From: Tony Mack Date: Tue, 27 Jan 2009 00:18:36 +0000 (+0000) Subject: copy file from plc dir into geni dir X-Git-Tag: sfa-0.9-0@14641~703 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=3f02043626b0511a3b92406411eb44810e607542;p=sfa.git copy file from plc dir into geni dir --- diff --git a/geni/aggregate.py b/geni/aggregate.py new file mode 100644 index 00000000..78bb9beb --- /dev/null +++ b/geni/aggregate.py @@ -0,0 +1,406 @@ +import os +import sys +import datetime +import time +import xmlrpclib + +from util.geniserver import * +from util.geniclient import * +from util.cert import * +from util.trustedroot import * +from util.excep import * +from util.misc import * +from util.config import Config +from util.rspec import Rspec + +class Aggregate(GeniServer): + + hrn = None + components_file = None + components_ttl = None + components = [] + whitelist_file = None + blacklist_file = None + policy = {} + timestamp = None + threshold = None + shell = None + registry = None + + ## + # Create a new aggregate object. + # + # @param ip the ip address to listen on + # @param port the port to listen on + # @param key_file private key filename of registry + # @param cert_file certificate filename containing public key (could be a GID file) + + def __init__(self, ip, port, key_file, cert_file, config = "/usr/share/geniwrapper/util/geni_config"): + GeniServer.__init__(ip, port, keyfile, cert_file) + + conf = Config(config) + basedir = conf.GENI_BASE_DIR + os.sep + server_basedir = basedir + os.sep + "plc" + os.sep + self.hrn = conf.GENI_INTERFACE_HRN + self.components_file = os.sep.join([server_basedir, 'components', hrn + '.comp']) + self.whitelist_file = os.sep.join([server_basedir, 'policy', 'whitelist']) + self.blacklist_file = os.sep.join([server_basedir, 'policy', 'blacklist']) + self.timestamp_file = os.sep.join([server_basedir, 'components', hrn + '.timestamp']) + self.components_ttl = components_ttl + self.policy['whitelist'] = [] + self.policy['blacklist'] = [] + self.connectPLC() + self.connectRegistry() + + def connectRegistry(self): + """ + Connect to the registry + """ + + + def connectPLC(self): + """ + Connect to the plc api interface. First attempt to impor thte shell, if that fails + try to connect to the xmlrpc server. + """ + self.auth = {'Username': conf.GENI_PLC_USER, + 'AuthMethod': 'password', + 'AuthString': conf.GENI_PLC_PASSWORD} + + try: + # try to import PLC.Shell directly + sys.path.append(conf.GENI_PLC_SHELL_PATH) + import PLC.Shell + self.shell = PLC.Shell.Shell(globals()) + self.shell.AuthCheck() + except ImportError: + # connect to plc api via xmlrpc + plc_host = conf.GENI_PLC_HOST + plc_port = conf.GENI_PLC_PORT + plc_api_path = conf.GENI_PLC_API_PATH + url = "https://%(plc_host)s:%(plc_port)s/%(plc_api_path)s/" % locals() + self.auth = {'Username': conf.GENI_PLC_USER, + 'AuthMethod': 'password', + 'AuthString': conf.GENI_PLC_PASSWORD} + + self.shell = xmlrpclib.Server(url, verbose = 0, allow_none = True) + self.shell.AuthCheck(self.auth) + + def hostname_to_hrn(self, login_base, hostname): + """ + Convert hrn to plantelab name. + """ + genihostname = "_".join(hostname.split(".")) + return ".".join([self.hrn, login_base, genihostname]) + + def slicename_to_hrn(self, slicename): + """ + Convert hrn to planetlab name. + """ + slicename = slicename.replace("_", ".") + return ".".join([self.hrn, slicename]) + + def refresh_components(self): + """ + Update the cached list of nodes. + """ + # resolve component hostnames + nodes = self.shell.GetNodes(self.auth, {}, ['hostname', 'site_id']) + + # resolve site login_bases + site_ids = [node['site_id'] for node in nodes] + sites = self.shell.GetSites(self.auth, site_ids, ['site_id', 'login_base']) + site_dict = {} + for site in sites: + site_dict[site['site_id']] = site['login_base'] + + # convert plc names to geni hrn + self.components = [self.hostname_to_hrn(site_dict[node['site_id']], node['hostname']) for node in nodes] + + # apply policy. Do not allow nodes found in blacklist, only allow nodes found in whitelist + whitelist_policy = lambda node: node in self.policy['whitelist'] + blacklist_policy = lambda node: node not in self.policy['blacklist'] + + if self.policy['blacklist']: + self.components = blacklist_policy(self.components) + if self.policy['whitelist']: + self.components = whitelist_policy(self.components) + + # update timestamp and threshold + self.timestamp = datetime.datetime.now() + delta = datetime.timedelta(hours=self.components_ttl) + self.threshold = self.timestamp + delta + + f = open(self.components_file, 'w') + f.write(str(self.components)) + f.close() + f = open(self.timestamp_file, 'w') + f.write(str(self.threshold)) + f.close() + + def load_components(self): + """ + Read cached list of nodes. + """ + # Read component list from cached file + if os.path.exists(self.components_file): + f = open(self.components_file, 'r') + self.components = eval(f.read()) + f.close() + + time_format = "%Y-%m-%d %H:%M:%S" + if os.path.exists(self.timestamp_file): + f = open(self.timestamp_file, 'r') + timestamp = str(f.read()).split(".")[0] + self.timestamp = datetime.datetime.fromtimestamp(time.mktime(time.strptime(timestamp, time_format))) + delta = datetime.timedelta(hours=self.components_ttl) + self.threshold = self.timestamp + delta + f.close() + + def load_policy(self): + """ + Read the list of blacklisted and whitelisted nodes. + """ + whitelist = [] + blacklist = [] + if os.path.exists(self.whitelist_file): + f = open(self.whitelist_file, 'r') + lines = f.readlines() + f.close() + for line in lines: + line = line.strip().replace(" ", "").replace("\n", "") + whitelist.extend(line.split(",")) + + + if os.path.exists(self.blacklist_file): + f = open(self.blacklist_file, 'r') + lines = f.readlines() + f.close() + for line in lines: + line = line.strip().replace(" ", "").replace("\n", "") + blacklist.extend(line.split(",")) + + self.policy['whitelist'] = whitelist + self.policy['blacklist'] = blacklist + + def get_components(self): + """ + Return a list of components at this aggregate. + """ + # Reload components list + now = datetime.datetime.now() + #self.load_components() + if not self.threshold or not self.timestamp or now > self.threshold: + self.refresh_components() + elif now < self.threshold and not self.components: + self.load_components() + return self.components + + def get_rspec(self, hrn, type): + rspec = Rspec() + rspec['nodespec'] = {'name': self.conf.GENI_INTERFACE_HRN} + rsepc['nodespec']['nodes'] = [] + if type in ['node']: + nodes = self.shell.GetNodes(self.auth) + elif type in ['slice']: + slicename = hrn_to_pl_slicename(hrn) + slices = self.shell.GetSlices(self.auth, [slicename]) + node_ids = slices[0]['node_ids'] + nodes = self.shell.GetNodes(self.auth, node_ids) + for node in nodes: + nodespec = {'name': node['hostname'], 'type': 'std'} + elif type in ['aggregate']: + pass + + return rspec + + def get_resources(self, slice_hrn): + """ + Return the current rspec for the specified slice. + """ + slicename = hrn_to_plcslicename(slice_hrn) + rspec = self.get_rspec(slicenamem, 'slice') + + return rspec + + def create_slice(self, slice_hrn, rspec, attributes = []): + """ + Instantiate the specified slice according to whats defined in the rspec. + """ + slicename = self.hrn_to_plcslicename(slice_hrn) + spec = Rspec(rspec) + nodespecs = spec.getDictsByTagName('NodeSpec') + nodes = [nodespec['name'] for nodespec in nodespecs] + self.shell.AddSliceToNodes(self.auth, slicename, nodes) + for attribute in attributes: + type, value, node, nodegroup = attribute['type'], attribute['value'], attribute['node'], attribute['nodegroup'] + shell.AddSliceAttribute(self.auth, slicename, type, value, node, nodegroup) + + # XX contact the registry to get the list of users on this slice and + # their keys. + #slice_record = self.registry.resolve(slice_hrn) + #person_records = slice_record['users'] + # for person in person_record: + # email = person['email'] + # self.shell.AddPersonToSlice(self.auth, email, slicename) + + + return 1 + + def update_slice(self, slice_hrn, rspec, attributes = []): + """ + Update the specified slice. + """ + # Get slice info + slicename = self.hrn_to_plcslicename(slice_hrn) + slices = self.shell.GetSlices(self.auth, [slicename], ['node_ids']) + if not slice: + raise RecordNotFound(slice_hrn) + slice = slices[0] + + # find out where this slice is currently running + nodes = self.shell.GetNodes(self.auth, slice['node_ids'], ['hostname']) + hostnames = [node['hostname'] for node in nodes] + + # get netspec details + spec = Rspec(rspec) + nodespecs = spec.getDictsByTagName('NodeSpec') + nodes = [nodespec['name'] for nodespec in nodespecs] + # remove nodes not in rspec + delete_nodes = set(hostnames).difference(nodes) + # add nodes from rspec + added_nodes = set(nodes).difference(hostnames) + + shell.AddSliceToNodes(self.auth, slicename, added_nodes) + shell.DeleteSliceFromNodes(self.auth, slicename, deleted_nodes) + + for attribute in attributes: + type, value, node, nodegroup = attribute['type'], attribute['value'], attribute['node'], attribute['nodegroup'] + shell.AddSliceAttribute(self.auth, slicename, type, value, node, nodegroup) + + # contact registry to get slice users and add them to the slice + # slice_record = self.registry.resolve(slice_hrn) + # persons = slice_record['users'] + + #for person in persons: + # shell.AddPersonToSlice(person['email'], slice_name) + def delete_slice_(self, slice_hrn): + """ + Remove this slice from all components it was previouly associated with and + free up the resources it was using. + """ + slicename = self.hrn_to_plcslicename(slice_hrn) + slices = shell.GetSlices(self.auth, [slicename]) + if not slice: + raise RecordNotFound(slice_hrn) + slice = slices[0] + + shell.DeleteSliceFromNodes(self.auth, slicename, slice['node_ids']) + return 1 + + def start_slice(self, slice_hrn): + """ + Stop the slice at plc. + """ + slicename = hrn_to_plcslicename(slice_hrn) + slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id']) + if not slices: + raise RecordNotFound(slice_hrn) + slice_id = slices[0] + atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id']) + attribute_id = attreibutes[0] + self.shell.UpdateSliceAttribute(self.auth, attribute_id, "1" ) + return 1 + + def stop_slice(self, slice_hrn): + """ + Stop the slice at plc + """ + slicename = hrn_to_plcslicename(slice_hrn) + slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id']) + if not slices: + raise RecordNotFound(slice_hrn) + slice_id = slices[0] + atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id']) + attribute_id = attreibutes[0] + self.shell.UpdateSliceAttribute(self.auth, attribute_id, "0") + return 1 + + + def reset_slice(self, slice_hrn): + """ + Reset the slice + """ + slicename = self.hrn_to_plcslicename(slice_hrn) + return 1 + + def get_policy(self): + """ + Return this aggregates policy. + """ + + return self.policy + + + +############################## +## Server methods here for now +############################## + + def nodes(self): + return self..get_components() + + #def slices(self): + # return self.get_slices() + + def resources(self, cred, hrn): + self.decode_authentication(cred, 'info') + self.verify_object_belongs_to_me(hrn) + + return self.get_resources(hrn) + + def create(self, cred, hrn, rspec): + self.decode_authentication(cred, 'embed') + self.verify_object_belongs_to_me(hrn) + return self.create(hrn) + + def update(self, cred, hrn, rspec): + self.decode_authentication(cred, 'embed') + self.verify_object_belongs_to_me(hrn) + return self.update(hrn) + + def delete(self, cred, hrn): + self.decode_authentication(cred, 'embed') + self.verify_object_belongs_to_me(hrn) + return self.delete_slice(hrn) + + def start(self, cred, hrn): + self.decode_authentication(cred, 'control') + return self.start(hrn) + + def stop(self, cred, hrn): + self.decode_authentication(cred, 'control') + return self.stop(hrn) + + def reset(self, cred, hrn): + self.decode_authentication(cred, 'control') + return self.reset(hrn) + + def policy(self, cred): + self.decode_authentication(cred, 'info') + return self.get_policy() + + def register_functions(self): + GeniServer.register_functions(self) + + # Aggregate interface methods + self.server.register_function(self.components) + #self.server.register_function(self.slices) + self.server.register_function(self.resources) + self.server.register_function(self.create) + self.server.register_function(self.delete) + self.server.register_function(self.start) + self.server.register_function(self.stop) + self.server.register_function(self.reset) + self.server.register_function(self.policy) + diff --git a/geni/gimport.py b/geni/gimport.py new file mode 100755 index 00000000..31e3faeb --- /dev/null +++ b/geni/gimport.py @@ -0,0 +1,330 @@ +## +# Import PLC records into the Geni database. It is indended that this tool be +# run once to create Geni records that reflect the current state of the +# planetlab database. +# +# The import tool assumes that the existing PLC hierarchy should all be part +# of "planetlab.us" (see the root_auth and level1_auth variables below). +# +# Public keys are extracted from the users' SSH keys automatically and used to +# create GIDs. This is relatively experimental as a custom tool had to be +# written to perform conversion from SSH to OpenSSL format. It only supports +# RSA keys at this time, not DSA keys. +## + +import getopt +import sys +import tempfile + +from cert import * +from trustedroot import * +from hierarchy import * +from record import * +from genitable import * +from misc import * + +shell = None + +## +# Two authorities are specified: the root authority and the level1 authority. + +root_auth = "planetlab" +level1_auth = "planetlab.us" + + +def un_unicode(str): + if isinstance(str, unicode): + return str.encode("ascii", "ignore") + else: + return str + +def cleanup_string(str): + # pgsql has a fit with strings that have high ascii in them, so filter it + # out when generating the hrns. + tmp = "" + for c in str: + if ord(c) < 128: + tmp = tmp + c + str = tmp + + str = un_unicode(str) + str = str.replace(" ", "_") + str = str.replace(".", "_") + str = str.replace("(", "_") + str = str.replace("'", "_") + str = str.replace(")", "_") + str = str.replace('"', "_") + return str + +def process_options(): + global hrn + + (options, args) = getopt.getopt(sys.argv[1:], '', []) + for opt in options: + name = opt[0] + val = opt[1] + +def connect_shell(): + global pl_auth, shell + + # get PL account settings from config module + pl_auth = get_pl_auth() + + # connect to planetlab + if "Url" in pl_auth: + import remoteshell + shell = remoteshell.RemoteShell() + else: + import PLC.Shell + shell = PLC.Shell.Shell(globals = globals()) + +def get_auth_table(auth_name): + AuthHierarchy = Hierarchy() + auth_info = AuthHierarchy.get_auth_info(auth_name) + + table = GeniTable(hrn=auth_name, + cninfo=auth_info.get_dbinfo()) + + # if the table doesn't exist, then it means we haven't put any records + # into this authority yet. + + if not table.exists(): + report.trace("Import: creating table for authority " + auth_name) + table.create() + + return table + +def get_pl_pubkey(key_id): + keys = shell.GetKeys(pl_auth, [key_id]) + if keys: + key_str = keys[0]['key'] + + if "ssh-dss" in key_str: + print "XXX: DSA key encountered, ignoring" + return None + + # generate temporary files to hold the keys + (ssh_f, ssh_fn) = tempfile.mkstemp() + ssl_fn = tempfile.mktemp() + + os.write(ssh_f, key_str) + os.close(ssh_f) + + cmd = "../keyconvert/keyconvert " + ssh_fn + " " + ssl_fn + print cmd + os.system(cmd) + + # this check leaves the temporary file containing the public key so + # that it can be expected to see why it failed. + # TODO: for production, cleanup the temporary files + if not os.path.exists(ssl_fn): + report.trace(" failed to convert key from " + ssh_fn + " to " + ssl_fn) + return None + + k = Keypair() + try: + k.load_pubkey_from_file(ssl_fn) + except: + print "XXX: Error while converting key: ", key_str + k = None + + # remove the temporary files + os.remove(ssh_fn) + os.remove(ssl_fn) + + return k + else: + return None + +def person_to_hrn(parent_hrn, person): + personname = person['last_name'] + "_" + person['first_name'] + + personname = cleanup_string(personname) + + hrn = parent_hrn + "." + personname + return hrn + +def import_person(parent_hrn, person): + AuthHierarchy = Hierarchy() + hrn = person_to_hrn(parent_hrn, person) + + # ASN.1 will have problems with hrn's longer than 64 characters + if len(hrn) > 64: + hrn = hrn[:64] + + report.trace("Import: importing person " + hrn) + + table = get_auth_table(parent_hrn) + + person_record = table.resolve("user", hrn) + if not person_record: + key_ids = person["key_ids"] + + if key_ids: + # get the user's private key from the SSH keys they have uploaded + # to planetlab + pkey = get_pl_pubkey(key_ids[0]) + else: + # the user has no keys + report.trace(" person " + hrn + " does not have a PL public key") + pkey = None + + # if a key is unavailable, then we still need to put something in the + # user's GID. So make one up. + if not pkey: + pkey = Keypair(create=True) + + person_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey) + person_record = GeniRecord(name=hrn, gid=person_gid, type="user", pointer=person['person_id']) + report.trace(" inserting user record for " + hrn) + table.insert(person_record) + else: + key_ids = person["key_ids"] + if key_ids: + pkey = get_pl_pubkey(key_ids[0]) + person_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey) + person_record = GeniRecord(name=hrn, gid=person_gid, type="user", pointer=person['person_id']) + report.trace(" updating user record for " + hrn) + table.update(person_record) + +def import_slice(parent_hrn, slice): + AuthHierarchy = Hierarchy() + slicename = slice['name'].split("_",1)[-1] + slicename = cleanup_string(slicename) + + if not slicename: + report.error("Import_Slice: failed to parse slice name " + slice['name']) + return + + hrn = parent_hrn + "." + slicename + report.trace("Import: importing slice " + hrn) + + table = get_auth_table(parent_hrn) + + slice_record = table.resolve("slice", hrn) + if not slice_record: + pkey = Keypair(create=True) + slice_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey) + slice_record = GeniRecord(name=hrn, gid=slice_gid, type="slice", pointer=slice['slice_id']) + report.trace(" inserting slice record for " + hrn) + table.insert(slice_record) + +def import_node(parent_hrn, node): + AuthHierarchy = Hierarchy() + nodename = node['hostname'] + nodename = cleanup_string(nodename) + + if not nodename: + report.error("Import_node: failed to parse node name " + node['hostname']) + return + + hrn = parent_hrn + "." + nodename + + # ASN.1 will have problems with hrn's longer than 64 characters + if len(hrn) > 64: + hrn = hrn[:64] + + report.trace("Import: importing node " + hrn) + + table = get_auth_table(parent_hrn) + + node_record = table.resolve("node", hrn) + if not node_record: + pkey = Keypair(create=True) + node_gid = AuthHierarchy.create_gid(hrn, create_uuid(), pkey) + node_record = GeniRecord(name=hrn, gid=node_gid, type="node", pointer=node['node_id']) + report.trace(" inserting node record for " + hrn) + table.insert(node_record) + +def import_site(parent_hrn, site): + AuthHierarchy = Hierarchy() + sitename = site['login_base'] + sitename = cleanup_string(sitename) + + hrn = parent_hrn + "." + sitename + + report.trace("Import_Site: importing site " + hrn) + + # create the authority + if not AuthHierarchy.auth_exists(hrn): + AuthHierarchy.create_auth(hrn) + + auth_info = AuthHierarchy.get_auth_info(hrn) + + table = get_auth_table(parent_hrn) + + sa_record = table.resolve("sa", hrn) + if not sa_record: + sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=site['site_id']) + report.trace(" inserting sa record for " + hrn) + table.insert(sa_record) + + ma_record = table.resolve("ma", hrn) + if not ma_record: + ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=site['site_id']) + report.trace(" inserting ma record for " + hrn) + table.insert(ma_record) + + for person_id in site['person_ids']: + persons = shell.GetPersons(pl_auth, [person_id]) + if persons: + import_person(hrn, persons[0]) + + for slice_id in site['slice_ids']: + slices = shell.GetSlices(pl_auth, [slice_id]) + if slices: + import_slice(hrn, slices[0]) + + for node_id in site['node_ids']: + nodes = shell.GetNodes(pl_auth, [node_id]) + if nodes: + import_node(hrn, nodes[0]) + +def create_top_level_auth_records(hrn): + parent_hrn = get_authority(hrn) + print hrn, ":", parent_hrn + auth_info = AuthHierarchy.get_auth_info(parent_hrn) + table = get_auth_table(parent_hrn) + + sa_record = table.resolve("sa", hrn) + if not sa_record: + sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=-1) + report.trace(" inserting sa record for " + hrn) + table.insert(sa_record) + + ma_record = table.resolve("ma", hrn) + if not ma_record: + ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=-1) + report.trace(" inserting ma record for " + hrn) + table.insert(ma_record) + +def main(): + global AuthHierarchy + global TrustedRoots + + process_options() + + AuthHierarchy = Hierarchy() + TrustedRoots = TrustedRootList() + + print "Import: creating top level authorities" + + if not AuthHierarchy.auth_exists(root_auth): + AuthHierarchy.create_auth(root_auth) + #create_top_level_auth_records(root_auth) + if not AuthHierarchy.auth_exists(level1_auth): + AuthHierarchy.create_auth(level1_auth) + create_top_level_auth_records(level1_auth) + + print "Import: adding", root_auth, "to trusted list" + root = AuthHierarchy.get_auth_info(root_auth) + TrustedRoots.add_gid(root.get_gid_object()) + + connect_shell() + + sites = shell.GetSites(pl_auth) + for site in sites: + import_site(level1_auth, site) + +if __name__ == "__main__": + main() diff --git a/geni/nuke.py b/geni/nuke.py new file mode 100644 index 00000000..b9b2c883 --- /dev/null +++ b/geni/nuke.py @@ -0,0 +1,32 @@ +## +# Delete all the database records for Geni. This tool is used to clean out Geni +# records during testing. +# +# Authority info (maintained by the hierarchy module in a subdirectory tree) +# is not purged by this tool and may be deleted by a command like 'rm'. +## + +import getopt +import sys + +from hierarchy import * +from record import * +from genitable import * +from config import * + +def process_options(): + global hrn + + (options, args) = getopt.getopt(sys.argv[1:], '', []) + for opt in options: + name = opt[0] + val = opt[1] + +def main(): + process_options() + + print "purging geni records from database" + geni_records_purge(get_default_dbinfo()) + +if __name__ == "__main__": + main() diff --git a/geni/plc.py b/geni/plc.py new file mode 100644 index 00000000..7c3052af --- /dev/null +++ b/geni/plc.py @@ -0,0 +1,100 @@ +## +# GENI PLC Wrapper +# +# This wrapper implements the Geni Registry and Slice Interfaces on PLC. +# Depending on command line options, it starts some combination of a +# Registry, an Aggregate Manager, and a Slice Manager. +# +# There are several items that need to be done before starting the wrapper +# server. +# +# NOTE: Many configuration settings, including the PLC maintenance account +# credentials, URI of the PLCAPI, and PLC DB URI and admin credentials are initialized +# from your MyPLC configuration (/etc/planetlab/plc_config*). Please make sure this information +# is up to date and accurate. +# +# 1) Import the existing planetlab database, creating the +# appropriate geni records. This is done by running the "import.py" tool. +# +# 2) Create a "trusted_roots" directory and place the certificate of the root +# authority in that directory. Given the defaults in import.py, this +# certificate would be named "planetlab.gid". For example, +# +# mkdir trusted_roots; cp authorities/planetlab.gid trusted_roots/ +# +# TODO: Can all three servers use the same "registry" certificate? +## + +# TCP ports for the three servers +registry_port=12345 +aggregate_port=12346 +slicemgr_port=12347 + +import os, os.path +from optparse import OptionParser + +from util.hierarchy import Hierarchy +from util.trustedroot import TrustedRootList +from util.cert import Keypair, Certificate +from registry import Registry +#from aggregate import Aggregate +from slicemgr import SliceMgr + +def main(): + global AuthHierarchy + global TrustedRoots + global registry_port + global aggregate_port + global slicemgr_port + + # Generate command line parser + parser = OptionParser(usage="plc [options]") + parser.add_option("-r", "--registry", dest="registry", action="store_true", + help="run registry server", default=False) + parser.add_option("-s", "--slicemgr", dest="sm", action="store_true", + help="run slice manager", default=False) + parser.add_option("-a", "--aggregate", dest="am", action="store_true", + help="run aggregate manager", default=False) + parser.add_option("-v", "--verbose", dest="verbose", action="store_true", + help="verbose mode", default=False) + (options, args) = parser.parse_args() + + key_file = "server.key" + cert_file = "server.cert" + + # if no key is specified, then make one up + if (not os.path.exists(key_file)) or (not os.path.exists(cert_file)): + key = Keypair(create=True) + key.save_to_file(key_file) + + cert = Certificate(subject="registry") + cert.set_issuer(key=key, subject="registry") + cert.set_pubkey(key) + cert.sign() + cert.save_to_file(cert_file) + + AuthHierarchy = Hierarchy() + + TrustedRoots = TrustedRootList() + + # start registry server + if (options.registry): + r = Registry("", registry_port, key_file, cert_file) + r.trusted_cert_list = TrustedRoots.get_list() + r.hierarchy = AuthHierarchy + r.start() + + # start aggregate manager + if (options.am): + a = Aggregate("", aggregate_port, key_file, cert_file) + a.trusted_cert_list = TrustedRoots.get_list() + a.start() + + # start slice manager + if (options.sm): + s = SliceMgr("", slicemgr_port, key_file, cert_file) + s.trusted_cert_list = TrustedRoots.get_list() + s.start() + +if __name__ == "__main__": + main() diff --git a/geni/registry.py b/geni/registry.py new file mode 100644 index 00000000..53581d43 --- /dev/null +++ b/geni/registry.py @@ -0,0 +1,816 @@ +## +# Registry is a GeniServer that implements the Registry interface + +import tempfile +import os +import time +import sys + +from util.credential import Credential +from util.hierarchy import Hierarchy +from util.trustedroot import TrustedRootList +from util.cert import Keypair, Certificate +from util.gid import GID, create_uuid +from util.geniserver import GeniServer +from util.record import GeniRecord +from util.rights import RightList +from util.genitable import GeniTable +from util.geniticket import Ticket +from util.excep import * +from util.misc import * + +from util.config import * + +## +# Convert geni fields to PLC fields for use when registering up updating +# registry record in the PLC database +# +# @param type type of record (user, slice, ...) +# @param hrn human readable name +# @param geni_fields dictionary of geni fields +# @param pl_fields dictionary of PLC fields (output) + +def geni_fields_to_pl_fields(type, hrn, geni_fields, pl_fields): + if type == "user": + if not "email" in pl_fields: + if not "email" in geni_fields: + raise MissingGeniInfo("email") + pl_fields["email"] = geni_fields["email"] + + if not "first_name" in pl_fields: + pl_fields["first_name"] = "geni" + + if not "last_name" in pl_fields: + pl_fields["last_name"] = hrn + + elif type == "slice": + if not "instantiation" in pl_fields: + pl_fields["instantiation"] = "delegated" # "plc-instantiated" + if not "name" in pl_fields: + pl_fields["name"] = hrn_to_pl_slicename(hrn) + if not "max_nodes" in pl_fields: + pl_fields["max_nodes"] = 10 + + elif type == "node": + if not "hostname" in pl_fields: + if not "dns" in geni_fields: + raise MissingGeniInfo("dns") + pl_fields["hostname"] = geni_fields["dns"] + + if not "model" in pl_fields: + pl_fields["model"] = "geni" + + elif type == "sa": + pl_fields["login_base"] = hrn_to_pl_login_base(hrn) + + if not "name" in pl_fields: + pl_fields["name"] = hrn + + if not "abbreviated_name" in pl_fields: + pl_fields["abbreviated_name"] = hrn + + if not "enabled" in pl_fields: + pl_fields["enabled"] = True + + if not "is_public" in pl_fields: + pl_fields["is_public"] = True + +## +# Registry is a GeniServer that serves registry and slice operations at PLC. + +class Registry(GeniServer): + ## + # Create a new registry object. + # + # @param ip the ip address to listen on + # @param port the port to listen on + # @param key_file private key filename of registry + # @param cert_file certificate filename containing public key (could be a GID file) + + def __init__(self, ip, port, key_file, cert_file): + GeniServer.__init__(self, ip, port, key_file, cert_file) + + # get PL account settings from config module + self.pl_auth = get_pl_auth() + + # connect to planetlab + if "Url" in self.pl_auth: + self.connect_remote_shell() + else: + self.connect_local_shell() + + ## + # Connect to a remote shell via XMLRPC + + def connect_remote_shell(self): + import remoteshell + self.shell = remoteshell.RemoteShell() + + ## + # Connect to a local shell via local API functions + + def connect_local_shell(self): + import PLC.Shell + self.shell = PLC.Shell.Shell(globals = globals()) + + ## + # Register the server RPCs for the registry + + def register_functions(self): + GeniServer.register_functions(self) + # registry interface + self.server.register_function(self.create_gid) + self.server.register_function(self.get_self_credential) + self.server.register_function(self.get_credential) + self.server.register_function(self.get_gid) + self.server.register_function(self.register) + self.server.register_function(self.remove) + self.server.register_function(self.update) + self.server.register_function(self.list) + self.server.register_function(self.resolve) + + ## + # Given an authority name, return the information for that authority. This + # is basically a stub that calls the hierarchy module. + # + # @param auth_hrn human readable name of authority + + def get_auth_info(self, auth_hrn): + return self.hierarchy.get_auth_info(auth_hrn) + + ## + # Given an authority name, return the database table for that authority. If + # the database table does not exist, then one will be automatically + # created. + # + # @param auth_name human readable name of authority + + def get_auth_table(self, auth_name): + auth_info = self.get_auth_info(auth_name) + + table = GeniTable(hrn=auth_name, + cninfo=auth_info.get_dbinfo()) + + # if the table doesn't exist, then it means we haven't put any records + # into this authority yet. + + if not table.exists(): + print "Registry: creating table for authority", auth_name + table.create() + + return table + + ## + # Verify that an authority belongs to this registry. This is basically left + # up to the implementation of the hierarchy module. If the specified name + # does not belong to this registry, an exception is thrown indicating the + # caller should contact someone else. + # + # @param auth_name human readable name of authority + + def verify_auth_belongs_to_me(self, name): + # get_auth_info will throw an exception if the authority does not + # exist + self.get_auth_info(name) + + ## + # Verify that an object belongs to this registry. By extension, this implies + # that the authority that owns the object belongs to this registry. If the + # object does not belong to this registry, then an exception is thrown. + # + # @param name human readable name of object + + def verify_object_belongs_to_me(self, name): + auth_name = get_authority(name) + if not auth_name: + # the root authority belongs to the registry by default? + # TODO: is this true? + return + self.verify_auth_belongs_to_me(auth_name) + + ## + # Verify that the object_gid that was specified in the credential allows + # permission to the object 'name'. This is done by a simple prefix test. + # For example, an object_gid for planetlab.us.arizona would match the + # objects planetlab.us.arizona.slice1 and planetlab.us.arizona. + # + # @param name human readable name to test + + def verify_object_permission(self, name): + object_hrn = self.object_gid.get_hrn() + if object_hrn == name: + return + if name.startswith(object_hrn + "."): + return + raise PermissionError(name) + + ## + # Fill in the planetlab-specific fields of a Geni record. This involves + # calling the appropriate PLC methods to retrieve the database record for + # the object. + # + # PLC data is filled into the pl_info field of the record. + # + # @param record record to fill in fields (in/out param) + + def fill_record_pl_info(self, record): + type = record.get_type() + pointer = record.get_pointer() + + # records with pointer==-1 do not have plc info associated with them. + # for example, the top level authority records which are + # authorities, but not PL "sites" + if pointer == -1: + record.set_pl_info({}) + return + + if (type == "sa") or (type == "ma"): + pl_res = self.shell.GetSites(self.pl_auth, [pointer]) + elif (type == "slice"): + pl_res = self.shell.GetSlices(self.pl_auth, [pointer]) + elif (type == "user"): + pl_res = self.shell.GetPersons(self.pl_auth, [pointer]) + elif (type == "node"): + pl_res = self.shell.GetNodes(self.pl_auth, [pointer]) + else: + raise UnknownGeniType(type) + + if not pl_res: + # the planetlab record no longer exists + # TODO: delete the geni record ? + raise PlanetLabRecordDoesNotExist(record.get_name()) + + record.set_pl_info(pl_res[0]) + + ## + # Look up user records given PLC user-ids. This is used as part of the + # process for reverse-mapping PLC records into Geni records. + # + # @param auth_table database table for the authority that holds the user records + # @param user_id_list list of user ids + # @param role either "*" or a string describing the role to look for ("pi", "user", ...) + # + # TODO: This function currently only searches one authority because it would + # be inefficient to brute-force search all authorities for a user id. The + # solution would likely be to implement a reverse mapping of user-id to + # (type, hrn) pairs. + + def lookup_users(self, auth_table, user_id_list, role="*"): + record_list = [] + for person_id in user_id_list: + user_records = auth_table.find("user", person_id, "pointer") + for user_record in user_records: + self.fill_record_info(user_record) + + user_roles = user_record.get_pl_info().get("roles") + if (role=="*") or (role in user_roles): + record_list.append(user_record.get_name()) + return record_list + + ## + # Fill in the geni-specific fields of the record. + # + # Note: It is assumed the fill_record_pl_info() has already been performed + # on the record. + + def fill_record_geni_info(self, record): + geni_info = {} + type = record.get_type() + + if (type == "slice"): + auth_table = self.get_auth_table(get_authority(record.get_name())) + person_ids = record.pl_info.get("person_ids", []) + researchers = self.lookup_users(auth_table, person_ids) + geni_info['researcher'] = researchers + + elif (type == "sa"): + auth_table = self.get_auth_table(record.get_name()) + person_ids = record.pl_info.get("person_ids", []) + pis = self.lookup_users(auth_table, person_ids, "pi") + geni_info['pi'] = pis + # TODO: OrganizationName + + elif (type == "ma"): + auth_table = self.get_auth_table(record.get_name()) + person_ids = record.pl_info.get("person_ids", []) + operators = self.lookup_users(auth_table, person_ids, "tech") + geni_info['operator'] = operators + # TODO: OrganizationName + + auth_table = self.get_auth_table(record.get_name()) + person_ids = record.pl_info.get("person_ids", []) + owners = self.lookup_users(auth_table, person_ids, "admin") + geni_info['owner'] = owners + + elif (type == "node"): + geni_info['dns'] = record.pl_info.get("hostname", "") + # TODO: URI, LatLong, IP, DNS + + elif (type == "user"): + geni_info['email'] = record.pl_info.get("email", "") + # TODO: PostalAddress, Phone + + record.set_geni_info(geni_info) + + ## + # Given a Geni record, fill in the PLC-specific and Geni-specific fields + # in the record. + + def fill_record_info(self, record): + self.fill_record_pl_info(record) + self.fill_record_geni_info(record) + + ## + # GENI API: register + # + # Register an object with the registry. In addition to being stored in the + # Geni database, the appropriate records will also be created in the + # PLC databases + # + # @param cred credential string + # @param record_dict dictionary containing record fields + + def register(self, cred, record_dict): + self.decode_authentication(cred, "register") + + record = GeniRecord(dict = record_dict) + type = record.get_type() + name = record.get_name() + + auth_name = get_authority(name) + self.verify_object_permission(auth_name) + auth_info = self.get_auth_info(auth_name) + table = self.get_auth_table(auth_name) + + pkey = None + + # check if record already exists + existing_records = table.resolve(type, name) + if existing_records: + raise ExistingRecord(name) + + if (type == "sa") or (type=="ma"): + # update the tree + if not self.hierarchy.auth_exists(name): + self.hierarchy.create_auth(name) + + # authorities are special since they are managed by the registry + # rather than by the caller. We create our own GID for the + # authority rather than relying on the caller to supply one. + + # get the GID from the newly created authority + child_auth_info = self.get_auth_info(name) + gid = auth_info.get_gid_object() + record.set_gid(gid.save_to_string(save_parents=True)) + + geni_fields = record.get_geni_info() + site_fields = record.get_pl_info() + + # if registering a sa, see if a ma already exists + # if registering a ma, see if a sa already exists + if (type == "sa"): + other_rec = table.resolve("ma", record.get_name()) + elif (type == "ma"): + other_rec = table.resolve("sa", record.get_name()) + + if other_rec: + print "linking ma and sa to the same plc site" + pointer = other_rec[0].get_pointer() + else: + geni_fields_to_pl_fields(type, name, geni_fields, site_fields) + print "adding site with fields", site_fields + pointer = self.shell.AddSite(self.pl_auth, site_fields) + + record.set_pointer(pointer) + + elif (type == "slice"): + geni_fields = record.get_geni_info() + slice_fields = record.get_pl_info() + + geni_fields_to_pl_fields(type, name, geni_fields, slice_fields) + + pointer = self.shell.AddSlice(self.pl_auth, slice_fields) + record.set_pointer(pointer) + + elif (type == "user"): + geni_fields = record.get_geni_info() + user_fields = record.get_pl_info() + + geni_fields_to_pl_fields(type, name, geni_fields, user_fields) + + pointer = self.shell.AddPerson(self.pl_auth, user_fields) + record.set_pointer(pointer) + + elif (type == "node"): + geni_fields = record.get_geni_info() + node_fields = record.get_pl_info() + + geni_fields_to_pl_fields(type, name, geni_fields, node_fields) + + login_base = hrn_to_pl_login_base(auth_name) + + print "calling addnode with", login_base, node_fields + pointer = self.shell.AddNode(self.pl_auth, login_base, node_fields) + record.set_pointer(pointer) + + else: + raise UnknownGeniType(type) + + table.insert(record) + + return record.get_gid_object().save_to_string(save_parents=True) + + ## + # GENI API: remove + # + # Remove an object from the registry. If the object represents a PLC object, + # then the PLC records will also be removed. + # + # @param cred credential string + # @param record_dict dictionary containing record fields. The only relevant + # fields of the record are 'name' and 'type', which are used to lookup + # the current copy of the record in the Geni database, to make sure + # that the appopriate record is removed. + + def remove(self, cred, type, hrn): + self.decode_authentication(cred, "remove") + + self.verify_object_permission(hrn) + + auth_name = get_authority(hrn) + table = self.get_auth_table(auth_name) + + record_list = table.resolve(type, hrn) + if not record_list: + raise RecordNotFound(name) + record = record_list[0] + + # TODO: sa, ma + if type == "user": + self.shell.DeletePerson(self.pl_auth, record.get_pointer()) + elif type == "slice": + self.shell.DeleteSlice(self.pl_auth, record.get_pointer()) + elif type == "node": + self.shell.DeleteNode(self.pl_auth, record.get_pointer()) + elif (type == "sa") or (type == "ma"): + if (type == "sa"): + other_rec = table.resolve("ma", record.get_name()) + elif (type == "ma"): + other_rec = table.resolve("sa", record.get_name()) + + if other_rec: + # sa and ma both map to a site, so if we are deleting one + # but the other still exists, then do not delete the site + print "not removing site", record.get_name(), "because either sa or ma still exists" + pass + else: + print "removing site", record.get_name() + self.shell.DeleteSite(self.pl_auth, record.get_pointer()) + else: + raise UnknownGeniType(type) + + table.remove(record) + + return True + + ## + # GENI API: Register + # + # Update an object in the registry. Currently, this only updates the + # PLC information associated with the record. The Geni fields (name, type, + # GID) are fixed. + # + # The record is expected to have the pl_info field filled in with the data + # that should be updated. + # + # TODO: The geni_info member of the record should be parsed and the pl_info + # adjusted as necessary (add/remove users from a slice, etc) + # + # @param cred credential string specifying rights of the caller + # @param record a record dictionary to be updated + + def update(self, cred, record_dict): + self.decode_authentication(cred, "update") + + record = GeniRecord(dict = record_dict) + type = record.get_type() + + self.verify_object_permission(record.get_name()) + + auth_name = get_authority(record.get_name()) + table = self.get_auth_table(auth_name) + + # make sure the record exists + existing_record_list = table.resolve(type, record.get_name()) + if not existing_record_list: + raise RecordNotFound(record.get_name()) + + existing_record = existing_record_list[0] + pointer = existing_record.get_pointer() + + # update the PLC information that was specified with the record + + if (type == "sa") or (type == "ma"): + self.shell.UpdateSite(self.pl_auth, pointer, record.get_pl_info()) + + elif type == "slice": + self.shell.UpdateSlice(self.pl_auth, pointer, record.get_pl_info()) + + elif type == "user": + # SMBAKER: UpdatePerson only allows a limited set of fields to be + # updated. Ideally we should have a more generic way of doing + # this. I copied the field names from UpdatePerson.py... + update_fields = {} + all_fields = record.get_pl_info() + for key in all_fields.keys(): + if key in ['first_name', 'last_name', 'title', 'email', + 'password', 'phone', 'url', 'bio', 'accepted_aup', + 'enabled']: + update_fields[key] = all_fields[key] + self.shell.UpdatePerson(self.pl_auth, pointer, update_fields) + + elif type == "node": + self.shell.UpdateNode(self.pl_auth, pointer, record.get_pl_info()) + + else: + raise UnknownGeniType(type) + + ## + # List the records in an authority. The objectGID in the supplied credential + # should name the authority that will be listed. + # + # TODO: List doesn't take an hrn and uses the hrn contained in the + # objectGid of the credential. Does this mean the only way to list an + # authority is by having a credential for that authority? + # + # @param cred credential string specifying rights of the caller + # + # @return list of record dictionaries + def list(self, cred, auth_hrn): + self.decode_authentication(cred, "list") + + if not self.hierarchy.auth_exists(auth_hrn): + raise MissingAuthority(auth_hrn) + + table = self.get_auth_table(auth_hrn) + + records = table.list() + + good_records = [] + for record in records: + try: + self.fill_record_info(record) + good_records.append(record) + except PlanetLabRecordDoesNotExist: + # silently drop the ones that are missing in PL. + # is this the right thing to do? + print "ignoring geni record ", record.get_name(), " because pl record does not exist" + table.remove(record) + + dicts = [] + for record in good_records: + dicts.append(record.as_dict()) + + return dicts + + return dict_list + + ## + # Resolve a record. This is an internal version of the Resolve API call + # and returns records in record object format rather than dictionaries + # that may be sent over XMLRPC. + # + # @param type type of record to resolve (user | sa | ma | slice | node) + # @param name human readable name of object + # @param must_exist if True, throw an exception if no records are found + # + # @return a list of record objects, or an empty list [] + + def resolve_raw(self, type, name, must_exist=True): + auth_name = get_authority(name) + + table = self.get_auth_table(auth_name) + + records = table.resolve(type, name) + + if (not records) and must_exist: + raise RecordNotFound(name) + + good_records = [] + for record in records: + try: + self.fill_record_info(record) + good_records.append(record) + except PlanetLabRecordDoesNotExist: + # silently drop the ones that are missing in PL. + # is this the right thing to do? + print "ignoring geni record ", record.get_name(), "because pl record does not exist" + table.remove(record) + + return good_records + + ## + # GENI API: Resolve + # + # This is a wrapper around resolve_raw that converts records objects into + # dictionaries before returning them to the user. + # + # @param cred credential string authorizing the caller + # @param name human readable name to resolve + # + # @return a list of record dictionaries, or an empty list + + def resolve(self, cred, name): + self.decode_authentication(cred, "resolve") + + records = self.resolve_raw("*", name) + dicts = [] + for record in records: + dicts.append(record.as_dict()) + + return dicts + + ## + # GENI API: get_gid + # + # Retrieve the GID for an object. This function looks up a record in the + # registry and returns the GID of the record if it exists. + # TODO: Is this function needed? It's a shortcut for Resolve() + # + # @param name hrn to look up + # + # @return the string representation of a GID object + + def get_gid(self, name): + self.verify_object_belongs_to_me(name) + records = self.resolve_raw("*", name) + gid_string_list = [] + for record in records: + gid = record.get_gid() + gid_string_list.append(gid.save_to_string(save_parents=True)) + return gid_string_list + + ## + # Determine tje rights that an object should have. The rights are entirely + # dependent on the type of the object. For example, users automatically + # get "refresh", "resolve", and "info". + # + # @param type the type of the object (user | sa | ma | slice | node) + # @param name human readable name of the object (not used at this time) + # + # @return RightList object containing rights + + def determine_rights(self, type, name): + rl = RightList() + + # rights seem to be somewhat redundant with the type of the credential. + # For example, a "sa" credential implies the authority right, because + # a sa credential cannot be issued to a user who is not an owner of + # the authority + + if type == "user": + rl.add("refresh") + rl.add("resolve") + rl.add("info") + elif type == "sa": + rl.add("authority") + elif type == "ma": + rl.add("authority") + elif type == "slice": + rl.add("refresh") + rl.add("embed") + rl.add("bind") + rl.add("control") + rl.add("info") + elif type == "component": + rl.add("operator") + + return rl + + ## + # GENI API: Get_self_credential + # + # Get_self_credential a degenerate version of get_credential used by a + # client to get his initial credential when he doesn't have one. This is + # the same as get_credential(..., cred=None,...). + # + # The registry ensures that the client is the principal that is named by + # (type, name) by comparing the public key in the record's GID to the + # private key used to encrypt the client-side of the HTTPS connection. Thus + # it is impossible for one principal to retrieve another principal's + # credential without having the appropriate private key. + # + # @param type type of object (user | slice | sa | ma | node + # @param name human readable name of object + # + # @return the string representation of a credential object + + def get_self_credential(self, type, name): + self.verify_object_belongs_to_me(name) + + auth_hrn = get_authority(name) + auth_info = self.get_auth_info(auth_hrn) + + # find a record that matches + records = self.resolve_raw(type, name, must_exist=True) + record = records[0] + + gid = record.get_gid_object() + peer_cert = self.server.peer_cert + if not peer_cert.is_pubkey(gid.get_pubkey()): + raise ConnectionKeyGIDMismatch(gid.get_subject()) + + # create the credential + gid = record.get_gid_object() + cred = Credential(subject = gid.get_subject()) + cred.set_gid_caller(gid) + cred.set_gid_object(gid) + cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn) + cred.set_pubkey(gid.get_pubkey()) + + rl = self.determine_rights(type, name) + cred.set_privileges(rl) + + cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn)) + + cred.encode() + cred.sign() + + return cred.save_to_string(save_parents=True) + + ## + # GENI API: Get_credential + # + # Retrieve a credential for an object. + # + # If cred==None, then the behavior reverts to get_self_credential() + # + # @param cred credential object specifying rights of the caller + # @param type type of object (user | slice | sa | ma | node) + # @param name human readable name of object + # + # @return the string representation of a credental object + + def get_credential(self, cred, type, name): + if not cred: + return get_self_credential(self, type, name) + + self.decode_authentication(cred, "getcredential") + + self.verify_object_belongs_to_me(name) + + auth_hrn = get_authority(name) + auth_info = self.get_auth_info(auth_hrn) + + records = self.resolve_raw(type, name, must_exist=True) + record = records[0] + + # TODO: Check permission that self.client_cred can access the object + + object_gid = record.get_gid_object() + new_cred = Credential(subject = object_gid.get_subject()) + new_cred.set_gid_caller(self.client_gid) + new_cred.set_gid_object(object_gid) + new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn) + new_cred.set_pubkey(object_gid.get_pubkey()) + + rl = self.determine_rights(type, name) + new_cred.set_privileges(rl) + + new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn)) + + new_cred.encode() + new_cred.sign() + + return new_cred.save_to_string(save_parents=True) + + ## + # GENI_API: Create_gid + # + # Create a new GID. For MAs and SAs that are physically located on the + # registry, this allows a owner/operator/PI to create a new GID and have it + # signed by his respective authority. + # + # @param cred credential of caller + # @param name hrn for new GID + # @param uuid unique identifier for new GID + # @param pkey_string public-key string (TODO: why is this a string and not a keypair object?) + # + # @return the string representation of a GID object + + def create_gid(self, cred, name, uuid, pubkey_str): + self.decode_authentication(cred, "getcredential") + + self.verify_object_belongs_to_me(name) + + self.verify_object_permission(name) + + if uuid == None: + uuid = create_uuid() + + pkey = Keypair() + pkey.load_pubkey_from_string(pubkey_str) + gid = self.hierarchy.create_gid(name, uuid, pkey) + + return gid.save_to_string(save_parents=True) + diff --git a/geni/slicemgr.py b/geni/slicemgr.py new file mode 100644 index 00000000..0f28d544 --- /dev/null +++ b/geni/slicemgr.py @@ -0,0 +1,393 @@ +import os +import sys +import datetime +import time + +from util.geniserver import * +from util.geniclient import * +from util.cert import * +from util.trustedroot import * +from util.excep import * +from util.misc import * +from util.config import Config + +class SliceMgr(GeniServer): + + hrn = None + key_file = None + cert_file = None + components_file = None + slices_file = None + components_ttl = None + components = [] + slices = [] + policy = {} + timestamp = None + threshold = None + shell = None + aggregates = {} + + + ## + # Create a new slice manager object. + # + # @param ip the ip address to listen on + # @param port the port to listen on + # @param key_file private key filename of registry + # @param cert_file certificate filename containing public key (could be a GID file) + + def __init__(self, ip, port, key_file, cert_file, config = "/usr/share/geniwrapper/util/geni_config"): + GeniServer.__init__(ip, port, key_file, cert_file) + self.key_file = key_file + self.cert_file = cert_file + self.conf = Config(config) + basedir = self.conf.GENI_BASE_DIR + os.sep + server_basedir = basedir + os.sep + "plc" + os.sep + self.hrn = conf.GENI_INTERFACE_HRN + + # Get list of aggregates this sm talks to + aggregates_file = server_basedir + os.sep + 'aggregates' + self.load_aggregates(aggregates_file) + self.components_file = os.sep.join([server_basedir, 'components', 'slicemgr.' + hrn + '.comp']) + self.slices_file = os.sep.join([server_basedir, 'components', 'slicemgr' + hrn + '.slices']) + self.timestamp_file = os.sep.join([server_basedir, 'components', 'slicemgr' + hrn + '.timestamp']) + self.components_ttl = components_ttl + self.policy['whitelist'] = [] + self.policy['blacklist'] = [] + self.connect() + + def load_aggregates(self, aggregates_file): + """ + Get info about the aggregates available to us from file and create + an xmlrpc connection to each. If any info is invalid, skip it. + """ + lines = [] + try: + f = open(aggregates_file, 'r') + lines = f.readlines() + f.close() + except: raise + + for line in lines: + # Skip comments + if line.strip.startswith("#"): + continue + agg_info = line.split("\t").split(" ") + + # skip invalid info + if len(agg_info) != 3: + continue + + # create xmlrpc connection using GeniClient + hrn, address, port = agg_info[0], agg_info[1], agg_info[2] + url = 'https://%(address)s:%(port)s' % locals() + self.aggregates[hrn] = GeniClient(url, self.key_file, self.cert_file) + + + def item_hrns(self, items): + """ + Take a list of items (components or slices) and return a dictionary where + the key is the authoritative hrn and the value is a list of items at that + hrn. + """ + item_hrns = {} + agg_hrns = self.aggregates.keys() + for agg_hrn in agg_hrns: + item_hrns[agg_hrn] = [] + for item in items: + for agg_hrn in agg_hrns: + if item.startswith(agg_hrn): + item_hrns[agg_hrn] = item + + return item_hrns + + + def hostname_to_hrn(self, login_base, hostname): + """ + Convert hrn to plantelab name. + """ + genihostname = "_".join(hostname.split(".")) + return ".".join([self.hrn, login_base, genihostname]) + + def slicename_to_hrn(self, slicename): + """ + Convert hrn to planetlab name. + """ + slicename = slicename.replace("_", ".") + return ".".join([self.hrn, slicename]) + + def refresh_components(self): + """ + Update the cached list of nodes. + """ + print "refreshing" + + aggregates = self.aggregates.keys() + all_nodes = [] + all_slices = [] + for aggregate in aggregates: + try: + # resolve components hostnames + nodes = self.aggregates[aggregate].get_components() + all_nodes.extend(nodes) + # update timestamp and threshold + self.timestamp = datetime.datetime.now() + delta = datetime.timedelta(hours=self.components_ttl) + self.threshold = self.timestamp + delta + except: + # XX print out to some error log + pass + + self.components = all_nodes + f = open(self.components_file, 'w') + f.write(str(self.components)) + f.close() + f = open(self.timestamp_file, 'w') + f.write(str(self.threshold)) + f.close() + + def load_components(self): + """ + Read cached list of nodes and slices. + """ + print "loading nodes" + # Read component list from cached file + if os.path.exists(self.components_file): + f = open(self.components_file, 'r') + self.components = eval(f.read()) + f.close() + + time_format = "%Y-%m-%d %H:%M:%S" + if os.path.exists(self.timestamp_file): + f = open(self.timestamp_file, 'r') + timestamp = str(f.read()).split(".")[0] + self.timestamp = datetime.datetime.fromtimestamp(time.mktime(time.strptime(timestamp, time_format))) + delta = datetime.timedelta(hours=self.components_ttl) + self.threshold = self.timestamp + delta + f.close() + + def load_policy(self): + """ + Read the list of blacklisted and whitelisted nodes. + """ + whitelist = [] + blacklist = [] + if os.path.exists(self.whitelist_file): + f = open(self.whitelist_file, 'r') + lines = f.readlines() + f.close() + for line in lines: + line = line.strip().replace(" ", "").replace("\n", "") + whitelist.extend(line.split(",")) + + + if os.path.exists(self.blacklist_file): + f = open(self.blacklist_file, 'r') + lines = f.readlines() + f.close() + for line in lines: + line = line.strip().replace(" ", "").replace("\n", "") + blacklist.extend(line.split(",")) + + self.policy['whitelist'] = whitelist + self.policy['blacklist'] = blacklist + + def load_slices(self): + """ + Read current slice instantiation states. + """ + print "loading slices" + if os.path.exists(self.slices_file): + f = open(self.components_file, 'r') + self.slices = eval(f.read()) + f.close() + + def write_slices(self): + """ + Write current slice instantiations to file. + """ + print "writing slices" + f = open(self.slices_file, 'w') + f.write(str(self.slices)) + f.close() + + + def get_components(self): + """ + Return a list of components managed by this slice manager. + """ + # Reload components list + now = datetime.datetime.now() + #self.load_components() + if not self.threshold or not self.timestamp or now > self.threshold: + self.refresh_components() + elif now < self.threshold and not self.components: + self.load_components() + return self.components + + + def get_slices(self): + """ + Return a list of instnatiated managed by this slice manager. + """ + now = datetime.datetime.now() + #self.load_components() + if not self.threshold or not self.timestamp or now > self.threshold: + self.refresh_components() + elif now < self.threshold and not self.slices: + self.load_components() + return self.slices + + def get_slivers(self, hrn): + """ + Return the list of slices instantiated at the specified component. + """ + + # hrn is assumed to be a component hrn + if hrn not in self.slices: + raise RecordNotFound(hrn) + + return self.slices[hrn] + + def get_rspec(self, hrn, type): + #rspec = Rspec() + if type in ['node']: + nodes = self.shell.GetNodes(self.auth) + elif type in ['slice']: + slices = self.shell.GetSlices(self.auth) + elif type in ['aggregate']: + pass + + def get_resources(self, slice_hrn): + """ + Return the current rspec for the specified slice. + """ + slicename = hrn_to_plcslicename(slice_hrn) + rspec = self.get_rspec(slicenamem, 'slice' ) + + return rspec + + def create_slice(self, slice_hrn, rspec, attributes): + """ + Instantiate the specified slice according to whats defined in the rspec. + """ + slicename = self.hrn_to_plcslicename(slice_hrn) + #spec = Rspec(rspec) + node_hrns = [] + #for netspec in spec['networks]: + # networkname = netspec['name'] + # nodespec = spec['networks']['nodes'] + # nodes = [nspec['name'] for nspec in nodespec] + # node_hrns = [networkname + node for node in nodes] + # + self.db.AddSliceToNodes(slice_hrn, node_hrns) + return 1 + + def delete_slice_(self, slice_hrn): + """ + Remove this slice from all components it was previouly associated with and + free up the resources it was using. + """ + self.db.DeleteSliceFromNodes(self.auth, slicename, self.components) + return 1 + + def start_slice(self, slice_hrn): + """ + Stop the slice at plc. + """ + slicename = hrn_to_plcslicename(slice_hrn) + slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id']) + if not slices: + raise RecordNotFound(slice_hrn) + slice_id = slices[0] + atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id']) + attribute_id = attreibutes[0] + self.shell.UpdateSliceAttribute(self.auth, attribute_id, "1" ) + return 1 + + def stop_slice(self, slice_hrn): + """ + Stop the slice at plc + """ + slicename = hrn_to_plcslicename(slice_hrn) + slices = self.shell.GetSlices(self.auth, {'name': slicename}, ['slice_id']) + if not slices: + raise RecordNotFound(slice_hrn) + slice_id = slices[0] + atrribtes = self.shell.GetSliceAttributes({'slice_id': slice_id, 'name': 'enabled'}, ['slice_attribute_id']) + attribute_id = attreibutes[0] + self.shell.UpdateSliceAttribute(self.auth, attribute_id, "0") + return 1 + + def reset_slice(self, slice_hrn): + """ + Reset the slice + """ + slicename = self.hrn_to_plcslicename(slice_hrn) + return 1 + + def get_policy(self): + """ + Return the policy of this slice manager. + """ + + return self.policy + + + +############################## +## Server methods here for now +############################## + + def nodes(self): + return self..get_components() + + def slices(self): + return self.get_slices() + + def resources(self, cred, hrn): + self.decode_authentication(cred, 'info') + self.verify_object_belongs_to_me(hrn) + + return self.get_resources(hrn) + + def create(self, cred, hrn, rspec): + self.decode_authentication(cred, 'embed') + self.verify_object_belongs_to_me(hrn, rspec) + return self.create(hrn) + + def delete(self, cred, hrn): + self.decode_authentication(cred, 'embed') + self.verify_object_belongs_to_me(hrn) + return self.delete_slice(hrn) + + def start(self, cred, hrn): + self.decode_authentication(cred, 'control') + return self.start(hrn) + + def stop(self, cred, hrn): + self.decode_authentication(cred, 'control') + return self.stop(hrn) + + def reset(self, cred, hrn): + self.decode_authentication(cred, 'control') + return self.reset(hrn) + + def policy(self, cred): + self.decode_authentication(cred, 'info') + return self.get_policy() + + def register_functions(self): + GeniServer.register_functions(self) + + # Aggregate interface methods + self.server.register_function(self.components) + self.server.register_function(self.slices) + self.server.register_function(self.resources) + self.server.register_function(self.create) + self.server.register_function(self.delete) + self.server.register_function(self.start) + self.server.register_function(self.stop) + self.server.register_function(self.reset) + self.server.register_function(self.policy) +