shaba/one
1
0
Fork 0
mirror of https://github.com/OpenNebula/one.git synced 2024-12-27 03:21:29 +03:00
Code Releases Wiki Activity

feature #754: Removed unneeded files

Browse Source
This commit is contained in:
Ruben S. Montero 2011-08-25 18:20:00 +02:00
parent 606ff23435
commit 23a9743910
6 changed files with 0 additions and 640 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/authm_mad/auth_mad
View File

@ -1 +0,0 @@

90
src/authm_mad/one_usage.rb
View File

@ -1,90 +0,0 @@
# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
require 'OpenNebula'
# This class holds usage information for a virtual machine or
# total usage for a user. Variables inside are cpu and memory
# consumption
class VmUsage
attr_accessor :cpu, :memory, :num_vms
def initialize(cpu, memory, num_vms=0)
@cpu=cpu
@memory=memory
@num_vms=num_vms
end
end
# This class retrieves and caches vms and its consuption grouped
# by users. 'update_user' method should be called to fill data for
# a user before any calculation is made
class OneUsage
# 'client' is an OpenNebula::Client object used to connect
# to OpenNebula daemon. Ideally it should connect as user 0
def initialize(client)
@client=client
@users=Hash.new
end
# Gets information about VMs defined for a user. It caches new
# VMs and takes out from the cache deleted VMs
def update_user(user)
@users[user]=Hash.new if !@users[user]
vmpool=OpenNebula::VirtualMachinePool.new(@client, user)
vmpool.info
one_ids=vmpool.map {|vm| vm.id }
vms=@users[user]
user_ids=vms.keys
deleted_vms=user_ids-one_ids
added_vms=one_ids-user_ids
deleted_vms.each {|vmid| vms.delete(vmid) }
added_vms.each do |vmid|
vm=OpenNebula::VirtualMachine.new(
OpenNebula::VirtualMachine.build_xml(vmid), @client)
vm.info
usage=VmUsage.new(vm['TEMPLATE/CPU'].to_f,
vm['TEMPLATE/MEMORY'].to_i)
vms[vmid.to_i]=usage
end
end
# Returns the cache of defined VMs for a user. It is a hash with
# VM id as key and VmUsage as value
def vms(user)
vms=@users[user]
@users[user]=vms=Hash.new if !vms
vms
end
# Returns total consumption by a user into a VmUsage object
def total(user)
usage=VmUsage.new(0.0, 0, 0)
@users[user].each do |id, vm|
usage.cpu+=vm.cpu
usage.memory+=vm.memory
usage.num_vms+=1
end if @users[user]
usage
end
end

167
src/authm_mad/oneauth
View File

@ -1,167 +0,0 @@
#!/usr/bin/env ruby
# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
ONE_LOCATION=ENV["ONE_LOCATION"]
if !ONE_LOCATION
RUBY_LIB_LOCATION="/usr/lib/one/ruby"
ETC_LOCATION="/etc/one/"
VAR_LOCATION="/var/lib/one"
else
RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
ETC_LOCATION=ONE_LOCATION+"/etc/"
VAR_LOCATION="#{ONE_LOCATION}/var"
end
$: << RUBY_LIB_LOCATION
$: << RUBY_LIB_LOCATION+'/cli'
require 'OpenNebula'
require 'rubygems'
require 'sequel'
require 'ssh_auth'
require 'x509_auth'
require 'yaml'
require 'command_parser'
require 'one_helper'
cmd=CommandParser::CmdParser.new(ARGV) do
usage "oneauth COMMAND [args..]"
description "This command contains a set of utilities to " <<
"manage authorization module."
set :option, CommandParser::OPTIONS
set :format, :userid, OpenNebulaHelper.name_to_id_desc("USER") do |arg|
OpenNebulaHelper.name_to_id(arg, "USER")
end
# Helpers
def get_database
config_data=File.read(ETC_LOCATION+'/auth/auth.conf')
config=YAML::load(config_data)
database_url=config[:database]
db=Sequel.connect(database_url)
end
def add_quota(uid, cpu, memory, num_vms=nil)
db=get_database
quota=Quota.new(db, OpenNebula::Client.new)
quota.set(uid.to_i, cpu.to_f, memory.to_i, num_vms)
end
# Commands
quotaset_desc = <<-EOT.unindent
Sets CPU, MEMORY and NUM_VMs quota for a given user
EOT
command 'quota-set', quotaset_desc , :userid, :cpu, :memory, :num_vms do
Dir.chdir VAR_LOCATION
begin
add_quota(*args[1..4])
rescue Exception => e
exit_with_code -1, "Error starting server: #{e}"
end
exit_with_code 0
end
login_desc = <<-EOT.unindent
Generates authentication proxy. The last argument specifies
the expiration time in seconds
EOT
command 'login', login_desc, :text, :text do
user=args[0]
time=args[1]
pp args
if time
time=time.to_i
else
time=3600
end
ssh=SshAuth.new
ssh.login(user, time)
exit_with_code 0
end
loginx509_desc = <<-EOT.unindent
Generates an X509-based authenication proxy based on a user certificate.
oneauth x509_login <username> [<lifetime in seconds>] [<cert or proxy path>] [<key path>]
EOT
command 'loginx509', loginx509_desc, :text, :text, :text, :text do
user = args[0]
time = Integer(args[1]) rescue false
certpath = args[2]
keypath = args[3]
# Set default arguments
if !time
time=0
certpath = args[1]
keypath = args[2]
end
if !certpath
certpath=ENV["X509_PROXY_CERT"]
end
if !certpath
certpath='/tmp/x509up_u' + Process.uid.to_s
end
if !keypath
keypath=certpath
end
if !keypath
exit_with_code 1
end
# Read in the certificates
if @options[:certpath] && File.readable?(@options[:certpath])
certs_in = File.read(@options[:certpath])
certs_pem = certs_in.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
certs_pem.flatten!
end
# Read in the key
if @options[:keypath] && File.readable?(@options[:keypath])
key_in = File.read(@options[:keypath])
rc = key_in.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
key_pem = rc[0]
end
# Invoke the login method
auth = X509Auth.new(:certs_pem=>certs_pem,:key_pem=>key_pem)
auth.login(user, time)
exit_with_code 0
end
command 'key', 'Gets public key' do
ssh=SshAuth.new
puts ssh.public_key
exit_with_code 0
end
end

56
src/authm_mad/remotes/x509_proxy/authenticate
View File

@ -1,56 +0,0 @@
#!/usr/bin/env ruby
# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
ONE_LOCATION=ENV["ONE_LOCATION"]
if !ONE_LOCATION
RUBY_LIB_LOCATION="/usr/lib/one/ruby"
ETC_LOCATION="/etc/one/"
else
RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
ETC_LOCATION=ONE_LOCATION+"/etc/"
end
$: << RUBY_LIB_LOCATION
require 'x509_proxy_auth'
require 'scripts_common'
user = ARGV[0] # username as registered in OpenNebula
pass = ARGV[1] # DN registered for this user
secret = ARGV[2] # Base64 string in the form token:proxy_cert:user_cert
#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
#TODO Check errors in these operations
dsecret = Base64::decode64(secret)
token, pcert, ucert = dsecret.split(':')
auth = X509ProxyAuth.new(:proxy => nil,
:proxy_cert => pcert,
:user_cert => ucert,
:ca_dir => nil)
rc = auth.authenticate(user, pass, token)
if rc == true
exit 0
else
OpenNebula.error_message rc
exit -1
end

214
src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
View File

@ -1,214 +0,0 @@
# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
require 'openssl'
require 'base64'
require 'fileutils'
# Authentication class based on x509 proxy certificate.
class X509ProxyAuth
PROXY_PATH = ENV['HOME']+'/.one/one_x509_proxy'
# Initialize x509ProxyAuth object
#
# @param [Hash] default options for path
# @option options [String] :proxy ($X509_PROXY_CERT)
# proxy cert for the user
# @option options [String] :proxy_cert (nil)
# public cert of a user proxy
# @option options [String] :user_cert (nil)
# user cert, used to generate the proxy
# @option options [String] :ca_dir (/etc/grid-security/certificates)
# trusted CA directory. If nil it will not be used to verify
# certificates
def initialize(options={})
@options={
:proxy => ENV['X509_PROXY_CERT']
:proxy_cert => nil,
:user_cert => nil,
:ca_dir => "/etc/grid-security/certificates",
}.merge!(options)
proxy_cert_txt = @options[:proxy_cert]
user_cert_txt = @options[:user_cert]
#Read certificates from a grid proxy file
if @options[:proxy] && File.readable?(@options[:proxy])
proxy = File.read(@options[:proxy])
rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
rc.flatten!
proxy_cert_txt = rc[0]
user_cert_txt = rc[1]
rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
proxy_key_txt = rc[1]
end
if !proxy_cert_txt || !user_cert_txt
raise "Can not get user or proxy certificates"
end
@proxy_cert = OpenSSL::X509::Certificate.new(proxy_cert_txt)
@user_cert = OpenSSL::X509::Certificate.new(user_cert_txt)
@dn = @user_cert.subject.to_s
if proxy_ket_txt
@poxy_key = OpenSSL::PKey::RSA.new(proxy_key_txt)
end
# Load configuration file
#@auth_conf_path = ETC_LOCATION+'/auth/auth.conf'
#if File.readable?(@auth_conf_path)
# config = File.read(@auth_conf_path)
# config = YAML::load(config_data)
# @options.merge!(config)
#end
end
###########################################################################
# Client side
###########################################################################
# Creates the login file for x509 authentication at ~/.one/one_x509_proxy.
def login(user)
# Init proxy file path and creates ~/.one directory if needed
# Set instance variables
proxy_dir=File.dirname(PROXY_PATH)
begin
FileUtils.mkdir_p(proxy_dir)
rescue Errno::EEXIST
end
#Generate token for authentication
text_to_sign = "#{user}:#{@dn}"
signed_text = encrypt(text_to_sign)
token = "#{signed_text}:#{@proxy_cert.to_pem}:#{@user_cert.to_pem}"
token64 = Base64::encode64(token).strip.delete!("\n")
proxy="#{user}:grid:#{token64}"
file = File.open(PROXY_PATH, "w")
file.write(proxy)
file.close
# Help string
puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509_proxy"
token64
end
###########################################################################
# Server side
###########################################################################
# auth method for auth_mad
def authenticate(user, pass, token)
begin
validate_chain
plain = decrypt(token)
_user, subject = plain.split(':')
if (user != _user)
return "User name missmatch"
elsif ((subject != @dn) || (subject != pass))
return "Certificate subject missmatch"
end
return true
rescue => e
return e.message
end
private
###########################################################################
# Methods to encrpyt/decrypt keys
###########################################################################
# Encrypts data with the private key of the user and returns
# base 64 encoded output in a single line
def encrypt(data)
return nil if !@proxy_key
Base64::encode64(@proxy_key.private_encrypt(data)).delete!("\n").strip
end
# Decrypts base 64 encoded data with pub_key (public key)
def decrypt(data)
@proxy_cert.public_key.public_decrypt(Base64::decode64(data))
end
###########################################################################
# Validates the certificate chain
###########################################################################
def validate_chain
now = Time.now
failed = "Could not validate user credentials: "
# Check start time and end time of proxy
if @proxy_cert.not_before > now || @proxy_cert.not_after < now
raise failed + "Certificate not valid. Current time is " +
now.localtime.to_s + "."
end
# Check that the issuer of the proxy is the same user as in the user certificate
if @proxy_cert.issuer.to_s != @user_cert.subject.to_s
raise failed + "Proxy with issuer " + @proxy_cert.issuer.to_s +
" does not match user " + @dn
end
# Check that the user signed the proxy
if !@proxy_cert.verify(@user_cert.public_key)
raise "Proxy with subject " + @proxy_cert.subject.to_s +
" was not verified by " + @dn + "."
end
# Check the rest of the certificate chain if specified
if !@options[:ca_dir]
return
end
begin
signee = @user_cert
begin
ca_hash = signee.issuer.hash.to_s(16)
ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
if !((signee.issuer.to_s == ca_cert.subject.to_s) &&
(signee.verify(ca_cert.public_key)))
raise failed + signee.subject.to_s + " with issuer " +
signee.issuer.to_s + " was not verified by " +
ca.subject.to_s + "."
end
signee = ca_cert
end while ca_cert.subject.to_s != ca_cert.issuer.to_s
rescue
raise
end
end
end

112
src/authm_mad/simple_permissions.rb
View File

@ -1,112 +0,0 @@
# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
require 'quota'
require 'base64'
class SimplePermissions
def initialize(database, client, conf={})
@quota=Quota.new(database, client, conf[:quota] || {})
@quota_enabled=conf[:quota][:enabled]
end
# Returns message if result is false, true otherwise
def auth_message(result, message)
result ? true : message
end
# Extracts cpu and memory resources from the VM template sent in
# authorization message
def get_vm_usage(data)
vm_xml=Base64::decode64(data)
vm=OpenNebula::VirtualMachine.new(
OpenNebula::XMLElement.build_xml(vm_xml, 'TEMPLATE'),
OpenNebula::Client.new)
# Should set more sensible defaults or get driver configuration
cpu=vm['CPU']
cpu||=1.0
cpu=cpu.to_f
memory=vm['MEMORY']
memory||=64
memory=memory.to_f
VmUsage.new(cpu, memory)
end
# Checks if the quota is enabled, and if it is not exceeded
def check_quota_enabled(uid, object, id, auth_result)
if @quota_enabled and object=='VM' and auth_result
STDERR.puts 'quota enabled'
@quota.update(uid.to_i)
if message=@quota.check(uid.to_i, get_vm_usage(id))
auth_result=message
end
end
return auth_result
end
# Method called by authorization driver
def auth(uid, tokens)
result=true
tokens.each do |token|
object, id, action, owner, pub=token.split(':')
result=auth_object(uid.to_s, object, id, action, owner, pub)
break result if result!=true
end
result
end
# Authorizes each of the tokens. All parameters are strings. Pub
# means public when "1" and private when "0"
def auth_object(uid, object, id, action, owner, pub)
return true if uid=='0'
auth_result=false
case action
when 'CREATE'
auth_result=true if %w{VM NET IMAGE TEMPLATE}.include? object
auth_result = check_quota_enabled(uid, object, id, auth_result)
when 'INSTANTIATE'
auth_result = true if %w{VM}.include? object
auth_result = check_quota_enabled(uid, object, id, auth_result)
when 'DELETE'
auth_result = (owner == uid)
when 'USE'
if %w{VM NET IMAGE TEMPLATE}.include? object
auth_result = ((owner == uid) | (pub=='1'))
elsif object == 'HOST'
auth_result=true
end
when 'MANAGE'
auth_result = (owner == uid)
when 'INFO'
end
return auth_result
end
end