| side by side (parent:
aa9b791
)
adding support for geni_speaking_for option
author
Tony Mack
<tmack@paris.CS.Princeton.EDU>
Wed, 22 Jan 2014 02:50:11 +0000
(21:50 -0500)
committer
Tony Mack
<tmack@paris.CS.Princeton.EDU>
Wed, 22 Jan 2014 02:50:11 +0000
(21:50 -0500)
sfa/managers/aggregate_manager.py
sfa/methods/CreateSliver.py
sfa/methods/DeleteSliver.py
sfa/methods/ListResources.py
sfa/methods/RenewSliver.py
sfa/methods/SliverStatus.py
sfa/methods/Start.py
sfa/methods/Stop.py
sfa/trust/auth.py
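--- a/sfa/managers/aggregate_manager.py
+++ b/sfa/managers/aggregate_manager.py
@@ -24,6 +24,7 @@ class AggregateManager:
 'geni_api_versions': geni_api_versions,
 'hrn':xrn.get_hrn(),
 'urn':xrn.get_urn(),
+ 'geni_handles_speaksfor': True, # supports 'speaks for' credentials
 }
 version.update(version_generic)
 testbed_version = self.driver.aggregate_version()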
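--- a/sfa/methods/CreateSliver.py
+++ b/sfa/methods/CreateSliver.py
@@ -34,8 +34,10 @@ class CreateSliver(Method):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn)
+ valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn, speaking_for)
 origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
 # make sure users info is specified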
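Review bot: `options.get('geni_speaking_for')` returns None when the option is absent, and that None is passed straight into `urn_to_hrn` on the added line. The helper is outside the hunk, so whether it accepts None, and whether what it returns is falsy, is not visible here. That matters because `checkCredentials` switches into speaks-for mode on any truthy `speaking_for_hrn`. Resolving the option only when it is present keeps ordinary calls on the old path: `speaking_for_urn = options.get('geni_speaking_for')` followed by `speaking_for = urn_to_hrn(speaking_for_urn)[0] if speaking_for_urn else None`. The same line is added in DeleteSliver.py, ListResources.py, RenewSliver.py and SliverStatus.py, so a small shared helper would keep the handling in one place.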
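--- a/sfa/methods/DeleteSliver.py
+++ b/sfa/methods/DeleteSliver.py
@@ -26,7 +26,8 @@ class DeleteSliver(Method):
 def call(self, xrn, creds, options):
 (hrn, type) = urn_to_hrn(xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn, speaking_for)
 #log the call
 origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()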
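Review bot: `origin_hrn` is still read from `valid_creds[0]`, but after this change the list returned by `checkCredentials` can also contain the speaks-for credential, in the order the caller sent its credentials. The hrn recorded under `#log the call` may therefore belong to either credential. The log statement itself is outside the hunk, so what it records is inferred. For an audit trail the delegation should be explicit: include `speaking_for` in the logged fields next to `origin_hrn`, and add a comment such as `# valid_creds may include the speaks-for credential; origin_hrn is the caller of the first valid one`. The same `valid_creds[0]` pattern appears in the CreateSliver.py, Start.py and Stop.py sections.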
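--- a/sfa/methods/ListResources.py
+++ b/sfa/methods/ListResources.py
@@ -36,9 +36,10 @@ class ListResources(Method):
 # get slice's hrn from options
 xrn = options.get('geni_slice_urn', '')
 (hrn, _) = urn_to_hrn(xrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
+ valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn, speaking_for)
 # get hrn of the original caller
 origin_hrn = options.get('origin_hrn', None)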
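--- a/sfa/methods/RenewSliver.py
+++ b/sfa/methods/RenewSliver.py
@@ -32,8 +32,10 @@ class RenewSliver(Method):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn)
+ valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn, speaking_for)
 # Validate that the time does not go beyond the credential's expiration time
 requested_time = utcparse(expiration_time)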
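--- a/sfa/methods/SliverStatus.py
+++ b/sfa/methods/SliverStatus.py
@@ -21,7 +21,8 @@ class SliverStatus(Method):
 def call(self, slice_xrn, creds, options):
 hrn, type = urn_to_hrn(slice_xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn, speaking_for)
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))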
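--- a/sfa/methods/Start.py
+++ b/sfa/methods/Start.py
@@ -26,7 +26,8 @@ class Start(Method):
 def call(self, xrn, creds):
 hrn, type = urn_to_hrn(xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn, speaking_for)
 #log the call
 origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()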
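Review bot: `options` is not a parameter of `call(self, xrn, creds)`, so the added `options.get('geni_speaking_for')` line raises NameError before `checkCredentials` is reached, unless a module-level `options` exists outside the hunk. The identical hunk in sfa/methods/Stop.py has the same problem. Either extend the signature, for example `def call(self, xrn, creds, options=None):` with `options = options or {}` as the first statement, or leave these two methods on the old three-argument `checkCredentials` call. Any declared argument list for the method is outside the hunk and would need the same extension.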
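--- a/sfa/methods/Stop.py
+++ b/sfa/methods/Stop.py
@@ -26,7 +26,8 @@ class Stop(Method):
 def call(self, xrn, creds):
 hrn, type = urn_to_hrn(xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn, speaking_for)
 #log the call
 origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()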
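--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -34,10 +34,18 @@ class Auth:
 self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
 self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
-
-
- def checkCredentials(self, creds, operation, hrn = None):
+
+ def checkCredentials(self, creds, operation, hrn = None, speaking_for_hrn = None):
+
+ def log_invalid_cred(cred):
+ cred_obj=Credential(string=cred)
+ logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ error = sys.exc_info()[:2]
+ return error
+
 valid = []
+ speaks_for_cred = None
+
 if not isinstance(creds, list):
 creds = [creds]
 logger.debug("Auth.checkCredentials with %d creds"%len(creds))
@@ -46,14 +54,25 @@ class Auth:
 self.check(cred, operation, hrn)
 valid.append(cred)
 except:
- cred_obj=Credential(string=cred)
- logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
- error = sys.exc_info()[:2]
+ # check if credential is a 'speaks for credential'
+ if speaking_for_hrn:
+ try:
+ self.check(cred, operation, speaking_for_hrn)
+ speaks_for_cred = cred
+ valid.append(cred)
+ except:
+ error = log_invalid_cred(cred)
+ else:
+ error = log_invalid_cred(cred)
 continue
 if not len(valid):
 raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+ if speaking_for_hrn and not speaks_for_cred:
+ raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
+
+
 return valid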
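Review bot: In the second hunk, a credential that fails `self.check(cred, operation, hrn)` is retried against `speaking_for_hrn` and appended to `valid` on success, so the function can return without any credential having passed the check for the target `hrn`. `speaking_for_hrn` is derived from the request's `geni_speaking_for` option, so the requester chooses what that retry is checked against. `check()` and the loop header are outside the hunk, so this assumes `check()` is the only place the target is bound to a credential. The change below tracks the target check separately and requires it in addition to the speaks-for credential. It also initialises `error`, which the new final `raise` reads even when every credential passed the first check and no failure was recorded.

```python
        speaks_for_cred = None
        target_cred_seen = False   # set once a credential passes check() against hrn
        error = (None, None)       # defined even when no check has failed
        # … unchanged: list coercion, debug log, loop header, first check() call …
                valid.append(cred)
                target_cred_seen = True
        # … unchanged: except branch with the speaks-for retry and log_invalid_cred …
        # replaces the `if not len(valid)` test
        if not target_cred_seen:
            raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
        # … unchanged: speaks-for credential test and return valid …
```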