_function(self.delete)
+ self.server.register_function(self.start)
+ self.server.register_function(self.stop)
+ self.server.register_function(self.reset)
+ self.server.register_function(self.policy)
+
--- /dev/null
+##
+# Import PLC records into the Geni database. It is indended that this tool be
+# run once to create Geni records that reflect the current state of the
+# planetlab database.
+#
+# The import tool assumes that the existing PLC hierarchy should all be part
+# of "planetlab.us" (see the root_auth and level1_auth variables below).
+#
+# Public keys are extracted from the users' SSH keys automatically and used to
+# create GIDs. This is relatively experimental as a custom tool had to be
+# written to perform conversion from SSH to OpenSSL format. It only supports
+# RSA keys at this time, not DSA keys.
+##
+
+import getopt
+import sys
+import tempfile
+
+from cert import *
+from trustedroot import *
+from hierarchy import *
+from record import *
+from genitable import *
+from misc import *
+
+shell = None
+
+##
+# Two authorities are specified: the root authority and the level1 authority.
+
+root_auth = "planetlab"
+level1_auth = "planetlab.us"
+
+
+def un_unicode(str):
+ if isinstance(str, unicode):
+ return str.encode("ascii", "ignore")
+ else:
+ return str
+
+def cleanup_string(str):
+ # pgsql has a fit with strings that have high ascii in them, so filter it
+ # out when generating the hrns.
+ tmp = ""
+ for c in str:
+ if ord(c) < 128:
+ tmp = tmp + c
+ str = tmp
+
+ str = un_unicode(str)
+ str = str.replace(" ", "_")
+ str = str.replace(".", "_")
+ str = str.replace("(", "_")
+ str = str.replace("'", "_")
+ str = str.replace(")", "_")
+ str = str.replace('"', "_")
+ return str
+
+def process_options():
+ global hrn
+
+ (options, args) = getopt.getopt(sys.argv[1:], '', [])
+ for opt in options:
+ name = opt[0]
+ val = opt[1]
+
+def connect_shell():
+ global pl_auth, shell
+
+ # get PL account settings from config module
+ pl_auth = get_pl_auth()
+
+ # connect to planetlab
+ if "Url" in pl_auth:
+ import remoteshell
+ shell = remoteshell.RemoteShell()
+ else:
+ import PLC.Shell
+ shell = PLC.Shell.Shell(globals = globals())
+
+def get_auth_table(auth_name):
+ AuthHierarchy = Hierarchy()
+ auth_info = AuthHierarchy.get_auth_info(auth_name)
+
+ table = GeniTable(hrn=auth_name,
+ cninfo=auth_info.get_dbinfo())
+
+ # if the table doesn't exist, then it means we haven't put any records
+ # into this authority yet.
+
+ if not table.exists():
+ report.trace("Import: creating table for authority " + auth_name)
+ table.create()
+
+ return table
+
+def get_pl_pubkey(key_id):
+ keys = shell.GetKeys(pl_auth, [key_id])
+ if keys:
+ key_str = keys[0]['key']
+
+ if "ssh-dss" in key_str:
+ print "XXX: DSA key encountered, ignoring"
+ return None
+
+ # generate temporary files to hold the keys
+ (ssh_f, ssh_fn) = tempfile.mkstemp()
+ ssl_fn = tempfile.mktemp()
+
+ os.write(ssh_f, key_str)
+ os.close(ssh_f)
+
+ cmd = "../keyconvert/keyconvert " + ssh_fn + " " + ssl_fn
+ print cmd
+ os.system(cmd)
+
+ # this check leaves the temporary file containing the public key so
+ # that it can be expected to see why it failed.
+ # TODO: for production, cleanup the temporary files
+ if not os.path.exists(ssl_fn):
+ report.trace(" failed to convert key from " + ssh_fn + " to " + ssl_fn)
+ return None
+
+ k = Keypair()
+ try:
+ k.load_pubkey_from_file(ssl_fn)
+ except:
+ print "XXX: Error while converting key: ", key_str
+ k = None
+
+ # remove the temporary files
+ os.remove(ssh_fn)
+ os.remove(ssl_fn)
+
+ return k
+ else:
+ return None
+
+def person_to_hrn(parent_hrn, person):
+ personname = person['last_name'] + "_" + person['first_name']
+
+ personname = cleanup_string(personname)
+
+ hrn = parent_hrn + "." + personname
+ return hrn
+
+def import_person(parent_hrn, person):
+ AuthHierarchy = Hierarchy()
+ hrn = person_to_hrn(parent_hrn, person)
+
+ # ASN.1 will have problems with hrn's longer than 64 characters
+ if len(hrn) > 64:
+ hrn = hrn[:64]
+
+ report.trace("Import: importing person " + hrn)
+
+ table = get_auth_table(parent_hrn)
+
+ person_record = table.resolve("user", hrn)
+ if not person_record:
+ key_ids = person["key_ids"]
+
+ if key_ids:
+ # get the user's private key from the SSH keys they have uploaded
+ # to planetlab
+ pkey = get_pl_pubkey(key_ids[0])
+ else:
+ # the user has no keys
+ report.trace(" person " + hrn + " does not have a PL public key")
+ pkey = None
+
+ # if a key is unavailable, then we still need to put something in the
+ # user's GID. So make one up.
+ if not pkey:
+ pkey = Keypair(create=True)
+
+ person_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey)
+ person_record = GeniRecord(name=hrn, gid=person_gid, type="user", pointer=person['person_id'])
+ report.trace(" inserting user record for " + hrn)
+ table.insert(person_record)
+ else:
+ key_ids = person["key_ids"]
+ if key_ids:
+ pkey = get_pl_pubkey(key_ids[0])
+ person_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey)
+ person_record = GeniRecord(name=hrn, gid=person_gid, type="user", pointer=person['person_id'])
+ report.trace(" updating user record for " + hrn)
+ table.update(person_record)
+
+def import_slice(parent_hrn, slice):
+ AuthHierarchy = Hierarchy()
+ slicename = slice['name'].split("_",1)[-1]
+ slicename = cleanup_string(slicename)
+
+ if not slicename:
+ report.error("Import_Slice: failed to parse slice name " + slice['name'])
+ return
+
+ hrn = parent_hrn + "." + slicename
+ report.trace("Import: importing slice " + hrn)
+
+ table = get_auth_table(parent_hrn)
+
+ slice_record = table.resolve("slice", hrn)
+ if not slice_record:
+ pkey = Keypair(create=True)
+ slice_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey)
+ slice_record = GeniRecord(name=hrn, gid=slice_gid, type="slice", pointer=slice['slice_id'])
+ report.trace(" inserting slice record for " + hrn)
+ table.insert(slice_record)
+
+def import_node(parent_hrn, node):
+ AuthHierarchy = Hierarchy()
+ nodename = node['hostname']
+ nodename = cleanup_string(nodename)
+
+ if not nodename:
+ report.error("Import_node: failed to parse node name " + node['hostname'])
+ return
+
+ hrn = parent_hrn + "." + nodename
+
+ # ASN.1 will have problems with hrn's longer than 64 characters
+ if len(hrn) > 64:
+ hrn = hrn[:64]
+
+ report.trace("Import: importing node " + hrn)
+
+ table = get_auth_table(parent_hrn)
+
+ node_record = table.resolve("node", hrn)
+ if not node_record:
+ pkey = Keypair(create=True)
+ node_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey)
+ node_record = GeniRecord(name=hrn, gid=node_gid, type="node", pointer=node['node_id'])
+ report.trace(" inserting node record for " + hrn)
+ table.insert(node_record)
+
+def import_site(parent_hrn, site):
+ AuthHierarchy = Hierarchy()
+ sitename = site['login_base']
+ sitename = cleanup_string(sitename)
+
+ hrn = parent_hrn + "." + sitename
+
+ report.trace("Import_Site: importing site " + hrn)
+
+ # create the authority
+ if not AuthHierarchy.auth_exists(hrn):
+ AuthHierarchy.create_auth(hrn)
+
+ auth_info = AuthHierarchy.get_auth_info(hrn)
+
+ table = get_auth_table(parent_hrn)
+
+ sa_record = table.resolve("sa", hrn)
+ if not sa_record:
+ sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=site['site_id'])
+ report.trace(" inserting sa record for " + hrn)
+ table.insert(sa_record)
+
+ ma_record = table.resolve("ma", hrn)
+ if not ma_record:
+ ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=site['site_id'])
+ report.trace(" inserting ma record for " + hrn)
+ table.insert(ma_record)
+
+ for person_id in site['person_ids']:
+ persons = shell.GetPersons(pl_auth, [person_id])
+ if persons:
+ import_person(hrn, persons[0])
+
+ for slice_id in site['slice_ids']:
+ slices = shell.GetSlices(pl_auth, [slice_id])
+ if slices:
+ import_slice(hrn, slices[0])
+
+ for node_id in site['node_ids']:
+ nodes = shell.GetNodes(pl_auth, [node_id])
+ if nodes:
+ import_node(hrn, nodes[0])
+
+def create_top_level_auth_records(hrn):
+ parent_hrn = get_authority(hrn)
+ print hrn, ":", parent_hrn
+ auth_info = AuthHierarchy.get_auth_info(parent_hrn)
+ table = get_auth_table(parent_hrn)
+
+ sa_record = table.resolve("sa", hrn)
+ if not sa_record:
+ sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=-1)
+ report.trace(" inserting sa record for " + hrn)
+ table.insert(sa_record)
+
+ ma_record = table.resolve("ma", hrn)
+ if not ma_record:
+ ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=-1)
+ report.trace(" inserting ma record for " + hrn)
+ table.insert(ma_record)
+
+def main():
+ global AuthHierarchy
+ global TrustedRoots
+
+ process_options()
+
+ AuthHierarchy = Hierarchy()
+ TrustedRoots = TrustedRootList()
+
+ print "Import: creating top level authorities"
+
+ if not AuthHierarchy.auth_exists(root_auth):
+ AuthHierarchy.create_auth(root_auth)
+ #create_top_level_auth_records(root_auth)
+ if not AuthHierarchy.auth_exists(level1_auth):
+ AuthHierarchy.create_auth(level1_auth)
+ create_top_level_auth_records(level1_auth)
+
+ print "Import: adding", root_auth, "to trusted list"
+ root = AuthHierarchy.get_auth_info(root_auth)
+ TrustedRoots.add_gid(root.get_gid_object())
+
+ connect_shell()
+
+ sites = shell.GetSites(pl_auth)
+ for site in sites:
+ import_site(level1_auth, site)
+
+if __name__ == "__main__":
+ main()
--- /dev/null
+##
+# Delete all the database records for Geni. This tool is used to clean out Geni
+# records during testing.
+#
+# Authority info (maintained by the hierarchy module in a subdirectory tree)
+# is not purged by this tool and may be deleted by a command like 'rm'.
+##
+
+import getopt
+import sys
+
+from hierarchy import *
+from record import *
+from genitable import *
+from config import *
+
+def process_options():
+ global hrn
+
+ (options, args) = getopt.getopt(sys.argv[1:], '', [])
+ for opt in options:
+ name = opt[0]
+ val = opt[1]
+
+def main():
+ process_options()
+
+ print "purging geni records from database"
+ geni_records_purge(get_default_dbinfo())
+
+if __name__ == "__main__":
+ main()
--- /dev/null
+##
+# GENI PLC Wrapper
+#
+# This wrapper implements the Geni Registry and Slice Interfaces on PLC.
+# Depending on command line options, it starts some combination of a
+# Registry, an Aggregate Manager, and a Slice Manager.
+#
+# There are several items that need to be done before starting the wrapper
+# server.
+#
+# NOTE: Many configuration settings, including the PLC maintenance account
+# credentials, URI of the PLCAPI, and PLC DB URI and admin credentials are initialized
+# from your MyPLC configuration (/etc/planetlab/plc_config*). Please make sure this information
+# is up to date and accurate.
+#
+# 1) Import the existing planetlab database, creating the
+# appropriate geni records. This is done by running the "import.py" tool.
+#
+# 2) Create a "trusted_roots" directory and place the certificate of the root
+# authority in that directory. Given the defaults in import.py, this
+# certificate would be named "planetlab.gid". For example,
+#
+# mkdir trusted_roots; cp authorities/planetlab.gid trusted_roots/
+#
+# TODO: Can all three servers use the same "registry" certificate?
+##
+
+# TCP ports for the three servers
+registry_port=12345
+aggregate_port=12346
+slicemgr_port=12347
+
+import os, os.path
+from optparse import OptionParser
+
+from util.hierarchy import Hierarchy
+from util.trustedroot import TrustedRootList
+from util.cert import Keypair, Certificate
+from registry import Registry
+#from aggregate import Aggregate
+from slicemgr import SliceMgr
+
+def main():
+ global AuthHierarchy
+ global TrustedRoots
+ global registry_port
+ global aggregate_port
+ global slicemgr_port
+
+ # Generate command line parser
+ parser = OptionParser(usage="plc [options]")
+ parser.add_option("-r", "--registry", dest="registry", action="store_true",
+ help="run registry server", default=False)
+ parser.add_option("-s", "--slicemgr", dest="sm", action="store_true",
+ help="run slice manager", default=False)
+ parser.add_option("-a", "--aggregate", dest="am", action="store_true",
+ help="run aggregate manager", default=False)
+ parser.add_option("-v", "--verbose", dest="verbose", action="store_true",
+ help="verbose mode", default=False)
+ (options, args) = parser.parse_args()
+
+ key_file = "server.key"
+ cert_file = "server.cert"
+
+ # if no key is specified, then make one up
+ if (not os.path.exists(key_file)) or (not os.path.exists(cert_file)):
+ key = Keypair(create=True)
+ key.save_to_file(key_file)
+
+ cert = Certificate(subject="registry")
+ cert.set_issuer(key=key, subject="registry")
+ cert.set_pubkey(key)
+ cert.sign()
+ cert.save_to_file(cert_file)
+
+ AuthHierarchy = Hierarchy()
+
+ TrustedRoots = TrustedRootList()
+
+ # start registry server
+ if (options.registry):
+ r = Registry("", registry_port, key_file, cert_file)
+ r.trusted_cert_list = TrustedRoots.get_list()
+ r.hierarchy = AuthHierarchy
+ r.start()
+
+ # start aggregate manager
+ if (options.am):
+ a = Aggregate("", aggregate_port, key_file, cert_file)
+ a.trusted_cert_list = TrustedRoots.get_list()
+ a.start()
+
+ # start slice manager
+ if (options.sm):
+ s = SliceMgr("", slicemgr_port, key_file, cert_file)
+ s.trusted_cert_list = TrustedRoots.get_list()
+ s.start()
+
+if __name__ == "__main__":
+ main()
--- /dev/null
+##
+# Registry is a GeniServer that implements the Registry interface
+
+import tempfile
+import os
+import time
+import sys
+
+from util.credential import Credential
+from util.hierarchy import Hierarchy
+from util.trustedroot import TrustedRootList
+from util.cert import Keypair, Certificate
+from util.gid import GID, create_uuid
+from util.geniserver import GeniServer
+from util.record import GeniRecord
+from util.rights import RightList
+from util.genitable import GeniTable
+from util.geniticket import Ticket
+from util.excep import *
+from util.misc import *
+
+from util.config import *
+
+##
+# Convert geni fields to PLC fields for use when registering up updating
+# registry record in the PLC database
+#
+# @param type type of record (user, slice, ...)
+# @param hrn human readable name
+# @param geni_fields dictionary of geni fields
+# @param pl_fields dictionary of PLC fields (output)
+
+def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields):
+ if type == "user":
+ if not "email" in pl_fields:
+ if not "email" in geni_fields:
+ raise MissingGeniInfo("email")
+ pl_fields["email"] = geni_fields["email"]
+
+ if not "first_name" in pl_fields:
+ pl_fields["first_name"] = "geni"
+
+ if not "last_name" in pl_fields:
+ pl_fields["last_name"] = hrn
+
+ elif type == "slice":
+ if not "instantiation" in pl_fields:
+ pl_fields["instantiation"] = "delegated" # "plc-instantiated"
+ if not "name" in pl_fields:
+ pl_fields["name"] = hrn_to_pl_slicename(hrn)
+ if not "max_nodes" in pl_fields:
+ pl_fields["max_nodes"] = 10
+
+ elif type == "node":
+ if not "hostname" in pl_fields:
+ if not "dns" in geni_fields:
+ raise MissingGeniInfo("dns")
+ pl_fields["hostname"] = geni_fields["dns"]
+
+ if not "model" in pl_fields:
+ pl_fields["model"] = "geni"
+
+ elif type == "sa":
+ pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
+
+ if not "name" in pl_fields:
+ pl_fields["name"] = hrn
+
+ if not "abbreviated_name" in pl_fields:
+ pl_fields["abbreviated_name"] = hrn
+
+ if not "enabled" in pl_fields:
+ pl_fields["enabled"] = True
+
+ if not "is_public" in pl_fields:
+ pl_fields["is_public"] = True
+
+##
+# Registry is a GeniServer that serves registry and slice operations at PLC.
+
+class Registry(GeniServer):
+ ##
+ # Create a new registry object.
+ #
+ # @param ip the ip address to listen on
+ # @param port the port to listen on
+ # @param key_file private key filename of registry
+ # @param cert_file certificate filename containing public key (could be a GID file)
+
+ def __init__(self, ip, port, key_file, cert_file):
+ GeniServer.__init__(self, ip, port, key_file, cert_file)
+
+ # get PL account settings from config module
+ self.pl_auth = get_pl_auth()
+
+ # connect to planetlab
+ if "Url" in self.pl_auth:
+ self.connect_remote_shell()
+ else:
+ self.connect_local_shell()
+
+ ##
+ # Connect to a remote shell via XMLRPC
+
+ def connect_remote_shell(self):
+ import remoteshell
+ self.shell = remoteshell.RemoteShell()
+
+ ##
+ # Connect to a local shell via local API functions
+
+ def connect_local_shell(self):
+ import PLC.Shell
+ self.shell = PLC.Shell.Shell(globals = globals())
+
+ ##
+ # Register the server RPCs for the registry
+
+ def register_functions(self):
+ GeniServer.register_functions(self)
+ # registry interface
+ self.server.register_function(self.create_gid)
+ self.server.register_function(self.get_self_credential)
+ self.server.register_function(self.get_credential)
+ self.server.register_function(self.get_gid)
+ self.server.register_function(self.register)
+ self.server.register_function(self.remove)
+ self.server.register_function(self.update)
+ self.server.register_function(self.list)
+ self.server.register_function(self.resolve)
+
+ ##
+ # Given an authority name, return the information for that authority. This
+ # is basically a stub that calls the hierarchy module.
+ #
+ # @param auth_hrn human readable name of authority
+
+ def get_auth_info(self, auth_hrn):
+ return self.hierarchy.get_auth_info(auth_hrn)
+
+ ##
+ # Given an authority name, return the database table for that authority. If
+ # the database table does not exist, then one will be automatically
+ # created.
+ #
+ # @param auth_name human readable name of authority
+
+ def get_auth_table(self, auth_name):
+ auth_info = self.get_auth_info(auth_name)
+
+ table = GeniTable(hrn=auth_name,
+ cninfo=auth_info.get_dbinfo())
+
+ # if the table doesn't exist, then it means we haven't put any records
+ # into this authority yet.
+
+ if not table.exists():
+ print "Registry: creating table for authority", auth_name
+ table.create()
+
+ return table
+
+ ##
+ # Verify that an authority belongs to this registry. This is basically left
+ # up to the implementation of the hierarchy module. If the specified name
+ # does not belong to this registry, an exception is thrown indicating the
+ # caller should contact someone else.
+ #
+ # @param auth_name human readable name of authority
+
+ def verify_auth_belongs_to_me(self, name):
+ # get_auth_info will throw an exception if the authority does not
+ # exist
+ self.get_auth_info(name)
+
+ ##
+ # Verify that an object belongs to this registry. By extension, this implies
+ # that the authority that owns the object belongs to this registry. If the
+ # object does not belong to this registry, then an exception is thrown.
+ #
+ # @param name human readable name of object
+
+ def verify_object_belongs_to_me(self, name):
+ auth_name = get_authority(name)
+ if not auth_name:
+ # the root authority belongs to the registry by default?
+ # TODO: is this true?
+ return
+ self.verify_auth_belongs_to_me(auth_name)
+
+ ##
+ # Verify that the object_gid that was specified in the credential allows
+ # permission to the object 'name'. This is done by a simple prefix test.
+ # For example, an object_gid for planetlab.us.arizona would match the
+ # objects planetlab.us.arizona.slice1 and planetlab.us.arizona.
+ #
+ # @param name human readable name to test
+
+ def verify_object_permission(self, name):
+ object_hrn = self.object_gid.get_hrn()
+ if object_hrn == name:
+ return
+ if name.startswith(object_hrn + "."):
+ return
+ raise PermissionError(name)
+
+ ##
+ # Fill in the planetlab-specific fields of a Geni record. This involves
+ # calling the appropriate PLC methods to retrieve the database record for
+ # the object.
+ #
+ # PLC data is filled into the pl_info field of the record.
+ #
+ # @param record record to fill in fields (in/out param)
+
+ def fill_record_pl_info(self, record):
+ type = record.get_type()
+ pointer = record.get_pointer()
+
+ # records with pointer==-1 do not have plc info associated with them.
+ # for example, the top level authority records which are
+ # authorities, but not PL "sites"
+ if pointer == -1:
+ record.set_pl_info({})
+ return
+
+ if (type == "sa") or (type == "ma"):
+ pl_res = self.shell.GetSites(self.pl_auth, [pointer])
+ elif (type == "slice"):
+ pl_res = self.shell.GetSlices(self.pl_auth, [pointer])
+ elif (type == "user"):
+ pl_res = self.shell.GetPersons(self.pl_auth, [pointer])
+ elif (type == "node"):
+ pl_res = self.shell.GetNodes(self.pl_auth, [pointer])
+ else:
+ raise UnknownGeniType(type)
+
+ if not pl_res:
+ # the planetlab record no longer exists
+ # TODO: delete the geni record ?
+ raise PlanetLabRecordDoesNotExist(record.get_name())
+
+ record.set_pl_info(pl_res[0])
+
+ ##
+ # Look up user records given PLC user-ids. This is used as part of the
+ # process for reverse-mapping PLC records into Geni records.
+ #
+ # @param auth_table database table for the authority that holds the user records
+ # @param user_id_list list of user ids
+ # @param role either "*" or a string describing the role to look for ("pi", "user", ...)
+ #
+ # TODO: This function currently only searches one authority because it would
+ # be inefficient to brute-force search all authorities for a user id. The
+ # solution would likely be to implement a reverse mapping of user-id to
+ # (type, hrn) pairs.
+
+ def lookup_users(self, auth_table, user_id_list, role="*"):
+ record_list = []
+ for person_id in user_id_list:
+ user_records = auth_table.find("user", person_id, "pointer")
+ for user_record in user_records:
+ self.fill_record_info(user_record)
+
+ user_roles = user_record.get_pl_info().get("roles")
+ if (role=="*") or (role in user_roles):
+ record_list.append(user_record.get_name())
+ return record_list
+
+ ##
+ # Fill in the geni-specific fields of the record.
+ #
+ # Note: It is assumed the fill_record_pl_info() has already been performed
+ # on the record.
+
+ def fill_record_geni_info(self, record):
+ geni_info = {}
+ type = record.get_type()
+
+ if (type == "slice"):
+ auth_table = self.get_auth_table(get_authority(record.get_name()))
+ person_ids = record.pl_info.get("person_ids", [])
+ researchers = self.lookup_users(auth_table, person_ids)
+ geni_info['researcher'] = researchers
+
+ elif (type == "sa"):
+ auth_table = self.get_auth_table(record.get_name())
+ person_ids = record.pl_info.get("person_ids", [])
+ pis = self.lookup_users(auth_table, person_ids, "pi")
+ geni_info['pi'] = pis
+ # TODO: OrganizationName
+
+ elif (type == "ma"):
+ auth_table = self.get_auth_table(record.get_name())
+ person_ids = record.pl_info.get("person_ids", [])
+ operators = self.lookup_users(auth_table, person_ids, "tech")
+ geni_info['operator'] = operators
+ # TODO: OrganizationName
+
+ auth_table = self.get_auth_table(record.get_name())
+ person_ids = record.pl_info.get("person_ids", [])
+ owners = self.lookup_users(auth_table, person_ids, "admin")
+ geni_info['owner'] = owners
+
+ elif (type == "node"):
+ geni_info['dns'] = record.pl_info.get("hostname", "")
+ # TODO: URI, LatLong, IP, DNS
+
+ elif (type == "user"):
+ geni_info['email'] = record.pl_info.get("email", "")
+ # TODO: PostalAddress, Phone
+
+ record.set_geni_info(geni_info)
+
+ ##
+ # Given a Geni record, fill in the PLC-specific and Geni-specific fields
+ # in the record.
+
+ def fill_record_info(self, record):
+ self.fill_record_pl_info(record)
+ self.fill_record_geni_info(record)
+
+ ##
+ # GENI API: register
+ #
+ # Register an object with the registry. In addition to being stored in the
+ # Geni database, the appropriate records will also be created in the
+ # PLC databases
+ #
+ # @param cred credential string
+ # @param record_dict dictionary containing record fields
+
+ def register(self, cred, record_dict):
+ self.decode_authentication(cred, "register")
+
+ record = GeniRecord(dict = record_dict)
+ type = record.get_type()
+ name = record.get_name()
+
+ auth_name = get_authority(name)
+ self.verify_object_permission(auth_name)
+ auth_info = self.get_auth_info(auth_name)
+ table = self.get_auth_table(auth_name)
+
+ pkey = None
+
+ # check if record already exists
+ existing_records = table.resolve(type, name)
+ if existing_records:
+ raise ExistingRecord(name)
+
+ if (type == "sa") or (type=="ma"):
+ # update the tree
+ if not self.hierarchy.auth_exists(name):
+ self.hierarchy.create_auth(name)
+
+ # authorities are special since they are managed by the registry
+ # rather than by the caller. We create our own GID for the
+ # authority rather than relying on the caller to supply one.
+
+ # get the GID from the newly created authority
+ child_auth_info = self.get_auth_info(name)
+ gid = auth_info.get_gid_object()
+ record.set_gid(gid.save_to_string(save_parents=True))
+
+ geni_fields = record.get_geni_info()
+ site_fields = record.get_pl_info()
+
+ # if registering a sa, see if a ma already exists
+ # if registering a ma, see if a sa already exists
+ if (type == "sa"):
+ other_rec = table.resolve("ma", record.get_name())
+ elif (type == "ma"):
+ other_rec = table.resolve("sa", record.get_name())
+
+ if other_rec:
+ print "linking ma and sa to the same plc site"
+ pointer = other_rec[0].get_pointer()
+ else:
+ geni_fields_to_pl_fields(type, name, geni_fields, site_fields)
+ print "adding site with fields", site_fields
+ pointer = self.shell.AddSite(self.pl_auth, site_fields)
+
+ record.set_pointer(pointer)
+
+ elif (type == "slice"):
+ geni_fields = record.get_geni_info()
+ slice_fields = record.get_pl_info()
+
+ geni_fields_to_pl_fields(type, name, geni_fields, slice_fields)
+
+ pointer = self.shell.AddSlice(self.pl_auth, slice_fields)
+ record.set_pointer(pointer)
+
+ elif (type == "user"):
+ geni_fields = record.get_geni_info()
+ user_fields = record.get_pl_info()
+
+ geni_fields_to_pl_fields(type, name, geni_fields, user_fields)
+
+ pointer = self.shell.AddPerson(self.pl_auth, user_fields)
+ record.set_pointer(pointer)
+
+ elif (type == "node"):
+ geni_fields = record.get_geni_info()
+ node_fields = record.get_pl_info()
+
+ geni_fields_to_pl_fields(type, name, geni_fields, node_fields)
+
+ login_base = hrn_to_pl_login_base(auth_name)
+
+ print "calling addnode with", login_base, node_fields
+ pointer = self.shell.AddNode(self.pl_auth, login_base, node_fields)
+ record.set_pointer(pointer)
+
+ else:
+ raise UnknownGeniType(type)
+
+ table.insert(record)
+
+ return record.get_gid_object().save_to_string(save_parents=True)
+
+ ##
+ # GENI API: remove
+ #
+ # Remove an object from the registry. If the object represents a PLC object,
+ # then the PLC records will also be removed.
+ #
+ # @param cred credential string
+ # @param record_dict dictionary containing record fields. The only relevant
+ # fields of the record are 'name' and 'type', which are used to lookup
+ # the current copy of the record in the Geni database, to make sure
+ # that the appopriate record is removed.
+
+ def remove(self, cred, type, hrn):
+ self.decode_authentication(cred, "remove")
+
+ self.verify_object_permission(hrn)
+
+ auth_name = get_authority(hrn)
+ table = self.get_auth_table(auth_name)
+
+ record_list = table.resolve(type, hrn)
+ if not record_list:
+ raise RecordNotFound(name)
+ record = record_list[0]
+
+ # TODO: sa, ma
+ if type == "user":
+ self.shell.DeletePerson(self.pl_auth, record.get_pointer())
+ elif type == "slice":
+ self.shell.DeleteSlice(self.pl_auth, record.get_pointer())
+ elif type == "node":
+ self.shell.DeleteNode(self.pl_auth, record.get_pointer())
+ elif (type == "sa") or (type == "ma"):
+ if (type == "sa"):
+ other_rec = table.resolve("ma", record.get_name())
+ elif (type == "ma"):
+ other_rec = table.resolve("sa", record.get_name())
+
+ if other_rec:
+ # sa and ma both map to a site, so if we are deleting one
+ # but the other still exists, then do not delete the site
+ print "not removing site", record.get_name(), "because either sa or ma still exists"
+ pass
+ else:
+ print "removing site", record.get_name()
+ self.shell.DeleteSite(self.pl_auth, record.get_pointer())
+ else:
+ raise UnknownGeniType(type)
+
+ table.remove(record)
+
+ return True
+
+ ##
+ # GENI API: Register
+ #
+ # Update an object in the registry. Currently, this only updates the
+ # PLC information associated with the record. The Geni fields (name, type,
+ # GID) are fixed.
+ #
+ # The record is expected to have the pl_info field filled in with the data
+ # that should be updated.
+ #
+ # TODO: The geni_info member of the record should be parsed and the pl_info
+ # adjusted as necessary (add/remove users from a slice, etc)
+ #
+ # @param cred credential string specifying rights of the caller
+ # @param record a record dictionary to be updated
+
+ def update(self, cred, record_dict):
+ self.decode_authentication(cred, "update")
+
+ record = GeniRecord(dict = record_dict)
+ type = record.get_type()
+
+ self.verify_object_permission(record.get_name())
+
+ auth_name = get_authority(record.get_name())
+ table = self.get_auth_table(auth_name)
+
+ # make sure the record exists
+ existing_record_list = table.resolve(type, record.get_name())
+ if not existing_record_list:
+ raise RecordNotFound(record.get_name())
+
+ existing_record = existing_record_list[0]
+ pointer = existing_record.get_pointer()
+
+ # update the PLC information that was specified with the record
+
+ if (type == "sa") or (type == "ma"):
+ self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info())
+
+ elif type == "slice":
+ self.shell.UpdateSlice(self.pl_auth, pointer, record.get_pl_info())
+
+ elif type == "user":
+ # SMBAKER: UpdatePerson only allows a limited set of fields to be
+ # updated. Ideally we should have a more generic way of doing
+ # this. I copied the field names from UpdatePerson.py...
+ update_fields = {}
+ all_fields = record.get_pl_info()
+ for key in all_fields.keys():
+ if key in ['first_name', 'last_name', 'title', 'email',
+ 'password', 'phone', 'url', 'bio', 'accepted_aup',\r
+ 'enabled']:
+ update_fields[key] = all_fields[key]
+ self.shell.UpdatePerson(self.pl_auth, pointer, update_fields)
+
+ elif type == "node":
+ self.shell.UpdateNode(self.pl_auth, pointer, record.get_pl_info())
+
+ else:
+ raise UnknownGeniType(type)
+
+ ##
+ # List the records in an authority. The objectGID in the supplied credential
+ # should name the authority that will be listed.
+ #
+ # TODO: List doesn't take an hrn and uses the hrn contained in the
+ # objectGid of the credential. Does this mean the only way to list an
+ # authority is by having a credential for that authority?
+ #
+ # @param cred credential string specifying rights of the caller
+ #
+ # @return list of record dictionaries
+ def list(self, cred, auth_hrn):
+ self.decode_authentication(cred, "list")
+
+ if not self.hierarchy.auth_exists(auth_hrn):
+ raise MissingAuthority(auth_hrn)
+
+ table = self.get_auth_table(auth_hrn)
+
+ records = table.list()
+
+ good_records = []
+ for record in records:
+ try:
+ self.fill_record_info(record)
+ good_records.append(record)
+ except PlanetLabRecordDoesNotExist:
+ # silently drop the ones that are missing in PL.
+ # is this the right thing to do?
+ print "ignoring geni record ", record.get_name(), " because pl record does not exist"
+ table.remove(record)
+
+ dicts = []
+ for record in good_records:
+ dicts.append(record.as_dict())
+
+ return dicts
+
+ return dict_list
+
+ ##
+ # Resolve a record. This is an internal version of the Resolve API call
+ # and returns records in record object format rather than dictionaries
+ # that may be sent over XMLRPC.
+ #
+ # @param type type of record to resolve (user | sa | ma | slice | node)
+ # @param name human readable name of object
+ # @param must_exist if True, throw an exception if no records are found
+ #
+ # @return a list of record objects, or an empty list []
+
+ def resolve_raw(self, type, name, must_exist=True):
+ auth_name = get_authority(name)
+
+ table = self.get_auth_table(auth_name)
+
+ records = table.resolve(type, name)
+
+ if (not records) and must_exist:
+ raise RecordNotFound(name)
+
+ good_records = []
+ for record in records:
+ try:
+ self.fill_record_info(record)
+ good_records.append(record)
+ except PlanetLabRecordDoesNotExist:
+ # silently drop the ones that are missing in PL.
+ # is this the right thing to do?
+ print "ignoring geni record ", record.get_name(), "because pl record does not exist"
+ table.remove(record)
+
+ return good_records
+
+ ##
+ # GENI API: Resolve
+ #
+ # This is a wrapper around resolve_raw that converts records objects into
+ # dictionaries before returning them to the user.
+ #
+ # @param cred credential string authorizing the caller
+ # @param name human readable name to resolve
+ #
+ # @return a list of record dictionaries, or an empty list
+
+ def resolve(self, cred, name):
+ self.decode_authentication(cred, "resolve")
+
+ records = self.resolve_raw("*", name)
+ dicts = []
+ for record in records:
+ dicts.append(record.as_dict())
+
+ return dicts
+
+ ##
+ # GENI API: get_gid
+ #
+ # Retrieve the GID for an object. This function looks up a record in the
+ # registry and returns the GID of the record if it exists.
+ # TODO: Is this function needed? It's a shortcut for Resolve()
+ #
+ # @param name hrn to look up
+ #
+ # @return the string representation of a GID object
+
+ def get_gid(self, name):
+ self.verify_object_belongs_to_me(name)
+ records = self.resolve_raw("*", name)
+ gid_string_list = []
+ for record in records:
+ gid = record.get_gid()
+ gid_string_list.append(gid.save_to_string(save_parents=True))
+ return gid_string_list
+
+ ##
+ # Determine tje rights that an object should have. The rights are entirely
+ # dependent on the type of the object. For example, users automatically
+ # get "refresh", "resolve", and "info".
+ #
+ # @param type the type of the object (user | sa | ma | slice | node)
+ # @param name human readable name of the object (not used at this time)
+ #
+ # @return RightList object containing rights
+
+ def determine_rights(self, type, name):
+ rl = RightList()
+
+ # rights seem to be somewhat redundant with the type of the credential.
+ # For example, a "sa" credential implies the authority right, because
+ # a sa credential cannot be issued to a user who is not an owner of
+ # the authority
+
+ if type == "user":
+ rl.add("refresh")
+ rl.add("resolve")
+ rl.add("info")
+ elif type == "sa":
+ rl.add("authority")
+ elif type == "ma":
+ rl.add("authority")
+ elif type == "slice":
+ rl.add("refresh")
+ rl.add("embed")
+ rl.add("bind")
+ rl.add("control")
+ rl.add("info")
+ elif type == "component":
+ rl.add("operator")
+
+ return rl
+
+ ##
+ # GENI API: Get_self_credential
+ #
+ # Get_self_credential a degenerate version of get_credential used by a
+ # client to get his initial credential when he doesn't have one. This is
+ # the same as get_credential(..., cred=None,...).
+ #
+ # The registry ensures that the client is the principal that is named by
+ # (type, name) by comparing the public key in the record's GID to the
+ # private key used to encrypt the client-side of the HTTPS connection. Thus
+ # it is impossible for one principal to retrieve another principal's
+ # credential without having the appropriate private key.
+ #
+ # @param type type of object (user | slice | sa | ma | node
+ # @param name human readable name of object
+ #
+ # @return the string representation of a credential object
+
+ def get_self_credential(self, type, name):
+ self.verify_object_belongs_to_me(name)
+
+ auth_hrn = get_authority(name)
+ auth_info = self.get_auth_info(auth_hrn)
+
+ # find a record that matches
+ records = self.resolve_raw(type, name, must_exist=True)
+ record = records[0]
+
+ gid = record.get_gid_object()
+ peer_cert = self.server.peer_cert
+ if not peer_cert.is_pubkey(gid.get_pubkey()):
+ raise ConnectionKeyGIDMismatch(gid.get_subject())
+
+ # create the credential
+ gid = record.get_gid_object()
+ cred = Credential(subject = gid.get_subject())
+ cred.set_gid_caller(gid)
+ cred.set_gid_object(gid)
+ cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
+ cred.set_pubkey(gid.get_pubkey())
+
+ rl = self.determine_rights(type, name)
+ cred.set_privileges(rl)
+
+ cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+
+ cred.encode()
+ cred.sign()
+
+ return cred.save_to_string(save_parents=True)
+
+ ##
+ # GENI API: Get_credential
+ #
+ # Retrieve a credential for an object.
+ #
+ # If cred==None, then the behavior reverts to get_self_credential()
+ #
+ # @param cred credential object specifying rights of the caller
+ # @param type type of object (user | slice | sa | ma | node)
+ # @param name human readable name of object
+ #
+ # @return the string representation of a credental object
+
+ def get_credential(self, cred, type, name):
+ if not cred:
+ return get_self_credential(self, type, name)
+
+ self.decode_authentication(cred, "getcredential")
+
+ self.verify_object_belongs_to_me(name)
+
+ auth_hrn = get_authority(name)
+ auth_info = self.get_auth_info(auth_hrn)
+
+ records = self.resolve_raw(type, name, must_exist=True)
+ record = records[0]
+
+ # TODO: Check permission that self.client_cred can access the object
+
+ object_gid = record.get_gid_object()
+ new_cred = Credential(subject = object_gid.get_subject())
+ new_cred.set_gid_caller(self.client_gid)
+ new_cred.set_gid_object(object_gid)
+ new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
+ new_cred.set_pubkey(object_gid.get_pubkey())
+
+ rl = self.determine_rights(type, name)
+ new_cred.set_privileges(rl)
+
+ new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+
+ new_cred.encode()
+ new_cred.sign()
+
+ return new_cred.save_to_string(save_parents=True)
+
+ ##
+ # GENI_API: Create_gid
+ #
+ # Create a new GID. For MAs and SAs that are physically located on the
+ # registry, this allows a owner/operator/PI to create a new GID and have it
+ # signed by his respective authority.
+ #
+ # @param cred credential of caller
+ # @param name hrn for new GID
+ # @param uuid unique identifier for new GID
+ # @param pkey_string public-key string (TODO: why is this a string and not a keypair object?)
+ #
+ # @return the string representation of a GID object
+
+ def create_gid(self, cred, name, uuid, pubkey_str):
+ self.decode_authentication(cred, "getcredential")
+
+ self.verify_object_belongs_to_me(name)
+
+ self.verify_object_permission(name)
+
+ if uuid == None:
+ uuid = create_uuid()
+
+ pkey = Keypair()
+ pkey.load_pubkey_from_string(pubkey_str)
+ gid = self.hierarchy.create_gid(name, uuid, pkey)
+
+ return gid.save_to_string(save_parents=True)
+
--- /dev/null
+import os
+import sys
+import datetime
+import time
+
+from util.geniserver import *
+from util.geniclient import *
+from util.cert import *
+from util.trustedroot import *
+from util.excep import *
+from util.misc import *
+from util.config import Config
+
+class SliceMgr(GeniServer):
+
+ hrn = None
+ key_file = None
+ cert_file = None
+ components_file = None
+ slices_file = None
+ components_ttl = None
+ components = []
+ slices = []
+ policy = {}
+ timestamp = None
+ threshold = None
+ shell = None
+ aggregates = {}
+
+
+ ##
+ # Create a new slice manager object.
+ #
+ # @param ip the ip address to listen on
+ # @param port the port to listen on
+ # @param key_file private key filename of registry
+ # @param cert_file certificate filename containing public key (could be a GID file)
+
+ def __init__(self, ip, port, key_file, cert_file, config = "/usr/share/geniwrapper/util/geni_config"):
+ GeniServer.__init__(ip, port, key_file, cert_file)
+ self.key_file = key_file
+ self.cert_file = cert_file
+ self.conf = Config(config)
+ basedir = self.conf.GENI_BASE_DIR + os.sep
+ server_basedir = basedir + os.sep + "plc" + os.sep
+ self.hrn = conf.GENI_INTERFACE_HRN
+
+ # Get list of aggregates this sm talks to
+ aggregates_file = server_basedir + os.sep + 'aggregates'
+ self.load_aggregates(aggregates_file)
+ self.components_file = os.sep.join([server_basedir, 'components', 'slicemgr.' + hrn + '.comp'])
+ self.slices_file = os.sep.join([server_basedir, 'components', 'slicemgr' + hrn + '.slices'])
+ self.timestamp_file = os.sep.join([server_basedir, 'components', 'slicemgr' + hrn + '.timestamp'])
+ self.components_ttl = components_ttl
+ self.policy['whitelist'] = []
+ self.policy['blacklist'] = []
+ self.connect()
+
+ def load_aggregates(self, aggregates_file):
+ """
+ Get info about the aggregates available to us from file and create
+ an xmlrpc connection to each. If any info is invalid, skip it.
+ """
+ lines = []
+ try:
+ f = open(aggregates_file, 'r')
+ lines = f.readlines()
+ f.close()
+ except: raise
+
+ for line in lines:
+ # Skip comments
+ if line.strip.startswith("#"):
+ continue
+ agg_info = line.split("\t").split(" ")
+
+ # skip invalid info
+ if len(agg_info) != 3:
+ continue
+
+ # create xmlrpc connection using GeniClient
+ hrn, address, port = agg_info[0], agg_info[1], agg_info[2]
+ url = 'https://%(address)s:%(port)s' % locals()
+ self.aggregates[hrn] = GeniClient(url, self.key_file, self.cert_file)
+
+
+ def item_hrns(self, items):
+ """
+ Take a list of items (components or slices) and return a dictionary where
+ the key is the authoritative hrn and the value is a list of items at that
+ hrn.
+ """
+ item_hrns = {}
+ agg_hrns = self.aggregates.keys()
+ for agg_hrn in agg_hrns:
+ item_hrns[agg_hrn] = []
+ for item in items:
+ for agg_hrn in agg_hrns:
+ if item.startswith(agg_hrn):
+ item_hrns[agg_hrn] = item
+
+ return item_hrns
+
+
+ def hostname_to_hrn(self, login_base, hostname):
+ """
+ Convert hrn to plantelab name.
+ """
+ genihostname = "_".join(hostname.split("."))
+ return ".".join([self.hrn, login_base, genihostname])
+
+ def slicename_to_hrn(self, slicename):
+ """
+ Convert hrn to planetlab name.
+ """
+ slicename = slicename.replace("_", ".")
+ return ".".join([self.hrn, slicename])
+
+ def refresh_components(self):
+ """
+ Update the cached list of nodes.
+ """
+ print "refreshing"
+
+ aggregates = self.aggregates.keys()
+ all_nodes = []
+ all_slices = []
+ for aggregate in aggregates:
+ try:
+ # resolve components hostnames
+ nodes = self.aggregates[aggregate].get_components()
+ all_nodes.extend(nodes)
+ # update timestamp and threshold
+ self.timestamp = datetime.datetime.now()
+ delta = datetime.timedelta(hours=self.components_ttl)
+ self.threshold = self.timestamp + delta
+ except:
+ # XX print out to some error log
+ pass
+
+ self.components = all_nodes
+ f = open(self.components_file, 'w')
+ f.write(str(self.components))
+ f.close()
+ f = open(self.timestamp_file, 'w')
+ f.write(str(self.threshold))
+ f.close()
+
+ def load_components(self):
+ """
+ Read cached list of nodes and slices.
+ """
+ print "loading nodes"
+ # Read component list from cached file
+ if os.path.exists(self.components_file):
+ f = open(self.components_file, 'r')
+ self.components = eval(f.read())
+ f.close()
+
+ time_format = "%Y-%m-%d %H:%M:%S"
+ if os.path.exists(self.timestamp_file):
+ f = open(self.timestamp_file, 'r')
+ timestamp = str(f.read()).split(".")[0]
+ self.timestamp = datetime.datetime.fromtimestamp(time.mktime(time.strptime(timestamp, time_format)))
+ delta = datetime.timedelta(hours=self.components_ttl)
+ self.threshold = self.timestamp + delta
+ f.close()
+
+ def load_policy(self):
+ """
+ Read the list of blacklisted and whitelisted nodes.
+ """
+ whitelist = []
+ blacklist = []
+ if os.path.exists(self.whitelist_file):
+ f = open(self.whitelist_file, 'r')
+ lines = f.readlines()
+ f.close()
+ for line in lines:
+ line = line.strip().replace(" ", "").replace("\n", "")
+ whitelist.extend(line.split(","))
+
+
+ if os.path.exists(self.blacklist_file):
+ f = open(self.blacklist_file, 'r')
+ lines = f.readlines()
+ f.close()
+ for line in lines:
+ line = line.strip().replace(" ", "").replace("\n", "")
+ blacklist.extend(line.split(","))
+
+ self.policy['whitelist'] = whitelist
+ self.policy['blacklist'] = blacklist
+
+ def load_slices(self):
+ """
+ Read current slice instantiation states.
+ """
+ print "loading slices"
+ if os.path.exists(self.slices_file):
+ f = open(self.components_file, 'r')
+ self.slices = eval(f.read())
+ f.close()
+
+ def write_slices(self):
+ """
+ Write current slice instantiations to file.
+ """
+ print "writing slices"
+ f = open(self.slices_file, 'w')
+ f.write(str(self.slices))
+ f.close()
+
+
+ def get_components(self):
+ """
+ Return a list of components managed by this slice manager.
+ """
+ # Reload components list
+ now = datetime.datetime.now()
+ #self.load_components()
+ if not self.threshold or not self.timestamp or now > self.threshold:
+ self.refresh_components()
+ elif now < self.threshold and not self.components:
+ self.load_components()
+ return self.components
+
+
+ def get_slices(self):
+ """
+ Return a list of instnatiated managed by this slice manager.
+ """
+ now = datetime.datetime.now()
+ #self.load_components()
+ if not self.threshold or not self.timestamp or now > self.threshold:
+ self.refresh_components()
+ elif now < self.threshold and not self.slices:
+ self.load_components()
+ return self.slices
+
+ def get_slivers(self, hrn):
+ """
+ Return the list of slices instantiated at the specified component.
+ """
+
+ # hrn is assumed to be a component hrn
+ if hrn not in self.slices:
+ raise RecordNotFound(hrn)
+
+ return self.slices[hrn]
+
+ def get_rspec(self, hrn, type):
+ #rspec = Rspec()
+ if type in ['node']:
+ nodes = self.shell.GetNodes(self.auth)
+ elif type in ['slice']:
+ slices = self.shell.GetSlices(self.auth)
+ elif type in ['aggregate']:
+ pass
+
+ def get_resources(self, slice_hrn):
+ """
+ Return the current rspec for the specified slice.
+ """
+ slicename = hrn_to_plcslicename(slice_hrn)
+ rspec = self.get_rspec(slicenamem, 'slice' )
+
+ return rspec
+
+ def create_slice(self, slice_hrn, rspec, attributes):
+ """
+ Instantiate the specified slice according to whats defined in the rspec.
+ """
+ slicename = self.hrn_to_plcslicename(slice_hrn)
+ #spec = Rspec(rspec)
+ node_hrns = []
+ #for netspec in spec['networks]:
+ # networkname = netspec['name']
+ # nodespec = spec['networks']['nodes']
+ # nodes = [nspec['name'] for nspec in nodespec]
+ # node_hrns = [networkname + node for node in nodes]
+ #
+ self.db.AddSliceToNodes(slice_hrn, node_hrns)
+ return 1
+
+ def delete_slice_(self, slice_hrn):
+ """
+ Remove this slice from all components it was previouly associated with and
+ free up the resources it was using.
+ """
+ self.db.DeleteSliceFromNodes(self.auth, slicename, self.components)
+ return 1
+
+ def start_slice(self, slice_hrn):
+ """
+ Stop the slice at plc.
+ """
+ slicename = hrn_to_plcslicename(slice_hrn)
+ slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id'])
+ if not slices:
+ raise RecordNotFound(slice_hrn)
+ slice_id = slices[0]
+ atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id'])
+ attribute_id = attreibutes[0]
+ self.shell.UpdateSliceAttribute(self.auth, attribute_id, "1" )
+ return 1
+
+ def stop_slice(self, slice_hrn):
+ """
+ Stop the slice at plc
+ """
+ slicename = hrn_to_plcslicename(slice_hrn)
+ slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id'])
+ if not slices:
+ raise RecordNotFound(slice_hrn)
+ slice_id = slices[0]
+ atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id'])
+ attribute_id = attreibutes[0]
+ self.shell.UpdateSliceAttribute(self.auth, attribute_id, "0")
+ return 1
+
+ def reset_slice(self, slice_hrn):
+ """
+ Reset the slice
+ """
+ slicename = self.hrn_to_plcslicename(slice_hrn)
+ return 1
+
+ def get_policy(self):
+ """
+ Return the policy of this slice manager.
+ """
+
+ return self.policy
+
+
+
+##############################
+## Server methods here for now
+##############################
+
+ def nodes(self):
+ return self..get_components()
+
+ def slices(self):
+ return self.get_slices()
+
+ def resources(self, cred, hrn):
+ self.decode_authentication(cred, 'info')
+ self.verify_object_belongs_to_me(hrn)
+
+ return self.get_resources(hrn)
+
+ def create(self, cred, hrn, rspec):
+ self.decode_authentication(cred, 'embed')
+ self.verify_object_belongs_to_me(hrn, rspec)
+ return self.create(hrn)
+
+ def delete(self, cred, hrn):
+ self.decode_authentication(cred, 'embed')
+ self.verify_object_belongs_to_me(hrn)
+ return self.delete_slice(hrn)
+
+ def start(self, cred, hrn):
+ self.decode_authentication(cred, 'control')
+ return self.start(hrn)
+
+ def stop(self, cred, hrn):
+ self.decode_authentication(cred, 'control')
+ return self.stop(hrn)
+
+ def reset(self, cred, hrn):
+ self.decode_authentication(cred, 'control')
+ return self.reset(hrn)
+
+ def policy(self, cred):
+ self.decode_authentication(cred, 'info')
+ return self.get_policy()
+
+ def register_functions(self):
+ GeniServer.register_functions(self)
+
+ # Aggregate interface methods
+ self.server.register_function(self.components)
+ self.server.register_function(self.slices)
+ self.server.register_function(self.resources)
+ self.server.register_function(self.create)
+ self.server.register_function(self.delete)
+ self.server.register_function(self.start)
+ self.server.register_function(self.stop)
+ self.server.register_function(self.reset)
+ self.server.register_function(self.policy)
+
git://git.onelab.eu / sfa.git / commitdiff