geni-nsf / geni-ch Goto Github PK

geni-pgch responds to listaggregates on ch5.gpolab.bbn.com (sandbox) with:

$ ~/src/gcf/src/omni.py -c ~/tmp/portal5/omni_config listaggregates
INFO:omni:Loading config file /home/chaos/tmp/portal5/omni_config
INFO:omni:Using control framework portal
INFO:omni:Listing 1 aggregates...
INFO:omni:  Aggregate 1:
        urn:publicid:IDN+pgeni3.gpolab.bbn.com+authority+cm 
        https://www.pgeni3.gpolab.bbn.com:12369/protogeni/xmlrpc/am/2.0
INFO:omni: ------------------------------------------------------------
INFO:omni: Completed listaggregates:

  Options as run:
                configfile: /home/chaos/tmp/portal5/omni_config
                framework: portal
                project: chaostest

  Args: listaggregates

  Result Summary: Found 1 aggregate. URN: urn:publicid:IDN+pgeni3.gpolab.bbn.com+authority+cm; URL: https://www.pgeni3.gpolab.bbn.com:12369/protogeni/xmlrpc/am/2.0 
INFO:omni: ============================================================

The PGCH handler of CHAPI says:

$ ~/src/gcf/src/omni.py -c ~/tmp/portal5/omni_config listaggregates
INFO:omni:Loading config file /home/chaos/tmp/portal5/omni_config
INFO:omni:Using control framework portal
ERROR:omni.pgch:Cannot list GENI Clearinghouse components: 
ERROR:omni.pgch:Received error code: 101
ERROR:omni.pgch:Received error message: [SERVER] SERVER_ERROR ('CHv1Handler' object has no attribute 'get_aggregates')
INFO:omni:Listing 0 aggregates...
INFO:omni: ------------------------------------------------------------
INFO:omni: Completed listaggregates:

  Options as run:
                configfile: /home/chaos/tmp/portal5/omni_config
                framework: portal
                project: chaostest

  Args: listaggregates

  Result Summary: No aggregates found. 
INFO:omni: ============================================================

Imported from trac ticket #38, created by chaos on 11-14-2013 at 07:09, last modified: 11-15-2013 at 08:08

The chapi default parameters are stored in /usr/share/geni-ch/chapi/chapi/plugins/chapiv1rpc/chapi/Parameters.py. We need to be able to override those parameters using a config file. A file in a config directory like /etc/geni-ch/ would be ideal.

Imported from trac ticket #1, created by chaos on 11-07-2013 at 11:04, last modified: 11-08-2013 at 12:40

The proto-ch.git make process installs a git hash in /etc/geni-ch/geni-ch-githash. The chapi.git make process should do similarly --- i assume it should put the chapi-specific git hash under /etc/geni-chapi/, but i don't feel strongly.

Imported from trac ticket #35, created by chaos on 11-12-2013 at 16:43, last modified: 11-20-2013 at 14:49

The directory /usr/share/geni-ch/chapi/AMsoil/deploy contains example config files, at least one utility script, and a subdirectory called trusted/, all of which seem like things that shouldn't be writable by www-data. It also contains some database files which need to be written by www-data. This configuration is unsafe because it gives apache write access to parts of the installation.

Move the .db files to a dedicated "CHAPI spool" directory (e.g. /var/spool/chapi/ or /usr/share/geni-ch/var/chapi/)

Imported from trac ticket #32, created by chaos on 11-12-2013 at 13:32, last modified: 07-15-2014 at 13:03

I removed myself from a project on which I was the lead using the geni-remove-project-member script. Once I was removed, I could no longer view the project so added myself back in using geni-add-project-member. I was put in as auditor, which is expected. When I go to the "Project" page for the project, the member who was an admin is now listed as lead and I'm listed as auditor, which is correct.

However if I go to the "Projects" page, I am still listed as Project Lead.

Imported from trac ticket #47, created by phelinek on 11-15-2013 at 10:24, last modified: 11-15-2013 at 16:02

The install script leaves obsolete lines in the apache config:

    Include /usr/share/geni-ch/sa/apache2.conf
    Include /usr/share/geni-ch/ma/apache2.conf
    Include /usr/share/geni-ch/pa/apache2.conf
    Include /usr/share/geni-ch/sr/apache2.conf
    Include /usr/share/geni-ch/cs/apache2.conf
    Include /usr/share/geni-ch/logging/apache2.conf

Imported from trac ticket #7, created by ahelsing on 11-07-2013 at 16:02, last modified: 11-14-2013 at 13:08
CCing: chaos@...

Right now, the CHAPI installation process (install_ch in particular) installs the nginx package. Don't install nginx unless it is actually needed.

Imported from trac ticket #6, created by chaos on 11-07-2013 at 15:12, last modified: 11-11-2013 at 10:24

I see hard coded paths in a couple spots

./chapi/plugins/marm/MAv1Implementation.py:        self.kmcert = '/usr/share/geni-ch/km/km-cert.pem'
./chapi/tools/cert_utils.py:                         '-config', '/usr/share/geni-ch/CA/openssl.cnf', 
./chapi/tools/.bashrc:export GCFHOME=/usr/share/geni-ch/gcf/src

Imported from trac ticket #25, created by ahelsing on 11-08-2013 at 16:41, last modified: 03-31-2015 at 14:13

"List object has no attribute has_key" when you click 'join a project'

Imported from trac ticket #42, created by ahelsing on 11-14-2013 at 14:09, last modified: 11-19-2013 at 15:10

It's not ideal to compile ABAC in situ on each CHAPI end-host, primarily because it could introduce compile-related discrepancies between portal/CH hosts which are hard to debug. Is it possible to compile ABAC once and have the CH install simply unpack it?

This would remove the need for g++, autoconf-archive, and swig, on portal/CH nodes.

Imported from trac ticket #13, created by chaos on 11-08-2013 at 12:00, last modified: 11-15-2013 at 08:12

The install script checks out special dev tags currently

For the 'real' install on nye, this will need to work from master or similar.

Imported from trac ticket #22, created by ahelsing on 11-08-2013 at 16:15, last modified: 11-13-2013 at 17:28

In the old CH, we input the role as an integer. In the new chapi, we input the role as a string, all caps. The string later gets converted to an int using the cs_attribute table.

The geni-add-project-member script is still using an int to input the role.

Will check the API to see which format is correct and change the script or code as appropriate.

Imported from trac ticket #10, created by phelinek on 11-07-2013 at 17:30, last modified: 11-15-2013 at 08:12

Software installed into central directories on Ubuntu systems via easy_install is difficult to maintain. Install the python lxml module by installing the python-lxml package via apt-get, rather than by using easy_install.

Imported from trac ticket #14, created by chaos on 11-08-2013 at 12:10, last modified: 11-15-2013 at 08:10

When Flack is launched via a portal backed by chapi the user is not logged in. The initialize user task in Flack has the error "tlsError: Certificate is not trusted."

Imported from trac ticket #34, created by tmitchel on 11-12-2013 at 15:55, last modified: 11-18-2013 at 18:17

The CHAPI installation creates an empty /usr/share/geni-chapi directory. Remove this if it's not needed.

Imported from trac ticket #30, created by chaos on 11-12-2013 at 13:02, last modified: 11-15-2013 at 08:12

The /usr/share/geni-ch/chapi/ directory is installed by install_chapi with the git artifacts of its various component repositories attached, including .gitignore and .git/. Perhaps the tar commands could be modified to exclude git artifacts.

Imported from trac ticket #5, created by chaos on 11-07-2013 at 14:22, last modified: 11-13-2013 at 17:26

A single load of the home page results in 480K of data in the log file. Two loads is nearly 1MB of log info. None of these messages are at DEBUG level. This may be too much data. We may need to tune what gets logged at what level.

Imported from trac ticket #16, created by tmitchel on 11-08-2013 at 12:11, last modified: 11-28-2013 at 06:31

Remove project member:
Check if member is a lead, can't remove lead
Remove member from all project slices:
-if member was lead of the slice, make project lead the slice lead (add project lead to slice if not a slice member)

Modify project member:
If member is becoming the new lead:
-make sure he/she is authorized
-put the new lead as admin on all project slices
Admin cannot change his own role

NOTE:MOVING THIS TO NEW TICKET
Add project member:
Send email

Imported from trac ticket #11, created by phelinek on 11-07-2013 at 17:32, last modified: 11-15-2013 at 13:57

I am now able to swap lead and admin roles using the scripts, but when I tried to do it in the portal (I'm lead and Tom is admin, and I tried to switch them), I get a server error (below). Looks like it is using urn and it expects uuid.

2013-11-15 14:40:30,650 [ERROR] - [sav1] [SERVER] SERVER_ERROR ((DataError) invalid input syntax for uuid: "urn:publicid:IDN+ch-ph.gpolab.bbn.c
om+user+tmitchel"
LINE 3: WHERE ma_member_attribute.member_id = E'urn:publicid:IDN+ch-...
^
'SELECT ma_member_attribute.value AS ma_member_attribute_value \nFROM ma_member_attribute \nWHERE ma_member_attribute.member_id = %(member_id_
1)s AND ma_member_attribute.name = %(name_1)s' {'name_1': 'PROJECT_LEAD', 'member_id_1': 'urn:publicid:IDN+ch-ph.gpolab.bbn.com+user+tmitchel'}
)
2013-11-15 14:40:30,651 [ERROR] - [sav1] Traceback (most recent call last):
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/chapiv1rpc/chapi/SliceAuthority.py", line 426, in modify_project_membership
credentials, options)
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/sarm/SAv1PersistentImplementation.py", line 782, in modify_project_membership
rows = q.all()
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/orm/query.py", line 2237, in all
return list(self)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/orm/query.py", line 2349, in iter
return self._execute_and_instances(context)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/orm/query.py", line 2364, in _execute_and_insta
nces
result = conn.execute(querycontext.statement, self._params)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 662, in execute
params)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 761, in _execute_clauseel
ement
compiled_sql, distilled_params
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 874, in _execute_context
context)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_ex
ception
exc_info
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/util/compat.py", line 195, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 867, in execute_context
context)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/default.py", line 324, in do_execute
cursor.execute(statement, parameters)
DataError: (DataError) invalid input syntax for uuid: "urn:publicid:IDN+ch-ph.gpolab.bbn.com+user+tmitchel"
LINE 3: WHERE ma_member_attribute.member_id = E'urn:publicid:IDN+ch-...
^
'SELECT ma_member_attribute.value AS ma_member_attribute_value \nFROM ma_member_attribute \nWHERE ma_member_attribute.member_id = %(member_id
1)s AND ma_member_attribute.name = %(name_1)s' {'name_1': 'PROJECT_LEAD', 'member_id_1': 'urn:publicid:IDN+ch-ph.gpolab.bbn.com+user+tmitchel'}

Imported from trac ticket #49, created by phelinek on 11-15-2013 at 14:44, last modified: 11-19-2013 at 11:59

secure/omni-bundle.php

This page should have a drop-down of your projects.

In my case, the home page shows me a list of projects, but this page does not.

Imported from trac ticket #20, created by ahelsing on 11-08-2013 at 15:07, last modified: 11-19-2013 at 11:57

When I upload a new ssh key, I don't get any errors reported, but the new key doesn't appear in the list as it should

Imported from trac ticket #29, created by phelinek on 11-12-2013 at 11:32, last modified: 11-13-2013 at 23:30

The install_chapi script installs /usr/share/geni-ch/chapi and its contents as owned by whatever user ran the script. This should instead be owned by root --- nothing centrally installed should depend on a particular Unix user.

Imported from trac ticket #2, created by chaos on 11-07-2013 at 11:35, last modified: 11-08-2013 at 14:37

Right now the Parameters.py file contains:

    {   
        'name': "flask.debug.client_cert_file",
        'val': "/home/mbrinn/.gcf/mbrinn-cert.pem",
        'desc': "Debug client cert file"
    },

Change that to something real if it's needed, or remove it if it's not.

Imported from trac ticket #9, created by chaos on 11-07-2013 at 17:02, last modified: 11-08-2013 at 12:42

If AMsoil is handed a request from apache it doesn't like, it appears to handle the request without logging anything. This seems to include:

1. Requests handed to AMsoil via a URL which AMsoil doesn't recognize as a handler it has registered (e.g. via xmlrpc.registerXMLRPC, i think)

2. Requests handed to AMsoil via a valid handler, which it responds to with a 405 "Method Not Allowed" response
   and possibly other things. These issues make debugging hard, and issue 1 in particular means we need to make sure to lock down apache's configuration and never send AMsoil anything it can't handle (not trivial because of how fastcgi works), because if we do, we'll never know.

   Imported from trac ticket #37, created by chaos on 11-13-2013 at 17:57, last modified: 03-31-2015 at 14:13

AMsoil v0.4 has been released. It may have all the local fixes, or at least some of them.

Upgrade chapi to work with AMsoil v0.4.

Imported from trac ticket #40, created by tmitchel on 11-14-2013 at 13:22, last modified: 07-15-2014 at 13:03

The return value from MA.lookup_keys changed but PGCH is trying to parse the old structure. Update PGCH to parse the new result structure.

Stack trace from chapi.log:

[14:42:38,098](2013-11-14) [ERROR] PGCH: Exception: string indices must be integers
  File "/usr/share/geni-ch/chapi/AMsoil-gpo-0.3.2/src/plugins/pgch/PGCH.py", line 111, in GetKeys
    result = self._delegate.GetKeys(client_cert, args)
  File "/usr/share/geni-ch/chapi/AMsoil-gpo-0.3.2/src/plugins/pgch/PGCH.py", line 503, in GetKeys
    for ssh_key in ssh_keys_result['value']]

Imported from trac ticket #45, created by tmitchel on 11-14-2013 at 15:13, last modified: 11-14-2013 at 17:37

Flack adds "/ch" to the flashvars.churl which causes AMsoil to report a 404 not found error. Flack should use the URL it is given, not modify the URL.

Imported from trac ticket #46, created by tmitchel on 11-14-2013 at 15:26, last modified: 11-20-2013 at 12:16

This functionality was in the old SA but not the new SA

Imported from trac ticket #33, created by phelinek on 11-12-2013 at 14:28, last modified: 12-09-2013 at 10:50

Ensure that omni 2.4 operates properly with chapi:

• Generate an outside cert in all 3 ways, download it, and confirm it is reasonable

• download an omni bundle, run omni_configure, and talk to a chapi server

  • Manually edit the config to talk to pgch on port 8443

• Run all the usual omni commands:

  • get_ch_version
  • clean up fields
  • list_aggregates
  • listmyslices
  • listmykeys
  • listslices <username - not you>
  • createslice
  • getslicecred
  • renewslice

  Imported from trac ticket #24, created by ahelsing on 11-08-2013 at 16:23, last modified: 11-20-2013 at 14:51

Use the autoconf/automake method to install chapi instead of tar.

Also, remove update_ch because it is no longer needed due to the implementation of autoconf/automake.

Imported from trac ticket #17, created by tmitchel on 11-08-2013 at 13:10, last modified: 11-13-2013 at 17:27

CHv1Guard uses method names get_member_authorities, get_slice_authorities and get_aggregates rather than the revised names lookup_member_authorities, lookup_slice_authorities and lookup_aggregates.

This means the there is no argument checking on any of these calls.

Imported from trac ticket #39, created by mbrinn on 11-14-2013 at 08:48, last modified: 11-21-2013 at 14:07

We need some scaling testing of the portal on top of the new chapi - like 20 people doing the same things at once

Imported from trac ticket #26, created by ahelsing on 11-08-2013 at 16:46, last modified: 07-15-2014 at 12:59

Currently, logs go to

• /tmp/chapi.log (really the config param chapi.log_file)
• apache2/error.log (only for exceptional items)
• apache2/ch_error.log
• amsoil.log

Clean this up so that for most purposes, you can look at a single log file (perhaps except for developers). And log all messages in a standard format that includes the usual suspects (timestamp, log level, file/module logging the message, etc). Also, send critical things to syslog. And be sure all log files are suitably rotated.

Finally, check that all the right thing are being logged with reasonable text from the actual methods.

Imported from trac ticket #23, created by ahelsing on 11-08-2013 at 16:19, last modified: 11-28-2013 at 06:34

After importing a new db to emmons from nye, I need to have my new certificate for running the geni scripts. When I try to download the key I get a zero-length file

Imported from trac ticket #4, created by phelinek on 11-07-2013 at 13:36, last modified: 11-08-2013 at 14:34

Software installed into central directories on Ubuntu systems via easy_install is difficult to maintain. Install the python sqlalchemy module by installing the python-sqlalchemy package via apt-get, rather than by using easy_install.

Imported from trac ticket #15, created by chaos on 11-08-2013 at 12:11, last modified: 11-15-2013 at 08:10

The install_ch script creates /usr/share/geni-ch/.bashrc, which is confusing. I believe this script is an example bashrc, so it should be installed somewhere which makes that more clear, e.g. /etc/geni-chapi/example-bashrc to match other similar files.

Imported from trac ticket #31, created by chaos on 11-12-2013 at 13:16, last modified: 02-05-2015 at 17:04

[SERVER] SERVER_ERROR ((DataError) invalid input syntax for type timestamp: "" LINE 1: ...roject SET project_purpose=E'testing', expiration=E_ WHERE ... ^ 'UPDATE pa_project SET project_purpose=%(project_purpose)s, expiration=%(expiration)s WHERE pa_project.project_name = %(project_name_1)s' {'project_name_1': 'ahscaletest', 'project_purpose': 'testing', 'expiration': _})

Imported from trac ticket #44, created by ahelsing on 11-14-2013 at 14:11, last modified: 11-19-2013 at 11:55

We want them to be going to ch_error.log

Imported from trac ticket #3, created by somebody on 11-07-2013 at 13:35, last modified: 04-02-2014 at 16:35

When i install CHAPI using the instructions in chapi/INSTALL, including copying /etc/geni-chapi/example-chapi.ini to chapi.ini and changing the settings recommended by INSTALL, AMsoil fails, logging:

[Mon Nov 11 17:48:24 2013] [warn] FastCGI: server "/usr/share/geni-ch/chapi/AMsoil/src/main.py" restarted (pid 5465)
Traceback (most recent call last):
  File "/usr/share/geni-ch/chapi/AMsoil/src/main.py", line 40, in <module>
    main()
  File "/usr/share/geni-ch/chapi/AMsoil/src/main.py", line 19, in main
    pm.init(config.PLUGINS_PATH)
  File "/usr/share/geni-ch/chapi/AMsoil/src/amsoil/core/pluginmanager.py", line 256, in init
    pluginInfo.setup()
  File "/usr/share/geni-ch/chapi/AMsoil/src/amsoil/core/pluginmanager.py", line 145, in setup
    self._pluginModule.setup()
  File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/marm/plugin.py", line 35, in setup
    delegate = MAv1Implementation()
  File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/marm/MAv1Implementation.py", line 171, in __init__
    for f in os.listdir(trusted_root) if not f.startswith('CAT')]
OSError: [Errno 2] No such file or directory: '/path/to/trusted/roots/directory'

Looks like my chapi.ini now contains a bunch of entries like:

; Folder which includes trusted clearinghouse certificates for GENI
;  API v3 (in .pem format). If relative path, the root is assumed to be
;  git repo root.
ch_cert_root=/path/to/trusted/roots/directory

; Location of CH certificate
ch_cert=/path/to/root/certificate.pem

etc.

Imported from trac ticket #28, created by chaos on 11-11-2013 at 17:53, last modified: 11-15-2013 at 08:11

It looks like CHAPI installs:

/usr/local/bin/util/chapi.py
/usr/local/bin/util/__init__.py

At a glance, those also seem to be executables and not to have main() routines, so i think they're meant to be included as modules. I think they should be (a) non-executable, and (b) in a lib directory, preferably under a geni-ch or geni-chapi specific path, not under /usr/local/bin

Imported from trac ticket #36, created by chaos on 11-12-2013 at 17:37, last modified: 11-15-2013 at 08:10

[SERVER] SERVER_ERROR ('list' object has no attribute 'has_key')

Imported from trac ticket #43, created by phelinek on 11-14-2013 at 14:10, last modified: 11-19-2013 at 11:58

When the CH is in active use, there seem to regularly be a couple of defunct python processes lying around on the system, e.g.

www-data 19503 17538  1 17:16 ?        00:00:00 [python] <defunct>
www-data 19504 17538  2 17:16 ?        00:00:00 [python] <defunct>

The number of these doesn't appear to grow, so it may not be very harmful, but it seems unclean (and i'm not entirely sure the number will never grow).

Imported from trac ticket #27, created by chaos on 11-11-2013 at 17:19, last modified: 04-02-2014 at 16:45

Investigate whether the following easy_install packages are needed for chapi, and remove them from install_ch if they are not:

blinker
pika
flask
Flask-XML-RPC

Imported from trac ticket #18, created by chaos on 11-08-2013 at 14:13, last modified: 11-15-2013 at 08:11

When the apache deflate module is enabled omni gets confused about the output from PGCH and gets errors like:

IncompleteRead(313 bytes read, 765 more expected)

Disabling deflation of mime type text/xml fixes the issue.

Is there a way to disable deflation only in the relevant servers (ch:443, ch:8443)? Or do we need to disable this globally?

Imported from trac ticket #50, created by tmitchel on 11-15-2013 at 16:01, last modified: 11-18-2013 at 09:38

Recently I added functionality to geni-revoke-member-privilege when removing lead privileges. The new code finds all projects for which the member is a lead, checks if there is an admin who is authorized to lead, and transfers the project lead role to the authorized admin. If there is no authorized admin on a project, the code refuses to revoke the privilege.

This functionality has been removed in the new chapi.

Imported from trac ticket #19, created by phelinek on 11-08-2013 at 14:27, last modified: 11-19-2013 at 11:35

The config parameter chapiv1rpc.ch_cert controls which certificate is used to create ABAC assertions. Consider asserting from more specific entities like the MA and the SA.

Imported from trac ticket #12, created by tmitchel on 11-08-2013 at 11:58, last modified: 07-15-2014 at 13:02

I needed to log in as another member to give myself back lead role on a project. When I logged in as Tom, I got the server error (below). However, I was still able to see projects, edit membership,etc

2013-11-15 11:26:23,761 [ERROR] - [csv1] [SERVER] SERVER_ERROR ((ProgrammingError) SSL error: block type is not 01
'SELECT cs_action.name AS cs_action_name, cs_action.context_type AS cs_action_context_type, sa_slice_member.slice_id AS context \nFROM cs_acti
on, sa_slice_member, cs_policy \nWHERE sa_slice_member.member_id = %(member_id_1)s AND sa_slice_member.role = cs_policy.attribute AND cs_action
.privilege = cs_policy.privilege AND cs_policy.context_type = %(context_type_1)s AND cs_action.context_type = cs_policy.context_type' {'member_
id_1': '2a14f82f-0ceb-429f-a4ce-e443c064ead4', 'context_type_1': 2})
2013-11-15 11:26:23,761 [ERROR] - [csv1] Traceback (most recent call last):
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/csrm/CredentialStore.py", line 92, in get_permissions
credentials, options)
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/csrm/CredentialStore.py", line 192, in get_permissions
slice_rows = q.all()
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/orm/query.py", line 2237, in all
return list(self)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/orm/query.py", line 2349, in iter
return self._execute_and_instances(context)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/orm/query.py", line 2364, in _execute_and_insta
nces
result = conn.execute(querycontext.statement, self._params)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 662, in execute
params)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 761, in _execute_clauseel
ement
compiled_sql, distilled_params
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 874, in _execute_context
context)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_ex
ception
exc_info
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/util/compat.py", line 195, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/base.py", line 867, in execute_context
context)
File "/usr/local/lib/python2.6/dist-packages/SQLAlchemy-0.8.2-py2.6-linux-i686.egg/sqlalchemy/engine/default.py", line 324, in do_execute
cursor.execute(statement, parameters)
ProgrammingError: (ProgrammingError) SSL error: block type is not 01
'SELECT cs_action.name AS cs_action_name, cs_action.context_type AS cs_action_context_type, sa_slice_member.slice_id AS context \nFROM cs_acti
on, sa_slice_member, cs_policy \nWHERE sa_slice_member.member_id = %(member_id_1)s AND sa_slice_member.role = cs_policy.attribute AND cs_action
.privilege = cs_policy.privilege AND cs_policy.context_type = %(context_type_1)s AND cs_action.context_type = cs_policy.context_type' {'member
id_1': '2a14f82f-0ceb-429f-a4ce-e443c064ead4', 'context_type_1': 2}

Imported from trac ticket #48, created by phelinek on 11-15-2013 at 11:33, last modified: 12-16-2013 at 16:48

We don't really need to install the 3MB of AMSoil docs in AMsoil/doc (installed in /usr/share/geni-ch/chapi)

Imported from trac ticket #8, created by ahelsing on 11-07-2013 at 16:04, last modified: 07-15-2014 at 13:01

On project page the list of project members, other than the current user shows only the username not the other user's Pretty Name

Imported from trac ticket #41, created by ahelsing on 11-14-2013 at 14:08, last modified: 11-19-2013 at 11:34

I have operator and lead privileges on my portal so I think I should be authorized to do anything. When I tried to revoke a members lead privilege (using geni-revoke-member-privilege) I get the following amsoil stacktrace:

2013-11-08 15:06:57,601 [INFO] - [mav1] Called: <revoke_member_privilege>
2013-11-08 15:06:57,605 [ERROR] - [mav1] [AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method revoke_member_privilege with options {} arguments {'privilege': 'PROJECT_LEAD', 'member_uid': '2a
14f82f-0ceb-429f-a4ce-e443c064ead4'} query ME.MAY_REVOKE_MEMBER_PRIVILEGE<-CALLER)
2013-11-08 15:06:57,605 [ERROR] - [mav1] Traceback (most recent call last):
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/chapiv1rpc/chapi/MemberAuthority.py", line 451, in revoke_member_privilege
'privilege': privilege})
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/chrm/ABACGuard.py", line 223, in validate_call
credentials, options, arguments)
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/chrm/ABACGuard.py", line 66, in validate
self.authorize_call(client_cert, method, credentials, options, arguments)
File "/usr/share/geni-ch/chapi/AMsoil/src/plugins/chrm/ABACGuard.py", line 183, in authorize_call
(method, options, arguments, query));
CHAPIv1AuthorizationError: [AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method revoke_member_privilege with options {} arguments {'privilege': 'PROJECT_LEAD', 'member_uid': '2a14f82f-0ceb-429f-a4ce-e443c064ead4'} query ME.MAY_REVOKE_MEMBER_PRIVILEGE<-CALLER)

Imported from trac ticket #21, created by phelinek on 11-08-2013 at 16:11, last modified: 11-19-2013 at 11:57