From 1558d5577c91788ef01eab10f6dfadef7c51b511 Mon Sep 17 00:00:00 2001
From: Scott Baker
Date: Tue, 28 Apr 2009 01:56:36 +0000
Subject: [PATCH] switch from sa/ma to authority, fix update_membership_list

---
 geni/gimport.py | 32 ++++++++----------------
 geni/methods/update.py | 6 ++---
 geni/util/api.py | 51 +++++++++++++--------------------------
 geni/util/auth.py | 55 +++++++++++++++++++++++++++++++++---------
 geni/util/misc.py | 8 ------
 geni/util/record.py | 9 +++----
 geni/util/rights.py | 3 +++
 7 files changed, 80 insertions(+), 84 deletions(-)

diff --git a/geni/gimport.py b/geni/gimport.py
index 5c8f756f..ef6534c2 100755
--- a/geni/gimport.py
+++ b/geni/gimport.py
@@ -283,17 +283,11 @@ def import_site(parent_hrn, site):
 table = get_auth_table(parent_hrn)
- sa_record = table.resolve("sa", hrn)
- if not sa_record:
- sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=site['site_id'])
- report.trace(" inserting sa record for " + hrn)
- table.insert(sa_record)
-
- ma_record = table.resolve("ma", hrn)
- if not ma_record:
- ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=site['site_id'])
- report.trace(" inserting ma record for " + hrn)
- table.insert(ma_record)
+ auth_record = table.resolve("authority", hrn)
+ if not auth_record:
+ auth_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=site['site_id'])
+ report.trace(" inserting authority record for " + hrn)
+ table.insert(auth_record)
 for person_id in site['person_ids']:
 persons = shell.GetPersons(pl_auth, [person_id])
@@ -325,17 +319,11 @@ def create_top_level_auth_records(hrn):
 auth_info = AuthHierarchy.get_auth_info(parent_hrn)
 table = get_auth_table(parent_hrn)
- sa_record = table.resolve("sa", hrn)
- if not sa_record:
- sa_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="sa", pointer=-1)
- report.trace(" inserting sa record for " + hrn)
- table.insert(sa_record)
-
- ma_record = table.resolve("ma", hrn)
- if not ma_record:
- ma_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="ma", pointer=-1)
- report.trace(" inserting ma record for " + hrn)
- table.insert(ma_record)
+ auth_record = table.resolve("authority", hrn)
+ if not auth_record:
+ auth_record = GeniRecord(name=hrn, gid=auth_info.get_gid_object(), type="authority", pointer=-1)
+ report.trace(" inserting authority record for " + hrn)
+ table.insert(auth_record)
 def main():
 global AuthHierarchy
diff --git a/geni/methods/update.py b/geni/methods/update.py
index 11841832..1f2788d1 100644
--- a/geni/methods/update.py
+++ b/geni/methods/update.py
@@ -59,7 +59,7 @@ class update(Method):
 # update the PLC information that was specified with the record
- if (type == "sa") or (type == "ma"):
+ if (type == "authority"):
 self.api.plshell.UpdateSite(self.api.plauth, pointer, record.get_pl_info())
 elif type == "slice":
@@ -84,7 +84,7 @@ class update(Method):
 else:
 raise UnknownGeniType(type)
- # update membership for researchers, pis, owners, operators^M
+ # update membership for researchers, pis, owners, operators
 self.api.update_membership(existing_record, record)
- return 1
+ return 1
diff --git a/geni/util/api.py b/geni/util/api.py
index b501fd72..9b190104 100644
--- a/geni/util/api.py
+++ b/geni/util/api.py
@@ -150,24 +150,24 @@ class GeniAPI:
 """
 Get our credential from a remote registry using a geniclient connection
 """
- type = 'sa'
- cred_filename = ".".join([self.server_basedir, self.interface, self.hrn, type, "cred"])
+ type = 'authority'
+ cred_filename = ".".join([self.server_basedir, self.interface, self.hrn, type, "cred"])
 try:
 credential = Credential(filename = cred_filename)
 return credential
 except IOError:
 from geni.registry import Registries
 registries = Registries(self)
- registry = registries[self.hrn]
+ registry = registries[self.hrn]
 self_cred = registry.get_credential(None, type, self.hrn)
 cred = registry.get_credential(self_cred, type, self.hrn)
 cred.save_to_file(cred_filename, save_parents=True)
 def getCredentialFromLocalRegistry(self):
 """
- Get our current credential directly from the local registry.
+ Get our current credential directly from the local registry.
 """
-
+
 hrn = self.hrn
 auth_hrn = self.auth.get_authority(hrn)
 if not auth_hrn:
@@ -187,14 +187,8 @@ class GeniAPI:
 new_cred.set_pubkey(object_gid.get_pubkey())
 r1 = determine_rights(type, hrn)
 new_cred.set_privileges(r1)
-
- # determine the type of credential that we want to use as a parent for
- # this credential.
- if (type == "ma") or (type == "node"):
- auth_kind = "authority,ma"
- else: # user, slice, sa
- auth_kind = "authority,sa"
+ auth_kind = "authority,ma,sa"
 new_cred.set_parent(self.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
@@ -218,7 +212,7 @@ class GeniAPI:
 self.credential = Credential(filename = ma_cred_filename)
 except IOError:
 self.credential = self.getCredentialFromRegistry()
-
+
 ##
 # Convert geni fields to PLC fields for use when registering up updating
 # registry record in the PLC database
@@ -257,7 +251,7 @@ class GeniAPI:
 if not "model" in pl_fields:
 pl_fields["model"] = "geni"
- elif type == "sa":
+ elif type == "authority":
 pl_fields["login_base"] = hrn_to_pl_login_base(hrn)
 if not "name" in pl_fields:
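Review bot: `auth_kind = "authority,ma,sa"` in the @@ -187 hunk requests a parent credential carrying every authority kind for every record type, where the removed branch asked for only `authority,ma` (ma/node) or `authority,sa` (user, slice, sa). If `get_auth_cred` selects or mints the parent by that kind string, each child credential is now chained to the broadest authority credential available, which is more than a user or slice credential needs; deriving the kind from `type` again, e.g. `auth_kind = "authority,ma" if type == "node" else "authority,sa"`, would keep the parent scoped to what the child delegates. The explanatory comment the hunk drops should be replaced either way, e.g. `# parent credential kind must cover every right the child credential delegates`. The enclosing getCredentialFromLocalRegistry body starts before and ends after this hunk.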
@@ -273,7 +267,7 @@ class GeniAPI:
 pl_fields["is_public"] = True
-
+
 def fill_record_pl_info(self, record):
 """
 Fill in the planetlab specific fields of a Geni record. This
@@ -294,7 +288,7 @@ class GeniAPI:
 record.set_pl_info({})
 return
- if (type == "sa") or (type == "ma"):
+ if (type == "authority"):
 pl_res = self.plshell.GetSites(self.plauth, [pointer])
 elif (type == "slice"):
 pl_res = self.plshell.GetSlices(self.plauth, [pointer])
@@ -341,24 +335,16 @@ class GeniAPI:
 researchers = self.lookup_users(auth_table, person_ids)
 geni_info['researcher'] = researchers
- elif (type == "sa"):
+ elif (type == "authority"):
 auth_table = self.auth.get_auth_table(record.get_name())
 person_ids = record.pl_info.get("person_ids", [])
 pis = self.lookup_users(auth_table, person_ids, "pi")
- geni_info['pi'] = pis
- # TODO: OrganizationName
-
- elif (type == "ma"):
- auth_table = self.auth.get_auth_table(record.get_name())
- person_ids = record.pl_info.get("person_ids", [])
 operators = self.lookup_users(auth_table, person_ids, "tech")
- geni_info['operator'] = operators
- # TODO: OrganizationName
-
- auth_table = self.auth.get_auth_table(record.get_name())
- person_ids = record.pl_info.get("person_ids", [])
 owners = self.lookup_users(auth_table, person_ids, "admin")
+ geni_info['pi'] = pis
+ geni_info['operator'] = operators
 geni_info['owner'] = owners
+ # TODO: OrganizationName
 elif (type == "node"):
 geni_info['dns'] = record.pl_info.get("hostname", "")
@@ -409,7 +395,7 @@ class GeniAPI:
 # build a list of the old person ids from the person_ids field of the
 # pl_info
 if oldRecord:
- oldIdList = oldRecord.plinfo.get("person_ids", [])
+ oldIdList = oldRecord.pl_info.get("person_ids", [])
 containerId = oldRecord.get_pointer()
 else:
 # if oldRecord==None, then we are doing a Register, instead of an
@@ -434,13 +420,10 @@ class GeniAPI:
 self.update_membership_list(oldRecord, record, 'researcher', self.plshell.AddPersonToSlice, self.plshell.DeletePersonFromSlice)
- elif record.type == "sa":
+ elif record.type == "authority":
 # TODO
 pass
- elif record.type == "ma":
- # TODO
- pass
-
+
 def callable(self, method):
 """
diff --git a/geni/util/auth.py b/geni/util/auth.py
index 48c39221..6ec5dacd 100644
--- a/geni/util/auth.py
+++ b/geni/util/auth.py
@@ -141,12 +141,52 @@ class Auth:
 if name.startswith(object_hrn + "."):
 return
 raise PermissionError(name)
-
+
+ def determine_user_rights(self, src_cred, record):
+ """
+ Given a user credential and a record, determine what set of rights the
+ user should have to that record.
+
+ This is intended to replace determine_rights() and
+ verify_cancreate_credential()
+ """
+
+ type = record.get_type()
+ cred_object_hrn = src_cred.get_gid_object().get_hrn()
+
+ rl = RightList()
+
+ if type=="slice":
+ researchers = record.get_geni_info().get("researcher", [])
+ if (cred_object_hrn in researchers):
+ rl.add("refresh")
+ rl.add("embed")
+ rl.add("bind")
+ rl.add("control")
+ rl.add("info")
+
+ elif type == "authority":
+ pis = record.get_geni_info().get("pi", [])
+ operators = record.get_geni_info().get("operator", [])
+ if (cred_object_hrn in pis):
+ rl.add("sa")
+ if (cred_object_hrn in operators):
+ rl.add("ma")
+ if (cred_object_hrn in pis) or (cred_object_hrn in operators):
+ rl.add("authority")
+
+ elif type == "user":
+ rl.add("refresh")
+ rl.add("resolve")
+ rl.add("info")
+
+ return rl
+
 def verify_cancreate_credential(self, src_cred, record):
 """
- Verify that a user can retrive a particular type of credential.
+ Verify that a user can retrive a particular type of credential.
 For slices, the user must be on the researcher list. For SA and
- MA the user must be on the pi and operator lists respectively
+ MA the user must be on the pi and operator lists respectively
 """
 type = record.get_type()
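Review bot: The `elif record.type == "authority":` branch in the @@ -434 hunk still ends in a bare `pass`, so an update to an authority record never applies its pi, operator or owner changes the way the slice branch does through `update_membership_list`, while the caller in update.py (the @@ -84 hunk) returns 1 unconditionally. Those pi and operator lists are what the new `determine_user_rights` in auth.py consults to grant `sa`, `ma` and `authority` rights, so a membership edit that reports success but is not applied deserves an explicit marker here rather than a bare TODO, e.g. `# TODO: pi/operator/owner membership is not propagated yet; the update reports success regardless`. The enclosing update_membership body starts outside this hunk.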
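Review bot: In `determine_user_rights`, the `elif type == "user":` branch adds refresh, resolve and info without comparing `cred_object_hrn` to the record's own name, whereas the slice and authority branches only grant rights to a credential found on the researcher, pi or operator lists. If the intent is that any credential holder may refresh or resolve any user record, the docstring should state that; if not, guard the branch with `if cred_object_hrn == record.get_name():`. The method also returns an empty RightList for non-members and unknown types instead of raising, so callers migrating from `verify_cancreate_credential` must check `is_empty()` (added to RightList in this patch) before treating the result as an authorization, which the docstring should spell out. The whole method lies within this hunk.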
@@ -171,18 +211,9 @@ class Auth:
 return ".".join(parts[-1:])
 def get_authority(self, hrn):
-
 parts = hrn.split(".")
 return ".".join(parts[:-1])
- def get_auth_type(self, type):
- if (type=="slice") or (type=="user") or (type=="sa"):
- return "sa"
- elif (type=="component") or (type=="ma"):
- return "ma"
- else:
- raise UnknownGeniType(type)
-
 def hrn_to_pl_slicename(self, hrn):
 parts = hrn.split(".")
 return parts[-2] + "_" + parts[-1]
diff --git a/geni/util/misc.py b/geni/util/misc.py
index 614ea120..5913419a 100644
--- a/geni/util/misc.py
+++ b/geni/util/misc.py
@@ -9,14 +9,6 @@ def get_authority(hrn):
 parts = hrn.split(".")
 return ".".join(parts[:-1])
-def get_auth_type(type):
- if (type=="slice") or (type=="user") or (type=="sa"):
- return "sa"
- elif (type=="component") or (type=="ma"):
- return "ma"
- else:
- raise UnknownGeniType(type)
-
 def hrn_to_pl_slicename(hrn):
 parts = hrn.split(".")
 return parts[-2] + "_" + parts[-1]
diff --git a/geni/util/record.py b/geni/util/record.py
index 076aab37..368f910b 100644
--- a/geni/util/record.py
+++ b/geni/util/record.py
@@ -17,7 +17,7 @@ class GeniRecord:
 Name specifies the HRN of the object
 GID is the GID of the object
- Type is user | sa | ma | slice | component
+ Type is user | authority | slice | component
 Info is comprised of the following sub-fields
 pointer = a pointer to the record in the PL database
@@ -29,8 +29,7 @@ class GeniRecord:
 into the persons table.
 A given HRN may have more than one record, provided that the records are
- of different types. For example, planetlab.us.arizona may have both an SA
- and a MA record, but cannot have two SA records.
+ of different types.
 """
 ##
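Review bot: The updated docstring in the record.py @@ -17 hunk lists the record types as `user | authority | slice | component`, while the api.py hunks in this same patch (@@ -187 and @@ -341) dispatch on a `node` type that the list never mentions; the same list recurs in the two record.py hunks on the next line (@@ -38 and @@ -94). If `node` is the type the registry actually stores for components, `Type is user | authority | slice | node` would match the code; otherwise a sentence on how `component` and `node` relate would keep the docstring from misleading the next reader.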
@@ -38,7 +37,7 @@ class GeniRecord:
 #
 # @param name if !=None, assign the name of the record
 # @param gid if !=None, assign the gid of the record
- # @param type one of user | sa | ma | slice | component
+ # @param type one of user | authority | slice | component
 # @param pointer is a pointer to a PLC record
 # @param dict if !=None, then fill in this record from the dictionary
@@ -94,7 +93,7 @@ class GeniRecord:
 ##
 # Set the type of the record
 #
- # @param type is a string: user | sa | ma | slice | component
+ # @param type is a string: user | authority | slice | component
 def set_type(self, type):
 """
diff --git a/geni/util/rights.py b/geni/util/rights.py
index 84c5f1e7..50f1374d 100644
--- a/geni/util/rights.py
+++ b/geni/util/rights.py
@@ -126,6 +126,9 @@ class RightList:
 if string:
 self.load_from_string(string)
+ def is_empty(self):
+ return self.rights == []
+
 ##
 # Add a right to this list
 #
--
2.43.0
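Review bot: `is_empty` in the rights.py @@ -126 hunk has no docstring and tests `self.rights == []`, which is true only for an empty list object; `return not self.rights` is the idiomatic form and also holds if `rights` is ever an empty tuple or other sequence. Since callers appear to rely on it to decide whether a credential request is denied, a one-line contract such as `"""Return True when this list grants no rights at all."""` would make that role explicit. The RightList constructor it follows begins outside the hunk.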