Opened 12 years ago
Last modified 12 years ago
#87 assigned
User credentials incorrectly sufficient for local sliver creator
Reported by: | ahelsing@bbn.com | Owned by: | jaipuria@cs.duke.edu |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | AM | Version: | SPIRAL4 |
Keywords: | | Cc: | |
Dependencies: | | | |
Description
User credential is sufficient to allow the local sliver creator to do any operation. That is wrong.
Our test scenario:
- user1 creates slice1
- user1 creates sliver at ExoGENI
- user1 gets user1's user credential file
- user1 uses user1's user credential file as a slice credential file to access AM API options for slice1: listresources, sliverstatus, deletesliver, createsliver, renewsliver, and shutdown
- That is, as user1:
  ```
  ./omni.py listresources slice1 --slicecredfile user1_usercred.cred
  ```
This test incorrectly works. The ExoGENI AM allows the user who created the local slivers to do any operation, using just a valid user credential - one that does not reference the slice at all.
Attachments (1)
Change History (4)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
Owner: | changed from somebody to jaipuria@cs.duke.edu |
---|---|
Status: | new → assigned |
Can you please attach the user credential that was used for the test.
Changed 12 years ago by
Attachment: | pgeni-lnevers-usercred.xml added |
---|
comment:3 Changed 12 years ago by
Attached the user credentials used in the test scenario described.
Also, here is the sequence of Omni commands used as user "lnevers":
```
$ omni.py createslice slice1
$ omni.py -a exobbn createsliver slice1 ./exo.rspec
$ omni.py getusercred lnevers -o
$ omni.py -a exobbn listresources slice1 --slicecredfile pgeni-lnevers-usercred.xml -o
  Result Summary: Retrieved resources for slice slice1 from 1 aggregates.
  Wrote rspecs from 1 aggregates to 1 files
  Saved listresources RSpec at 'unspecified_AM_URN' to file slice1-rspec-bbn-hn-exogeni-net-11443-orca.xml; .
```
For comparison, here is the behavior on an instageni rack:
```
$ omni.py -a insta-utah createsliver slice1 insta.rspec --api-version 2 -t GENI 3
$ omni.py -a insta-utah listresources slice1 --slicecredfile pgeni-lnevers-usercred.xml \
    --api-version 2 -t GENI 3 -o
  Result Summary: Got no resources on slice slice1.
  No resources from AM https://boss.utah.geniracks.net/protogeni/xmlrpc/am/2.0: No permission to resolve [GeniSlice: bbn-pgeni.slice1, IDX: 1729]
```
See ticket #85 for the explanation from the AM API. The API requires that all methods receive a valid slice credential - one that grants the caller rights to the slice. In particular, a valid user credential should not be enough, even for the user who created the slivers locally at ExoGENI.
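The credential-to-slice binding check this ticket reports as missing, sketched as an added example (not ExoGENI or Omni code). It assumes the GENI/SFA credential XML layout with `owner_urn` and `target_urn` elements; the function names, URNs and sample credentials are constructed, and signature, trust-chain and expiry verification are assumed to have run before this check.

```python
import xml.etree.ElementTree as ET

def urn_type(urn):
    """Type field of a GENI URN: urn:publicid:IDN+<authority>+<type>+<name>."""
    parts = urn.split("+")
    if len(parts) == 4 and parts[0] == "urn:publicid:IDN":
        return parts[2]
    return None

def check_slice_credential(cred_xml, caller_urn, slice_urn):
    """Return (allowed, reason) for an AM call on slice_urn by caller_urn.

    Assumes signature, trust chain and expiry were already verified.
    """
    try:
        cred = ET.fromstring(cred_xml).find("credential")
    except ET.ParseError:
        return False, "malformed credential"
    if cred is None:
        return False, "no credential element"
    owner = (cred.findtext("owner_urn") or "").strip()
    target = (cred.findtext("target_urn") or "").strip()
    if owner != caller_urn:
        return False, "credential not issued to caller"
    if urn_type(target) != "slice":
        # A user credential targets the user's own URN: the case in this ticket.
        return False, "not a slice credential"
    if target != slice_urn:
        return False, "credential is for a different slice"
    return True, "ok"

def make_cred(owner_urn, target_urn):
    """Constructed, unsigned sample credential (illustration only)."""
    return ("<signed-credential><credential><type>privilege</type>"
            f"<owner_urn>{owner_urn}</owner_urn>"
            f"<target_urn>{target_urn}</target_urn>"
            "</credential><signatures/></signed-credential>")

# Constructed URNs, not taken from the ticket.
USER1 = "urn:publicid:IDN+example.net+user+user1"
SLICE1 = "urn:publicid:IDN+example.net+slice+slice1"
SLICE2 = "urn:publicid:IDN+example.net+slice+slice2"
USER_CRED = make_cred(USER1, USER1)
SLICE_CRED = make_cred(USER1, SLICE1)

if __name__ == "__main__":
    print(check_slice_credential(USER_CRED, USER1, SLICE1))
    print(check_slice_credential(SLICE_CRED, USER1, SLICE1))
```

The decision depends only on what the presented credential grants, so the caller having created the slivers locally does not enter into it.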