table = get_auth_table(parent_hrn)
- sa_record = table.resolve("sa", hrn)
- if not sa_record:
- sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=site['site_id'])
- report.trace(" inserting sa record for " + hrn)
- table.insert(sa_record)
-
- ma_record = table.resolve("ma", hrn)
- if not ma_record:
- ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=site['site_id'])
- report.trace(" inserting ma record for " + hrn)
- table.insert(ma_record)
+ auth_record = table.resolve("authority", hrn)
+ if not auth_record:
+ auth_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=site['site_id'])
+ report.trace(" inserting authority record for " + hrn)
+ table.insert(auth_record)
for person_id in site['person_ids']:
persons = shell.GetPersons(pl_auth, [person_id])
auth_info = AuthHierarchy.get_auth_info(parent_hrn)
table = get_auth_table(parent_hrn)
- sa_record = table.resolve("sa", hrn)
- if not sa_record:
- sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=-1)
- report.trace(" inserting sa record for " + hrn)
- table.insert(sa_record)
-
- ma_record = table.resolve("ma", hrn)
- if not ma_record:
- ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=-1)
- report.trace(" inserting ma record for " + hrn)
- table.insert(ma_record)
+ auth_record = table.resolve("authority", hrn)
+ if not auth_record:
+ auth_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=-1)
+ report.trace(" inserting authority record for " + hrn)
+ table.insert(auth_record)
def main():
global AuthHierarchy
# update the PLC information that was specified with the record
- if (type == "sa") or (type == "ma"):
+ if (type == "authority"):
self.api.plshell.UpdateSite(self.api.plauth, pointer, record.get_pl_info())
elif type == "slice":
else:
raise UnknownGeniType(type)
- # update membership for researchers, pis, owners, operators^M
+ # update membership for researchers, pis, owners, operators
self.api.update_membership(existing_record, record)
- return 1
+ return 1
"""
Get our credential from a remote registry using a geniclient connection
"""
- type = 'sa'
- cred_filename = ".".join([self.server_basedir, self.interface, self.hrn, type, "cred"])
+ type = 'authority'
+ cred_filename = ".".join([self.server_basedir, self.interface, self.hrn, type, "cred"])
try:
credential = Credential(filename = cred_filename)
return credential
except IOError:
from geni.registry import Registries
registries = Registries(self)
- registry = registries[self.hrn]
+ registry = registries[self.hrn]
self_cred = registry.get_credential(None, type, self.hrn)
cred = registry.get_credential(self_cred, type, self.hrn)
cred.save_to_file(cred_filename, save_parents=True)
def getCredentialFromLocalRegistry(self):
"""
- Get our current credential directly from the local registry.
+ Get our current credential directly from the local registry.
"""
-
+
hrn = self.hrn
auth_hrn = self.auth.get_authority(hrn)
if not auth_hrn:
new_cred.set_pubkey(object_gid.get_pubkey())
r1 = determine_rights(type, hrn)
new_cred.set_privileges(r1)
-
- # determine the type of credential that we want to use as a parent for
- # this credential.
- if (type == "ma") or (type == "node"):
- auth_kind = "authority,ma"
- else: # user, slice, sa
- auth_kind = "authority,sa"
+ auth_kind = "authority,ma,sa"
new_cred.set_parent(self.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
self.credential = Credential(filename = ma_cred_filename)
except IOError:
self.credential = self.getCredentialFromRegistry()
-
+
##
# Convert geni fields to PLC fields for use when registering up updating
# registry record in the PLC database
if not "model" in pl_fields:
pl_fields["model"] = "geni"
- elif type == "sa":
+ elif type == "authority":
pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
if not "name" in pl_fields:
pl_fields["is_public"] = True
-
+
def fill_record_pl_info(self, record):
"""
Fill in the planetlab specific fields of a Geni record. This
record.set_pl_info({})
return
- if (type == "sa") or (type == "ma"):
+ if (type == "authority"):
pl_res = self.plshell.GetSites(self.plauth, [pointer])
elif (type == "slice"):
pl_res = self.plshell.GetSlices(self.plauth, [pointer])
researchers = self.lookup_users(auth_table, person_ids)
geni_info['researcher'] = researchers
- elif (type == "sa"):
+ elif (type == "authority"):
auth_table = self.auth.get_auth_table(record.get_name())
person_ids = record.pl_info.get("person_ids", [])
pis = self.lookup_users(auth_table, person_ids, "pi")
- geni_info['pi'] = pis
- # TODO: OrganizationName
-
- elif (type == "ma"):
- auth_table = self.auth.get_auth_table(record.get_name())
- person_ids = record.pl_info.get("person_ids", [])
operators = self.lookup_users(auth_table, person_ids, "tech")
- geni_info['operator'] = operators
- # TODO: OrganizationName
-
- auth_table = self.auth.get_auth_table(record.get_name())
- person_ids = record.pl_info.get("person_ids", [])
owners = self.lookup_users(auth_table, person_ids, "admin")
+ geni_info['pi'] = pis
+ geni_info['operator'] = operators
geni_info['owner'] = owners
+ # TODO: OrganizationName
elif (type == "node"):
geni_info['dns'] = record.pl_info.get("hostname", "")
# build a list of the old person ids from the person_ids field of the
# pl_info
if oldRecord:
- oldIdList = oldRecord.plinfo.get("person_ids", [])
+ oldIdList = oldRecord.pl_info.get("person_ids", [])
containerId = oldRecord.get_pointer()
else:
# if oldRecord==None, then we are doing a Register, instead of an
self.update_membership_list(oldRecord, record, 'researcher',
self.plshell.AddPersonToSlice,
self.plshell.DeletePersonFromSlice)
- elif record.type == "sa":
+ elif record.type == "authority":
# TODO
pass
- elif record.type == "ma":
- # TODO
- pass
-
+
def callable(self, method):
"""
if name.startswith(object_hrn + "."):
return
raise PermissionError(name)
-
+
+ def determine_user_rights(self, src_cred, record):
+ """
+ Given a user credential and a record, determine what set of rights the
+ user should have to that record.
+
+ This is intended to replace determine_rights() and
+ verify_cancreate_credential()
+ """
+
+ type = record.get_type()
+ cred_object_hrn = src_cred.get_gid_object().get_hrn()
+
+ rl = RightList()
+
+ if type=="slice":
+ researchers = record.get_geni_info().get("researcher", [])
+ if (cred_object_hrn in researchers):
+ rl.add("refresh")
+ rl.add("embed")
+ rl.add("bind")
+ rl.add("control")
+ rl.add("info")
+
+ elif type == "authority":
+ pis = record.get_geni_info().get("pi", [])
+ operators = record.get_geni_info().get("operator", [])
+ if (cred_object_hrn in pis):
+ rl.add("sa")
+ if (cred_object_hrn in operators):
+ rl.add("ma")
+ if (cred_object_hrn in pis) or (cred_object_hrn in operators):
+ rl.add("authority")
+
+ elif type == "user":
+ rl.add("refresh")
+ rl.add("resolve")
+ rl.add("info")
+
+ return rl
+
def verify_cancreate_credential(self, src_cred, record):
"""
- Verify that a user can retrive a particular type of credential.
+ Verify that a user can retrive a particular type of credential.
For slices, the user must be on the researcher list. For SA and
- MA the user must be on the pi and operator lists respectively
+ MA the user must be on the pi and operator lists respectively
"""
type = record.get_type()
return ".".join(parts[-1:])
def get_authority(self, hrn):
-
parts = hrn.split(".")
return ".".join(parts[:-1])
- def get_auth_type(self, type):
- if (type=="slice") or (type=="user") or (type=="sa"):
- return "sa"
- elif (type=="component") or (type=="ma"):
- return "ma"
- else:
- raise UnknownGeniType(type)
-
def hrn_to_pl_slicename(self, hrn):
parts = hrn.split(".")
return parts[-2] + "_" + parts[-1]
parts = hrn.split(".")
return ".".join(parts[:-1])
-def get_auth_type(type):
- if (type=="slice") or (type=="user") or (type=="sa"):
- return "sa"
- elif (type=="component") or (type=="ma"):
- return "ma"
- else:
- raise UnknownGeniType(type)
-
def hrn_to_pl_slicename(hrn):
parts = hrn.split(".")
return parts[-2] + "_" + parts[-1]
Name specifies the HRN of the object
GID is the GID of the object
- Type is user | sa | ma | slice | component
+ Type is user | authority | slice | component
Info is comprised of the following sub-fields
pointer = a pointer to the record in the PL database
into the persons table.
A given HRN may have more than one record, provided that the records are
- of different types. For example, planetlab.us.arizona may have both an SA
- and a MA record, but cannot have two SA records.
+ of different types.
"""
##
#
# @param name if !=None, assign the name of the record
# @param gid if !=None, assign the gid of the record
- # @param type one of user | sa | ma | slice | component
+ # @param type one of user | authority | slice | component
# @param pointer is a pointer to a PLC record
# @param dict if !=None, then fill in this record from the dictionary
##
# Set the type of the record
#
- # @param type is a string: user | sa | ma | slice | component
+ # @param type is a string: user | authority | slice | component
def set_type(self, type):
"""
if string:
self.load_from_string(string)
+ def is_empty(self):
+ return self.rights == []
+
##
# Add a right to this list
#
git://git.onelab.eu / sfa.git / commitdiff