login modal, must use the original direct geni-login.php page
until we go live.

authenticate Geni users to CloudLab (who do not have Emulab accounts).
CloudLab users must have an account to do anything (unlike APT which allows
guest users). But instead of requiring them to go through the Emulab
account creation (high bar), let then use their Geni credentials to prove
who they are. We then build a local account for that new user, and save off
the speaksfor credential so that we can act on their behalf when talking to
the backend clusters (and their MA to get their ssh keys).

These users do not have a local account password, so they cannot log into
the web interface using the Emulab login page, nor do they have a shell on
ops.

Once authenticated, we put the appropriate cookies into the browser via
javascript, so they can use the Cloud (okay, APT) web interface (they
appear logged in).

I make use of the nonlocal_id field of the users table, which was not being
used for anything else. Officially, these are "nonlocal" users in the code
(IsNonLocal()).

When a nonlocal user instantiates a profile, we use their speaksfor
credential to ask their home MA for their ssh keys, which we then store in
the DB, and then provide to the aggregate via the CreateSliver call.
Note that no provision has been made for users who edit their profile and
add keys; I am not currently expecting these users to stumble into the web
interface (yet).

cloudlab/aptlab generated projects.

The protocol now works perfectly.

TODO: Figure out why certificate parsing is failing

going to ignore the listed flag, and show users (guest or logged in) those
profiles they are allowed to instantiate.

are different from Emulab.

messes up the stats. Reorg a little to allow for APT and
CloudLab keys.

* Add a uuid to the profile itself. So now we have a uuid for each specific
  version, and a uuid that points to the profile as a whole.

* On the manage page, move the URL to the left hand panel, and add a second
  URL. One is the URL of the specific version, and the other is a URL to
  the entire profile. Add popovers to explain the difference between.

* On the instantiate page, when you use this URL, we instantiate the most
  recently published version of the profile.

* Add a bit of verbiage to the publish modal.

and less scary (to Mike).

Tweaked uritemplate.js to allow '-' character in identifiers which is technically illegal according to the RFC. Might need to revisit this later.

The only kind of key allowed so far is of the form 'host-clientid' where client id is a node in the rspec.

support code.