X-Git-Url: http://git.onelab.eu/?p=nodemanager.git;a=blobdiff_plain;f=plugins%2Fsliverauth.py;h=503afa1084b482be17f967e1d11da41f73947a77;hp=9ff2f385a76f6d61ec2bec1f1b83f22dd5baa938;hb=48a73b18fd7daed13c645c1adeddb57b560e7a2d;hpb=08d6f2b70b86a10b222a5afe80945598296196ad diff --git a/plugins/sliverauth.py b/plugins/sliverauth.py index 9ff2f38..503afa1 100644 --- a/plugins/sliverauth.py +++ b/plugins/sliverauth.py @@ -1,14 +1,13 @@ #!/usr/bin/python -tt # vim:set ts=4 sw=4 expandtab: # -# $Id$ -# $URL$ -# # NodeManager plugin for creating credentials in slivers # (*) empower slivers to make API calls throught hmac # (*) also create a ssh key - used by the OMF resource controller # for authenticating itself with its Experiment Controller -# xxx todo : a config option for turning these 2 things on or off ? +# in order to avoid spamming the DB with huge amounts of such tags, +# (*) slices need to have the 'enable_hmac' tag set +# (*) or the 'omf_control' tag set, respectively """ Sliver authentication support for NodeManager. @@ -41,34 +40,44 @@ def GetSlivers(data, config, plc): path = '/vservers/%s' % sliver['name'] if not os.path.exists(path): # ignore all non-plc-instantiated slivers - instantiation = sliver.get('instantiation','') + instantiation = sliver.get('instantiation', '') if instantiation == 'plc-instantiated': logger.log("sliverauth: plc-instantiated slice %s does not yet exist. IGNORING!" % sliver['name']) continue - manage_hmac (plc, sliver) - manage_sshkey (plc, sliver) + system_slice = False + for chunk in sliver['attributes']: + if chunk['tagname'] == "system": + if chunk['value'] in (True, 1, '1') or chunk['value'].lower() == "true": + system_slice = True + + for chunk in sliver['attributes']: + if chunk['tagname']=='enable_hmac' and not system_slice: + manage_hmac (plc, sliver) + + if chunk['tagname']=='omf_control': + manage_sshkey (plc, sliver) def SetSliverTag(plc, slice, tagname, value): node_id = tools.node_id() - slivertags=plc.GetSliceTags({"name":slice,"node_id":node_id,"tagname":tagname}) + slivertags=plc.GetSliceTags({"name":slice, "node_id":node_id, "tagname":tagname}) if len(slivertags)==0: # looks like GetSlivers reports about delegated/nm-controller slices that do *not* belong to this node # and this is something that AddSliceTag does not like try: - slivertag_id=plc.AddSliceTag(slice,tagname,value,node_id) + slivertag_id=plc.AddSliceTag(slice, tagname, value, node_id) except: logger.log_exc ("sliverauth.SetSliverTag (probably delegated) slice=%(slice)s tag=%(tagname)s node_id=%(node_id)d"%locals()) pass else: slivertag_id=slivertags[0]['slice_tag_id'] - plc.UpdateSliceTag(slivertag_id,value) + plc.UpdateSliceTag(slivertag_id, value) def find_tag (sliver, tagname): for attribute in sliver['attributes']: # for legacy, try the old-fashioned 'name' as well - name = attribute.get('tagname',attribute.get('name','')) + name = attribute.get('tagname', attribute.get('name', '')) if name == tagname: return attribute['value'] return None @@ -79,32 +88,37 @@ def manage_hmac (plc, sliver): if not hmac: # let python do its thing random.seed() - d = [random.choice(string.letters) for x in xrange(32)] + d = [random.choice(string.letters) for x in range(32)] hmac = "".join(d) - SetSliverTag(plc,sliver['name'],'hmac',hmac) + SetSliverTag(plc, sliver['name'], 'hmac', hmac) logger.log("sliverauth: %s: setting hmac" % sliver['name']) path = '/vservers/%s/etc/planetlab' % sliver['name'] if os.path.exists(path): keyfile = '%s/key' % path - if (tools.replace_file_with_string(keyfile,hmac,chmod=0400)): + if (tools.replace_file_with_string(keyfile, hmac, chmod=0o400)): logger.log ("sliverauth: (over)wrote hmac into %s " % keyfile) # create the key if needed and returns the key contents def generate_sshkey (sliver): - keyfile="/vservers/%s/home/%s/.ssh/id_rsa"%(sliver['name'],sliver['name']) +# initial version was storing stuff in the sliver directly +# keyfile="/vservers/%s/home/%s/.ssh/id_rsa"%(sliver['name'], sliver['name']) +# we're now storing this in the same place as the authorized_keys, which in turn +# gets mounted to the user's home directory in the sliver + keyfile="/home/%s/.ssh/id_rsa"%(sliver['name']) pubfile="%s.pub"%keyfile dotssh=os.path.dirname(keyfile) # create dir if needed if not os.path.isdir (dotssh): - os.mkdir (dotssh, 0700) + os.mkdir (dotssh, 0o700) logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), dotssh ] ) - if not os.path.isfile (pubfile): - comment="%s@%s"%(sliver['name'],socket.gethostname()) + if not os.path.isfile(pubfile): + comment="%s@%s"%(sliver['name'], socket.gethostname()) logger.log_call( [ 'ssh-keygen', '-t', 'rsa', '-N', '', '-f', keyfile , '-C', comment] ) - os.chmod (keyfile, 0400) + os.chmod (keyfile, 0o400) logger.log_call ( [ 'chown', "%s:slices"%(sliver['name']), keyfile, pubfile ] ) - return file(pubfile).read() + with open(pubfile) as f: + return f.read().strip() # a sliver can get created, deleted and re-created # the slice having the tag is not sufficient to skip key geneneration @@ -113,6 +127,6 @@ def manage_sshkey (plc, sliver): # if it's lost b/c e.g. the sliver was destroyed we cannot save the tags content ssh_key = generate_sshkey(sliver) old_tag = find_tag (sliver, 'ssh_key') - if ssh_key <> old_tag: + if ssh_key != old_tag: SetSliverTag(plc, sliver['name'], 'ssh_key', ssh_key) logger.log ("sliverauth: %s: setting ssh_key" % sliver['name'])