slice = network.get_slice(api, hrn)
current = __get_hostnames(slice.get_nodes())
-
+ api.logger.info("Current = %s" % " ".join(current))
+ api.logger.info("before addrspec")
network.addRSpec(xml, api.config.SFA_AGGREGATE_RSPEC_SCHEMA)
-
+ api.logger.info("after addrspec")
request = __get_hostnames(network.nodesWithSlivers())
# remove nodes not in rspec
deleted_nodes = list(set(current).difference(request))
+ api.logger.info("Deleted nodes = " + " ".join(deleted_nodes))
# add nodes from rspec
added_nodes = list(set(request).difference(current))
+ api.logger.info("Added nodes = " + " ".join(added_nodes))
+
+
if peer:
api.plshell.UnBindObjectFromPeer(api.plauth, 'slice', slice.id, peer)
from sfa.trust.certificate import *
from sfa.util.faults import *
-def GetVersion():
- version = {}
- version['geni_api'] = 1
- return version
-
-
def get_credential(api, xrn, type, is_self=False):
return new_cred.save_to_string(save_parents=True)
+
+# The GENI GetVersion call
+def GetVersion():
+ version = {}
+ version['geni_api'] = 1
+ return version
+
+
+
# The GENI resolve call
def Resolve(api, xrn, creds):
records = resolve(api, xrn)
record = records[0]
if record.type == 'slice':
- return {'geni_urn': xrn, 'geni_creator': record.gid}
+ return {'geni_urn': xrn, 'geni_creator': " ".join(record.PI)}
if record.type == 'user':
return {'geni_urn': xrn, 'geni_certificate': record.gid}
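Review bot: In the slice branch of Resolve, `" ".join(record.PI)` raises TypeError when `record.PI` is None or missing, and it silently changes `geni_creator` from a GID to a space-separated list of what is presumably PI hrns (not visible here). If a slice record can legitimately have no PI, guard it: `'geni_creator': " ".join(record.PI or [])`. Because `geni_creator` is part of the API response, the docstring of Resolve (outside the hunk) should state that it now carries PI names rather than a certificate so clients are not surprised by the new type.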
from sfatables.runtime import SFATablesRules
import sys
from sfa.trust.credential import Credential
+from sfa.util.sfalogging import logger
class CreateSliver(Method):
"""
def call(self, slice_xrn, creds, rspec):
hrn, type = urn_to_hrn(slice_xrn)
- self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
+ self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
+
+ # Find the valid credentials
+ ValidCreds = self.api.auth.checkCredentials(creds, 'createslice', hrn)
+
+ origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn()
- # Validate that at least one of the credentials is good enough
- found = False
- for cred in creds:
- try:
- self.api.auth.check(cred, 'createslice')
- origin_hrn = Credential(string=cred).get_gid_caller().get_hrn()
- found = True
- break
- except:
- error = sys.exc_info()[:2]
- continue
-
- if not found:
- raise InsufficientRights('CreateSliver: Access denied: %s -- %s' % (error[0],error[1]))
-
-
manager_base = 'sfa.managers'
if self.api.interface in ['geni_am']:
manager = __import__(manager_module, fromlist=[manager_base])
rspec = self.__run_sfatables(manager, SFATablesRules('INCOMING'),
hrn, origin_hrn, rspec)
- return manager.CreateSliver(self.api, slice_xrn, creds, rspec)
-
+ logger.info("Calling with rspec = %s"% rspec)
+ return manager.CreateSliver(self.api, slice_xrn, ValidCreds, rspec)
return ''
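Review bot: `logger.info("Calling with rspec = %s"% rspec)` writes the entire request RSpec into the log at info level on every CreateSliver; that can be large and should be `logger.debug`, and it uses the module-level `logger` while the line above uses `self.api.logger` — pick one. With the `sys.exc_info()` loop removed, the `import sys` at the top of this file appears unused unless something outside the hunk still needs it. `Credential(string=ValidCreds[0])` is safe only because `checkCredentials` raises on an empty list; a one-line comment, `# checkCredentials raises InsufficientRights when nothing validates, so [0] is safe`, makes that dependency explicit. The local `ValidCreds` (and its siblings in DeleteSliver, ListResources, RenewSliver, Shutdown and SliverStatus) should be snake_case, `valid_creds`, per PEP 8.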
def call(self, slice_xrn, creds):
hrn, type = urn_to_hrn(slice_xrn)
- self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
+ self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
- # Validate that at least one of the credentials is good enough
- found = False
- for cred in creds:
- try:
- self.api.auth.check(cred, 'deleteslice')
- found = True
- break
- except:
- continue
-
- if not found:
- raise InsufficientRights('DeleteSliver: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-
+ # Find the valid credentials
+ ValidCreds = self.api.auth.checkCredentials(creds, 'deleteslice', hrn)
manager_base = 'sfa.managers'
mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
manager_module = manager_base + ".geni_am_%s" % mgr_type
manager = __import__(manager_module, fromlist=[manager_base])
- return manager.DeleteSliver(self.api, slice_xrn, creds)
+ return manager.DeleteSliver(self.api, slice_xrn, ValidCreds)
return ''
class ListResources(Method):
"""
- Returns information about available resources or resources allocated to this slice
+ Returns information about available resources or resources allocated to this slice
@param credential list
@param options dictionary
@return string
def call(self, creds, options):
self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name))
- # Validate that at least one of the credentials is good enough
- found = False
- for cred in creds:
- try:
- self.api.auth.check(cred, 'listnodes')
- found = True
- user_cred = Credential(string=cred)
- break
- except:
- error = sys.exc_info()[:2]
- continue
+ # Find the valid credentials
+ hrn = None
+ if options.has_key('geni_slice_urn'):
+ xrn = options['geni_slice_urn']
+ hrn, _ = urn_to_hrn(xrn)
+
+ ValidCreds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
+ origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn()
- if not found:
- raise InsufficientRights('ListResources: Access denied: %s -- %s' % (error[0],error[1]))
-
- origin_hrn = user_cred.get_gid_caller().get_hrn()
manager_base = 'sfa.managers'
mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
manager_module = manager_base + ".geni_am_%s" % mgr_type
manager = __import__(manager_module, fromlist=[manager_base])
- rspec = manager.ListResources(self.api, creds, options)
+ rspec = manager.ListResources(self.api, ValidCreds, options)
outgoing_rules = SFATablesRules('OUTGOING')
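Review bot: `options.has_key('geni_slice_urn')` should be `'geni_slice_urn' in options`; `has_key` is deprecated and Python 2-only, and `in` is equivalent here. If callers may omit `options` or pass None (not visible in this hunk), the lookup raises AttributeError before any credential is checked; `options = options or {}` ahead of it would cover that. When no slice URN is given, `hrn` stays None and the target-hrn comparison in `Auth.check` is skipped, so the credentials are validated only for the `listnodes` operation — worth a comment: `# no slice URN: validate the operation only, no target-hrn check`.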
self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
- # Validate that at least one of the credentials is good enough
- found = False
- validCred = None
- for cred in creds:
- try:
- self.api.auth.check(cred, 'renewsliver')
- validCred = cred
- found = True
- break
- except:
- continue
-
- if not found:
- raise InsufficientRights('SliverStatus: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-
+ # Find the valid credentials
+ ValidCreds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn)
+
# Validate that the time does not go beyond the credential's expiration time
requested_time = parse(expiration_time)
- if requested_time > Credential(string=validCred).get_lifetime():
+ if requested_time > Credential(string=ValidCreds[0]).get_lifetime():
raise InsufficientRights('SliverStatus: Credential expires before requested expiration time')
manager_base = 'sfa.managers'
mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
manager_module = manager_base + ".geni_am_%s" % mgr_type
manager = __import__(manager_module, fromlist=[manager_base])
- return manager.RenewSliver(self.api, slice_xrn, creds, expiration_time)
+ return manager.RenewSliver(self.api, slice_xrn, ValidCreds, expiration_time)
return ''
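Review bot: The context line at the top of this hunk still logs `caller-creds: %s` with the full credential list at info level, although this commit removed that field from the same log line in CreateSliver and DeleteSliver; the same line remains in Shutdown and SliverStatus. Signed credentials are sensitive material that belongs in logs no more than passwords do — log the caller identity instead: `self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))`. The lifetime comparison now uses only `ValidCreds[0]`; if a caller presents several valid credentials with different lifetimes the first one decides, so decide whether the first or the longest-lived credential should govern and say so in the comment above the check. The message on the raise still says `SliverStatus:` although this is RenewSliver. The enclosing `call` starts outside the hunk.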
from sfa.util.namespace import *
from sfa.util.method import Method
from sfa.util.parameter import Parameter
-
+from sfa.trust.credential import Credential
class Resolve(Method):
"""
for cred in creds:
try:
self.api.auth.check(cred, 'resolve')
+ # Make sure it's an authority and not a user
+ if cred.get_gid_caller().get_type() != 'authority':
+ raise 'NotAuthority'
found = True
break
except:
continue
-
+
if not found:
raise InsufficientRights('Resolve: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
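Review bot: `cred.get_gid_caller()` is called on the credential exactly as received from the caller, while every other method in this commit first wraps it with `Credential(string=cred)` (CreateSliver, ListResources, RenewSliver), and this hunk even adds that import without using it; if `creds` holds strings this raises AttributeError, the bare `except` swallows it, and every Resolve ends in InsufficientRights. `raise 'NotAuthority'` raises a string, which is not a valid exception and itself becomes a TypeError inside the same bare `except`, so the intended reason is never reported. Suggested: `if Credential(string=cred).get_gid_caller().get_type() != 'authority':` followed by `raise InsufficientRights('Resolve: caller is not an authority')`. The surrounding loop and the `found` flag start outside the hunk.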
self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
- # Validate that at least one of the credentials is good enough
- found = False
- for cred in creds:
- try:
- self.api.auth.check(cred, 'shutdown')
- found = True
- break
- except:
- continue
-
- if not found:
- raise InsufficientRights('Shutdown: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-
+ # Find the valid credentials
+ ValidCreds = self.api.auth.checkCredentials(creds, 'shutdown', hrn)
+
manager_base = 'sfa.managers'
if self.api.interface in ['geni_am']:
mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
manager_module = manager_base + ".geni_am_%s" % mgr_type
manager = __import__(manager_module, fromlist=[manager_base])
- return manager.Shutdown(self.api, slice_xrn, creds)
+ return manager.Shutdown(self.api, slice_xrn, ValidCreds)
return ''
self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
- # Validate that at least one of the credentials is good enough
- found = False
- for cred in creds:
- try:
- self.api.auth.check(cred, 'sliverstatus')
- found = True
- break
- except:
- continue
-
- if not found:
- raise InsufficientRights('SliverStatus: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-
+ # Find the valid credentials
+ ValidCreds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)
manager_base = 'sfa.managers'
mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
manager_module = manager_base + ".geni_am_%s" % mgr_type
manager = __import__(manager_module, fromlist=[manager_base])
- return manager.SliverStatus(self.api, slice_xrn, creds)
+ return manager.SliverStatus(self.api, slice_xrn, ValidCreds)
return ''
from lxml import etree
import sys
from StringIO import StringIO
-
+from sfa.util.sfalogging import logger
class Sliver:
def __init__(self, node):
self.slice = node.network.slice
def toxml(self, xml):
+ logger.info("sliver to xml!")
with xml.sliver:
self.slice.tags_to_xml(xml, self.node)
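Review bot: `logger.info("sliver to xml!")` fires on every sliver serialization and carries no identifying information; the same applies to `logger.info("node.toxml(I)")` and `logger.info("slice to xml!")` in the two toxml hunks below. These read as temporary tracing and should be `logger.debug`, with the object named where one is at hand, e.g. `logger.debug("Sliver.toxml: node=%s", self.node)`.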
self.sliver = Sliver(self)
def toxml(self, xml):
+ logger.info("node.toxml(I)")
slice = self.network.slice
if self.whitelist and not self.sliver:
if not slice or slice.id not in self.whitelist:
xml << (tag.tagname, tag.value)
def toxml(self, xml):
+ logger.info("slice to xml!")
+
with xml.sliver_defaults:
self.tags_to_xml(xml)
raise InvalidRSpec(message)
self.rspec = rspec
-
defaults = rspec.find(".//sliver_defaults")
self.__process_attributes(defaults)
+
# Find slivers under node elements
for sliver in rspec.iterfind("./network/site/node/sliver"):
elem = sliver.getparent()
from sfa.util.sfaticket import *
from sfa.util.sfalogging import logger
+import sys
+
class Auth:
"""
Credential based authentication
self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
+
+ def checkCredentials(self, creds, operation, hrn = None):
+ valid = []
+ for cred in creds:
+ try:
+ self.check(cred, operation, hrn)
+ valid.append(cred)
+ except:
+ error = sys.exc_info()[:2]
+ continue
+
+ if not len(valid):
+ raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+
+ return valid
+
+
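Review bot: When `creds` is empty the loop body never runs, `error` is never bound, and the `raise InsufficientRights(...)` line fails with UnboundLocalError, turning a clean authorization failure into a server error. Initialize it before the loop, `error = (None, None)`, and replace the bare `except:` with `except Exception:` so SystemExit and KeyboardInterrupt are not swallowed; `if not len(valid):` reads better as `if not valid:`. Only the last failure reason survives, which hides why earlier credentials were rejected; logging each rejection at debug with its index would help operators diagnose denied calls. A docstring stating the contract — returns the subset of `creds` that pass `check` for `operation`/`hrn`, in input order, and raises InsufficientRights when none do — would also document why callers index `[0]`.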
def check(self, cred, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
# Make sure the credential's target matches the specified hrn.
# This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
- if hrn and client_gid.get_hrn() not in trusted_peers:
- if not hrn == object_gid.get_hrn():
+ if hrn and self.client_gid.get_hrn() not in trusted_peers:
+ if not hrn == self.object_gid.get_hrn():
raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
- (object_gid.get_hrn(), hrn) )
+ (self.object_gid.get_hrn(), hrn) )
return True
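Review bot: The fix switches the comparison to `self.client_gid` / `self.object_gid`, so it now depends on those attributes having been assigned earlier in this same `check` call (the method body starts outside the hunk). If an `Auth` instance is reused across requests, confirm both are reassigned unconditionally on every call before this point; otherwise a stale GID from a previous request could be what the target-hrn check reads. This is inferred from the hunk only — if they are always set at the top of `check`, a comment there, `# client_gid/object_gid are set per call above; never read stale values`, would settle it. Minor: `if not hrn == self.object_gid.get_hrn():` reads better as `if hrn != self.object_gid.get_hrn():`.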
def check_ticket(self, ticket):
self.decode()
return self.urn
+ def get_type(self):
+ if not self.urn:
+ self.decode()
+ _, t = urn_to_hrn(self.urn)
+ return t
+
##
# Encode the GID fields and package them into the subject-alt-name field
# of the X509 certificate. This must be called prior to signing the
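Review bot: `get_type` calls `urn_to_hrn`, but the hunk adds no import for it; unless this module already brings it in (not visible here), the new method raises NameError, which in `Resolve` would be swallowed by the bare `except` and surface as InsufficientRights. It also lacks a docstring; suggest `"""Return the object type encoded in this GID's URN, decoding the certificate first if needed."""`. Since `Resolve` now uses this value for an authorization decision (authority versus user), a comment noting where `decode()` obtains the URN would tell the next reader why the value can be trusted — confirm it is read from the signed certificate body.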