1. 09 Jan, 2015 1 commit
  2. 03 Jan, 2015 1 commit
  3. 14 Dec, 2014 1 commit
  4. 27 Oct, 2014 1 commit
    • Leigh B Stoller's avatar
      Add methods to check for user having a valid encrypted ssl certificate, · e0d59dde
      Leigh B Stoller authored
      and to generate one. When generating one, look for a revoked/expired
      certificate and reuse the key (and password) otherwise generate a new
      key and new random password. This allows existing Emulab users who have
      never used Geni, to use the APT/Cloud interface without having to create
      a key via the web interface.
      e0d59dde
  5. 25 Sep, 2014 1 commit
  6. 15 Sep, 2014 1 commit
  7. 27 Aug, 2014 1 commit
    • Leigh B Stoller's avatar
      Large set of changes for using the Geni trusted signer tool, to · 980f6cbd
      Leigh B Stoller authored
      authenticate Geni users to CloudLab (who do not have Emulab accounts).
      CloudLab users must have an account to do anything (unlike APT which allows
      guest users). But instead of requiring them to go through the Emulab
      account creation (high bar), let then use their Geni credentials to prove
      who they are. We then build a local account for that new user, and save off
      the speaksfor credential so that we can act on their behalf when talking to
      the backend clusters (and their MA to get their ssh keys).
      
      These users do not have a local account password, so they cannot log into
      the web interface using the Emulab login page, nor do they have a shell on
      ops.
      
      Once authenticated, we put the appropriate cookies into the browser via
      javascript, so they can use the Cloud (okay, APT) web interface (they
      appear logged in).
      
      I make use of the nonlocal_id field of the users table, which was not being
      used for anything else. Officially, these are "nonlocal" users in the code
      (IsNonLocal()).
      
      When a nonlocal user instantiates a profile, we use their speaksfor
      credential to ask their home MA for their ssh keys, which we then store in
      the DB, and then provide to the aggregate via the CreateSliver call.
      Note that no provision has been made for users who edit their profile and
      add keys; I am not currently expecting these users to stumble into the web
      interface (yet).
      980f6cbd
  8. 24 Jan, 2014 1 commit
  9. 17 Jan, 2014 1 commit
  10. 08 Mar, 2013 1 commit
  11. 14 Feb, 2013 1 commit
  12. 02 Jan, 2013 1 commit
  13. 24 Sep, 2012 1 commit
    • Eric Eide's avatar
      Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to makes the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      
      This commit is intended to clear up that confusion.
      
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      (AGPLv3).
      
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      license.
      
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
      (LGPL).
      6df609a9
  14. 30 Apr, 2012 1 commit
  15. 15 Mar, 2012 1 commit
  16. 30 Jan, 2012 2 commits
    • Leigh B Stoller's avatar
      Changes to make it easier for ProtoGeni users! · 3dac3cb8
      Leigh B Stoller authored
      * When generating an encrypted SSL certificate, derive an SSH public
        key from the private key and store in the pubkeys table for the
        user. Note that SSH version 2 RSA keys are actually just openssl RSA
        keys, and that ssh-keygen can extract an ssh compatible public key
        from it.
      
      * Change getsslcert.php3 to return the ssh private and public key when
        give the "ssh" boolean argument. This is mostly for the benefit of
        Flack; we probably need a better UI for the user to get this stuff. 
      
      * Remove the requirement that users must upload an SSH key to use
        protogeni, since we now create one for them when they create their
        encrypted SSL certificate.
      
      * Some cleanup; instead of looking at the comment field to determine
        what pubkeys are Emulab created (and should not be deleted), use new
        internal and nodelete flags.
      3dac3cb8
    • Leigh B Stoller's avatar
  17. 02 Dec, 2011 1 commit
    • Leigh B Stoller's avatar
      Changes to allow new users to request their encrypted SSL certificate · 8def7e94
      Leigh B Stoller authored
      on the join/start project pages. At the moment this is conditional
      under the PROTOGENI flag, since users on non-protogeni sites rarely
      need an encrypted SSL certificate. The initial passphrase has to be
      store someplace since we cannot built the certificate until the user
      is approved, so put it into the users table, and delete when the first
      certificate is built (at approval).
      8def7e94
  18. 07 Nov, 2011 1 commit
  19. 30 Aug, 2011 2 commits
  20. 22 Aug, 2011 1 commit
  21. 12 Aug, 2011 1 commit
  22. 10 Aug, 2011 1 commit
  23. 07 Jul, 2011 1 commit
  24. 20 Apr, 2011 1 commit
    • Leigh B Stoller's avatar
      Changes our ssh key/account handling in RedeemTicket() and · 03c2107c
      Leigh B Stoller authored
      CreateSliver(), to handle multiple accounts.  This somewhat reflects
      the Geni AM API for keys, which allows the client to specify multiple
      users, each with a set of ssh keys.
      
      The keys argument to the CM now looks like the following (note that
      the old format is still accepted and will be for a while).
      
      [{'urn'   => 'urn:blabla'
        'login' => 'dopey',
        'keys'  => [ list of keys like before ]},
       {'login' => "leebee",
        'keys'  => [ list of keys ... ]}];
      
      Key Points:
      
      1. You can supply a urn or a login or both. Typically, it is going to
         be the result of getkeys() at the PG SA, and so it will include
         both.
      
      2. If a login is provided, use that. Otherwise use the id from the urn.
      
      3. No matter what, verify that the token is valid for Emulab an uid
         (standard 8 char unix login that is good on just about any unix
         variant), and transform it if not.
      
      4. For now, getkeys() at the SA will continue to return the old format
         (unless you supply version=2 argument) since we do not want to
         default to a keylist that most CMs will barf on.
      
      5. I have modified the AM code to transform the Geni AM version of the
         "users" argument into the above structure. Bottom line here, is
         that users of the AM interface will not actually need to do
         anything, although now multiple users are actually supported
         instead of ignored.
      
      Still to be done are the changes to the login services structure in
      the manifest. We have yet to settle on what these changes will look
      like, but since people generally supply valid login ids, you probably
      will not need this, since no transformation will take place.
      03c2107c
  25. 04 Nov, 2010 1 commit
    • David Johnson's avatar
      Add a method that explicitly returns *only* Emulab-generated pubkeys. · 649a30ac
      David Johnson authored
      This method looks to see if these keys were *likely* generated by us.
      The regular GetSSHKeys specifically filters these out.  This new method
      should be used carefully, since these keys are not passphrase-protected.
      For instance, I'm only using it for loading keys on switches that are
      only locally accessible right now.
      649a30ac
  26. 12 Oct, 2010 2 commits
  27. 11 Oct, 2010 1 commit
    • Leigh B Stoller's avatar
      Work on an optimization to the perl code. Maybe you have noticed, but · 92f83e48
      Leigh B Stoller authored
      starting any one of our scripts can take a second or two. That time is
      spent including and compiling 10000s of thousands of lines of perl
      code, both from our libraries and from the perl libraries.
      
      Mostly this is just a maintenance thing; we just never thought about
      it much and we have a lot more code these days.
      
      So I have done two things.
      
      1) I have used SelfLoader() on some of our biggest perl modules.
         SelfLoader delays compilation until code is used. This is not as
         good as AutoLoader() though, and so I did it with just a few 
         modules (the biggest ones).
      
      2) Mostly I reorganized things:
      
        a) Split libdb into an EmulabConstants module and all the rest of
           the code, which is slowly getting phased out.
      
        b) Move little things around to avoid including libdb or Experiment
           (the biggest files).
      
        c) Change "use foo" in many places to a "require foo" in the
           function that actually uses that module. This was really a big
           win cause we have dozens of cases where we would include a
           module, but use it in only one place and typically not all.
      
      Most things are now starting up in 1/3 the time. I am hoping this will
      help to reduce the load spiking we see on boss, and also help with the
      upcoming Geni tutorial (which kill boss last time).
      92f83e48
  28. 22 Mar, 2010 1 commit
    • Leigh B Stoller's avatar
      Finish up user deletion. The big visible change is that when a user is · 2965922b
      Leigh B Stoller authored
      deleted, they still remain in the user table with a status of
      "archived", but since all the queries in the system now use uid_idx
      instead of uid, it is safe to reuse a uid since they are no longer
      ambiguous. 
      
      The reason for not deleting users from the users table is so that the
      stats records can refer to the original record (who was that person
      named "mike"). This is very handy and worth the additional effort it
      has taken.
      
      There is no way to ressurect a user, but it would not be hard to add.
      2965922b
  29. 07 Dec, 2009 1 commit
    • Leigh B. Stoller's avatar
      No longer use the ssh keys in the Emulab database when the protogeni · d60b9acd
      Leigh B. Stoller authored
      user is a local user. Instead, all users have to send along their keys
      in the RedeemTicket() call, and those keys land in the new Emulab
      table called nonlocal_user_pubkeys, and tmcd will use that table when
      sending keys over local nodes.
      
      This change removes the inconsistency in key handling between slivers
      created locally and slivers created at a foreign CM.
      d60b9acd
  30. 24 Jun, 2009 1 commit
  31. 11 Jun, 2009 1 commit
  32. 27 Feb, 2009 1 commit
  33. 17 Nov, 2008 1 commit
  34. 04 Nov, 2008 1 commit
  35. 25 Sep, 2008 1 commit
  36. 03 Jun, 2008 1 commit
  37. 30 May, 2008 1 commit