1. 08 Jan, 2013 1 commit
  2. 06 Nov, 2012 1 commit
  3. 24 Sep, 2012 1 commit
    • Eric Eide's avatar
      Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to makes the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      This commit is intended to clear up that confusion.
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
  4. 12 Jun, 2012 1 commit
    • Leigh B Stoller's avatar
      Minor change to credential verification and load. · f3310749
      Leigh B Stoller authored
      Move the expiration test into verifygenicred. Change the invocation to
      capture the output so that we can say something useful in the error
      response, instead of what we do now which is just tell the user there
      is an error.
  5. 27 May, 2012 1 commit
  6. 27 Apr, 2012 1 commit
  7. 26 Apr, 2012 1 commit
  8. 21 Jul, 2011 1 commit
  9. 29 Jun, 2011 1 commit
  10. 07 Apr, 2011 1 commit
    • Leigh B Stoller's avatar
      Add delegation support to run on boss to make it easier for an admin · c50139c6
      Leigh B Stoller authored
      to delegate a credential to a user. Say you want to delegate a CH
      credential to a local user so they can lookup things:
      boss> getchcredential | delegatecredential 'urn:publicid:IDN+emulab.net+user+XXX' resolve:0
      This will spit out a delegated credential. Save that in a file and
      give to the user. The user then sends that along as the credential
  11. 06 Apr, 2011 4 commits
  12. 20 Oct, 2010 1 commit
    • Leigh B Stoller's avatar
      Store credentials with their own unique UUID (since that is the · 9b8e57b2
      Leigh B Stoller authored
      primary key still) instead of using the uuid of the slice. We do this
      so that we can easily cache slice credentials for different users (or
      multiple credentials of any kind).
      Add IsExpired() and SameCerts() tests.
      Add DeleteForTarget() which remove asny cached credentials for a
      target object (such as a slice), as when a slice is expired or
      Add sanity check to watch for duplicate credentials (same target and
      owner). Never supposed to happen.
  13. 30 Sep, 2010 1 commit
  14. 29 Sep, 2010 1 commit
  15. 06 Aug, 2010 2 commits
  16. 09 Jun, 2010 1 commit
  17. 21 May, 2010 1 commit
    • Tom Mitchell's avatar
      Made UUID checks optional, defaulted to on. · f35d8297
      Tom Mitchell authored
      GeniCredential now exports $CHECK_UUID, a variable that controls UUID
      checks on credentials. If set to a true value (like 1), UUID checks
      are made. If set to a false value (like 0), the UUID checks are
      $GeniCredential::$CHECK_UUID defaults to enabled.
  18. 26 Apr, 2010 1 commit
  19. 14 Apr, 2010 1 commit
  20. 13 Apr, 2010 1 commit
  21. 07 Apr, 2010 1 commit
  22. 06 Apr, 2010 2 commits
  23. 05 Apr, 2010 5 commits
  24. 24 Feb, 2010 1 commit
  25. 23 Feb, 2010 1 commit
  26. 12 Feb, 2010 1 commit
  27. 04 Feb, 2010 1 commit
  28. 03 Feb, 2010 1 commit
  29. 06 Jan, 2010 1 commit
    • Leigh B. Stoller's avatar
      Slice expiration changes. The crux of these changes: · 5c63cf86
      Leigh B. Stoller authored
      1. You cannot unregister a slice at the SA before it has expired. This
         will be annoying at times, but the alphanumeric namespace for slice
         ames is probably big enough for us.
      2. To renew a slice, the easiest approach is to call the Renew method
         at the SA, get a new credential for the slice, and then pass that
         to renew on the CMs where you have slivers.
      The changes address the problem of slice expiration.  Before this
      change, when registering a slice at the Slice Authority, there was no
      way to give it an expiration time. The SA just assigns a default
      (currently one hour). Then when asking for a ticket at a CM, you can
      specify a "valid_until" field in the rspec, which becomes the sliver
      expiration time at that CM. You can later (before it expires) "renew"
      the sliver, extending the time. Both the sliver and the slice will
      expire from the CM at that time.
      Further complicating things is that credentials also have an
      expiration time in them so that credentials are not valid forever. A
      slice credential picks up the expiration time that the SA assigned to
      the slice (mentioned in the first paragraph).
      A problem is that this arrangement allows you to extend the expiration
      of a sliver past the expiration of the slice that is recorded at the
      SA. This makes it impossible to expire slice records at the SA since
      if we did, and there were outstanding slivers, you could get into a
      situation where you would have no ability to access those slivers. (an
      admin person can always kill off the sliver).
      Remember, the SA cannot know for sure if there are any slivers out
      there, especially if they can exist past the expiration of the slice.
      The solution:
      * Provide a Renew call at the SA to update the slice expiration time.
        Also allow for an expiration time in the Register() call.
        The SA will need to abide by these three rules:
        1. Never issue slice credentials which expire later than the
           corresponding slice
        2. Never allow the slice expiration time to be moved earlier
        3. Never deregister slices before they expire [*].
      * Change the CM to not set the expiration of a sliver past the
        expiration of the slice credential; the credential expiration is an
        upper bound on the valid_until field of the rspec. Instead, one must
        first extend the slice at the SA, get a new slice credential, and
        use that to extend the sliver at the CM.
      * For consistency with the SA, the CM API will changed so that
        RenewSliver() becomes RenewSlice(), and it will require the
        slice credential.
  30. 01 Dec, 2009 1 commit
  31. 19 Nov, 2009 1 commit