- 21 Jan, 2016 1 commit
-
-
Leigh B Stoller authored
1. Do not allow guest users to use anything but the APT cluster. We had talked about this a while back, and today it caused a problem:
2. Because a guest tried to use the Mothership (cause of a URN in the profile), we had GeniUser lookup confusion. We store guest users in the geni-sa geni_users table, but because PROTOGENI_LOCALUSER=1, we end up creating a nonlocal account on the Geni path, and that conflicts. Changed how we do lookups.
-
- 27 Jan, 2015 1 commit
-
-
Leigh B Stoller authored
1) Implement the latest dataset read/write access settings from frontend to backend. Also updates for simultaneous read-only usage.

2) New configure options: PROTOGENI_LOCALUSER and PROTOGENI_GENIWEBLOGIN.

The first changes the way that projects and users are treated at the CM. When set, we create real accounts (marked as nonlocal) for users and also create real projects (also marked as nonlocal). Users are added to those projects according to their credentials. The underlying experiment is thus owned by the user and in the project, although all the work is still done by the geniuser pseudo user. The advantage of this approach is that we can use standard emulab access checks to control access to objects like datasets. Maybe images too at some point.

NOTE: Users are not removed from projects once they are added; we are going to need to deal with this, perhaps by adding an expiration stamp to the groups_membership tables, and using the credential expiration to mark it.

The second new configure option turns on the web login via the geni trusted signer. So, if I create a sliver on a backend cluster when both options are set, I can use the trusted signer to log into my newly created account on the cluster, and see it (via the emulab classic web interface).

All this is in flux, might end up being a bogus approach in the end.
-
- 08 Jul, 2014 1 commit
-
-
Leigh B Stoller authored
-
- 19 Feb, 2014 1 commit
-
-
Leigh B Stoller authored
* Add a .htaccess file that does the rewrites, instead of in the httpd config file. Added Rob's stuff for rewriting urls to hide the .php although not sure this is working correctly yet.
* Add simple MyExperiments page so that logged in users can find their way back to running profiles.
* Move the DB table holding the running experiment records from the geni-sa DB into the main Emulab DB. Lots of little changes for that.
* Change logout to plain link instead of ajax call. That was a silly thing to do.
* Bug fixes to ssh keys and shell login from the status page.
-
- 17 Jan, 2014 1 commit
-
-
Leigh B Stoller authored
start of a page to create new profiles, lots of other changes and additions.
-
- 17 Oct, 2013 1 commit
-
-
Leigh B Stoller authored
-
- 09 Oct, 2013 1 commit
-
-
Leigh B Stoller authored
-
- 09 Sep, 2013 1 commit
-
-
Leigh B Stoller authored
-
- 24 Sep, 2012 1 commit
-
-
Eric Eide authored
This commit is intended to make the license status of Emulab and ProtoGENI source files more clear. It replaces license symbols like "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited blocks that contain actual license statements.

This change was driven by the fact that today, most people acquire and track Emulab and ProtoGENI sources via git.

Before the Emulab source code was kept in git, the Flux Research Group at the University of Utah would roll distributions by making tar files. As part of that process, the Flux Group would replace the license symbols in the source files with actual license statements.

When the Flux Group moved to git, people outside of the group started to see the source files with the "unexpanded" symbols. This meant that people acquired source files without actual license statements in them. All the relevant files had Utah *copyright* statements in them, but without the expanded *license* statements, the licensing status of the source files was unclear.

This commit is intended to clear up that confusion.

Most Utah-copyrighted files in the Emulab source tree are distributed under the terms of the Affero GNU General Public License, version 3 (AGPLv3).

Most Utah-copyrighted files related to ProtoGENI are distributed under the terms of the GENI Public License, which is a BSD-like open-source license.

Some Utah-copyrighted files in the Emulab source tree are distributed under the terms of the GNU Lesser General Public License, version 2.1 (LGPL).
-
- 05 Apr, 2012 1 commit
-
-
Leigh B Stoller authored
push to stable. These changes properly record URNs in the aggregate and manifest history tables.
-
- 30 Aug, 2011 1 commit
-
-
Leigh B Stoller authored
-
- 22 Aug, 2011 1 commit
-
-
Leigh B Stoller authored
-
- 20 Apr, 2011 1 commit
-
-
Leigh B Stoller authored
CreateSliver(), to handle multiple accounts. This somewhat reflects the Geni AM API for keys, which allows the client to specify multiple users, each with a set of ssh keys. The keys argument to the CM now looks like the following (note that the old format is still accepted and will be for a while).

    [{'urn'   => 'urn:blabla',
      'login' => 'dopey',
      'keys'  => [ list of keys like before ]},
     {'login' => "leebee",
      'keys'  => [ list of keys ... ]}];

Key Points:

1. You can supply a urn or a login or both. Typically, it is going to be the result of getkeys() at the PG SA, and so it will include both.
2. If a login is provided, use that. Otherwise use the id from the urn.
3. No matter what, verify that the token is valid for an Emulab uid (standard 8 char unix login that is good on just about any unix variant), and transform it if not.
4. For now, getkeys() at the SA will continue to return the old format (unless you supply version=2 argument) since we do not want to default to a keylist that most CMs will barf on.
5. I have modified the AM code to transform the Geni AM version of the "users" argument into the above structure.

Bottom line here, is that users of the AM interface will not actually need to do anything, although now multiple users are actually supported instead of ignored.

Still to be done are the changes to the login services structure in the manifest. We have yet to settle on what these changes will look like, but since people generally supply valid login ids, you probably will not need this, since no transformation will take place.
-
- 30 Mar, 2011 1 commit
-
-
Leigh B Stoller authored
is a valid Emulab user id (as for creating accounts on nodes) and for inserting into the Emulab DB. If the uid is not valid for us, make up a new one from a hash of the certificate. This will give us a (typically) unique but always consistent uid to use. Also add the uid to the services/login section of the manifest so that the client always knows what uid to use when logging in.
-
- 22 Jul, 2010 1 commit
-
-
Leigh B Stoller authored
-
- 14 Jul, 2010 1 commit
-
-
Leigh B Stoller authored
-
- 19 Jun, 2010 1 commit
-
-
Leigh B Stoller authored
which confuse things.
-
- 26 Apr, 2010 1 commit
-
-
Leigh B Stoller authored
to all of the API functions, and prefer that to any UUID argument. There are a lot of little changes. At this point, the CH and SA will no longer accept certificates that do not have URNs in them. The CH will send email to the email address listed in the certificate.
-
- 09 Mar, 2010 1 commit
-
-
Gary Wong authored
-
- 06 Jan, 2010 1 commit
-
-
Leigh B. Stoller authored
1. You cannot unregister a slice at the SA before it has expired. This will be annoying at times, but the alphanumeric namespace for slice names is probably big enough for us.
2. To renew a slice, the easiest approach is to call the Renew method at the SA, get a new credential for the slice, and then pass that to renew on the CMs where you have slivers.

The changes address the problem of slice expiration. Before this change, when registering a slice at the Slice Authority, there was no way to give it an expiration time. The SA just assigns a default (currently one hour).

Then when asking for a ticket at a CM, you can specify a "valid_until" field in the rspec, which becomes the sliver expiration time at that CM. You can later (before it expires) "renew" the sliver, extending the time. Both the sliver and the slice will expire from the CM at that time.

Further complicating things is that credentials also have an expiration time in them so that credentials are not valid forever. A slice credential picks up the expiration time that the SA assigned to the slice (mentioned in the first paragraph).

A problem is that this arrangement allows you to extend the expiration of a sliver past the expiration of the slice that is recorded at the SA. This makes it impossible to expire slice records at the SA since if we did, and there were outstanding slivers, you could get into a situation where you would have no ability to access those slivers. (an admin person can always kill off the sliver). Remember, the SA cannot know for sure if there are any slivers out there, especially if they can exist past the expiration of the slice.

The solution:

* Provide a Renew call at the SA to update the slice expiration time. Also allow for an expiration time in the Register() call. The SA will need to abide by these three rules:
  1. Never issue slice credentials which expire later than the corresponding slice
  2. Never allow the slice expiration time to be moved earlier
  3. Never deregister slices before they expire [*].
* Change the CM to not set the expiration of a sliver past the expiration of the slice credential; the credential expiration is an upper bound on the valid_until field of the rspec. Instead, one must first extend the slice at the SA, get a new slice credential, and use that to extend the sliver at the CM.
* For consistency with the SA, the CM API will be changed so that RenewSliver() becomes RenewSlice(), and it will require the slice credential.
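
The expiration rules from the commit message above, modeled as an added Python sketch that is not ProtoGENI code. The class and method names are hypothetical, the credential is an unsigned dict standing in for a signed slice credential, and rejecting (rather than clamping) an over-long valid_until is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_LIFETIME = timedelta(hours=1)  # SA default stated in the commit message

class PolicyError(Exception):
    """Raised when a request would break one of the expiration rules."""

@dataclass
class SliceRecord:
    expires: datetime

class SliceAuthority:  # hypothetical model of the SA, not the project's API
    def __init__(self):
        self.slices = {}

    def register(self, name, now, expires=None):
        self.slices[name] = SliceRecord(expires or now + DEFAULT_LIFETIME)

    def renew(self, name, new_expires):
        if new_expires < self.slices[name].expires:  # rule 2
            raise PolicyError("slice expiration may not move earlier")
        self.slices[name].expires = new_expires

    def credential(self, name, now, lifetime):
        # Rule 1: a credential never outlives its slice.
        expires = min(now + lifetime, self.slices[name].expires)
        return {"slice": name, "expires": expires}  # unsigned stand-in

    def unregister(self, name, now):
        if now < self.slices[name].expires:  # rule 3
            raise PolicyError("slice has not expired yet")
        del self.slices[name]

class ComponentManager:  # hypothetical model of the CM
    def __init__(self):
        self.slivers = {}

    def renew_slice(self, cred, valid_until, now):
        if cred["expires"] <= now:
            raise PolicyError("slice credential has expired")
        if valid_until > cred["expires"]:  # credential expiry is the upper bound
            raise PolicyError("valid_until exceeds slice credential expiration")
        self.slivers[cred["slice"]] = valid_until
        return valid_until
```

Because the sliver can never outlive the credential and the credential can never outlive the slice, the SA can expire a slice record knowing no sliver for it is still valid.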
-
- 07 Dec, 2009 1 commit
-
-
Leigh B. Stoller authored
user is a local user. Instead, all users have to send along their keys in the RedeemTicket() call, and those keys land in the new Emulab table called nonlocal_user_pubkeys, and tmcd will use that table when sending keys over local nodes. This change removes the inconsistency in key handling between slivers created locally and slivers created at a foreign CM.
-
- 03 Dec, 2009 1 commit
-
-
Leigh B. Stoller authored
Change urn() function to return urn from the certificate, rather than generating one (which is always wrong). If the certificate has no urn, return the uuid instead.
-
- 02 Dec, 2009 1 commit
-
-
Leigh B. Stoller authored
* More URN issues dealt with.
* Sliver registration and unregistration (CM to SA).
* More V2 status stuff.
* Other fixes.
-
- 27 Oct, 2009 1 commit
-
-
Leigh B. Stoller authored
-
- 22 Sep, 2009 1 commit
-
-
Leigh B. Stoller authored
-
- 30 Jun, 2009 1 commit
-
-
Leigh B. Stoller authored
-
- 18 May, 2009 1 commit
-
-
Leigh B. Stoller authored
-
- 12 May, 2009 1 commit
-
-
Gary Wong authored
is very conservative so far: URNs are accepted as input, but all output and database formats are unchanged to preserve compatibility. Those more pervasive changes will have to be made gradually, once the rest of the federation has been updated.
-
- 26 Mar, 2009 1 commit
-
-
Leigh B. Stoller authored
created, the keys were never updated. This fix is temporary, a better fix next week.
-
- 25 Mar, 2009 1 commit
-
-
Leigh B. Stoller authored
-
- 04 Mar, 2009 1 commit
-
-
Leigh B. Stoller authored
to the Geni Public License at http://www.geni.net/docs/GENIPubLic.pdf, whose expansion at this time is:

-----

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and/or hardware specification (the "Work") to deal in the Work without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Work, and to permit persons to whom the Work is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Work.

THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS IN THE WORK.
-
- 02 Mar, 2009 1 commit
-
-
Leigh B. Stoller authored
it's really a hugely stripped down Emulab boss install, using a very short version of install/boss-install to get a few things into place. I refactored a few things in both the protogeni code and the Emulab code, and whacked a bunch of makefiles and configure stuff. The result is that we only need to install about 10-12 files from the Emulab code, plus the protogeni code. Quite manageable, if you don't mind that it requires FreeBSD 6.X ... Still, I think it satisfies the requirement that we have a packaged clearinghouse that can be run standalone from a running Emulab site.
-
- 12 Jan, 2009 1 commit
-
-
Leigh B. Stoller authored
-
- 11 Nov, 2008 1 commit
-
-
Leigh B. Stoller authored
-
- 04 Nov, 2008 1 commit
-
-
Leigh B. Stoller authored
-
- 30 Oct, 2008 1 commit
-
-
Leigh B. Stoller authored
-
- 27 Oct, 2008 1 commit
-
-
Leigh B. Stoller authored
-
- 16 Oct, 2008 1 commit
-
-
Leigh B. Stoller authored
-
- 03 Sep, 2008 1 commit
-
-
Leigh B. Stoller authored
-
- 15 Aug, 2008 1 commit
-
-
Leigh B. Stoller authored
-