diff --git a/CHANGES b/CHANGES
index 78c399a..9b759ad 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,22 +5,34 @@ = GENI Clearinghouse Release Notes = +== 2.1 == + * Migrate CH tables from geni-portal to geni-ch (#103). + * Support lists of project_ids in option for lookup_project_attributes (#391). + * Return most recent slice from SA.lookup and SA.lookup_slices (#393) + * Allow JSON booleans for boolean type arguments to API calls (#394) + +== 2.0 == + * Add procedure to add new aggregate (#383). + * Minor tweaks to `portal_stats.sql` + == 1.29 == - * `geni-check-errors` now suppresses certificate generation output, + * remove hard-coded names in SAv1Implementation.py, + MAv1Implementation.py and cert-utils.py (#25) + * Add geni-list-idp-members query script to print the number of + users per IDP (by eppn suffix). (#263). + * Add geni-list-pending-requests query script to print all pending + project join requests (project_name, requestor username and request + time) (#263) + * `geni-check-errors` now suppresses certificate generation output, Certificate Verification errors from apache when someone accesses ch.geni.net (like PG AMs), messages about users creating or renewing certs, messages about members setting their own attributes or their irods_username, and messages about failing to access the system during maintenance. It also looks at the older `chapi.log.1` and `error.log.1`. (#360) * `geni-check-errors` now also ignores collector tool speaksfor. (#361) - * remove hard-coded names in SAv1Implementation.py, - MAv1Implementation.py and cert-utils.py (#25) - * Add geni-list-idp-members query script to print the number of - users per IDP (by eppn suffix). (#364). - * Add geni-list-pending-requests query script to print all pending - project join requests (project_name, requestor username and request time) * Add iMinds w-iLab.t and Virtual Wall 1 aggregates (#367) * Migrate management scripts from geni-portal to geni-ch (#101) + * Add Kaiserslautern OpenGENI aggreate (#374) == 1.28 == * Update aggregate info for some stitchable aggregates 
diff --git a/Makefile.am b/Makefile.am index 1b91347..2e4aab7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,6 +1,6 @@ ## Process this file with automake to produce Makefile.in -SUBDIRS = plugins tools etc bin man data +SUBDIRS = plugins tools etc bin man data db .PHONY: $(SUBDIRS) diff --git a/configure.ac b/configure.ac index 5a188b9..25a2502 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([geni-chapi], [1.29], [portal-help@geni.net]) +AC_INIT([geni-chapi], [2.1], [portal-help@geni.net]) AM_INIT_AUTOMAKE([foreign -Wall -Wno-portability]) AC_PROG_MKDIR_P AC_PROG_INSTALL @@ -20,5 +20,5 @@ AM_CONDITIONAL([GPO_LAB], [test x$gpo_lab = xtrue]) AM_CONDITIONAL(INSTALL_GITHASH, [test -f etc/geni-chapi-githash]) AC_CONFIG_FILES([Makefile plugins/Makefile tools/Makefile etc/Makefile]) -AC_CONFIG_FILES([bin/Makefile man/Makefile data/Makefile]) +AC_CONFIG_FILES([bin/Makefile man/Makefile data/Makefile db/Makefile]) AC_OUTPUT diff --git a/data/Makefile.am b/data/Makefile.am index aeffc1e..6b8c18f 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -27,6 +27,7 @@ AM_SQL = \ sr/sql/add-gpo-og.sql \ sr/sql/add-im-wilab.sql \ sr/sql/add-im-vw1.sql \ + sr/sql/add-ukl-og.sql \ sr/sql/add-moxi-ig-of.sql \ sr/sql/add-moxi-ig.sql \ sr/sql/add-moxi-of.sql \ @@ -116,6 +117,7 @@ sr/sql/add-gpo-eg.sql: $(srcdir)/sr/sql/add-gpo-eg.sql.in sr/sql/add-gpo-og.sql: $(srcdir)/sr/sql/add-gpo-og.sql.in sr/sql/add-im-wilab.sql: $(srcdir)/sr/sql/add-im-wilab.sql.in sr/sql/add-im-vw1.sql: $(srcdir)/sr/sql/add-im-vw1.sql.in +sr/sql/add-ukl-og.sql: $(srcdir)/sr/sql/add-ukl-og.sql.in sr/sql/add-moxi-ig-of.sql: $(srcdir)/sr/sql/add-moxi-ig-of.sql.in sr/sql/add-moxi-ig.sql: $(srcdir)/sr/sql/add-moxi-ig.sql.in sr/sql/add-moxi-of.sql: $(srcdir)/sr/sql/add-moxi-of.sql.in 
@@ -195,6 +197,7 @@ dist_srcerts_DATA = \ sr/certs/im-wilab-ssl.pem \ sr/certs/im-vw1-cm.pem \ sr/certs/im-vw1-ssl.pem \ + sr/certs/ukl-og.pem \ sr/certs/moxi-ig-boss.pem \ sr/certs/moxi-ig-cm.pem \ sr/certs/moxi-ig-of.pem \ diff --git a/data/sr/aggdata.csv b/data/sr/aggdata.csv index 2ecf508..122bc55 100644 --- a/data/sr/aggdata.csv +++ b/data/sr/aggdata.csv 
@@ -17,6 +17,7 @@ gpo-eg-of,https://bbn-hn.exogeni.net:3626/foam/gapi/2,gpo-eg-of.pem,GPO ExoGENI gpo-og,https://bbn-cam-ctrl-1.gpolab.bbn.com:5002,gpo-og.pem,GPO OpenGENI,GPO OpenGENI Rack,urn:publicid:IDN+bbn-cam-ctrl-1.gpolab.bbn.com+authority+am,gpo-og.pem,ui_other_am,ui_prod_cat ui_compute_cat,Y im-wilab,https://www.wilab2.ilabt.iminds.be:12369/protogeni/xmlrpc/am/2.0,im-wilab-cm.pem,iMinds w-iLab.t,iMinds w-iLab.t,urn:publicid:IDN+wilab2.ilabt.iminds.be+authority+cm,im-wilab-ssl.pem,ui_instageni_am,ui_federated_cat ui_compute_cat,Y im-vw1,https://www.wall1.ilabt.iminds.be:12369/protogeni/xmlrpc/am/2.0,im-vw1-cm.pem,iMinds Virtual Wall 1,iMinds Virtual Wall 1,urn:publicid:IDN+wall1.ilabt.iminds.be+authority+cm,im-vw1-ssl.pem,ui_instageni_am,ui_federated_cat ui_compute_cat,Y +ukl-og,https://glab077.e4.ukl.german-lab.de:5002,ukl-og.pem,Kaiserslautern OpenGENI,Kaiserslautern OpenGENI Rack,urn:publicid:IDN+glab077.e4.ukl.german-lab.de:gcf+authority+am,ukl-og.pem,ui_other_am,ui_federated_cat ui_compute_cat,Y moxi-ig,https://instageni.iu.edu:12369/protogeni/xmlrpc/am/2.0,moxi-ig-cm.pem,MOXI InstaGENI,MOXI InstaGENI Rack,urn:publicid:IDN+instageni.iu.edu+authority+cm,moxi-ig-boss.pem,ui_instageni_am,ui_prod_cat ui_compute_cat,Y moxi-ig-of,https://foam.instageni.iu.edu:3626/foam/gapi/2,moxi-ig-of.pem,MOXI InstaGENI OpenFlow,MOXI InstaGENI Rack OpenFlow,urn:publicid:IDN+openflow:foam:foam.instageni.iu.edu+authority+am,moxi-ig-of.pem,ui_foam_am,ui_prod_cat ui_network_cat,N moxi-of,https://moxifoam.600wchicag.omnipop.cic.net:3626/foam/gapi/2,moxi-of.pem,MOXI OpenFlow,MOXI OpenFlow,urn:publicid:IDN+openflow:foam:moxifoam.ictc.indiana.gigapop.net+authority+am,moxi-of.pem,ui_other_am,ui_prod_cat ui_network_cat,N diff --git a/data/sr/certs/ukl-og.pem b/data/sr/certs/ukl-og.pem new file mode 100644 index 0000000..8af9884 --- /dev/null +++ b/data/sr/certs/ukl-og.pem 
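Review bot: The URN in the new `ukl-og` row, `urn:publicid:IDN+glab077.e4.ukl.german-lab.de:gcf+authority+am`, does not appear to match the subjectAltName URN carried by the `ukl-og.pem` bundled in this same commit, which decodes to `urn:publicid:IDN+geni:glab077.e4.ukl.german-lab.de:gcf:gram+authority+am` (read from the base64 in the diff, so confirm with `openssl x509 -noout -text`). If the clearinghouse ever correlates the registry URN with the certificate identity, the mismatch either fails lookups or binds the aggregate to a name its certificate cannot prove; please confirm which string is authoritative before this ships.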
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIClDCCAf2gAwIBAgIBAzANBgkqhkiG9w0BAQQFADA/MT0wOwYDVQQDEzRnZW5p +Ly9nbGFiMDc3LmU0LnVrbC5nZXJtYW4tbGFiLmRlLy9nY2YuYXV0aG9yaXR5LnNh +MB4XDTE1MDEwNDIxNTEyMloXDTIwMDEwMzIxNTEyMlowRTFDMEEGA1UEAxM6Z2Vu +aS8vZ2xhYjA3Ny5lNC51a2wuZ2VybWFuLWxhYi5kZS8vZ2NmLy9ncmFtLmF1dGhv +cml0eS5hbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr4tDyO8Vu5AFH0SL +px80sQm1HxqqB+6EOx8QLK532UiLyzPx2t0e3ToRtYkeYaG7CuAkc5qNWAeemd5I +ypDURskexLctCCv7xpLl2HfNrpmZBGL8xOtYVeQ+de+vI/xCLMfIR36Z8QqPF51E +V3WOpKfUUpf+VgBck8NjeASw0WkCAwEAAaOBmTCBljAPBgNVHRMBAf8EBTADAQH/ +MIGCBgNVHREEezB5hkh1cm46cHVibGljaWQ6SUROK2dlbmk6Z2xhYjA3Ny5lNC51 +a2wuZ2VybWFuLWxhYi5kZTpnY2Y6Z3JhbSthdXRob3JpdHkrYW2GLXVybjp1dWlk +OjdiNWZmMmRmLTYxMTgtNDJjNS1iYTllLWNmNWQwMDllMTI0YTANBgkqhkiG9w0B +AQQFAAOBgQCFN3GfxEpPhf7T3XZFwDqXvBCGduPevGpYwxinG/Qp1Q60qiO8Viit +WBCoJTZWK5ZcBj5tMEQ77JBXNxXi6z22b92cIBlOgdaUJpN2mzODDIdYSfQTQT6q +EMKHzTKHJ5juQDLee4UBdjgRKLpxnZQHM8ZWJKc9nAGHjOuyyxaixA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICiDCCAfGgAwIBAgIBAzANBgkqhkiG9w0BAQQFADA/MT0wOwYDVQQDEzRnZW5p +Ly9nbGFiMDc3LmU0LnVrbC5nZXJtYW4tbGFiLmRlLy9nY2YuYXV0aG9yaXR5LnNh +MB4XDTE1MDEwNDIxNTEyMloXDTIwMDEwMzIxNTEyMlowPzE9MDsGA1UEAxM0Z2Vu +aS8vZ2xhYjA3Ny5lNC51a2wuZ2VybWFuLWxhYi5kZS8vZ2NmLmF1dGhvcml0eS5z +YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv76cqQLqz1RBVvORMNY0KURt +4KOudBeQDyAQWpEHosYaFY+QR2uSLjxrILdtEekixkMAQmgBE0jFRCDFT7RPfDvV +cu8ZSsurnPJtDjQmKh+L5C74kk1iJPXk1zgmZ15JZi65rJwdWUqkNFj7IVIvcJ3o +/Hj8WoAaIg2zJ40WVSUCAwEAAaOBkzCBkDAPBgNVHRMBAf8EBTADAQH/MH0GA1Ud +EQR2MHSGQ3VybjpwdWJsaWNpZDpJRE4rZ2VuaTpnbGFiMDc3LmU0LnVrbC5nZXJt +YW4tbGFiLmRlOmdjZithdXRob3JpdHkrc2GGLXVybjp1dWlkOjk4NTMwMzhlLTJh +ODUtNGZhZi05ZTkyLTljYzA0ZGJhMzIzNjANBgkqhkiG9w0BAQQFAAOBgQBCy8AO +Nfyyrf5j+pPbjxLhjuoHNkNtlsZDtbMEsa/knoNSYjNChUdQp9beCMfC1MZub8mC +htsjJlYqn++QBpwZTyb3gIEld0PRsT4ibbtkjcgrDKqYulChGmoJ6AO8U8Ijyul+ +foxjB/BExNJkNRxUsnFygV+RtFuPFTPz4Eb+Iw== +-----END CERTIFICATE----- 
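Review bot: Both certificates in the new `ukl-og.pem` appear to be md5WithRSAEncryption signatures over 1024-bit RSA keys, both carry basicConstraints CA:TRUE, and notAfter appears to be 2020-01-03 (all decoded from the base64 in the hunk; verify with `openssl x509 -noout -text`). MD5 signatures and 1024-bit keys are below what current TLS stacks and policy baselines accept, so newer OpenSSL builds may reject this trust anchor outright and, where it is accepted, it gives weaker assurance than the other aggregate certificates are assumed to. CA:TRUE on the AM certificate also means anything it signs chains as valid. Recording the algorithm, key size and expiry in the commit message or a sibling README would make sure the entry is revisited rather than silently trusted until 2020.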
diff --git a/db/Makefile.am b/db/Makefile.am
new file mode 100644
index 0000000..ef6326a
--- /dev/null
+++ b/db/Makefile.am
@@ -0,0 +1,50 @@
+# Put the db files in a subdirectory of pkgdatadir
+dbdir = $(pkgdatadir)/db
+
+nobase_dist_db_DATA = \
+ cs/postgresql/data.sql \
+ cs/postgresql/disable_lockdown.sql \
+ cs/postgresql/enable_lockdown.sql \
+ cs/postgresql/schema.sql \
+ cs/postgresql/update-1.sql \
+ cs/postgresql/update-2.sql \
+ cs/postgresql/update-3.sql \
+ cs/postgresql/update-4.sql \
+ cs/postgresql/update-5.sql \
+ cs/postgresql/update-6.sql \
+ cs/postgresql/update-7.sql \
+ cs/postgresql/update-8.sql \
+ logging/postgresql/data.sql \
+ logging/postgresql/schema.sql \
+ logging/postgresql/update-1.sql \
+ logging/postgresql/update-2.sql \
+ logging/postgresql/update-3.sql \
+ ma/postgresql/data.sql \
+ ma/postgresql/schema.sql \
+ ma/postgresql/update-1.sql \
+ ma/postgresql/update-2.sql \
+ ma/postgresql/update-3.sql \
+ ma/postgresql/update-4.sql \
+ ma/postgresql/update-5.sql \
+ migration/migrate-assertions.sql \
+ migration/sliver-info.sql \
+ pa/postgresql/data.sql \
+ pa/postgresql/schema.sql \
+ pa/postgresql/update-1.sql \
+ pa/postgresql/update-2.sql \
+ pa/postgresql/update-3.sql \
+ pa/postgresql/update-4.sql \
+ pa/postgresql/update-5.sql \
+ sa/postgresql/data.sql \
+ sa/postgresql/README.txt \
+ sa/postgresql/schema.sql \
+ sa/postgresql/update-1.sql \
+ sa/postgresql/update-2.sql \
+ sa/postgresql/update-3.sql \
+ sr/postgresql/data.sql \
+ sr/postgresql/README.txt \
+ sr/postgresql/schema.sql \
+ sr/postgresql/update-1.sql \
+ sr/postgresql/update-2.sql \
+ sr/postgresql/update-3.sql \
+ sr/postgresql/update-4.sql
diff --git a/db/cs/postgresql/data.sql b/db/cs/postgresql/data.sql
new file mode 100644
index 0000000..4956d4e
--- /dev/null
+++ b/db/cs/postgresql/data.sql
@@ -0,0 +1,73 @@ + +-- ---------------------------------------------------------------------- +-- A few initial records to insert into the database +-- ---------------------------------------------------------------------- + +-- Define attributes +INSERT INTO cs_attribute (id, name) values (1, 'LEAD'); +INSERT INTO cs_attribute (id, name) values (2, 'ADMIN'); +INSERT INTO cs_attribute (id, name) values (3, 'MEMBER'); +INSERT INTO cs_attribute (id, name) values (4, 'AUDITOR'); +INSERT INTO cs_attribute (id, name) values (5, 'OPERATOR'); + +-- Define privileges +INSERT INTO cs_privilege (id, name) values (1, 'DELEGATE'); +INSERT INTO cs_privilege (id, name) values (2, 'READ'); +INSERT INTO cs_privilege (id, name) values (3, 'WRITE'); +INSERT INTO cs_privilege (id, name) values (4, 'USE'); + +-- Define context types +insert into cs_context_type (id, name) values (1, 'PROJECT'); +insert into cs_context_type (id, name) values (2, 'SLICE'); +insert into cs_context_type (id, name) values (3, 'RESOURCE'); +insert into cs_context_type (id, name) values (4, 'SERVICE'); +insert into cs_context_type (id, name) values (5, 'MEMBER'); + +-- Define actions +insert into cs_action (name, privilege, context_type) values ('project_read', 2, 1); +insert into cs_action (name, privilege, context_type) values ('project_write', 3, 1); +insert into cs_action (name, privilege, context_type) values ('project_use', 4, 1); +insert into cs_action (name, privilege, context_type) values ('slice_read', 2, 2); +insert into cs_action (name, privilege, context_type) values ('slice_write', 3, 2); +insert into cs_action (name, privilege, context_type) values ('slice_use', 4, 2); +insert into cs_action (name, privilege, context_type) values ('create_project', 3, 3); +insert into cs_action (name, privilege, context_type) values ('administer_members', 3, 5); + +-- Define initial set of policies based on PROJECT/SLICE READ/WRITE/USE +insert into cs_policy (attribute, context_type, privilege) values ('1', 
'1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '1','3'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '1','3'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('4', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '1','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '2','3'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '2','3'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('4', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '2','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('1', 
'3','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','1'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','1'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','1'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','4'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','4'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','4'); diff --git a/db/cs/postgresql/disable_lockdown.sql b/db/cs/postgresql/disable_lockdown.sql new file mode 100644 index 0000000..63e9b0b --- /dev/null +++ b/db/cs/postgresql/disable_lockdown.sql @@ -0,0 +1 @@ +update cs_action set privilege = privilege + 100 where privilege < 0; diff --git a/db/cs/postgresql/enable_lockdown.sql b/db/cs/postgresql/enable_lockdown.sql new file mode 100644 index 0000000..056d846 --- /dev/null +++ b/db/cs/postgresql/enable_lockdown.sql 
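Review bot: Every seed row in the new `data.sql` supplies an explicit `id` for the `SERIAL` columns of `cs_attribute`, `cs_privilege` and `cs_context_type` (declared in `schema.sql`), but nothing advances the backing sequences, so the first later insert that relies on the default gets `nextval` = 1 and fails on the primary key. After the explicit inserts add `SELECT setval('cs_attribute_id_seq', (SELECT max(id) FROM cs_attribute));` and the same for `cs_privilege_id_seq` and `cs_context_type_id_seq`; `update-1.sql` (`OPERATOR` id 5) and `update-2.sql` (`USE` id 4) have the same gap. The `cs_policy` rows also pass quoted strings (`('1', '1','2')`) into `INT` columns, which PostgreSQL coerces but which reads as if the columns were text; plain integers as in `update-1.sql` would be clearer.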
@@ -0,0 +1,50 @@ +update cs_action +set privilege = privilege - 100 +where +privilege > 0 and +name in ('create_assertion', + 'create_policy' + 'create_assertion', + 'create_policy', + 'renew_assertion', + 'delete_policy', +-- 'query_assertions', +-- 'query_policies', +-- 'lookup_slice', +-- 'lookup_slices', +-- 'lookup_slice_ids', +-- 'get_slice_credential', +-- 'add_slivers', +-- 'delete_slivers', + 'renew_slice', +-- 'get_slice_members', +-- 'get_slices_for_member', +-- 'lookup_slices_by_ids', +-- 'get_slice_members_for_project', +-- 'list_resources', +-- 'get_services', +-- 'get_services_of_type', + 'register_service', + 'remove_service', + 'create_project', + 'delete_project', +-- 'get_projects', +-- 'get_project_by_lead', +-- 'lookup_project', +-- 'update_project', +-- 'get_project_members', +-- 'get_projects_for_member', + 'administer_resources', + 'administer_services', + 'administer_members', + 'change_lead', + 'add_project_member', + 'remove_project_member', + 'change_member_role', + 'remove_slice_member', + 'add_slice_member', + 'change_slice_member_role', + 'create_slice', + 'invite_member', + 'modify_slice_membership', + 'modify_project_membership'); diff --git a/db/cs/postgresql/schema.sql b/db/cs/postgresql/schema.sql new file mode 100644 index 0000000..6627bd7 --- /dev/null +++ b/db/cs/postgresql/schema.sql 
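Review bot: The lockdown list in `enable_lockdown.sql` is out of date with respect to `update-7.sql` in this same commit, which empties `cs_action` and recreates only `project_read`, `project_write`, `project_use`, `slice_read`, `slice_write`, `slice_use`, `create_project` and `administer_members`. Of those, only `create_project` and `administer_members` appear in the `name in (...)` list, so after update-7 a lockdown leaves the write/use actions — where `create_slice`, `renew_slice` and the membership changes presumably now live — untouched; if the intent is to block all state-changing calls, the list should name `project_write`, `project_use`, `slice_write` and `slice_use`. Separately, the second entry `'create_policy'` lacks a trailing comma, so PostgreSQL concatenates it with the next literal into `'create_policycreate_assertion'`; both names are repeated two lines later, so the first two entries can simply be dropped.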
@@ -0,0 +1,72 @@ +-- Tables for CS (Credential Store) of GENI Prototype Clearinghouse + +-- avoid innocuous NOTICEs about automatic sequence creation +set client_min_messages='WARNING'; + +-- Tell psql to stop on an error. Default behavior is to proceed. +\set ON_ERROR_STOP 1 + +-- ---------------------------------------------------------------------- +-- +-- ---------------------------------------------------------------------- +-- Drop the data first, then the type. +DROP TABLE IF EXISTS cs_assertion CASCADE; +DROP TABLE IF EXISTS cs_policy CASCADE; +DROP TABLE IF EXISTS cs_action CASCADE; +DROP TABLE IF EXISTS cs_attribute CASCADE; +DROP TABLE IF EXISTS cs_privilege CASCADE; +DROP TABLE IF EXISTS cs_context_type CASCADE; + +-- List of all known attributes/roles on a principal +CREATE TABLE cs_attribute ( + id SERIAL PRIMARY KEY, + name VARCHAR NOT NULL UNIQUE +); + +-- List of all known privileges that a principal may take +CREATE TABLE cs_privilege ( + id SERIAL PRIMARY KEY, + name VARCHAR NOT NULL UNIQUE +); + +-- A mapping of context type ID to name +CREATE TABLE cs_context_type ( + id SERIAL PRIMARY KEY, + name VARCHAR NOT NULL UNIQUE +); + +-- List of all known actions and the required privilege and context type +CREATE TABLE cs_action ( + id SERIAL PRIMARY KEY, + name VARCHAR NOT NULL, + privilege int, + context_type int NOT NULL REFERENCES cs_context_type(id) +); + +-- An assertion is a signed statement that a given principal has a given +-- attribute, possibly in a given context +CREATE TABLE cs_assertion ( + id SERIAL, + signer UUID, + principal UUID NOT NULL, + attribute INT NOT NULL REFERENCES cs_attribute(id), -- Index into cs_attribute table + context_type INT NOT NULL REFERENCES cs_context_type(id), -- 0 = NONE, 1 = PROJECT, 2 = SLICE, 3 = SLIVER + context UUID, + expiration TIMESTAMP, + assertion_cert VARCHAR, + PRIMARY KEY (id) +); +-- can signer, principal, context by authorities who aren't in tables? 
+ +-- A policy is a signed statement that a given holder of a given attribute +-- has a given privilege. Again, this is potentially context dependent. +CREATE TABLE cs_policy ( + id SERIAL PRIMARY KEY, + signer UUID, + attribute INT NOT NULL REFERENCES cs_attribute(id), -- Index into cs_attribute + context_type INT NOT NULL REFERENCES cs_context_type(id), -- 0 = NONE, 1 = PROJECT, 2 = SLICE, 3 = SLIVER + privilege INT NOT NULL REFERENCES cs_privilege(id), -- Index into cs_privilege + policy_cert VARCHAR +); + + diff --git a/db/cs/postgresql/update-1.sql b/db/cs/postgresql/update-1.sql new file mode 100644 index 0000000..da611e9 --- /dev/null +++ b/db/cs/postgresql/update-1.sql 
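Review bot: `cs_action.privilege` is the only lookup column in the new `schema.sql` with neither `NOT NULL` nor `REFERENCES cs_privilege(id)`, and nothing says why; the reason is visible only in `enable_lockdown.sql`, which parks locked actions at `privilege - 100`, a value a foreign key would reject. That offset trick should be stated on the column, e.g. `privilege int, -- no FK on purpose: enable_lockdown.sql stores privilege-100 to disable an action`. The inline comments on `context_type` in `cs_assertion` and `cs_policy` (`0 = NONE, 1 = PROJECT, 2 = SLICE, 3 = SLIVER`) also disagree with the values `data.sql` seeds (1 PROJECT, 2 SLICE, 3 RESOURCE, 4 SERVICE, 5 MEMBER) and should be corrected or replaced by a pointer to `cs_context_type`.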
@@ -0,0 +1,40 @@ + +-- ------------------------------------------------------------------- +-- Add an OPERATOR, and give OPERATORs all privileges in all contexts. +-- ------------------------------------------------------------------- + +-- Add an OPERATOR attribute +INSERT INTO cs_attribute (id, name) values (5, 'OPERATOR'); + +-- An OPERATOR of a context_type has DELEGATE, READ AND WRITE PRIVILEGE +-- in that context +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 1, 1, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 1, 2, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 1, 3, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 2, 1, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 2, 2, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 2, 3, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 3, 1, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 3, 2, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 3, 3, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 4, 1, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 4, 2, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 4, 3, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 5, 1, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 5, 2, 
null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) + VALUES (null, 5, 5, 3, null); diff --git a/db/cs/postgresql/update-2.sql b/db/cs/postgresql/update-2.sql new file mode 100644 index 0000000..b25254e --- /dev/null +++ b/db/cs/postgresql/update-2.sql 
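Review bot: None of the `update-N.sql` scripts added here run inside a transaction or set `\set ON_ERROR_STOP 1` as `schema.sql` does, so a failure midway (for example the duplicate-key error the explicit `id` 5 insert raises if `OPERATOR` already exists) leaves the credential store partly migrated while psql carries on with the remaining statements. Wrapping each script in `BEGIN;` … `COMMIT;` makes the policy change atomic; `update-2.sql` and `update-8.sql` have the same gap, and `update-7.sql` is the most exposed because it empties `cs_action` and `cs_policy` before refilling them. If the scripts are always driven with `psql --single-transaction`, a comment at the top saying so would suffice.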
@@ -0,0 +1,73 @@ +-- ------------------------------------------------------------------- +-- Fix some incorrect/undesired privilege semantics +-- ------------------------------------------------------------------- + +-- Create a new privilege "USE" = 4 +INSERT INTO cs_privilege (id, name) values (4, 'USE'); + + +-- Set the create_slice method to be a 'USE' on the project +UPDATE cs_action set privilege = 4 where name = 'create_slice'; + +-- Give PROJECT USE privilege to LEAD, OPERATOR, ADMIN, MEMBER +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 1, 1, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 1, 2, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 1, 3, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 1, 4, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 1, 5, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 2, 1, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 2, 2, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 2, 3, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 2, 4, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 2, 5, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 3, 1, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 3, 2, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 3, 3, 4, null); +INSERT INTO cs_policy 
(signer, attribute, context_type, privilege, policy_cert) values + (null, 3, 4, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 3, 5, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 5, 1, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 5, 2, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 5, 3, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 5, 4, 4, null); +INSERT INTO cs_policy (signer, attribute, context_type, privilege, policy_cert) values + (null, 5, 5, 4, null); + + + + + +-- Make these actions part of the DELEGATE privilege group +UPDATE cs_action SET privilege = 1 +WHERE name IN ('change_lead', 'add_project_member', + 'remove_project_member', 'change_member_role'); + +-- Remove WRITE privileges for PROJECT MEMBERS +DELETE FROM cs_policy WHERE attribute = 3 AND context_type = 1 AND privilege = 3; + +-- Make these actions part of the DELEGATE privilege group +UPDATE cs_action SET privilege = 1 +WHERE name IN ('add_slice_member', 'remove_slice_member', + 'change_slice_member_role'); + +-- Remove the action 'delete_slice' : no such thing +DELETE FROM cs_action WHERE name = 'delete_slice'; + diff --git a/db/cs/postgresql/update-3.sql b/db/cs/postgresql/update-3.sql new file mode 100644 index 0000000..f4af501 --- /dev/null +++ b/db/cs/postgresql/update-3.sql @@ -0,0 +1,4 @@ +------ +------ Add support for new 'invite_member' action in PA +------ +INSERT INTO cs_action (name, privilege, context_type) values ('invite_member', 1, 1); diff --git a/db/cs/postgresql/update-4.sql b/db/cs/postgresql/update-4.sql new file mode 100644 index 0000000..6e74526 --- /dev/null +++ b/db/cs/postgresql/update-4.sql 
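Review bot: The comment `-- Give PROJECT USE privilege to LEAD, OPERATOR, ADMIN, MEMBER` does not describe the twenty inserts below it, which grant privilege 4 to attributes 1, 2, 3 and 5 in all five context types (PROJECT, SLICE, RESOURCE, SERVICE, MEMBER per `data.sql`), not only in the project context. Either the comment should read `-- Give USE privilege in every context type to LEAD, ADMIN, MEMBER, OPERATOR` or the rows for `context_type` 2–5 should go, since the same script then scopes `create_slice` to a USE on the project; as written the intent cannot be told. `AUDITOR` (attribute 4) is the one role left out, which is worth stating explicitly if deliberate.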
@@ -0,0 +1,6 @@ +------ +------ Add support for new bulk membership management services in SA, PA +------ +INSERT INTO cs_action (name, privilege, context_type) values ('modify_slice_membership', 1, 2); +INSERT INTO cs_action (name, privilege, context_type) values ('modify_project_membership', 1, 1); + diff --git a/db/cs/postgresql/update-5.sql b/db/cs/postgresql/update-5.sql new file mode 100644 index 0000000..cf70806 --- /dev/null +++ b/db/cs/postgresql/update-5.sql @@ -0,0 +1,16 @@ +------ +------ Add support for other SA/PA methods +------ +-- PA +INSERT INTO cs_action (name, privilege, context_type) values ('lookup_projects', 2, 3); +INSERT INTO cs_action (name, privilege, context_type) values ('lookup_project_details', 2, 3); +INSERT INTO cs_action (name, privilege, context_type) values ('lookup_project_attributes', 2, 1); +INSERT INTO cs_action (name, privilege, context_type) values ('add_project_attribute', 3, 1); +UPDATE cs_action SET context_type = 3 where name = 'get_projects_for_member'; + +-- accept_invitation + +-- SA +INSERT INTO cs_action (name, privilege, context_type) values ('lookup_slice_by_urn', 2, 2); +INSERT INTO cs_action (name, privilege, context_type) values ('lookup_slice_details', 2, 2); +INSERT INTO cs_action (name, privilege, context_type) values ('get_slices_for_projects', 2, 2); diff --git a/db/cs/postgresql/update-6.sql b/db/cs/postgresql/update-6.sql new file mode 100644 index 0000000..02fef89 --- /dev/null +++ b/db/cs/postgresql/update-6.sql @@ -0,0 +1,2 @@ +-- added remove_project_attribute function +INSERT INTO cs_action (name, privilege, context_type) values ('remove_project_attribute', 3, 1); diff --git a/db/cs/postgresql/update-7.sql b/db/cs/postgresql/update-7.sql new file mode 100644 index 0000000..d30c55d --- /dev/null +++ b/db/cs/postgresql/update-7.sql 
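Review bot: `update-5.sql` leaves a bare `-- accept_invitation` between the PA and SA blocks with no `cs_action` row, so it is unclear whether that method intentionally has no authorization entry or was forgotten; a method absent from `cs_action` is either unreachable or unguarded depending on how the policy check treats missing rows, which cannot be seen from here. Replace the stub with an explicit statement, e.g. `-- accept_invitation: intentionally no cs_action row; authorization is handled in the PA handler (confirm)`, or add the missing insert.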
@@ -0,0 +1,53 @@ +-- Replace all actions and policies with simpler project/slice read/write/use +-- scheme, retaining all operator/project_lead privileges + +delete from cs_action; + +insert into cs_action (name, privilege, context_type) values ('project_read', 2, 1); +insert into cs_action (name, privilege, context_type) values ('project_write', 3, 1); +insert into cs_action (name, privilege, context_type) values ('project_use', 4, 1); +insert into cs_action (name, privilege, context_type) values ('slice_read', 2, 2); +insert into cs_action (name, privilege, context_type) values ('slice_write', 3, 2); +insert into cs_action (name, privilege, context_type) values ('slice_use', 4, 2); +insert into cs_action (name, privilege, context_type) values ('create_project', 3, 3); +insert into cs_action (name, privilege, context_type) values ('administer_members', 3, 5); + +delete from cs_policy; + +insert into cs_policy (attribute, context_type, privilege) values ('1', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '1','3'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '1','3'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('4', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '1','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '1','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '1','4'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '2','2'); +insert into 
cs_policy (attribute, context_type, privilege) values ('1', '2','3'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '2','3'); +insert into cs_policy (attribute, context_type, privilege) values ('2', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('3', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('4', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '2','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '2','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '2','4'); +insert into cs_policy (attribute, context_type, privilege) values ('1', '3','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','1'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','1'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','1'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','2'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','3'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '3','4'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '4','4'); +insert into cs_policy (attribute, context_type, privilege) values ('5', '5','4'); 
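Review bot: The header claims the rewrite retains all operator/project-lead privileges, but the new `cs_policy` rows give attribute 5 (OPERATOR) privilege 1 (DELEGATE) only in context types 3, 4 and 5, whereas `update-1.sql` had also granted it in PROJECT (1) and SLICE (2), and the lead (attribute 1) receives none. If that is intended because no remaining action maps to DELEGATE, say so in the header rather than claiming nothing was dropped. The rows also pass integers as quoted strings (`('1', '1','2')`), unlike `update-1.sql` and `update-2.sql` in the same directory; `(1, 1, 2)` keeps the column types visible. `delete from cs_action;` and `delete from cs_policy;` are whole-table deletes on purpose here, so a comment above each saying so would stop a reader from treating them as a missing `WHERE`.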
diff --git a/db/cs/postgresql/update-8.sql b/db/cs/postgresql/update-8.sql
new file mode 100644
index 0000000..b3d2201
--- /dev/null
+++ b/db/cs/postgresql/update-8.sql
@@ -0,0 +1,42 @@
+-- -------------------
+-- Apply changes to add unique and no null and foreign key constraints, and related indices
+-- See chapi #174, proto-ch #943, proto-ch #1081
+-- -------------------
+
+ALTER TABLE cs_attribute
+ ADD PRIMARY KEY (id),
+ ALTER COLUMN name SET NOT NULL,
+ ADD UNIQUE (name);
+
+ALTER TABLE cs_privilege
+ ADD PRIMARY KEY (id),
+ ALTER COLUMN name SET NOT NULL,
+ ADD UNIQUE (name);
+
+ALTER TABLE cs_context_type
+ ADD PRIMARY KEY (id),
+ ALTER COLUMN name SET NOT NULL,
+ ADD UNIQUE (name);
+
+ALTER TABLE cs_action
+ ADD PRIMARY KEY (id),
+ ALTER COLUMN name SET NOT NULL,
+ ALTER COLUMN context_type SET NOT NULL,
+ ADD FOREIGN KEY (context_type) REFERENCES cs_context_type(id);
+
+ALTER TABLE cs_assertion
+ ALTER COLUMN principal SET NOT NULL,
+ ALTER COLUMN attribute SET NOT NULL,
+ ADD FOREIGN KEY (attribute) REFERENCES cs_attribute(id),
+ ALTER COLUMN context_type SET NOT NULL,
+ ADD FOREIGN KEY (context_type) REFERENCES cs_context_type(id);
+
+ALTER TABLE cs_policy
+ ADD PRIMARY KEY (id),
+ ALTER COLUMN attribute SET NOT NULL,
+ ADD FOREIGN KEY (attribute) REFERENCES cs_attribute(id),
+ ALTER COLUMN context_type SET NOT NULL,
+ ADD FOREIGN KEY (context_type) REFERENCES cs_context_type(id),
+ ALTER COLUMN privilege SET NOT NULL,
+ ADD FOREIGN KEY (privilege) REFERENCES cs_privilege(id);
+
diff --git a/db/logging/postgresql/data.sql b/db/logging/postgresql/data.sql
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/db/logging/postgresql/data.sql
@@ -0,0 +1 @@
+
diff --git a/db/logging/postgresql/schema.sql b/db/logging/postgresql/schema.sql
new file mode 100644
index 0000000..92237b3
--- /dev/null
+++ b/db/logging/postgresql/schema.sql
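Review bot: All the `ADD FOREIGN KEY` and `ADD UNIQUE` clauses in `update-8.sql` are anonymous, so PostgreSQL names them `cs_policy_attribute_fkey` and the like and any later migration or error message has to guess; naming them, e.g. `ADD CONSTRAINT cs_policy_attribute_fk FOREIGN KEY (attribute) REFERENCES cs_attribute(id)`, keeps them greppable. The script also leaves `cs_action.privilege` unconstrained while tightening every other lookup column it touches; that is presumably because `enable_lockdown.sql` stores `privilege - 100` for locked actions, and a one-line comment to that effect would stop the next reviewer from "fixing" it. The ALTERs are not idempotent (a second run fails on the duplicate primary key), which is acceptable for a numbered update but worth stating in the header.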
@@ -0,0 +1,52 @@
+
+-- avoid innocuous NOTICEs about automatic sequence creation
+set client_min_messages='WARNING';
+
+-- Tell psql to stop on an error. Default behavior is to proceed.
+\set ON_ERROR_STOP 1
+
+-- Drop table to recreate
+DROP INDEX IF EXISTS logging_entry_event_time;
+DROP INDEX IF EXISTS logging_entry_attribute_event_id;
+
+DROP TABLE IF EXISTS logging_entry_attribute;
+DROP TABLE IF EXISTS logging_entry;
+DROP TABLE IF EXISTS logging_entry_context;
+DROP TABLE IF EXISTS logging_entry_attribute_old;
+DROP TABLE IF EXISTS logging_entry_old;
+
+-- Now create the table
+CREATE TABLE logging_entry (
+ id SERIAL,
+ event_time TIMESTAMP NOT NULL,
+ user_id UUID, -- could be an authority or null
+ message VARCHAR,
+ PRIMARY KEY (id)
+);
+
+CREATE INDEX logging_entry_event_time ON logging_entry(event_time);
+
+CREATE TABLE logging_entry_attribute (
+ event_id INT NOT NULL REFERENCES logging_entry(id),
+ attribute_name VARCHAR NOT NULL,
+ attribute_value VARCHAR
+);
+
+CREATE INDEX logging_entry_attribute_event_id
+ ON logging_entry_attribute(event_id);
+
+-- Now create the table
+CREATE TABLE logging_entry_old (
+ id SERIAL,
+ event_time TIMESTAMP NOT NULL,
+ user_id UUID,
+ message VARCHAR,
+ PRIMARY KEY (id)
+);
+
+CREATE TABLE logging_entry_attribute_old (
+ event_id INT NOT NULL REFERENCES logging_entry_old(id),
+ attribute_name VARCHAR NOT NULL,
+ attribute_value VARCHAR
+);
+
diff --git a/db/logging/postgresql/update-1.sql b/db/logging/postgresql/update-1.sql
new file mode 100644
index 0000000..2e413dd
--- /dev/null
+++ b/db/logging/postgresql/update-1.sql
@@ -0,0 +1,16 @@
+
+-- Now create the archiving table
+CREATE TABLE logging_entry_old (
+ id SERIAL,
+ event_time TIMESTAMP,
+ user_id UUID,
+ message VARCHAR,
+ PRIMARY KEY (id)
+);
+
+CREATE TABLE logging_entry_attribute_old (
+ event_id INT,
+ attribute_name VARCHAR,
+ attribute_value VARCHAR
+);
+
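Review bot: schema.sql unconditionally drops logging_entry, logging_entry_attribute and both *_old archive tables before recreating them, so running it against an existing database discards the whole audit trail, archive included, with nothing more than `-- Drop table to recreate` to warn the operator. The header should say so explicitly, e.g. `-- WARNING: destructive. Drops and recreates every logging_entry* table, archive included; on an existing database apply the update-N.sql scripts instead.` Separately, event_time is TIMESTAMP without time zone; for an audit record that gets correlated with Apache and chapi logs, TIMESTAMP WITH TIME ZONE removes the ambiguity, though changing it on deployed databases would need its own update script.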
diff --git a/db/logging/postgresql/update-2.sql b/db/logging/postgresql/update-2.sql
new file mode 100644
index 0000000..71c860b
--- /dev/null
+++ b/db/logging/postgresql/update-2.sql
@@ -0,0 +1,13 @@
+--------------------------------------------------------
+--- Add index by time on logging entry
+--------------------------------------------------------
+
+CREATE INDEX logging_entry_event_time ON logging_entry(event_time);
+
+--------------------------------------------------------
+--- Add index by event_id on logging entry_attribute
+--------------------------------------------------------
+CREATE INDEX logging_entry_attribute_event_id
+ ON logging_entry_attribute(event_id);
+
+
diff --git a/db/logging/postgresql/update-3.sql b/db/logging/postgresql/update-3.sql
new file mode 100644
index 0000000..849680a
--- /dev/null
+++ b/db/logging/postgresql/update-3.sql
@@ -0,0 +1,29 @@
+-- -------------------
+-- Apply changes to add unique and no null and foreign key constraints, and related indices
+-- See chapi #174, proto-ch #943, proto-ch #1081
+-- -------------------
+
+ALTER TABLE logging_entry
+ ALTER COLUMN event_time SET NOT NULL;
+
+ALTER TABLE logging_entry_attribute
+ ALTER COLUMN event_id SET NOT NULL,
+ ADD FOREIGN KEY (event_id) REFERENCES logging_entry(id),
+ ALTER COLUMN attribute_name SET NOT NULL;
+
+-- Somehow these 2 tables were never created by a previous update script, so do it now
+
+CREATE TABLE logging_entry_old (
+ id SERIAL,
+ event_time TIMESTAMP NOT NULL,
+ user_id UUID,
+ message VARCHAR,
+ PRIMARY KEY (id)
+);
+
+CREATE TABLE logging_entry_attribute_old (
+ event_id INT NOT NULL REFERENCES logging_entry_old(id),
+ attribute_name VARCHAR NOT NULL,
+ attribute_value VARCHAR
+);
+
diff --git a/db/ma/postgresql/data.sql b/db/ma/postgresql/data.sql
new file mode 100644
index 0000000..2b60cf6
--- /dev/null
+++ b/db/ma/postgresql/data.sql
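Review bot: The comment `-- Somehow these 2 tables were never created by a previous update script, so do it now` is contradicted by update-1.sql in the same directory, which does create logging_entry_old and logging_entry_attribute_old (nullable columns, no foreign key); on a database where update-1 was applied both CREATE TABLE statements here fail with "relation already exists", psql continues because nothing sets ON_ERROR_STOP, and the archive tables end up without the NOT NULL and foreign-key constraints this script exists to add. Make the step converge from either starting state: create the tables only if missing, using update-1's bare definition, then ALTER them to the constrained shape, as sketched below. This assumes PostgreSQL 9.1 or later for IF NOT EXISTS and that existing archive rows satisfy the NOT NULL constraints, both worth confirming before rollout, and the comment should be corrected to refer to update-1.
```sql
-- update-1.sql may already have created these two tables (without constraints)
CREATE TABLE IF NOT EXISTS logging_entry_old (
    id SERIAL,
    event_time TIMESTAMP,
    user_id UUID,
    message VARCHAR,
    PRIMARY KEY (id)
);
ALTER TABLE logging_entry_old
    ALTER COLUMN event_time SET NOT NULL;

CREATE TABLE IF NOT EXISTS logging_entry_attribute_old (
    event_id INT,
    attribute_name VARCHAR,
    attribute_value VARCHAR
);
ALTER TABLE logging_entry_attribute_old
    ALTER COLUMN event_id SET NOT NULL,
    ADD FOREIGN KEY (event_id) REFERENCES logging_entry_old(id),
    ALTER COLUMN attribute_name SET NOT NULL;
```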
@@ -0,0 +1,5 @@
+-- Data files for filling Member Authority (MA) tables
+
+-- Define privileges
+INSERT INTO ma_privilege (id, privilege) values (1, 'PROJECT_LEAD');
+INSERT INTO ma_privilege (id, privilege) values (2, 'OPERATOR');
diff --git a/db/ma/postgresql/schema.sql b/db/ma/postgresql/schema.sql
new file mode 100644
index 0000000..93d5132
--- /dev/null
+++ b/db/ma/postgresql/schema.sql
@@ -0,0 +1,127 @@ +-- avoid innocuous NOTICEs about automatic sequence creation +set client_min_messages='WARNING'; + +-- Tell psql to stop on an error. Default behavior is to proceed. +\set ON_ERROR_STOP 1 + +-- Tables for the MA (Member Authority) + +-- ---------------------------------------------------------------------- +-- Member table. Store the member ids. Attribute are in +-- ma_member_attribute. +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_member CASCADE; + +CREATE TABLE ma_member ( + id SERIAL PRIMARY KEY, + member_id UUID UNIQUE NOT NULL +); + +-- No need to index member_id since it is already declared unique + +-- ---------------------------------------------------------------------- +-- Member attribute table. Store all attributes of members as name/value +-- pairs keyed to the member id. +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_member_attribute; + +CREATE TABLE ma_member_attribute ( + id SERIAL PRIMARY KEY, + member_id UUID NOT NULL REFERENCES ma_member (member_id), + name VARCHAR NOT NULL, + value VARCHAR NOT NULL, + self_asserted BOOLEAN NOT NULL +); + +CREATE INDEX ma_member_attribute_index_member_id + ON ma_member_attribute (member_id); + +CREATE INDEX ma_member_attribute_name_value + ON ma_member_attribute (name, value); + +-- ---------------------------------------------------------------------- +-- Privilege table. List all available privileges. +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_privilege CASCADE; + +CREATE TABLE ma_privilege ( + id INT PRIMARY KEY, + privilege VARCHAR NOT NULL +); + +-- ---------------------------------------------------------------------- +-- Member privilege table. Store all privileges based on their CS types. 
+-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_member_privilege; + +CREATE TABLE ma_member_privilege ( + id SERIAL PRIMARY KEY, + member_id UUID NOT NULL REFERENCES ma_member (member_id), + privilege_id INT NOT NULL REFERENCES ma_privilege (id), + expiration TIMESTAMP +); + +CREATE INDEX ma_member_privilege_index_member_id + ON ma_member_privilege (member_id); + +-- privilege_id not indexed + +-- ---------------------------------------------------------------------- +-- Client table. Each client has a certificate and is "approved" in +-- some way. +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_client CASCADE; + +CREATE TABLE ma_client ( + id SERIAL PRIMARY KEY, + client_name VARCHAR UNIQUE NOT NULL, + client_urn VARCHAR UNIQUE NOT NULL +); + +-- ---------------------------------------------------------------------- +-- Inside keys +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_inside_key; + +CREATE TABLE ma_inside_key ( + id SERIAL PRIMARY KEY, + client_urn VARCHAR REFERENCES ma_client (client_urn), + member_id UUID NOT NULL REFERENCES ma_member (member_id), + private_key VARCHAR NOT NULL, + certificate VARCHAR NOT NULL, + expiration TIMESTAMP, + UNIQUE (client_urn, member_id) +); + +CREATE INDEX ma_inside_key_index_member_id ON ma_inside_key (member_id); +-- client_urn is not indexed + +-- ---------------------------------------------------------------------- +-- ssh keys +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_ssh_key; +CREATE TABLE ma_ssh_key ( + id SERIAL, + member_id UUID NOT NULL REFERENCES ma_member (member_id), + filename VARCHAR, + description VARCHAR, + public_key VARCHAR NOT NULL, + private_key VARCHAR, + key_type VARCHAR, + PRIMARY KEY (id) +); +CREATE INDEX ma_ssh_key_member_id ON ma_ssh_key (member_id); + +-- 
---------------------------------------------------------------------- +-- Member cert/key for outside tools (for use "outside" the portal). +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS ma_outside_cert; +CREATE TABLE ma_outside_cert ( + id SERIAL PRIMARY KEY, + member_id UUID REFERENCES ma_member (member_id) NOT NULL, + certificate VARCHAR NOT NULL, + private_key VARCHAR, + expiration TIMESTAMP +); + +CREATE INDEX ma_outside_cert_index_member_id ON ma_outside_cert (member_id); diff --git a/db/ma/postgresql/update-1.sql b/db/ma/postgresql/update-1.sql new file mode 100644 index 0000000..b79fdeb --- /dev/null +++ b/db/ma/postgresql/update-1.sql @@ -0,0 +1,6 @@ + +-- ------------------------------------------------------------------- +-- Add an OPERATOR privilege +-- ------------------------------------------------------------------- + +INSERT INTO ma_privilege (id, privilege) values (2, 'OPERATOR'); diff --git a/db/ma/postgresql/update-2.sql b/db/ma/postgresql/update-2.sql new file mode 100644 index 0000000..605e229 --- /dev/null +++ b/db/ma/postgresql/update-2.sql @@ -0,0 +1,7 @@ + +-- ------------------------------------------------------------------- +-- Add key_type to the ma_ssh_key table +-- ------------------------------------------------------------------- + +ALTER TABLE ma_ssh_key ADD COLUMN key_type VARCHAR; + diff --git a/db/ma/postgresql/update-3.sql b/db/ma/postgresql/update-3.sql new file mode 100644 index 0000000..2aab86a --- /dev/null +++ b/db/ma/postgresql/update-3.sql 
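Review bot: ma_inside_key.private_key (declared NOT NULL), ma_ssh_key.private_key and ma_outside_cert.private_key hold private key material as plain VARCHAR, so anyone with SELECT on these tables, or a copy of a pg_dump, obtains every member's inside and outside signing keys plus any SSH private keys that were uploaded, and nothing in the schema distinguishes these columns from, say, client_name. That cannot be fixed by DDL alone, but the schema is where the next engineer looks first, so each of the three columns should carry a comment such as `-- SECURITY: unencrypted PEM private key; restrict SELECT to the MA service role and treat dumps of this table as secrets`. Storing SSH private keys at all (ma_ssh_key) deserves a second look, since the public key is what aggregates consume and the nullable column suggests it is already optional. The expiration columns on ma_inside_key and ma_outside_cert are nullable, so expiry is presumably enforced in application code rather than here — worth confirming.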
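Review bot: update-1.sql inserts `(2, 'OPERATOR')` into ma_privilege, and data.sql in this same commit inserts the identical row, so on a database loaded from schema.sql plus data.sql that then has the update scripts applied (or where the row was added by hand) this INSERT fails with a primary-key violation on id 2. If the update scripts are meant to be safe to apply or re-apply anywhere, make it idempotent: `INSERT INTO ma_privilege (id, privilege) SELECT 2, 'OPERATOR' WHERE NOT EXISTS (SELECT 1 FROM ma_privilege WHERE id = 2);`. Whether updates are ever run against a fresh install is not visible here, so this may only matter for re-runs.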
@@ -0,0 +1,11 @@
+
+-- -------------------------------------------------------------------
+-- Add expiration column to certificate tables
+-- -------------------------------------------------------------------
+
+ALTER TABLE ma_outside_cert ADD COLUMN expiration TIMESTAMP;
+
+ALTER TABLE ma_inside_key ADD COLUMN expiration TIMESTAMP;
+
+-- ALTER TABLE ma_outside_cert DROP COLUMN expiration;
+-- ALTER TABLE ma_inside_key DROP COLUMN expiration;
diff --git a/db/ma/postgresql/update-4.sql b/db/ma/postgresql/update-4.sql
new file mode 100644
index 0000000..ec443a2
--- /dev/null
+++ b/db/ma/postgresql/update-4.sql
@@ -0,0 +1,5 @@
+--------------------------------------------------------
+--- Add index by name AND value on ma_member_attribute
+--------------------------------------------------------
+CREATE INDEX ma_member_attribute_name_value
+ ON ma_member_attribute (name, value);
diff --git a/db/ma/postgresql/update-5.sql b/db/ma/postgresql/update-5.sql
new file mode 100644
index 0000000..f2a0329
--- /dev/null
+++ b/db/ma/postgresql/update-5.sql
@@ -0,0 +1,18 @@
+-- -------------------
+-- Apply changes to add unique and no null and foreign key constraints, and related indices
+-- See chapi #174, proto-ch #943, proto-ch #1081
+-- -------------------
+
+ALTER TABLE ma_member
+ ALTER COLUMN member_id SET NOT NULL;
+
+-- Since the column is already unique this is un-necessary
+DROP INDEX IF EXISTS ma_member_index_member_id;
+
+-- Since the column is already unique this is un-necessary
+DROP INDEX IF EXISTS ma_client_index_client_urn;
+
+ALTER TABLE ma_inside_key
+ ALTER COLUMN member_id SET NOT NULL,
+ ALTER COLUMN private_key SET NOT NULL,
+ ALTER COLUMN certificate SET NOT NULL;
\ No newline at end of file
diff --git a/db/pa/postgresql/data.sql b/db/pa/postgresql/data.sql
new file mode 100644
index 0000000..8a55e08
--- /dev/null
+++ b/db/pa/postgresql/data.sql
@@ -0,0 +1,4 @@
+
+-- ----------------------------------------------------------------------
+-- A few fake records to insert into the database
+-- ----------------------------------------------------------------------
diff --git a/db/pa/postgresql/schema.sql b/db/pa/postgresql/schema.sql
new file mode 100644
index 0000000..fb356aa
--- /dev/null
+++ b/db/pa/postgresql/schema.sql
@@ -0,0 +1,95 @@ +-- avoid innocuous NOTICEs about automatic sequence creation +set client_min_messages='WARNING'; + +-- Tell psql to stop on an error. Default behavior is to proceed. +\set ON_ERROR_STOP 1 + +-- Tables for the PA (Project Authority) +-- ---------------------------------------------------------------------- +-- +-- ---------------------------------------------------------------------- +-- Drop the data first, then the type. +DROP TABLE IF EXISTS pa_project CASCADE; + +CREATE TABLE pa_project ( + id SERIAL PRIMARY KEY, + project_id UUID UNIQUE NOT NULL, + project_name VARCHAR UNIQUE NOT NULL, + lead_id UUID NOT NULL REFERENCES ma_member (member_id), + project_email VARCHAR, + project_purpose VARCHAR, + creation TIMESTAMP NOT NULL, + expiration TIMESTAMP, + expired BOOLEAN NOT NULL DEFAULT 'FALSE' +); + +-- Postgres implicitly indexes unique columns, so project_id, project_name. + +-- lead_id is not indexed unless we do so explicitly + +-- These are for common queries, but so far the DB doesn't use these. Tables too small? +-- CREATE INDEX project_index_project_id ON pa_project (project_id); +-- CREATE INDEX project_index_lead_project ON pa_project (lead_id, project_id); + +DROP TABLE IF EXISTS pa_project_member CASCADE; +CREATE TABLE pa_project_member ( + id SERIAL PRIMARY KEY, + project_id UUID NOT NULL REFERENCES pa_project (project_id), + member_id UUID NOT NULL REFERENCES ma_member (member_id), + role int NOT NULL +); + +-- Foreign keys are not indexed by default +CREATE INDEX project_member_project_id ON pa_project_member(project_id); +CREATE INDEX project_member_member_id ON pa_project_member(member_id); + +-- Create tables for requests relative to membership on projects +drop TABLE IF EXISTS pa_project_member_request; +create table pa_project_member_request ( + id SERIAL PRIMARY KEY, + context_type INT NOT NULL, + context_id UUID NOT NULL, + request_text VARCHAR, + -- 0 = JOIN, 1 = UPDATE_ATTRIBUTES, 2 = .... 
[That's all for now] + request_type INT NOT NULL, + -- This is a JSON string with a dictionary of requested attributes + -- for the case of a user wanting a change to his attributes + request_details VARCHAR, + requestor UUID NOT NULL REFERENCES ma_member (member_id), + status INT NOT NULL DEFAULT '0', -- 0 = PENDING, 1 = APPROVED, 2 = CANCELED, 3 = REJECTED + creation_timestamp TIMESTAMP NOT NULL, + resolver UUID, -- if an authority can resolve then it isn't a member_id + resolution_timestamp TIMESTAMP, + resolution_description VARCHAR +); + +-- requestor is not indexed by default +-- Is context_id a project_id? + +-- Create table of invitations from leads to candidate members +drop TABLE if EXISTS pa_project_member_invitation; +create TABLE pa_project_member_invitation( + id SERIAL PRIMARY KEY, + invite_id UUID NOT NULL, + project_id UUID NOT NULL REFERENCES pa_project (project_id), + role INT, + expiration TIMESTAMP +); + +-- project_id is not indexed by default + +-- ---------------------------------------------------------------------- +-- Project attribute table. Store all attributes of project as name/value +-- pairs keyed to the project id. +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS pa_project_attribute; + +CREATE TABLE pa_project_attribute ( + id SERIAL PRIMARY KEY, + project_id UUID NOT NULL REFERENCES pa_project (project_id), + name VARCHAR NOT NULL, + value VARCHAR NOT NULL +); + +CREATE INDEX pa_project_attribute_index_project_id + ON pa_project_attribute (project_id); diff --git a/db/pa/postgresql/update-1.sql b/db/pa/postgresql/update-1.sql new file mode 100644 index 0000000..85e8ac2 --- /dev/null +++ b/db/pa/postgresql/update-1.sql 
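Review bot: pa_project_member has no uniqueness constraint on (project_id, member_id), so one member can hold several rows, possibly with different role values, for the same project, and any lookup that expects exactly one role per member becomes order-dependent; for an authorization table that should be enforced by the database rather than left to callers, with `UNIQUE (project_id, member_id)` (which also covers the lookups the project_member_project_id index was added for). pa_project_member_invitation.invite_id looks like the token an invitee presents to join, yet it is NOT NULL but not UNIQUE, so two invitations could share an id; add `UNIQUE (invite_id)` unless duplicates are intentional. role, request_type and status carry their meanings only in comments (`0 = PENDING, 1 = APPROVED, 2 = CANCELED, 3 = REJECTED`); a CHECK constraint such as `CHECK (status IN (0, 1, 2, 3))` would keep stray values out of the approval workflow.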
@@ -0,0 +1,7 @@ + +-- Add an expiration column to the pa_project table. Existing projects +-- will not have an expiration time, and thus will never expire. New +-- projects will either be configured to expire at a given date/time, +-- or will have no expiration and never expire. + +ALTER TABLE pa_project ADD expiration TIMESTAMP; diff --git a/db/pa/postgresql/update-2.sql b/db/pa/postgresql/update-2.sql new file mode 100644 index 0000000..62dd337 --- /dev/null +++ b/db/pa/postgresql/update-2.sql @@ -0,0 +1,8 @@ + +-- Add an expired column pa_project table. Projects whose +-- expiration time has passed but aren't yet expired +-- will be periodically checked and expired, causing +-- a log message, Much like we do for slices. + +ALTER TABLE pa_project ADD expired BOOLEAN NOT NULL DEFAULT 'FALSE'; + diff --git a/db/pa/postgresql/update-3.sql b/db/pa/postgresql/update-3.sql new file mode 100644 index 0000000..5c76b5c --- /dev/null +++ b/db/pa/postgresql/update-3.sql @@ -0,0 +1,9 @@ +-- Create table of invitations from leads to candidate members +drop TABLE if EXISTS pa_project_member_invitation; +create TABLE pa_project_member_invitation( + id SERIAL, + invite_id UUID, + project_id UUID, + role INT, + expiration TIMESTAMP +); diff --git a/db/pa/postgresql/update-4.sql b/db/pa/postgresql/update-4.sql new file mode 100644 index 0000000..971e894 --- /dev/null +++ b/db/pa/postgresql/update-4.sql @@ -0,0 +1,15 @@ +-- ---------------------------------------------------------------------- +-- Project attribute table. Store all attributes of project as name/value +-- pairs keyed to the project id. +-- ---------------------------------------------------------------------- +DROP TABLE IF EXISTS pa_project_attribute; + +CREATE TABLE pa_project_attribute ( + id SERIAL PRIMARY KEY, + project_id UUID NOT NULL, + name VARCHAR NOT NULL, + value VARCHAR NOT NULL +); + +CREATE INDEX pa_project_attribute_index_project_id + ON pa_project_attribute (project_id); 
diff --git a/db/pa/postgresql/update-5.sql b/db/pa/postgresql/update-5.sql
new file mode 100644
index 0000000..bf9d089
--- /dev/null
+++ b/db/pa/postgresql/update-5.sql
@@ -0,0 +1,47 @@ +-- ------------------- +-- Apply changes to add unique and no null and foreign key constraints, and related indices +-- See chapi #174, proto-ch #943, proto-ch #1081 +-- ------------------- + +ALTER TABLE pa_project + ALTER COLUMN project_id SET NOT NULL, + ADD UNIQUE (project_id), + ALTER COLUMN project_name SET NOT NULL, + ADD UNIQUE (project_name), + ALTER COLUMN lead_id SET NOT NULL, + ADD FOREIGN KEY(lead_id) REFERENCES ma_member(member_id), + ALTER COLUMN creation SET NOT NULL; + +-- Postgres implicitly indexes unique columns, so project_id, project_name. +-- lead_id is not indexed unless we do so explicitly + +ALTER TABLE pa_project_member + ALTER COLUMN project_id SET NOT NULL, + ADD FOREIGN KEY(project_id) REFERENCES pa_project(project_id), + ALTER COLUMN member_id SET NOT NULL, + ADD FOREIGN KEY(member_id) REFERENCES ma_member(member_id), + ALTER COLUMN role SET NOT NULL; + +-- Foreign keys are not indexed by default +CREATE INDEX project_member_project_id ON pa_project_member(project_id); +CREATE INDEX project_member_member_id ON pa_project_member(member_id); + +ALTER TABLE pa_project_member_request + ADD PRIMARY KEY (id), + ALTER COLUMN context_type SET NOT NULL, + ALTER COLUMN context_id SET NOT NULL, + ALTER COLUMN request_type SET NOT NULL, + ALTER COLUMN requestor SET NOT NULL, + ADD FOREIGN KEY(requestor) REFERENCES ma_member(member_id), + ALTER COLUMN status SET NOT NULL, + ALTER COLUMN status SET DEFAULT '0', + ALTER COLUMN creation_timestamp SET NOT NULL; + +ALTER TABLE pa_project_member_invitation + ADD PRIMARY KEY (id), + ALTER COLUMN invite_id SET NOT NULL, + ALTER COLUMN project_id SET NOT NULL, + ADD FOREIGN KEY (project_id) REFERENCES pa_project(project_id); + +ALTER TABLE pa_project_attribute + ADD FOREIGN KEY (project_id) REFERENCES pa_project(project_id); \ No newline at end of file diff --git a/db/sa/postgresql/README.txt b/db/sa/postgresql/README.txt new file mode 100644 index 0000000..a832421 --- /dev/null 
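Review bot: The ADD FOREIGN KEY steps here (pa_project.lead_id, pa_project_member.project_id and member_id, pa_project_member_request.requestor, pa_project_member_invitation.project_id, pa_project_attribute.project_id) abort with a constraint violation if any existing row references a member or project that is absent, and unlike sr/update-4.sql this script makes no attempt to find such rows first. Before applying it to a live database, check each table for orphans, e.g. `SELECT * FROM pa_project_attribute a WHERE NOT EXISTS (SELECT 1 FROM pa_project p WHERE p.project_id = a.project_id);`, and decide per table whether they are deleted or repaired — silently deleting membership rows, as update-4 does for attributes, is not appropriate for project membership. The two CREATE INDEX statements at the end duplicate the ones in schema.sql and, having no IF NOT EXISTS, fail on a database built from it; that is only harmless because psql carries on after errors in these scripts.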
+++ b/db/sa/postgresql/README.txt @@ -0,0 +1,12 @@ + +To create a database and a user in PostgreSQL: + +CREATE USER svcreg WITH PASSWORD 'svcreg'; + +CREATE DATABASE genisr; + +GRANT ALL PRIVILEGES ON DATABASE genisr to svcreg; + + +# Login as credstore attached to database genica +psql -d genisr -U svcreg -h localhost diff --git a/db/sa/postgresql/data.sql b/db/sa/postgresql/data.sql new file mode 100644 index 0000000..4c50cc8 --- /dev/null +++ b/db/sa/postgresql/data.sql @@ -0,0 +1,4 @@ + +-- ---------------------------------------------------------------------- +-- A few fake records to insert into the database for SA_SLICE +-- ---------------------------------------------------------------------- diff --git a/db/sa/postgresql/schema.sql b/db/sa/postgresql/schema.sql new file mode 100644 index 0000000..8e5a832 --- /dev/null +++ b/db/sa/postgresql/schema.sql 
@@ -0,0 +1,125 @@ + +-- avoid innocuous NOTICEs about automatic sequence creation +set client_min_messages='WARNING'; + +-- Tell psql to stop on an error. Default behavior is to proceed. +\set ON_ERROR_STOP 1 + +-- ---------------------------------------------------------------------- +-- +-- ---------------------------------------------------------------------- +-- Drop the data first, then the type. +DROP TABLE IF EXISTS sa_slice CASCADE; + +create TABLE sa_slice ( + id SERIAL, + slice_id UUID NOT NULL UNIQUE, + owner_id UUID NOT NULL REFERENCES ma_member (member_id), + project_id UUID NOT NULL REFERENCES pa_project (project_id), + creation TIMESTAMP NOT NULL, + expiration TIMESTAMP, + expired BOOLEAN NOT NULL DEFAULT 'FALSE', + slice_name VARCHAR NOT NULL, + slice_urn VARCHAR NOT NULL, + slice_email VARCHAR, + certificate VARCHAR, + private_key VARCHAR, -- supports extending slices while reusing the same keypair + slice_description VARCHAR, + PRIMARY KEY (id) +); + +CREATE INDEX sa_slice_expired ON sa_slice (expired); +-- owner_id and project_id are not indexed by default + +DROP TABLE IF EXISTS sa_slice_member CASCADE; +CREATE TABLE sa_slice_member ( + id SERIAL, + slice_id UUID NOT NULL REFERENCES sa_slice (slice_id), + member_id UUID NOT NULL REFERENCES ma_member (member_id), + role int NOT NULL, + PRIMARY KEY (id) +); + +CREATE INDEX sa_slice_member_member_id on sa_slice_member(member_id); +CREATE INDEX sa_slice_member_slice_id on sa_slice_member(slice_id); + +-- These match our common queries, but in my simple tests my DB doesn't use these +-- CREATE INDEX sa_slice_index_name_project ON sa_slice (slice_name, project_id); +-- CREATE INDEX sa_slice_index_slice_id ON sa_slice(slice_id); +-- CREATE INDEX sa_slice_index_project_owner ON sa_slice(project_id, owner_id); +-- CREATE INDEX sa_slice_index_owner ON sa_slice(owner_id); + +-- Create tables for requests relative to membership on slices +DROP TABLE IF EXISTS sa_slice_member_request; +CREATE TABLE 
sa_slice_member_request ( + id SERIAL PRIMARY KEY, + context_type INT NOT NULL, + context_id UUID NOT NULL, + request_text VARCHAR, + -- 0 = JOIN, 1 = UPDATE_ATTRIBUTES, 2 = .... [That's all for now] + request_type INT NOT NULL, + -- This is a JSON string with a dictionary of requested attributes + -- for the case of a user wanting a change to his attributes + request_details VARCHAR, + requestor UUID NOT NULL REFERENCES ma_member (member_id), + status INT NOT NULL DEFAULT '0', -- 0 = PENDING, 1 = APPROVED, 2 = CANCELED, 3 = REJECTED + creation_timestamp TIMESTAMP NOT NULL, + resolver UUID, + resolution_timestamp TIMESTAMP, + resolution_description VARCHAR +); + +-- Is context_id a slice_id? +-- requestor is not indexed by default + +-- Add tables for sliver info in SA + +DROP TABLE if EXISTS sa_sliver_info CASCADE; + +CREATE TABLE sa_sliver_info ( + id SERIAL, + slice_urn VARCHAR NOT NULL, + sliver_urn VARCHAR UNIQUE NOT NULL, + creation TIMESTAMP WITHOUT TIME ZONE, + expiration TIMESTAMP WITHOUT TIME ZONE, + creator_urn VARCHAR NOT NULL, + aggregate_urn VARCHAR NOT NULL, + PRIMARY KEY (id) +); +CREATE INDEX sa_sliver_info_urn ON sa_sliver_info(sliver_urn); +-- slice_urn should be a value in sa_slice(slice_urn) + +-- Update the schema version +INSERT INTO schema_version + (key, extra) +VALUES ('006', 'sa_sliver_info'); + +-- Add archiving tables sa_slice_old and sa_slice_member_old +DROP TABLE IF EXISTS sa_slice_old CASCADE; + +CREATE TABLE sa_slice_old ( + id SERIAL, + slice_id UUID NOT NULL UNIQUE, + owner_id UUID NOT NULL REFERENCES ma_member (member_id), + project_id UUID NOT NULL REFERENCES pa_project (project_id), + creation TIMESTAMP NOT NULL, + expiration TIMESTAMP, + expired BOOLEAN NOT NULL DEFAULT 'FALSE', + slice_name VARCHAR NOT NULL, + slice_urn VARCHAR NOT NULL, + slice_email VARCHAR, + certificate VARCHAR, + private_key VARCHAR, + slice_description VARCHAR, + PRIMARY KEY (id) +); + +DROP TABLE IF EXISTS sa_slice_member_old CASCADE; +CREATE TABLE 
sa_slice_member_old ( + id SERIAL, + slice_id UUID NOT NULL REFERENCES sa_slice_old (slice_id), + member_id UUID NOT NULL REFERENCES ma_member(member_id), + role INT NOT NULL, + PRIMARY KEY (id) +); + diff --git a/db/sa/postgresql/update-1.sql b/db/sa/postgresql/update-1.sql new file mode 100644 index 0000000..aa8b9d3 --- /dev/null +++ b/db/sa/postgresql/update-1.sql @@ -0,0 +1,28 @@ +-- Add archiving tables sa_slice_old and sa_slice_member_old +DROP TABLE IF EXISTS sa_slice_old CASCADE; + +create TABLE sa_slice_old ( + id SERIAL, + slice_id UUID, + owner_id UUID, + project_id UUID, + creation TIMESTAMP, + expiration TIMESTAMP, + expired BOOLEAN NOT NULL DEFAULT 'FALSE', + slice_name VARCHAR, + slice_urn VARCHAR, + slice_email VARCHAR, + certificate VARCHAR, + slice_description VARCHAR, + PRIMARY KEY (id) +); + +DROP TABLE IF EXISTS sa_slice_member_old CASCADE; +CREATE TABLE sa_slice_member_old ( + id SERIAL, + slice_id UUID, + member_id UUID, + role int, + PRIMARY KEY (id) +); + diff --git a/db/sa/postgresql/update-2.sql b/db/sa/postgresql/update-2.sql new file mode 100644 index 0000000..1ed5786 --- /dev/null +++ b/db/sa/postgresql/update-2.sql @@ -0,0 +1,4 @@ +-------------------------------------------------------- +--- Add index by member_id on sa_slice_member +-------------------------------------------------------- +CREATE INDEX sa_slice_member_member_id on sa_slice_member(member_id); diff --git a/db/sa/postgresql/update-3.sql b/db/sa/postgresql/update-3.sql new file mode 100644 index 0000000..32a8314 --- /dev/null +++ b/db/sa/postgresql/update-3.sql 
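Review bot: `INSERT INTO schema_version (key, extra) VALUES ('006', 'sa_sliver_info');` references a schema_version table that nothing in this file creates, and because the file sets `\set ON_ERROR_STOP 1`, on a database where that table does not already exist psql aborts right there — before sa_slice_old and sa_slice_member_old are created — leaving a partially built SA schema. Unless schema_version is guaranteed to be created by an earlier script, move the version bump there or drop it here; it records one migration step, which does not belong in a full-rebuild schema file. Separately, sa_slice.private_key stores the slice's private key in plain text (the comment explains it is kept to reuse the keypair when extending), so the same access-control caveat applies as to the MA key tables and a `-- SECURITY:` note on the column would help; sa_slice_member would also benefit from `UNIQUE (slice_id, member_id)` so a member cannot hold two different roles on one slice.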
@@ -0,0 +1,62 @@ +-- ------------------- +-- Apply changes to add unique and no null and foreign key constraints, and related indices +-- See chapi #174, proto-ch #943, proto-ch #1081 +-- ------------------- + +ALTER TABLE sa_slice + ALTER COLUMN slice_id SET NOT NULL, + ADD UNIQUE(slice_id), + ALTER COLUMN owner_id SET NOT NULL, + ADD FOREIGN KEY (owner_id) REFERENCES ma_member(member_id), + ALTER COLUMN project_id SET NOT NULL, + ADD FOREIGN KEY (project_id) REFERENCES pa_project(project_id), + ALTER COLUMN creation SET NOT NULL, + ALTER COLUMN slice_name SET NOT NULL, + ALTER COLUMN slice_urn SET NOT NULL, + ADD COLUMN private_key VARCHAR; -- supports extending slices reusing the same keypair + +ALTER TABLE sa_slice_member + ALTER COLUMN slice_id SET NOT NULL, + ADD FOREIGN KEY (slice_id) REFERENCES sa_slice(slice_id), + ALTER COLUMN member_id SET NOT NULL, + ADD FOREIGN KEY (member_id) REFERENCES ma_member(member_id), + ALTER COLUMN role SET NOT NULL; + +CREATE INDEX sa_slice_member_slice_id on sa_slice_member(slice_id); + +ALTER TABLE sa_slice_member_request + ADD PRIMARY KEY (id), + ALTER COLUMN context_type SET NOT NULL, + ALTER COLUMN context_id SET NOT NULL, + ALTER COLUMN request_type SET NOT NULL, + ALTER COLUMN requestor SET NOT NULL, + ADD FOREIGN KEY (requestor) REFERENCES ma_member(member_id), + ALTER COLUMN status SET NOT NULL, + ALTER COLUMN status SET DEFAULT '0', + ALTER COLUMN creation_timestamp SET NOT NULL; + +-- _old tables haven't been created yet +CREATE TABLE sa_slice_old ( + id SERIAL, + slice_id UUID NOT NULL UNIQUE, + owner_id UUID NOT NULL REFERENCES ma_member (member_id), + project_id UUID NOT NULL REFERENCES pa_project (project_id), + creation TIMESTAMP NOT NULL, + expiration TIMESTAMP, + expired BOOLEAN NOT NULL DEFAULT 'FALSE', + slice_name VARCHAR NOT NULL, + slice_urn VARCHAR NOT NULL, + slice_email VARCHAR, + certificate VARCHAR, + private_key VARCHAR, + slice_description VARCHAR, + PRIMARY KEY (id) +); + +CREATE TABLE 
sa_slice_member_old ( + id SERIAL, + slice_id UUID NOT NULL REFERENCES sa_slice_old (slice_id), + member_id UUID NOT NULL REFERENCES ma_member(member_id), + role INT NOT NULL, + PRIMARY KEY (id) +); diff --git a/db/sr/postgresql/README.txt b/db/sr/postgresql/README.txt new file mode 100644 index 0000000..a832421 --- /dev/null +++ b/db/sr/postgresql/README.txt @@ -0,0 +1,12 @@ + +To create a database and a user in PostgreSQL: + +CREATE USER svcreg WITH PASSWORD 'svcreg'; + +CREATE DATABASE genisr; + +GRANT ALL PRIVILEGES ON DATABASE genisr to svcreg; + + +# Login as credstore attached to database genica +psql -d genisr -U svcreg -h localhost diff --git a/db/sr/postgresql/data.sql b/db/sr/postgresql/data.sql new file mode 100644 index 0000000..699d388 --- /dev/null +++ b/db/sr/postgresql/data.sql @@ -0,0 +1,8 @@ + +-- ---------------------------------------------------------------------- +-- A few fake records to insert into the database +-- ---------------------------------------------------------------------- +--insert into service_registry (service_type, service_url) values (0, 'http://foo.bar/AM1'); +--insert into service_registry (service_type, service_url) values (0, 'http://foo.bar/AM2'); +--insert into service_registry (service_type, service_url) values (1, 'http://foo.bar/SA'); +--insert into service_registry (service_type, service_url) values (2, 'http://foo.bar/PA'); diff --git a/db/sr/postgresql/schema.sql b/db/sr/postgresql/schema.sql new file mode 100644 index 0000000..7f51bc6 --- /dev/null +++ b/db/sr/postgresql/schema.sql 
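Review bot: The comment `-- _old tables haven't been created yet` is contradicted by sa/update-1.sql, which creates sa_slice_old (without private_key) and sa_slice_member_old; on a database where update-1 was applied the two CREATE TABLE statements here fail with "relation already exists", psql continues since nothing sets ON_ERROR_STOP, and sa_slice_old never gains the private_key column that the `ADD COLUMN private_key VARCHAR` on sa_slice now makes part of every slice row — so archiving an expired slice would later fail or silently lose the key. Make the step converge from either starting state: create the tables only if missing, using update-1's bare definitions, then ALTER them to the schema.sql shape, as sketched below. This assumes PostgreSQL 9.1 or later for IF NOT EXISTS and that existing archive rows satisfy the NOT NULL constraints, both worth confirming, and the comment should say that update-1 may or may not have run.
```sql
-- sa/update-1.sql may already have created these tables (no constraints,
-- no private_key); converge on the schema.sql definition either way.
CREATE TABLE IF NOT EXISTS sa_slice_old (
    id SERIAL,
    slice_id UUID,
    -- … remaining columns exactly as in sa/update-1.sql (no private_key) …
    PRIMARY KEY (id)
);
ALTER TABLE sa_slice_old
    ADD COLUMN private_key VARCHAR,
    ALTER COLUMN slice_id SET NOT NULL,
    ADD UNIQUE (slice_id),
    ALTER COLUMN owner_id SET NOT NULL,
    ADD FOREIGN KEY (owner_id) REFERENCES ma_member(member_id),
    ALTER COLUMN project_id SET NOT NULL,
    ADD FOREIGN KEY (project_id) REFERENCES pa_project(project_id),
    ALTER COLUMN creation SET NOT NULL,
    ALTER COLUMN slice_name SET NOT NULL,
    ALTER COLUMN slice_urn SET NOT NULL;

CREATE TABLE IF NOT EXISTS sa_slice_member_old (
    id SERIAL,
    slice_id UUID,
    member_id UUID,
    role int,
    PRIMARY KEY (id)
);
ALTER TABLE sa_slice_member_old
    ALTER COLUMN slice_id SET NOT NULL,
    ADD FOREIGN KEY (slice_id) REFERENCES sa_slice_old(slice_id),
    ALTER COLUMN member_id SET NOT NULL,
    ADD FOREIGN KEY (member_id) REFERENCES ma_member(member_id),
    ALTER COLUMN role SET NOT NULL;
```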
@@ -0,0 +1,35 @@ + +-- avoid innocuous NOTICEs about automatic sequence creation +set client_min_messages='WARNING'; + +-- Tell psql to stop on an error. Default behavior is to proceed. +\set ON_ERROR_STOP 1 + +-- Drop tables to recreate +DROP TABLE IF EXISTS service_registry_attribute; +DROP TABLE IF EXISTS service_registry; + +-- Now create the tables + +CREATE TABLE service_registry ( + id SERIAL, + service_type INT NOT NULL, + service_url VARCHAR NOT NULL, + service_urn VARCHAR, + service_cert VARCHAR, + service_name VARCHAR, + service_description VARCHAR, + PRIMARY KEY (id) +); + +CREATE TABLE service_registry_attribute ( + id SERIAL PRIMARY KEY, + service_id INT NOT NULL REFERENCES service_registry, + name VARCHAR, + value VARCHAR +); + +-- service_id is not indexed + +-- Common query but DB not using it ?yet? +-- CREATE INDEX service_registry_index_type ON service_registry(service_type); diff --git a/db/sr/postgresql/update-1.sql b/db/sr/postgresql/update-1.sql new file mode 100644 index 0000000..21bbeb1 --- /dev/null +++ b/db/sr/postgresql/update-1.sql 
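Review bot: service_registry has no uniqueness constraint on service_url or service_urn, although service_urn is the name by which the clearinghouse identifies an aggregate and update-1.sql/update-2.sql assign it by matching on service_url; with duplicates allowed, a second row carrying the same URN but a different service_cert or service_url can shadow the legitimate entry and a URN-to-service lookup becomes ambiguous. Unless duplicates are intentional, declare `service_url VARCHAR UNIQUE NOT NULL` and add `CREATE UNIQUE INDEX service_registry_urn ON service_registry (service_urn) WHERE service_urn IS NOT NULL;` (partial, because service_urn is nullable). service_cert is effectively a trust anchor for that aggregate, so a short `-- SECURITY:` comment stating which role may write this table would help future readers. In service_registry_attribute, name is nullable, which makes a name/value row meaningless; `name VARCHAR NOT NULL` appears to be what was intended.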
@@ -0,0 +1,30 @@ + +-- Add the service URN column to the service registry +ALTER TABLE service_registry ADD COLUMN + service_urn VARCHAR; + + +-- ig gpo +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+instageni.gpolab.bbn.com+authority+cm' + WHERE service_url = 'https://www.instageni.gpolab.bbn.com:12369/protogeni/xmlrpc/am/2.0'; + +-- ig utah +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+utah.geniracks.net+authority+cm' + WHERE service_url = 'https://www.utah.geniracks.net:12369/protogeni/xmlrpc/am/2.0'; + +-- pg uky +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+uky.emulab.net+authority+cm' + WHERE service_url = 'https://www.uky.emulab.net:12369/protogeni/xmlrpc/am/2.0'; + +-- pgeni3 +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+pgeni3.gpolab.bbn.com+authority+cm' + WHERE service_url = 'https://www.pgeni3.gpolab.bbn.com:12369/protogeni/xmlrpc/am/2.0'; + +-- utah +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+emulab.net+authority+cm' + WHERE service_url = 'https://www.emulab.net:12369/protogeni/xmlrpc/am/2.0'; diff --git a/db/sr/postgresql/update-2.sql b/db/sr/postgresql/update-2.sql new file mode 100644 index 0000000..fe34065 --- /dev/null +++ b/db/sr/postgresql/update-2.sql @@ -0,0 +1,17 @@ +-- Add Exo AM URNs + +-- eg gpo +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+exogeni.net:bbnvmsite+authority+am' + WHERE service_url = 'https://bbn-hn.exogeni.net:11443/orca/xmlrpc'; + +-- eg renci +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+exogeni.net:rcivmsite+authority+am' + WHERE service_url = 'https://rci-hn.exogeni.net:11443/orca/xmlrpc'; + +-- eg exosm +UPDATE service_registry + SET service_urn = 'urn:publicid:IDN+exogeni.net+authority+am' + WHERE service_url = 'https://geni.renci.org:11443/orca/xmlrpc'; + diff --git a/db/sr/postgresql/update-3.sql b/db/sr/postgresql/update-3.sql new file mode 100644 index 0000000..aa390a3 --- /dev/null 
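Review bot: `ALTER TABLE service_registry ADD COLUMN service_urn VARCHAR;` is not idempotent and conflicts with schema.sql in this commit, which already declares `service_urn`; on a database created from the new schema this statement fails with a duplicate-column error, and because this file lacks `\set ON_ERROR_STOP 1` the error merely scrolls past instead of aborting, hiding any real failure in the statements that follow. Either drop the ALTER now that schema.sql carries the column, or guard it (PostgreSQL 9.6+ accepts `ADD COLUMN IF NOT EXISTS service_urn VARCHAR;`; older servers need a `DO $$ ... $$` block that checks `information_schema.columns`). The five UPDATEs match on an exact `service_url` string and nothing checks the affected row count, so a URL that differs by a port or path from the one hard-coded here leaves the aggregate without a URN with no indication; a comment such as `-- every UPDATE should report UPDATE 1; UPDATE 0 means the stored URL differs from the one hard-coded here` would make the miss visible to the operator. The same applies to update-2.sql on this line.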
+++ b/db/sr/postgresql/update-3.sql @@ -0,0 +1,10 @@ +-- Replace previous definition of service_registry_attribute table +-- to current (consistent) definition +DROP TABLE IF EXISTS service_registry_attribute; + +CREATE TABLE service_registry_attribute ( + id SERIAL PRIMARY KEY, + service_id INT, + name VARCHAR, + value VARCHAR +); diff --git a/db/sr/postgresql/update-4.sql b/db/sr/postgresql/update-4.sql new file mode 100644 index 0000000..12f51c8 --- /dev/null +++ b/db/sr/postgresql/update-4.sql @@ -0,0 +1,11 @@ +-- ------------------- +-- Apply changes to add unique and no null and foreign key constraints, and related indices +-- See chapi #174, proto-ch #943, proto-ch #1081 +-- ------------------- + +-- Somehow there are some rows with a null service_id. But that makes no sense: delete them +DELETE FROM service_registry_attribute where service_id is null; + +ALTER TABLE service_registry_attribute + ALTER COLUMN service_id SET NOT NULL, + ADD FOREIGN KEY (service_id) REFERENCES service_registry(id); \ No newline at end of file diff --git a/docs/add_new_aggregate.txt b/docs/add_new_aggregate.txt new file mode 100644 index 0000000..6486d79 --- /dev/null +++ b/docs/add_new_aggregate.txt 
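Review bot: `DROP TABLE IF EXISTS service_registry_attribute;` followed by `CREATE TABLE` discards every row of the existing table — presumably the per-aggregate attributes (the ui_*_cat categories and speaks-for flag described in docs/add_new_aggregate.txt in this commit) — with no backup or copy-back. If the goal is only to align the column definitions, an `ALTER TABLE` is enough; if a rebuild is really required, rename first and copy the rows back, e.g. `ALTER TABLE service_registry_attribute RENAME TO service_registry_attribute_old;` then `INSERT INTO service_registry_attribute (service_id, name, value) SELECT service_id, name, value FROM service_registry_attribute_old;`. The new definition also leaves `service_id` nullable and without a foreign key, which update-4.sql then has to repair; declaring `service_id INT NOT NULL REFERENCES service_registry(id),` here closes the window in which orphan or NULL rows can be inserted.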
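Review bot: `ADD FOREIGN KEY (service_id) REFERENCES service_registry(id)` fails if any attribute row points at a service id that no longer exists, and the script only removes NULL service_ids; either clear orphans first (`DELETE FROM service_registry_attribute a WHERE NOT EXISTS (SELECT 1 FROM service_registry s WHERE s.id = a.service_id);`) or, better, list them before deleting so a dangling trust attribute is investigated rather than dropped. The header comment promises "unique and no null and foreign key constraints, and related indices", but this file adds neither a UNIQUE constraint nor an index; add `CREATE INDEX service_registry_attribute_service_id_idx ON service_registry_attribute (service_id);` or trim the comment to what the script actually does. Wrapping the DELETE and ALTER in `BEGIN; ... COMMIT;` keeps a failure midway from leaving the table with rows deleted but the constraint not applied.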
@@ -0,0 +1,174 @@ +Instructions for installing a new aggreate + +This note describes the steps to add a new aggregate to the GENI +clearinghouse Service Registry. + +1. Gather the required information + + Where possible, get the information from the aggregate itself, either + from its advertisement RSpec (from listresources), its version + info (from getversion) or its SSL certificate + + cert: The x509 certificate of the aggregate (the server end of the + AM API presented by the aggregate) + cacert: The SSL cert (or signer of the SSL cert). Used for Flack to allow + flash to connect. This is really a misnomer: it is not a cacert. + May be the same as CERT for some aggregates; typically the + IG has X-cm.pem as the CERT and X-boss.pem as the CACERT. + shortname: Short name of the aggregate, matches the nickname used by omni + longname: Long/complete name of the aggregate + description: Text description of the aggregate + URN: URN of aggregate. Must satisfy the requirements described in + http://groups.geni.net/geni/wiki/GeniApiIdentifiers + URL: URL of the AM. For some aggregates, there may be two: + one for V2 AM, one for V3 AM. If so, use the V2 AM. + Type of aggregate: + InstaGENI: ui_instageni_am + ExoGENI: ui_exogeni_am + FOAM: ui_foam_am + Other (including OpenGENI): ui_other_am + Category + + Note: Every aggregate must have one and only one of + ui_prod_cat, ui_dev_cat, ui_experimental_cat. Likewise, every aggregate + gets one and only one of ui_compute_cat and ui_network_cat. + ui_stitchable_cat and ui_federated_cat are optional attributes. + + ui_compute_cat: Is this aggregate a compute aggregate (provides PCs / VMs) + ui_network_cat : Is this aggregate a network aggregate + (provides paths / flows) + ui_prod_cat: Is this aggreate deemed to be 'production' + i.e. the aggregate is stable and running according to documented + procedures in the aggregate-providers agreement. + ui_dev_cat : Is this aggregate deemed to be 'development' + i.e. 
the aggregate is under development and isn't considered + to be stable (could come down at any time, may have bugs or + new untested features) + ui_experimental_cat: Is this aggregate deemed to be 'experimental' + i.e. the aggregate provides new experimental capabilities to + ressearchers, and is, like 'development', provided without + stability assurances. + ui_stitchable_cat: Is this aggregate stitchable (listed in SCS, connected + to a switch configured with stitching VLANs etc.) + ui_federated_cat : Is this agggregate a member of a different (non-GENI) + federation, and is federated by mutual agreement between GENI and + the aggregate's federation? + Speaks-for: Y if the aggregate handles speaks-for credentials, N if not. + Currently, this is Y for InstaGENI and OpenGENI aggregates, N for ExoGENI + and FOAM aggregates. + +There are instructions for gathering the relevant data for FOAM and +InstaGENI/ProtoGENI on the syseng wiki +(http://groups.geni.net/syseng/wiki/SwClearinghouse/Federation/FOAM, +http://groups.geni.net/syseng/wiki/SwClearinghouse/Federation/ProtoGENI). +These explain, for instance, how to get the misnamed ‘cacert’ and how to +get the CM cert (ProtoGENI-only). + +2. Test the UI + +Use omni to test adherence to AM API: + + V2 [Only if the aggregate advertises support for V2.] + getversion + listresources + createsliver SLICENAME (RSPEC WITH two slivers with a single link) + ... login and ping between two slivers + listresources SLICENAME + sliverstatus SLICENAME + renewsliver SLICENAME new-renew-time + deletesliver SLICENAME + + V3 [Only if the aggregate advertises support for V3. Note: the portal + does not use V3]. + getversion + listresources + allocate SLICENAME (RSPEC with two slivers and a single link) + provision SLICENAME + ... 
login and ping between two slivers + describe SLICENAME + status SLICENAME + renew SLICENAME new-renew-time + delete SLICENAME + + Verify that the returns from getversion and listresources (advertisement) + are consistent with the expected values gathered in #1. + + Verify that the advertisement returned from listresources is + well-formatted (passes rspec-lint). + Verify that the manifest returned from listresources/describe + well-formatted (passes rspec-lint). + + If aggreagte is stitchable , do stitch testing as well. + [Out of scope of this document.] + +3. Gain approval for adding aggregate + +Adding the new aggregate to the GENI Clearinghouse Service Registry +reguires proper approval that: +1) GENI wants to add this aggregate to its service registry and +2) the aggregate passes tests and requirements set for GENI aggregates of +different categories. + +Currently, the GPO infra group has approval authority for production +aggregates and the GPO software group has approval authority for federated and +experimental aggregates. + +This approval process will surely change as management of the GENI +Clearinghouse transitions to the GENI community. + +4. Update geni-ch/data/sr/aggdata.csv + +Add entry for agg: +shortname,url,amcert,longname,description,urn,cacert,type,category,speaksfor + +Note: For 'category', list all categories that apply, separated by a space, +e.g. "ui_prod_cat ui_network_cat" + +If there are two urls (V2 and V3), add two different lines, making sure +they have different short-names, url, longname, description. + +5. Update geni-ch/data/Makefile.am + +Add entry for agg to these Make targets: + +- AM_SQL +- sr/sql/add-.sql: $(srcdir)/sr/sql/add-.sql.in +- dist_srcerts_DATA + +6. Update Jacks Context + +Add the aggregate to the Jacks-GENI/jacks-context portal.sh file. +These are the geni-lib names (which are often reversed relative to omni +short names) and may require adding the aggregate to geni-lib as well. 
+ +geni-lib is maintained at https://bitbucket.org/barnstorm/geni-lib. +jacks-context is maintained in https://github.com/Jacks-GENI/jacks-context. + + +7. Edit syseng ticket for release. + +[Note: This step is part of GPO-internal process.] + +Edit the syseng ticket for the clearinghouse update event at which this +aggregate will be added to production Service Registry (SR): + +Indicate: + * Add aggregate to Service Registry + {{{ + psql -U portal -h localhost -f /usr/shre/geni-chapi/sr/sql/add-.sql + }}} + + +8. Post install testing + +After install, validate that aggregate appears in Portal list on +jacks-app, jacks-editor-app and slice aggregate view page. Allocate resources +from Portal and make sure you can SSH from portal, resources turn green, etc. + + +9. Update Portal Map + +After the installation and the new aggregate is in the service registry, +new map data should be generated. There are two scripts for this: +geni-get-ad-rspecs and geni-parse-map-data. + diff --git a/plugins/chrm/ArgumentCheck.py b/plugins/chrm/ArgumentCheck.py index e106b92..f575ba4 100644 --- a/plugins/chrm/ArgumentCheck.py +++ b/plugins/chrm/ArgumentCheck.py @@ -220,7 +220,8 @@ def validateTypedField(self, field, field_type, value): elif field_type == "KEY": pass # *** No standard format elif field_type == "BOOLEAN": - properly_formed = value.lower() in ['t', 'f', 'true', 'false'] + properly_formed = (type(value) is bool or + value.lower() in ['t', 'f', 'true', 'false']) elif field_type == "CREDENTIALS": try: Credential(string=value) diff --git a/plugins/sarm/SAv1PersistentImplementation.py b/plugins/sarm/SAv1PersistentImplementation.py index ece5f17..ce88daa 100644 --- a/plugins/sarm/SAv1PersistentImplementation.py +++ b/plugins/sarm/SAv1PersistentImplementation.py 
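Review bot: `value.lower()` on the new line still runs for any value that is neither a bool nor a string (an integer 1, `None`, a list), so a client sending a malformed BOOLEAN argument gets an AttributeError out of the validator instead of `properly_formed` being False; since this function checks arguments arriving over the API, that is an unhandled exception any caller can trigger. Suggest `properly_formed = (isinstance(value, bool) or (isinstance(value, basestring) and value.lower() in ['t', 'f', 'true', 'false']))` — `basestring` because the surrounding code is Python 2 (the sibling file comments on 2.7); the CHANGES entry for #394 targets the JSON-boolean case, so the type confusion looks unaddressed rather than intended. `validateTypedField` starts before this hunk, so I cannot see whether an enclosing try/except already catches this.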
@@ -226,6 +226,10 @@ def lookup_slices(self, client_cert, credentials, options, session): q = add_filters(q, match_criteria, self.db.SLICE_TABLE, SA.slice_field_mapping, session) + # Order by expiration to get the active one or the most recently + # expired instance and to provide deterministic behavior + q = q.order_by(self.db.SLICE_TABLE.c.expiration) + rows = q.all() # in python 2.7, could do dictionary comprehension !!!!!!!! @@ -1480,16 +1484,23 @@ def lookup_project_attributes(self, client_cert, project_urn, \ client_uuid = get_uuid_from_cert(client_cert) self.update_project_expirations(client_uuid, session) - name = from_project_urn(project_urn) - project_id = self.get_project_id(session, "project_name", name) + if "match" in options and "PROJECT_UID" in options["match"]: + project_ids = options["match"]["PROJECT_UID"] + else: + name = from_project_urn(project_urn) + project_id = self.get_project_id(session, "project_name", name) + project_ids = [project_id] + q = session.query(self.db.PROJECT_ATTRIBUTE_TABLE ) - q = q.filter(self.db.PROJECT_ATTRIBUTE_TABLE.c.project_id==project_id) + q = q.filter(self.db.PROJECT_ATTRIBUTE_TABLE.c.project_id.in_(project_ids)) rows = q.all() attribs = [] for row in rows: + attrib_project_id = row.project_id attrib_name = row.name attrib_value = row.value - attrib = {'name' : attrib_name, 'value' : attrib_value} + attrib = {'project_id' : attrib_project_id, + 'name' : attrib_name, 'value' : attrib_value} attribs.append(attrib) result = self._successReturn(attribs) return result diff --git a/tools/portal_stats.sql b/tools/portal_stats.sql index 3dc452d..dd01199 100644 --- a/tools/portal_stats.sql +++ b/tools/portal_stats.sql 
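Review bot: The new branch in `lookup_project_attributes` takes `options["match"]["PROJECT_UID"]` straight from the client and passes it to `.in_(project_ids)` with no shape or authorization check. SQLAlchemy binds the values, so this is not an injection, but a bare string instead of a list is iterated character by character, an empty list produces an `in_([])` query that SQLAlchemy warns about, and, more importantly, the old code derived the project from `project_urn`, which is presumably what the access guard for this method authorizes, whereas the new path returns attributes for whatever project ids the caller names — please confirm the guard also constrains `match.PROJECT_UID`. At minimum normalize the input, `if not isinstance(project_ids, (list, tuple)): project_ids = [project_ids]`, and return the empty result when the list is empty. In the first hunk, `order_by(self.db.SLICE_TABLE.c.expiration)` sorts ascending with NULL expirations last in PostgreSQL, so the comment should say whether "most recent" is taken from the last row or the first.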
@@ -22,10 +22,10 @@ select count(*) as "Active International Members" from ma_member_attribute where -- Most popular institutions (using EPPN) -select trim(leading '@' from substring(value from '@.*$')) as "Most common member institutions", count(*) as members from ma_member_attribute where name = 'eppn' group by "Most common member institutions" order by members desc limit 30; +select trim(leading '@' from substring(lower(value) from '@.*$')) as "Most common member institutions", count(*) as members from ma_member_attribute where name = 'eppn' group by "Most common member institutions" order by members desc limit 30; -- Most popular institutions using email, non tutorial -select trim(leading '@' from substring(value from '@.*$')) as "Most common member institutions by email", count(*) as members from ma_member_attribute where name = 'email_address' and value not like '%gpolab.bbn.com' group by "Most common member institutions" order by members desc limit 100; +select trim(leading '@' from substring(lower(value) from '@.*$')) as "Most common member institutions by email", count(*) as members from ma_member_attribute where name = 'email_address' and value not like '%gpolab.bbn.com' group by "Most common member institutions by email" order by members descq limit 100; -- Most popular countries / top level domains select distinct substring(lower(value) from '%.#"_+#"' for '#') as "Most common TLDs", count(*) as members from ma_member_attribute where name = 'email_address' group by substring(lower(value) from '%.#"_+#"' for '#') order by members desc limit 25;
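Review bot: `order by members descq limit 100;` in the rewritten email-institutions query is a typo for `desc` and a syntax error in PostgreSQL, so this report now fails outright; the line should end `group by "Most common member institutions by email" order by members desc limit 100;`. The `group by` alias repair and the `lower(value)` normalization are otherwise correct, so that one token is the only thing blocking the change. Running the file once under `psql -f` with `\set ON_ERROR_STOP 1` before committing would catch this class of mistake.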