1. 21 Jul, 2011 1 commit
  2. 15 Jun, 2011 1 commit
  3. 13 Jun, 2011 1 commit
  4. 20 Apr, 2011 1 commit
    • Leigh B Stoller's avatar
      Changes our ssh key/account handling in RedeemTicket() and · 03c2107c
      Leigh B Stoller authored
      CreateSliver(), to handle multiple accounts.  This somewhat reflects
      the Geni AM API for keys, which allows the client to specify multiple
      users, each with a set of ssh keys.
      
      The keys argument to the CM now looks like the following (note that
      the old format is still accepted and will be for a while).
      
      [{'urn'   => 'urn:blabla'
        'login' => 'dopey',
        'keys'  => [ list of keys like before ]},
       {'login' => "leebee",
        'keys'  => [ list of keys ... ]}];
      
      Key Points:
      
      1. You can supply a urn or a login or both. Typically, it is going to
         be the result of getkeys() at the PG SA, and so it will include
         both.
      
      2. If a login is provided, use that. Otherwise use the id from the urn.
      
      3. No matter what, verify that the token is valid for Emulab an uid
         (standard 8 char unix login that is good on just about any unix
         variant), and transform it if not.
      
      4. For now, getkeys() at the SA will continue to return the old format
         (unless you supply version=2 argument) since we do not want to
         default to a keylist that most CMs will barf on.
      
      5. I have modified the AM code to transform the Geni AM version of the
         "users" argument into the above structure. Bottom line here, is
         that users of the AM interface will not actually need to do
         anything, although now multiple users are actually supported
         instead of ignored.
      
      Still to be done are the changes to the login services structure in
      the manifest. We have yet to settle on what these changes will look
      like, but since people generally supply valid login ids, you probably
      will not need this, since no transformation will take place.
      03c2107c
  5. 07 Apr, 2011 1 commit
  6. 06 Apr, 2011 1 commit
  7. 24 Mar, 2011 1 commit
  8. 06 Jan, 2011 1 commit
  9. 12 Nov, 2010 1 commit
  10. 29 Sep, 2010 1 commit
  11. 26 Apr, 2010 1 commit
  12. 03 Feb, 2010 1 commit
    • Leigh B Stoller's avatar
      Couple of little fixes; · 2424c7fc
      Leigh B Stoller authored
      * When resolving a component, return the gif (certificate) of the
        authority it belongs to.
      
      * Quick fix for skiping links that are for another CM. This will
        change later when the schema defines it.
      2424c7fc
  13. 25 Jan, 2010 1 commit
  14. 06 Jan, 2010 2 commits
    • Leigh B. Stoller's avatar
      Minor fix. · b11f7ab4
      Leigh B. Stoller authored
      b11f7ab4
    • Leigh B. Stoller's avatar
      Slice expiration changes. The crux of these changes: · 5c63cf86
      Leigh B. Stoller authored
      1. You cannot unregister a slice at the SA before it has expired. This
         will be annoying at times, but the alphanumeric namespace for slice
         ames is probably big enough for us.
      
      2. To renew a slice, the easiest approach is to call the Renew method
         at the SA, get a new credential for the slice, and then pass that
         to renew on the CMs where you have slivers.
      
      The changes address the problem of slice expiration.  Before this
      change, when registering a slice at the Slice Authority, there was no
      way to give it an expiration time. The SA just assigns a default
      (currently one hour). Then when asking for a ticket at a CM, you can
      specify a "valid_until" field in the rspec, which becomes the sliver
      expiration time at that CM. You can later (before it expires) "renew"
      the sliver, extending the time. Both the sliver and the slice will
      expire from the CM at that time.
      
      Further complicating things is that credentials also have an
      expiration time in them so that credentials are not valid forever. A
      slice credential picks up the expiration time that the SA assigned to
      the slice (mentioned in the first paragraph).
      
      A problem is that this arrangement allows you to extend the expiration
      of a sliver past the expiration of the slice that is recorded at the
      SA. This makes it impossible to expire slice records at the SA since
      if we did, and there were outstanding slivers, you could get into a
      situation where you would have no ability to access those slivers. (an
      admin person can always kill off the sliver).
      
      Remember, the SA cannot know for sure if there are any slivers out
      there, especially if they can exist past the expiration of the slice.
      
      The solution:
      
      * Provide a Renew call at the SA to update the slice expiration time.
        Also allow for an expiration time in the Register() call.
      
        The SA will need to abide by these three rules:
        1. Never issue slice credentials which expire later than the
           corresponding slice
        2. Never allow the slice expiration time to be moved earlier
        3. Never deregister slices before they expire [*].
      
      * Change the CM to not set the expiration of a sliver past the
        expiration of the slice credential; the credential expiration is an
        upper bound on the valid_until field of the rspec. Instead, one must
        first extend the slice at the SA, get a new slice credential, and
        use that to extend the sliver at the CM.
      
      * For consistency with the SA, the CM API will changed so that
        RenewSliver() becomes RenewSlice(), and it will require the
        slice credential.
      5c63cf86
  15. 22 Dec, 2009 1 commit
  16. 30 Oct, 2009 1 commit
  17. 26 Aug, 2009 1 commit
  18. 10 Aug, 2009 1 commit
  19. 28 Jul, 2009 1 commit
  20. 27 Jul, 2009 1 commit
  21. 17 Jul, 2009 1 commit
  22. 16 Jul, 2009 1 commit
  23. 13 Jul, 2009 2 commits
  24. 30 Jun, 2009 1 commit
  25. 05 Jun, 2009 1 commit
  26. 24 Mar, 2009 1 commit
  27. 23 Mar, 2009 1 commit
  28. 04 Mar, 2009 1 commit
    • Leigh B. Stoller's avatar
      Change EMULAB-COPYRIGHT to GENIPUBLIC-COPYRIGHT, for future expansions · 6c8d30fc
      Leigh B. Stoller authored
      to the Geni Public License at http://www.geni.net/docs/GENIPubLic.pdf,
      whose expansion at this time is:
      
      -----
      Permission is hereby granted, free of charge, to any person obtaining
      a copy of this software and/or hardware specification (the "Work") to
      deal in the Work without restriction, including without limitation the
      rights to use, copy, modify, merge, publish, distribute, sublicense,
      and/or sell copies of the Work, and to permit persons to whom the Work
      is furnished to do so, subject to the following conditions:
      
      The above copyright notice and this permission notice shall be
      included in all copies or substantial portions of the Work.
      
      THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
      OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
      MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
      NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
      HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
      WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
      OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
      IN THE WORK.
      6c8d30fc
  29. 02 Mar, 2009 2 commits
    • Leigh B. Stoller's avatar
      A bunch of changes for a "standalone" clearinghouse. Presently this · 60f04310
      Leigh B. Stoller authored
      its really a hugely stripped down Emulab boss install, using a very
      short version of install/boss-install to get a few things into place.
      
      I refactored a few things in both the protogeni code and the Emulab
      code, and whacked a bunch of makefiles and configure stuff. The result
      is that we only need to install about 10-12 files from the Emulab
      code, plus the protogeni code. Quite manageable, if you don't mind
      that it requires FreeBSD 6.X ... Still, I think it satisfies the
      requirement that we have a packaged clearinghouse that can be run
      standalone from a running Emulab site.
      60f04310
    • Gary Wong's avatar
      Implement fine-grained privileges. It should now be possible to · c47cebf8
      Gary Wong authored
      meaningfully delegate a subset of available privileges, so that the
      delegate is permitted to invoke only a restricted set of operations.
      c47cebf8
  30. 10 Feb, 2009 1 commit
  31. 09 Feb, 2009 2 commits
  32. 30 Jan, 2009 1 commit
  33. 08 Dec, 2008 1 commit
  34. 18 Nov, 2008 1 commit
  35. 03 Nov, 2008 1 commit
  36. 30 Oct, 2008 1 commit