Opened 12 years ago

Last modified 12 years ago

#87 assigned

User credentials incorrectly sufficient for local sliver creator

Reported by: ahelsing@bbn.com
Owned by: jaipuria@cs.duke.edu
Priority: major
Milestone:
Component: AM
Version: SPIRAL4
Keywords:
Cc:
Dependencies:

Description

User credential is sufficient to allow the local sliver creator to do any operation. That is wrong.

Our test scenario:

  • user1 creates slice1
  • user1 creates sliver at ExoGENI
  • user1 gets user1's user credential file
  • user1 uses user1's user credential file as a slice credential file to access AM API options for slice1: -listresources, sliverstatus, deletesliver, createsliver, renewsliver, and shutdown
  • That is, as user1:

./omni.py listresources slice1 --slicecredfile user1_usercred.cred

This test incorrectly works. The ExoGENI AM allows the user who created the local slivers to do any operation, using just a valid user credential - one that does not reference the slice at all.

Attachments (1)

pgeni-lnevers-usercred.xml (6.5 KB) - added by lnevers@bbn.com 12 years ago.


Change History (4)

comment:1 Changed 12 years ago by ahelsing@bbn.com

See ticket #85 for the explanation from the AM API. The API requires that all methods receive a valid slice credential - one that grants the caller rights to the slice. In particular, a valid user credential should not be enough, even for the user who created the slivers locally at ExoGENI.

comment:2 Changed 12 years ago by jaipuria@cs.duke.edu

Owner: changed from somebody to jaipuria@cs.duke.edu
Status: changed from new to assigned

Can you please attach the user credential that was used for the test.

Changed 12 years ago by lnevers@bbn.com

Attachment: pgeni-lnevers-usercred.xml added

comment:3 Changed 12 years ago by lnevers@bbn.com

Attached the user credentials used in the test scenario described.

Also, here is the sequence of Omni commands used as user "lnevers":

 $ omni.py createslice slice1
 $ omni.py -a exobbn createsliver slice1 ./exo.rspec 
 $ omni.py getusercred lnevers -o
 $ omni.py -a exobbn listresources slice1 --slicecredfile pgeni-lnevers-usercred.xml -o
   Result Summary: Retrieved resources for slice slice1 from 1 aggregates.
   Wrote rspecs from 1 aggregates to 1 files
   Saved listresources RSpec at 'unspecified_AM_URN' to file 
   slice1-rspec-bbn-hn-exogeni-net-11443-orca.xml; .

For comparison, here is the behavior on an instageni rack:

 $ omni.py -a insta-utah createsliver slice1 insta.rspec  --api-version 2 -t GENI 3
 $ omni.py -a insta-utah listresources slice1 --slicecredfile pgeni-lnevers-usercred.xml \
    --api-version 2 -t GENI 3 -o
   Result Summary: Got no resources on slice slice1. No resources from AM    
   https://boss.utah.geniracks.net/protogeni/xmlrpc/am/2.0: No permission to resolve 
   [GeniSlice: bbn-pgeni.slice1, IDX: 1729]
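
The rule stated in comment:1, sketched as an added example (not ExoGENI, ORCA or Omni code): a slice-scoped call is allowed only when the presented credential's target is the slice being operated on, so a user credential, whose target is the user, is refused. It assumes the GENI credential XML layout with `owner_urn` and `target_urn` elements; the URNs and credentials are constructed, and `make_cred`, `urn_type` and `authorize_slice_call` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed URNs and unsigned, trimmed credentials (not values from the ticket).
USER_URN = "urn:publicid:IDN+example-sa+user+user1"
SLICE_URN = "urn:publicid:IDN+example-sa+slice+slice1"

def make_cred(owner_urn, target_urn):
    """Build a minimal credential document holding only the fields checked below."""
    return ("<signed-credential><credential><type>privilege</type>"
            f"<owner_urn>{owner_urn}</owner_urn><target_urn>{target_urn}</target_urn>"
            "<privileges><privilege><name>*</name></privilege></privileges>"
            "</credential><signatures/></signed-credential>")

USER_CRED = make_cred(USER_URN, USER_URN)    # user credential: target is the user
SLICE_CRED = make_cred(USER_URN, SLICE_URN)  # slice credential: target is the slice

def urn_type(urn):
    """Return the type field of a GENI URN: urn:publicid:IDN+authority+type+name."""
    parts = urn.split("+")
    if len(parts) != 4 or parts[0] != "urn:publicid:IDN":
        raise ValueError(f"malformed URN: {urn!r}")
    return parts[2]

def authorize_slice_call(cred_xml, caller_urn, slice_urn):
    """Return (allowed, reason) for a slice-scoped AM API call."""
    # Assumes signature and expiry are verified elsewhere; delegation is ignored.
    try:
        cred = ET.fromstring(cred_xml).find("credential")
    except ET.ParseError:
        return False, "credential is not well-formed XML"
    if cred is None:
        return False, "no <credential> element"
    owner = (cred.findtext("owner_urn") or "").strip()
    target = (cred.findtext("target_urn") or "").strip()
    if owner != caller_urn:
        return False, "credential was not issued to the caller"
    try:
        target_type = urn_type(target)
    except ValueError:
        return False, "credential target is not a valid URN"
    if target_type != "slice":
        return False, "credential target is not a slice"
    if target != slice_urn:
        return False, "credential targets a different slice"
    return True, "ok"

if __name__ == "__main__":
    for name, cred in (("user", USER_CRED), ("slice", SLICE_CRED)):
        print(name, authorize_slice_call(cred, USER_URN, SLICE_URN))
```

The decision does not depend on who created the slivers, which is the shortcut the ticket reports.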