1. 05 Oct, 2011 1 commit
  2. 29 Sep, 2011 1 commit
  3. 21 Sep, 2011 1 commit
    • Gary Wong authored · 75f89a35
      Add support for sub-authorities.
      Generate authority certificates for local sub-authorities (i.e. authorities
      corresponding to a local project) on demand.
      
      Map per-project URLs to the same XMLRPC server handled in the context of
      the authority for the specified project.
      
      Make the SA give out per-project credentials when it's asked for a
      GetCredential in a sub-authority.
  4. 12 Sep, 2011 2 commits
  5. 22 Aug, 2011 1 commit
  6. 02 Jun, 2011 1 commit
  7. 20 Apr, 2011 1 commit
    • Leigh B Stoller authored · 03c2107c
      Changes our ssh key/account handling in RedeemTicket() and
      CreateSliver(), to handle multiple accounts.  This somewhat reflects
      the Geni AM API for keys, which allows the client to specify multiple
      users, each with a set of ssh keys.
      
      The keys argument to the CM now looks like the following (note that
      the old format is still accepted and will be for a while).
      
      [{'urn'   => 'urn:blabla',
        'login' => 'dopey',
        'keys'  => [ list of keys like before ]},
       {'login' => "leebee",
        'keys'  => [ list of keys ... ]}];
      
      Key Points:
      
      1. You can supply a urn or a login or both. Typically, it is going to
         be the result of getkeys() at the PG SA, and so it will include
         both.
      
      2. If a login is provided, use that. Otherwise use the id from the urn.
      
      3. No matter what, verify that the token is valid for an Emulab uid
         (standard 8 char unix login that is good on just about any unix
         variant), and transform it if not.
      
      4. For now, getkeys() at the SA will continue to return the old format
         (unless you supply version=2 argument) since we do not want to
         default to a keylist that most CMs will barf on.
      
      5. I have modified the AM code to transform the Geni AM version of the
         "users" argument into the above structure. Bottom line here, is
         that users of the AM interface will not actually need to do
         anything, although now multiple users are actually supported
         instead of ignored.
      
      Still to be done are the changes to the login services structure in
      the manifest. We have yet to settle on what these changes will look
      like, but since people generally supply valid login ids, you probably
      will not need this, since no transformation will take place.
  8. 16 Feb, 2011 2 commits
  9. 06 Jan, 2011 1 commit
  10. 29 Oct, 2010 1 commit
  11. 20 Oct, 2010 1 commit
    • Leigh B Stoller authored · b4640223
      Do not register slices at the CH immediately; let the sa_daemon do
      that offline a couple of minutes later. Reduces the load on the CH
      when doing parallel registrations.
      
      Add caching of user and slice credentials, to avoid regenerating the
      same credentials over and over for the test scripts. Stored in the
      geni_credentials table, they are checked for expiration before handing
      them out. Also check to make sure that the user certificate has not
      changed, and regen/cache if it has.
  12. 11 Oct, 2010 1 commit
    • Leigh B Stoller authored · 92f83e48
      Work on an optimization to the perl code. Maybe you have noticed, but
      starting any one of our scripts can take a second or two. That time is
      spent including and compiling 10000s of thousands of lines of perl
      code, both from our libraries and from the perl libraries.
      
      Mostly this is just a maintenance thing; we just never thought about
      it much and we have a lot more code these days.
      
      So I have done two things.
      
      1) I have used SelfLoader() on some of our biggest perl modules.
         SelfLoader delays compilation until code is used. This is not as
         good as AutoLoader() though, and so I did it with just a few 
         modules (the biggest ones).
      
      2) Mostly I reorganized things:
      
        a) Split libdb into an EmulabConstants module and all the rest of
           the code, which is slowly getting phased out.
      
        b) Move little things around to avoid including libdb or Experiment
           (the biggest files).
      
        c) Change "use foo" in many places to a "require foo" in the
           function that actually uses that module. This was really a big
           win cause we have dozens of cases where we would include a
           module, but use it in only one place and typically not all.
      
      Most things are now starting up in 1/3 the time. I am hoping this will
      help to reduce the load spiking we see on boss, and also help with the
      upcoming Geni tutorial (which killed boss last time).
  13. 05 Oct, 2010 1 commit
  14. 04 Oct, 2010 1 commit
    • Leigh B Stoller authored · b3c8e72e
      More purging of UUIDs. Reminder, we still use them all over the place
      internally, as the primary key in the tables, but the CM/SA APIs no
      longer use them. The CH still accepts them for now. We can probably
      stop putting them into manifests and advertisements at this point as
      well. 
      
      For slivers, stop using the uuid of the node as the uuid of the sliver
      itself; generate a new one. As above, this is cause the uuid is the
      primary key in the table, but the URN is what we use for lookups,
      etc.
  15. 01 Oct, 2010 1 commit
    • Leigh B Stoller authored · 734bfd2a
      Change to previous revision wrt sliver registration. Need to be
      backwards compatible with old SAs and CMs until new code makes it
      out to everyone. So the CM now does a version check at the target SA,
      and if an old version 1, use the bogus self signed cred. If the SA is
      version 1.01, send a proper sliver credential.
      
      In the SA, accept older bogus credential for now, but start accepting
      the new sliver credential, and apply more stringent checks.
  16. 29 Sep, 2010 2 commits
  17. 02 Aug, 2010 1 commit
  18. 26 Apr, 2010 1 commit
  19. 08 Apr, 2010 1 commit
  20. 06 Apr, 2010 2 commits
  21. 10 Mar, 2010 2 commits
  22. 23 Feb, 2010 1 commit
  23. 20 Jan, 2010 1 commit
  24. 06 Jan, 2010 1 commit
    • Leigh B. Stoller authored · 5c63cf86
      Slice expiration changes. The crux of these changes:
      1. You cannot unregister a slice at the SA before it has expired. This
         will be annoying at times, but the alphanumeric namespace for slice
         names is probably big enough for us.
      
      2. To renew a slice, the easiest approach is to call the Renew method
         at the SA, get a new credential for the slice, and then pass that
         to renew on the CMs where you have slivers.
      
      The changes address the problem of slice expiration.  Before this
      change, when registering a slice at the Slice Authority, there was no
      way to give it an expiration time. The SA just assigns a default
      (currently one hour). Then when asking for a ticket at a CM, you can
      specify a "valid_until" field in the rspec, which becomes the sliver
      expiration time at that CM. You can later (before it expires) "renew"
      the sliver, extending the time. Both the sliver and the slice will
      expire from the CM at that time.
      
      Further complicating things is that credentials also have an
      expiration time in them so that credentials are not valid forever. A
      slice credential picks up the expiration time that the SA assigned to
      the slice (mentioned in the first paragraph).
      
      A problem is that this arrangement allows you to extend the expiration
      of a sliver past the expiration of the slice that is recorded at the
      SA. This makes it impossible to expire slice records at the SA since
      if we did, and there were outstanding slivers, you could get into a
      situation where you would have no ability to access those slivers. (an
      admin person can always kill off the sliver).
      
      Remember, the SA cannot know for sure if there are any slivers out
      there, especially if they can exist past the expiration of the slice.
      
      The solution:
      
      * Provide a Renew call at the SA to update the slice expiration time.
        Also allow for an expiration time in the Register() call.
      
        The SA will need to abide by these three rules:
        1. Never issue slice credentials which expire later than the
           corresponding slice
        2. Never allow the slice expiration time to be moved earlier
        3. Never deregister slices before they expire [*].
      
      * Change the CM to not set the expiration of a sliver past the
        expiration of the slice credential; the credential expiration is an
        upper bound on the valid_until field of the rspec. Instead, one must
        first extend the slice at the SA, get a new slice credential, and
        use that to extend the sliver at the CM.
      
      * For consistency with the SA, the CM API will change so that
        RenewSliver() becomes RenewSlice(), and it will require the
        slice credential.
  25. 11 Dec, 2009 2 commits
  26. 07 Dec, 2009 1 commit
    • Leigh B. Stoller authored · d60b9acd
      No longer use the ssh keys in the Emulab database when the protogeni
      user is a local user. Instead, all users have to send along their keys
      in the RedeemTicket() call, and those keys land in the new Emulab
      table called nonlocal_user_pubkeys, and tmcd will use that table when
      sending keys over local nodes.
      
      This change removes the inconsistency in key handling between slivers
      created locally and slivers created at a foreign CM.
  27. 02 Dec, 2009 1 commit
    • Leigh B. Stoller authored · f83ba977
      Checkpoint.
      * More URN issues dealt with.
      
      * Sliver registration and unregistration (CM to SA).
      
      * More V2 status stuff.
      
      * Other fixes.
  28. 30 Oct, 2009 1 commit
  29. 16 Oct, 2009 1 commit
  30. 08 Oct, 2009 1 commit
  31. 28 Jul, 2009 1 commit
  32. 29 May, 2009 1 commit
  33. 12 May, 2009 1 commit
  34. 26 Mar, 2009 1 commit