sfa/managers/registry_manager.py

   1 import types
   2 import time
   3 # for get_key_from_incoming_ip
   4 import tempfile
   5 import os
   6 import commands
   7
   8 from sfa.util.faults import RecordNotFound, AccountNotEnabled, PermissionError, MissingAuthority, \
   9     UnknownSfaType, ExistingRecord, NonExistingRecord
  10 from sfa.util.prefixTree import prefixTree
  11 from sfa.util.xrn import Xrn, get_authority, hrn_to_urn, urn_to_hrn
  12 from sfa.util.plxrn import hrn_to_pl_login_base
  13 from sfa.util.version import version_core
  14 from sfa.util.sfalogging import logger
  15
  16 from sfa.trust.gid import GID
  17 from sfa.trust.credential import Credential
  18 from sfa.trust.certificate import Certificate, Keypair, convert_public_key
  19 from sfa.trust.gid import create_uuid
  20
  21 from sfa.storage.record import SfaRecord
  22 from sfa.storage.table import SfaTable
  23
  24 class RegistryManager:
  25
  26     def __init__ (self, config): pass
  27
  28     # The GENI GetVersion call
  29     def GetVersion(self, api, options):
  30         peers = dict ( [ (hrn,interface.get_url()) for (hrn,interface) in api.registries.iteritems()
  31                        if hrn != api.hrn])
  32         xrn=Xrn(api.hrn)
  33         return version_core({'interface':'registry',
  34                              'sfa': 2,
  35                              'hrn':xrn.get_hrn(),
  36                              'urn':xrn.get_urn(),
  37                              'peers':peers})
  38
  39     def GetCredential(self, api, xrn, type, is_self=False):
  40         # convert xrn to hrn
  41         if type:
  42             hrn = urn_to_hrn(xrn)[0]
  43         else:
  44             hrn, type = urn_to_hrn(xrn)
  45
  46         # Is this a root or sub authority
  47         auth_hrn = api.auth.get_authority(hrn)
  48         if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
  49             auth_hrn = hrn
  50         # get record info
  51         auth_info = api.auth.get_auth_info(auth_hrn)
  52         table = SfaTable()
  53         records = table.findObjects({'type': type, 'hrn': hrn})
  54         if not records:
  55             raise RecordNotFound(hrn)
  56         record = records[0]
  57
  58         # verify_cancreate_credential requires that the member lists
  59         # (researchers, pis, etc) be filled in
  60         self.driver.augment_records_with_testbed_info (record)
  61         if not self.driver.is_enabled (record):
  62               raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" %(record['email']))
  63
  64         # get the callers gid
  65         # if this is a self cred the record's gid is the caller's gid
  66         if is_self:
  67             caller_hrn = hrn
  68             caller_gid = record.get_gid_object()
  69         else:
  70             caller_gid = api.auth.client_cred.get_gid_caller()
  71             caller_hrn = caller_gid.get_hrn()
  72
  73         object_hrn = record.get_gid_object().get_hrn()
  74         rights = api.auth.determine_user_rights(caller_hrn, record)
  75         # make sure caller has rights to this object
  76         if rights.is_empty():
  77             raise PermissionError(caller_hrn + " has no rights to " + record['name'])
  78
  79         object_gid = GID(string=record['gid'])
  80         new_cred = Credential(subject = object_gid.get_subject())
  81         new_cred.set_gid_caller(caller_gid)
  82         new_cred.set_gid_object(object_gid)
  83         new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename())
  84         #new_cred.set_pubkey(object_gid.get_pubkey())
  85         new_cred.set_privileges(rights)
  86         new_cred.get_privileges().delegate_all_privileges(True)
  87         if 'expires' in record:
  88             new_cred.set_expiration(int(record['expires']))
  89         auth_kind = "authority,ma,sa"
  90         # Parent not necessary, verify with certs
  91         #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  92         new_cred.encode()
  93         new_cred.sign()
  94
  95         return new_cred.save_to_string(save_parents=True)
  96
  97
  98     def Resolve(self, api, xrns, type=None, full=True):
  99
 100         if not isinstance(xrns, types.ListType):
 101             xrns = [xrns]
 102             # try to infer type if not set and we get a single input
 103             if not type:
 104                 type = Xrn(xrns).get_type()
 105         hrns = [urn_to_hrn(xrn)[0] for xrn in xrns]
 106         # load all known registry names into a prefix tree and attempt to find
 107         # the longest matching prefix
 108         # create a dict where key is a registry hrn and its value is a
 109         # hrns at that registry (determined by the known prefix tree).
 110         xrn_dict = {}
 111         registries = api.registries
 112         tree = prefixTree()
 113         registry_hrns = registries.keys()
 114         tree.load(registry_hrns)
 115         for xrn in xrns:
 116             registry_hrn = tree.best_match(urn_to_hrn(xrn)[0])
 117             if registry_hrn not in xrn_dict:
 118                 xrn_dict[registry_hrn] = []
 119             xrn_dict[registry_hrn].append(xrn)
 120
 121         records = []
 122         for registry_hrn in xrn_dict:
 123             # skip the hrn without a registry hrn
 124             # XX should we let the user know the authority is unknown?
 125             if not registry_hrn:
 126                 continue
 127
 128             # if the best match (longest matching hrn) is not the local registry,
 129             # forward the request
 130             xrns = xrn_dict[registry_hrn]
 131             if registry_hrn != api.hrn:
 132                 credential = api.getCredential()
 133                 interface = api.registries[registry_hrn]
 134                 server_proxy = api.server_proxy(interface, credential)
 135                 peer_records = server_proxy.Resolve(xrns, credential)
 136                 records.extend([SfaRecord(dict=record).as_dict() for record in peer_records])
 137
 138         # try resolving the remaining unfound records at the local registry
 139         local_hrns = list ( set(hrns).difference([record['hrn'] for record in records]) )
 140         #
 141         table = SfaTable()
 142         local_records = table.findObjects({'hrn': local_hrns})
 143
 144         if full:
 145             # in full mode we get as much info as we can, which involves contacting the
 146             # testbed for getting implementation details about the record
 147             self.driver.augment_records_with_testbed_info(local_records)
 148             # also we fill the 'url' field for known authorities
 149             # used to be in the driver code, sounds like a poorman thing though
 150             def solve_neighbour_url (record):
 151                 if not record['type'].startswith('authority'): return
 152                 hrn=record['hrn']
 153                 for neighbour_dict in [ api.aggregates, api.registries ]:
 154                     if hrn in neighbour_dict:
 155                         record['url']=neighbour_dict[hrn].get_url()
 156                         return
 157             [ solve_neighbour_url (record) for record in local_records ]
 158
 159
 160
 161         # convert local record objects to dicts
 162         records.extend([dict(record) for record in local_records])
 163         if type:
 164             records = filter(lambda rec: rec['type'] in [type], records)
 165
 166         if not records:
 167             raise RecordNotFound(str(hrns))
 168
 169         return records
 170
 171     def List(self, api, xrn, origin_hrn=None):
 172         hrn, type = urn_to_hrn(xrn)
 173         # load all know registry names into a prefix tree and attempt to find
 174         # the longest matching prefix
 175         records = []
 176         registries = api.registries
 177         registry_hrns = registries.keys()
 178         tree = prefixTree()
 179         tree.load(registry_hrns)
 180         registry_hrn = tree.best_match(hrn)
 181
 182         #if there was no match then this record belongs to an unknow registry
 183         if not registry_hrn:
 184             raise MissingAuthority(xrn)
 185         # if the best match (longest matching hrn) is not the local registry,
 186         # forward the request
 187         records = []
 188         if registry_hrn != api.hrn:
 189             credential = api.getCredential()
 190             interface = api.registries[registry_hrn]
 191             server_proxy = api.server_proxy(interface, credential)
 192             record_list = server_proxy.List(xrn, credential)
 193             records = [SfaRecord(dict=record).as_dict() for record in record_list]
 194
 195         # if we still have not found the record yet, try the local registry
 196         if not records:
 197             if not api.auth.hierarchy.auth_exists(hrn):
 198                 raise MissingAuthority(hrn)
 199
 200             table = SfaTable()
 201             records = table.find({'authority': hrn})
 202
 203         return records
 204
 205
 206     def CreateGid(self, api, xrn, cert):
 207         # get the authority
 208         authority = Xrn(xrn=xrn).get_authority_hrn()
 209         auth_info = api.auth.get_auth_info(authority)
 210         if not cert:
 211             pkey = Keypair(create=True)
 212         else:
 213             certificate = Certificate(string=cert)
 214             pkey = certificate.get_pubkey()
 215         gid = api.auth.hierarchy.create_gid(xrn, create_uuid(), pkey)
 216         return gid.save_to_string(save_parents=True)
 217
 218     ####################
 219     # utility for handling relationships among the SFA objects
 220     # given that the SFA db does not handle this sort of relationsships
 221     # it will rely on side-effects in the testbed to keep this persistent
 222
 223     # subject_record describes the subject of the relationships
 224     # ref_record contains the target values for the various relationships we need to manage
 225     # (to begin with, this is just the slice x person relationship)
 226     def update_relations (self, subject_record, ref_record):
 227         type=subject_record['type']
 228         if type=='slice':
 229             self.update_relation(subject_record, 'researcher', ref_record.get('researcher'), 'user')
 230
 231     # field_key is the name of one field in the record, typically 'researcher' for a 'slice' record
 232     # hrns is the list of hrns that should be linked to the subject from now on
 233     # target_type would be e.g. 'user' in the 'slice' x 'researcher' example
 234     def update_relation (self, sfa_record, field_key, hrns, target_type):
 235         # locate the linked objects in our db
 236         subject_type=sfa_record['type']
 237         subject_id=sfa_record['pointer']
 238         table = SfaTable()
 239         link_sfa_records = table.find ({'type':target_type, 'hrn': hrns})
 240         link_ids = [ rec.get('pointer') for rec in link_sfa_records ]
 241         self.driver.update_relation (subject_type, target_type, subject_id, link_ids)
 242
 243
 244     def Register(self, api, record):
 245
 246         hrn, type = record['hrn'], record['type']
 247         urn = hrn_to_urn(hrn,type)
 248         # validate the type
 249         if type not in ['authority', 'slice', 'node', 'user']:
 250             raise UnknownSfaType(type)
 251
 252         # check if record already exists
 253         table = SfaTable()
 254         existing_records = table.find({'type': type, 'hrn': hrn})
 255         if existing_records:
 256             raise ExistingRecord(hrn)
 257
 258         record = SfaRecord(dict = record)
 259         record['authority'] = get_authority(record['hrn'])
 260         auth_info = api.auth.get_auth_info(record['authority'])
 261         pub_key = None
 262         # make sure record has a gid
 263         if 'gid' not in record:
 264             uuid = create_uuid()
 265             pkey = Keypair(create=True)
 266             if 'keys' in record and record['keys']:
 267                 pub_key=record['keys']
 268                 # use only first key in record
 269                 if isinstance(record['keys'], types.ListType):
 270                     pub_key = record['keys'][0]
 271                 pkey = convert_public_key(pub_key)
 272
 273             gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 274             gid = gid_object.save_to_string(save_parents=True)
 275             record['gid'] = gid
 276             record.set_gid(gid)
 277
 278         if type in ["authority"]:
 279             # update the tree
 280             if not api.auth.hierarchy.auth_exists(hrn):
 281                 api.auth.hierarchy.create_auth(hrn_to_urn(hrn,'authority'))
 282
 283             # get the GID from the newly created authority
 284             gid = auth_info.get_gid_object()
 285             record.set_gid(gid.save_to_string(save_parents=True))
 286
 287         # update testbed-specific data if needed
 288         pointer = self.driver.register (record, hrn, pub_key)
 289
 290         record.set_pointer(pointer)
 291         record_id = table.insert(record)
 292         record['record_id'] = record_id
 293
 294         # update membership for researchers, pis, owners, operators
 295         self.update_relations (record, record)
 296
 297         return record.get_gid_object().save_to_string(save_parents=True)
 298
 299     def Update(self, api, record_dict):
 300         new_record = SfaRecord(dict = record_dict)
 301         type = new_record['type']
 302         hrn = new_record['hrn']
 303         urn = hrn_to_urn(hrn,type)
 304         table = SfaTable()
 305         # make sure the record exists
 306         records = table.findObjects({'type': type, 'hrn': hrn})
 307         if not records:
 308             raise RecordNotFound(hrn)
 309         record = records[0]
 310         record['last_updated'] = time.gmtime()
 311
 312         # validate the type
 313         if type not in ['authority', 'slice', 'node', 'user']:
 314             raise UnknownSfaType(type)
 315
 316         # Use the pointer from the existing record, not the one that the user
 317         # gave us. This prevents the user from inserting a forged pointer
 318         pointer = record['pointer']
 319
 320         # is the a change in keys ?
 321         new_key=None
 322         if type=='user':
 323             if 'keys' in new_record and new_record['keys']:
 324                 new_key=new_record['keys']
 325                 if isinstance (new_key,types.ListType):
 326                     new_key=new_key[0]
 327
 328         # update the PLC information that was specified with the record
 329         if not self.driver.update (record, new_record, hrn, new_key):
 330             logger.warning("driver.update failed")
 331
 332         # take new_key into account
 333         if new_key:
 334             # update the openssl key and gid
 335             pkey = convert_public_key(new_key)
 336             uuid = create_uuid()
 337             gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 338             gid = gid_object.save_to_string(save_parents=True)
 339             record['gid'] = gid
 340             record = SfaRecord(dict=record)
 341             table.update(record)
 342
 343         # update membership for researchers, pis, owners, operators
 344         self.update_relations (record, new_record)
 345
 346         return 1
 347
 348     # expecting an Xrn instance
 349     def Remove(self, api, xrn, origin_hrn=None):
 350
 351         table = SfaTable()
 352         filter = {'hrn': xrn.get_hrn()}
 353         hrn=xrn.get_hrn()
 354         type=xrn.get_type()
 355         if type and type not in ['all', '*']:
 356             filter['type'] = type
 357
 358         records = table.find(filter)
 359         if not records: raise RecordNotFound(hrn)
 360         record = records[0]
 361         type = record['type']
 362
 363         if type not in ['slice', 'user', 'node', 'authority'] :
 364             raise UnknownSfaType(type)
 365
 366         credential = api.getCredential()
 367         registries = api.registries
 368
 369         # Try to remove the object from the PLCDB of federated agg.
 370         # This is attempted before removing the object from the local agg's PLCDB and sfa table
 371         if hrn.startswith(api.hrn) and type in ['user', 'slice', 'authority']:
 372             for registry in registries:
 373                 if registry not in [api.hrn]:
 374                     try:
 375                         result=registries[registry].remove_peer_object(credential, record, origin_hrn)
 376                     except:
 377                         pass
 378
 379         # call testbed callback first
 380         # IIUC this is done on the local testbed TOO because of the refreshpeer link
 381         if not self.driver.remove(record):
 382             logger.warning("driver.remove failed")
 383
 384         # delete from sfa db
 385         table.remove(record)
 386
 387         return 1
 388
 389     # This is a PLC-specific thing...
 390     def get_key_from_incoming_ip (self, api):
 391         # verify that the callers's ip address exist in the db and is an interface
 392         # for a node in the db
 393         (ip, port) = api.remote_addr
 394         interfaces = self.driver.shell.GetInterfaces({'ip': ip}, ['node_id'])
 395         if not interfaces:
 396             raise NonExistingRecord("no such ip %(ip)s" % locals())
 397         nodes = self.driver.shell.GetNodes([interfaces[0]['node_id']], ['node_id', 'hostname'])
 398         if not nodes:
 399             raise NonExistingRecord("no such node using ip %(ip)s" % locals())
 400         node = nodes[0]
 401
 402         # look up the sfa record
 403         table = SfaTable()
 404         records = table.findObjects({'type': 'node', 'pointer': node['node_id']})
 405         if not records:
 406             raise RecordNotFound("pointer:" + str(node['node_id']))
 407         record = records[0]
 408
 409         # generate a new keypair and gid
 410         uuid = create_uuid()
 411         pkey = Keypair(create=True)
 412         urn = hrn_to_urn(record['hrn'], record['type'])
 413         gid_object = api.auth.hierarchy.create_gid(urn, uuid, pkey)
 414         gid = gid_object.save_to_string(save_parents=True)
 415         record['gid'] = gid
 416         record.set_gid(gid)
 417
 418         # update the record
 419         table.update(record)
 420
 421         # attempt the scp the key
 422         # and gid onto the node
 423         # this will only work for planetlab based components
 424         (kfd, key_filename) = tempfile.mkstemp()
 425         (gfd, gid_filename) = tempfile.mkstemp()
 426         pkey.save_to_file(key_filename)
 427         gid_object.save_to_file(gid_filename, save_parents=True)
 428         host = node['hostname']
 429         key_dest="/etc/sfa/node.key"
 430         gid_dest="/etc/sfa/node.gid"
 431         scp = "/usr/bin/scp"
 432         #identity = "/etc/planetlab/root_ssh_key.rsa"
 433         identity = "/etc/sfa/root_ssh_key"
 434         scp_options=" -i %(identity)s " % locals()
 435         scp_options+="-o StrictHostKeyChecking=no " % locals()
 436         scp_key_command="%(scp)s %(scp_options)s %(key_filename)s root@%(host)s:%(key_dest)s" %\
 437                          locals()
 438         scp_gid_command="%(scp)s %(scp_options)s %(gid_filename)s root@%(host)s:%(gid_dest)s" %\
 439                          locals()
 440
 441         all_commands = [scp_key_command, scp_gid_command]
 442
 443         for command in all_commands:
 444             (status, output) = commands.getstatusoutput(command)
 445             if status:
 446                 raise Exception, output
 447
 448         for filename in [key_filename, gid_filename]:
 449             os.unlink(filename)
 450
 451         return 1