1. 31 Aug, 2016 1 commit
  2. 29 Aug, 2016 3 commits
  3. 20 Jul, 2016 1 commit
  4. 14 Jul, 2016 1 commit
  5. 10 Jun, 2016 2 commits
    • Fix to CreateDatasetCreds(); we do not need a credential for a local lease, · f74b1548
      Leigh Stoller authored
      it goes through normal emulab permission checks.
    • NFS mount changes, still a work in progress, bound to change: · e369c1a8
      Leigh Stoller authored
      * The Emulab portal now adds a toplevel element (Emulab namespace)
        directing the CM to use standard emulab mounts (read: /users).
        We clear that element from the other portals.
      
      * The CM looks for that tag, and allows it only if the caller is the local
        SA. The default for nfsmounts setting for geni experiment containers is
        "genidefault", but that is set to "emulabdefault" when allowed.
      
      * tmcd changes; now using nfsmounts slot instead of nonfsmounts. "none"
        means no mounts (duh), "emulabdefault" means standard mounts we all know
        and love, "genidefault" means no /users mounts.
      
        In addition, when we are doing emulabdefault mounts on a geni experiment
        node, we do not return accounts that are specified in the rspec, but
        rather we return the local project accounts only.
  6. 19 May, 2016 1 commit
  7. 29 Apr, 2016 1 commit
  8. 12 Apr, 2016 1 commit
  9. 06 Apr, 2016 1 commit
  10. 26 Mar, 2016 1 commit
  11. 16 Mar, 2016 1 commit
  12. 14 Mar, 2016 1 commit
  13. 09 Mar, 2016 1 commit
  14. 01 Mar, 2016 1 commit
    • Some tweaks to credential handling: · 3ebffb34
      Leigh Stoller authored
      1) Anytime we need to generate a slice credential, and the slice has
         expired, bump the slice expiration so we can create a valid credential
         and then reset the expiration. Consider if the slice expires but we
         missed it and it's still active; we gotta be able to control it.
      
      2) From the beginning, we have done almost all RPC operations as the
         creator of the experiment. Made sense when the portal interface was not
         project aware, but now other users in the project can see and mess with
         experiments in their project. But we are still doing all the RPC
         operations as the creator of the experiment, which will need to change
         at some point, but in the short term I am seeing a lot of credential
         errors caused by an expired speaks-for credential for that creator (if
         they have not logged into the portal in a while). When this happens,
         let's generate a plain slice credential, issued to the SA, so that we can
         complete the operation. Eventually we have to make the backend project
         aware, and issue the operations as the web user doing the driving.
         Maybe as part of the larger portalization project.
  15. 29 Feb, 2016 2 commits
  16. 22 Feb, 2016 1 commit
  17. 05 Feb, 2016 1 commit
  18. 27 Jan, 2016 1 commit
  19. 21 Jan, 2016 1 commit
    • A couple of fixes for guest users: · c363234d
      Leigh Stoller authored
      1. Do not allow guest users to use anything but the APT cluster. We had
         talked about this a while back, and today it caused a problem:
      
      2. Because a guest tried to use the Mothership (cause of a URN in the
         profile), we had GeniUser lookup confusion. We store guest users in the
         geni-sa geni_users table, but because PROTOGENI_LOCALUSER=1, we end up
         creating a nonlocal account on the Geni path, and that conflicts.
         Changed how we do lookups.
  20. 06 Jan, 2016 1 commit
  21. 04 Jan, 2016 1 commit
  22. 21 Dec, 2015 1 commit
  23. 16 Dec, 2015 1 commit
  24. 01 Dec, 2015 1 commit
    • Add support for cancelation; stopping an experiment setup early, instead of · 32c3d934
      Leigh Stoller authored
      waiting till it finished setting up (or fails). This is really nice when a
      1000 node experiment has gone awry and it is pointless to wait for it to
      finish. When we do this, we mark the instance as canceled in the DB, and
      then wait for create_instance() to notice it. When it does, it stops
      waiting and invokes terminate with a new cancel option at the backend.
  25. 16 Nov, 2015 1 commit
  26. 13 Nov, 2015 2 commits
  27. 29 Oct, 2015 1 commit
  28. 28 Oct, 2015 2 commits
  29. 27 Oct, 2015 1 commit
    • Add simple (initial) support passing encrypted secrets to the cluster CM, · 46757729
      Leigh Stoller authored
      to be decrypted using the per-exp ssl keypair we create and store on the
      nodes. In this case, you can add this to your rspec in the node element.
      You can add as many as you want, use the name attribute. We generate a
      random password and encrypt the plain text:
      
        <emulab:password></emulab:password>
      
      which becomes:
      
          <emulab:password name="foo" encrypted="true">-----BEGIN PKCS7-----
      MIIBpAYJKoZIhvcNAQcDoIIBlTCCAZECAQAxggFMMIIBSAIBADCBsDCBqDELMAkG
      A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5
      MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEPMA0GA1UECxMGQVBUTEFC
      MRcwFQYDVQQDEw53d3cuYXB0bGFiLm5ldDEoMCYGCSqGSIb3DQEJARYZdGVzdGJl
      ZC1vcHNAZmx1eC51dGFoLmVkdQIDAs8NMA0GCSqGSIb3DQEBAQUABIGAKeyo7mPO
      rHRF2G9t0h8/ALBBh7ChD1zCYvRFi2qvvUIIv/kfCNPhujRfodIYR65dP3tfM+BH
      VTRxjJrMYH63m8Fz9KMZlVYn+DhMeiwerqTxvVs823zyxcDrOUzTzzakWmJVSqvl
      33Po/7CYZ2iq67ATF1Xym3DsRQbQSuwgzu8wPAYJKoZIhvcNAQcBMB0GCWCGSAFl
      AwQBKgQQRw0kmvwhIur/ZlfFbB75qoAQXTKjzwN1HDJW4x5GAcWNPA==
      -----END PKCS7-----
          </emulab:password>
      
      which can then be decrypted using the private key to get the plaintext
      password.
  30. 25 Oct, 2015 1 commit
  31. 22 Oct, 2015 1 commit
  32. 21 Oct, 2015 1 commit
  33. 20 Oct, 2015 1 commit
  34. 19 Oct, 2015 1 commit