ganeti.server.rapi

1 # 2 # 3 4 # Copyright (C) 2006, 2007, 2008, 2009, 2010, 2012, 2013 Google Inc. 5 # All rights reserved. 6 # 7 # Redistribution and use in source and binary forms, with or without 8 # modification, are permitted provided that the following conditions are 9 # met: 10 # 11 # 1. Redistributions of source code must retain the above copyright notice, 12 # this list of conditions and the following disclaimer. 13 # 14 # 2. Redistributions in binary form must reproduce the above copyright 15 # notice, this list of conditions and the following disclaimer in the 16 # documentation and/or other materials provided with the distribution. 17 # 18 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 19 # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR 22 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 23 # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 24 # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 25 # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 26 # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 27 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 28 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 30 """Ganeti Remote API master script. 31 32 """ 33 34 # pylint: disable=C0103,W0142 35 36 # C0103: Invalid name ganeti-watcher 37 38 import logging 39 import optparse 40 import sys 41 import os 42 import os.path 43 import errno 44 45 try: 46 from pyinotify import pyinotify # pylint: disable=E0611 47 except ImportError: 48 import pyinotify 49 50 from ganeti import asyncnotifier 51 from ganeti import constants 52 from ganeti import http 53 from ganeti import daemon 54 from ganeti import ssconf 55 import ganeti.rpc.errors as rpcerr 56 from ganeti import serializer 57 from ganeti import compat 58 from ganeti import utils 59 from ganeti import pathutils 60 from ganeti.rapi import connector 61 from ganeti.rapi import baserlib 62 63 import ganeti.http.auth # pylint: disable=W0611 64 import ganeti.http.server

65 66 67 -class RemoteApiRequestContext(object):

68 """Data structure for Remote API requests. 69 70 """

71 - def __init__(self):

72 self.handler = None 73 self.handler_fn = None 74 self.handler_access = None 75 self.body_data = None

76

77 78 -class RemoteApiHandler(http.auth.HttpServerRequestAuthentication, 79 http.server.HttpServerHandler):

80 """REST Request Handler Class. 81 82 """ 83 AUTH_REALM = "Ganeti Remote API" 84

85 - def __init__(self, user_fn, reqauth, _client_cls=None):

86 """Initializes this class. 87 88 @type user_fn: callable 89 @param user_fn: Function receiving username as string and returning 90 L{http.auth.PasswordFileUser} or C{None} if user is not found 91 @type reqauth: bool 92 @param reqauth: Whether to require authentication 93 94 """ 95 # pylint: disable=W0233 96 # it seems pylint doesn't see the second parent class there 97 http.server.HttpServerHandler.__init__(self) 98 http.auth.HttpServerRequestAuthentication.__init__(self) 99 self._client_cls = _client_cls 100 self._resmap = connector.Mapper() 101 self._user_fn = user_fn 102 self._reqauth = reqauth

103 104 @staticmethod

105 - def FormatErrorMessage(values):

106 """Formats the body of an error message. 107 108 @type values: dict 109 @param values: dictionary with keys C{code}, C{message} and C{explain}. 110 @rtype: tuple; (string, string) 111 @return: Content-type and response body 112 113 """ 114 return (http.HTTP_APP_JSON, serializer.DumpJson(values))

115

116 - def _GetRequestContext(self, req):

117 """Returns the context for a request. 118 119 The context is cached in the req.private variable. 120 121 """ 122 if req.private is None: 123 (HandlerClass, items, args) = \ 124 self._resmap.getController(req.request_path) 125 126 ctx = RemoteApiRequestContext() 127 ctx.handler = HandlerClass(items, args, req, _client_cls=self._client_cls) 128 129 method = req.request_method.upper() 130 try: 131 ctx.handler_fn = getattr(ctx.handler, method) 132 except AttributeError: 133 raise http.HttpNotImplemented("Method %s is unsupported for path %s" % 134 (method, req.request_path)) 135 136 ctx.handler_access = baserlib.GetHandlerAccess(ctx.handler, method) 137 138 # Require permissions definition (usually in the base class) 139 if ctx.handler_access is None: 140 raise AssertionError("Permissions definition missing") 141 142 # This is only made available in HandleRequest 143 ctx.body_data = None 144 145 req.private = ctx 146 147 # Check for expected attributes 148 assert req.private.handler 149 assert req.private.handler_fn 150 assert req.private.handler_access is not None 151 152 return req.private

153

154 - def AuthenticationRequired(self, req):

155 """Determine whether authentication is required. 156 157 """ 158 return self._reqauth or bool(self._GetRequestContext(req).handler_access)

159

160 - def Authenticate(self, req, username, password):

161 """Checks whether a user can access a resource. 162 163 """ 164 ctx = self._GetRequestContext(req) 165 166 user = self._user_fn(username) 167 if not (user and 168 self.VerifyBasicAuthPassword(req, username, password, 169 user.password)): 170 # Unknown user or password wrong 171 return False 172 173 if (not ctx.handler_access or 174 set(user.options).intersection(ctx.handler_access)): 175 # Allow access 176 return True 177 178 # Access forbidden 179 raise http.HttpForbidden()

180

181 - def HandleRequest(self, req):

182 """Handles a request. 183 184 """ 185 ctx = self._GetRequestContext(req) 186 187 # Deserialize request parameters 188 if req.request_body: 189 # RFC2616, 7.2.1: Any HTTP/1.1 message containing an entity-body SHOULD 190 # include a Content-Type header field defining the media type of that 191 # body. [...] If the media type remains unknown, the recipient SHOULD 192 # treat it as type "application/octet-stream". 193 req_content_type = req.request_headers.get(http.HTTP_CONTENT_TYPE, 194 http.HTTP_APP_OCTET_STREAM) 195 if req_content_type.lower() != http.HTTP_APP_JSON.lower(): 196 raise http.HttpUnsupportedMediaType() 197 198 try: 199 ctx.body_data = serializer.LoadJson(req.request_body) 200 except Exception: 201 raise http.HttpBadRequest(message="Unable to parse JSON data") 202 else: 203 ctx.body_data = None 204 205 try: 206 result = ctx.handler_fn() 207 except rpcerr.TimeoutError: 208 raise http.HttpGatewayTimeout() 209 except rpcerr.ProtocolError, err: 210 raise http.HttpBadGateway(str(err)) 211 212 req.resp_headers[http.HTTP_CONTENT_TYPE] = http.HTTP_APP_JSON 213 214 return serializer.DumpJson(result)

215

216 217 -class RapiUsers(object):

218 - def __init__(self):

219 """Initializes this class. 220 221 """ 222 self._users = None

223

224 - def Get(self, username):

225 """Checks whether a user exists. 226 227 """ 228 if self._users: 229 return self._users.get(username, None) 230 else: 231 return None

232

233 - def Load(self, filename):

234 """Loads a file containing users and passwords. 235 236 @type filename: string 237 @param filename: Path to file 238 239 """ 240 logging.info("Reading users file at %s", filename) 241 try: 242 try: 243 contents = utils.ReadFile(filename) 244 except EnvironmentError, err: 245 self._users = None 246 if err.errno == errno.ENOENT: 247 logging.warning("No users file at %s", filename) 248 else: 249 logging.warning("Error while reading %s: %s", filename, err) 250 return False 251 252 users = http.auth.ParsePasswordFile(contents) 253 254 except Exception, err: # pylint: disable=W0703 255 # We don't care about the type of exception 256 logging.error("Error while parsing %s: %s", filename, err) 257 return False 258 259 self._users = users 260 261 return True

262

263 264 -class FileEventHandler(asyncnotifier.FileEventHandlerBase):

265 - def __init__(self, wm, path, cb):

266 """Initializes this class. 267 268 @param wm: Inotify watch manager 269 @type path: string 270 @param path: File path 271 @type cb: callable 272 @param cb: Function called on file change 273 274 """ 275 asyncnotifier.FileEventHandlerBase.__init__(self, wm) 276 277 self._cb = cb 278 self._filename = os.path.basename(path) 279 280 # Different Pyinotify versions have the flag constants at different places, 281 # hence not accessing them directly 282 mask = (pyinotify.EventsCodes.ALL_FLAGS["IN_CLOSE_WRITE"] | 283 pyinotify.EventsCodes.ALL_FLAGS["IN_DELETE"] | 284 pyinotify.EventsCodes.ALL_FLAGS["IN_MOVED_FROM"] | 285 pyinotify.EventsCodes.ALL_FLAGS["IN_MOVED_TO"]) 286 287 self._handle = self.AddWatch(os.path.dirname(path), mask)

288

289 - def process_default(self, event):

290 """Called upon inotify event. 291 292 """ 293 if event.name == self._filename: 294 logging.debug("Received inotify event %s", event) 295 self._cb()

296

297 298 -def SetupFileWatcher(filename, cb):

299 """Configures an inotify watcher for a file. 300 301 @type filename: string 302 @param filename: File to watch 303 @type cb: callable 304 @param cb: Function called on file change 305 306 """ 307 wm = pyinotify.WatchManager() 308 handler = FileEventHandler(wm, filename, cb) 309 asyncnotifier.AsyncNotifier(wm, default_proc_fun=handler)

310

311 312 -def CheckRapi(options, args):

313 """Initial checks whether to run or exit with a failure. 314 315 """ 316 if args: # rapi doesn't take any arguments 317 print >> sys.stderr, ("Usage: %s [-f] [-d] [-p port] [-b ADDRESS]" % 318 sys.argv[0]) 319 sys.exit(constants.EXIT_FAILURE) 320 321 ssconf.CheckMaster(options.debug) 322 323 # Read SSL certificate (this is a little hackish to read the cert as root) 324 if options.ssl: 325 options.ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key, 326 ssl_cert_path=options.ssl_cert) 327 else: 328 options.ssl_params = None

329

330 331 -def PrepRapi(options, _):

332 """Prep remote API function, executed with the PID file held. 333 334 """ 335 mainloop = daemon.Mainloop() 336 337 users = RapiUsers() 338 339 handler = RemoteApiHandler(users.Get, options.reqauth) 340 341 # Setup file watcher (it'll be driven by asyncore) 342 SetupFileWatcher(pathutils.RAPI_USERS_FILE, 343 compat.partial(users.Load, pathutils.RAPI_USERS_FILE)) 344 345 users.Load(pathutils.RAPI_USERS_FILE) 346 347 server = \ 348 http.server.HttpServer(mainloop, options.bind_address, options.port, 349 handler, 350 ssl_params=options.ssl_params, ssl_verify_peer=False) 351 server.Start() 352 353 return (mainloop, server)

354

355 356 -def ExecRapi(options, args, prep_data): # pylint: disable=W0613

357 """Main remote API function, executed with the PID file held. 358 359 """ 360 (mainloop, server) = prep_data 361 try: 362 mainloop.Run() 363 finally: 364 server.Stop() 365

366 367 -def Main():

368 """Main function. 369 370 """ 371 parser = optparse.OptionParser(description="Ganeti Remote API", 372 usage=("%prog [-f] [-d] [-p port] [-b ADDRESS]" 373 " [-i INTERFACE]"), 374 version="%%prog (ganeti) %s" % 375 constants.RELEASE_VERSION) 376 parser.add_option("--require-authentication", dest="reqauth", 377 default=False, action="store_true", 378 help=("Disable anonymous HTTP requests and require" 379 " authentication")) 380 381 daemon.GenericMain(constants.RAPI, parser, CheckRapi, PrepRapi, ExecRapi, 382 default_ssl_cert=pathutils.RAPI_CERT_FILE, 383 default_ssl_key=pathutils.RAPI_CERT_FILE)

384

Source Code for Module ganeti.server.rapi