« back to all changes in this revision
Viewing changes to nova/auth/manager.py
- browse files at revision 477
- compare with another revision
- download diff
- download tarball
- view history from revision 477
- Committer: Tarmac
- Author(s): Vishvananda Ishaya
- Date: 2010-12-22 18:24:00 UTC
- mfrom: (396.6.14 project-vpns)
- Revision ID: tarmac-20101222182400-vh0j8lwp72auht1r
Fixes per-project vpns (cloudpipe) and adds manage commands and support for certificate revocation.
- files added:
- CA/genvpn.sh
- files removed:
- nova/api/cloudpipe
- files renamed:
- CA/INTER/ => CA/projects/
- nova/cloudpipe/bootscript.sh => nova/cloudpipe/bootscript.template
- files modified:
- CA/geninter.sh
added
removed
nova/auth/manager.py
64
64
'Filename of private key in credentials zip')
65
65
flags.DEFINE_string('credential_cert_file', 'cert.pem',
66
66
'Filename of certificate in credentials zip')
67
flags.DEFINE_string('credential_rc_file', 'novarc',
68
'Filename of rc in credentials zip')
69
flags.DEFINE_string('credential_cert_subject',
70
'/C=US/ST=California/L=MountainView/O=AnsoLabs/'
71
'OU=NovaDev/CN=%s-%s',
72
'Subject for certificate for users')
67
flags.DEFINE_string('credential_rc_file', '%src',
68
'Filename of rc in credentials zip, %s will be '
69
'replaced by name of the region (nova by default)')
73
70
flags.DEFINE_string('auth_driver', 'nova.auth.dbdriver.DbDriver',
74
71
'Driver that auth manager uses')
75
72
543
540
"""
544
541
545
542
network_ref = db.project_get_network(context.get_admin_context(),
546
Project.safe_id(project))
543
Project.safe_id(project), False)
547
544
548
if not network_ref['vpn_public_port']:
549
raise exception.NotFound(_('project network data has not '
550
'been set'))
545
if not network_ref:
546
return (None, None)
551
547
return (network_ref['vpn_public_address'],
552
548
network_ref['vpn_public_port'])
553
549
629
625
def get_key_pairs(context):
630
626
return db.key_pair_get_all_by_user(context.elevated(), context.user_id)
631
627
632
def get_credentials(self, user, project=None):
628
def get_credentials(self, user, project=None, use_dmz=True):
633
629
"""Get credential zip for user in project"""
634
630
if not isinstance(user, User):
635
631
user = self.get_user(user)
636
632
if project is None:
637
633
project = user.id
638
634
pid = Project.safe_id(project)
639
rc = self.__generate_rc(user.access, user.secret, pid)
640
private_key, signed_cert = self._generate_x509_cert(user.id, pid)
635
private_key, signed_cert = crypto.generate_x509_cert(user.id, pid)
641
636
642
637
tmpdir = tempfile.mkdtemp()
643
638
zf = os.path.join(tmpdir, "temp.zip")
644
639
zippy = zipfile.ZipFile(zf, 'w')
645
zippy.writestr(FLAGS.credential_rc_file, rc)
640
if use_dmz and FLAGS.region_list:
641
regions = {}
642
for item in FLAGS.region_list:
643
region, _sep, region_host = item.partition("=")
644
regions[region] = region_host
645
else:
646
regions = {'nova': FLAGS.cc_host}
647
for region, host in regions.iteritems():
648
rc = self.__generate_rc(user.access,
649
user.secret,
650
pid,
651
use_dmz,
652
host)
653
zippy.writestr(FLAGS.credential_rc_file % region, rc)
654
646
655
zippy.writestr(FLAGS.credential_key_file, private_key)
647
656
zippy.writestr(FLAGS.credential_cert_file, signed_cert)
648
657
649
try:
650
(vpn_ip, vpn_port) = self.get_project_vpn_data(project)
651
except exception.NotFound:
652
vpn_ip = None
658
(vpn_ip, vpn_port) = self.get_project_vpn_data(project)
653
659
if vpn_ip:
654
660
configfile = open(FLAGS.vpn_client_template, "r")
655
661
s = string.Template(configfile.read())
662
668
else:
663
669
logging.warn(_("No vpn data for project %s"), pid)
664
670
665
zippy.writestr(FLAGS.ca_file, crypto.fetch_ca(user.id))
671
zippy.writestr(FLAGS.ca_file, crypto.fetch_ca(pid))
666
672
zippy.close()
667
673
with open(zf, 'rb') as f:
668
674
read_buffer = f.read()
670
676
shutil.rmtree(tmpdir)
671
677
return read_buffer
672
678
673
def get_environment_rc(self, user, project=None):
679
def get_environment_rc(self, user, project=None, use_dmz=True):
674
680
"""Get credential zip for user in project"""
675
681
if not isinstance(user, User):
676
682
user = self.get_user(user)
677
683
if project is None:
678
684
project = user.id
679
685
pid = Project.safe_id(project)
680
return self.__generate_rc(user.access, user.secret, pid)
686
return self.__generate_rc(user.access, user.secret, pid, use_dmz)
681
687
682
688
@staticmethod
683
def __generate_rc(access, secret, pid):
689
def __generate_rc(access, secret, pid, use_dmz=True, host=None):
684
690
"""Generate rc file for user"""
691
if use_dmz:
692
cc_host = FLAGS.cc_dmz
693
else:
694
cc_host = FLAGS.cc_host
695
# NOTE(vish): Always use the dmz since it is used from inside the
696
# instance
697
s3_host = FLAGS.s3_dmz
698
if host:
699
s3_host = host
700
cc_host = host
685
701
rc = open(FLAGS.credentials_template).read()
686
702
rc = rc % {'access': access,
687
703
'project': pid,
688
704
'secret': secret,
689
'ec2': FLAGS.ec2_url,
690
's3': 'http://%s:%s' % (FLAGS.s3_host, FLAGS.s3_port),
705
'ec2': '%s://%s:%s%s' % (FLAGS.ec2_prefix,
706
cc_host,
707
FLAGS.cc_port,
708
FLAGS.ec2_suffix),
709
's3': 'http://%s:%s' % (s3_host, FLAGS.s3_port),
691
710
'nova': FLAGS.ca_file,
692
711
'cert': FLAGS.credential_cert_file,
693
712
'key': FLAGS.credential_key_file}
694
713
return rc
695
696
def _generate_x509_cert(self, uid, pid):
697
"""Generate x509 cert for user"""
698
(private_key, csr) = crypto.generate_x509_cert(
699
self.__cert_subject(uid))
700
# TODO(joshua): This should be async call back to the cloud controller
701
signed_cert = crypto.sign_csr(csr, pid)
702
return (private_key, signed_cert)
703
704
@staticmethod
705
def __cert_subject(uid):
706
"""Helper to generate cert subject"""
707
return FLAGS.credential_cert_subject % (uid, utils.isotime())
Loggerhead is a web-based interface for Breezy
Version: 2.0.1