#!/usr/bin/python # # Copyright (C) 2006, 2007 Google Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301, USA. """Ganeti Remote API master script. """ # pylint: disable-msg=C0103,W0142 # C0103: Invalid name ganeti-watcher import logging import optparse import sys import os import os.path from ganeti import constants from ganeti import http from ganeti import daemon from ganeti import ssconf from ganeti import luxi from ganeti import serializer from ganeti.rapi import connector import ganeti.http.auth # pylint: disable-msg=W0611 import ganeti.http.server class RemoteApiRequestContext(object): """Data structure for Remote API requests. """ def __init__(self): self.handler = None self.handler_fn = None self.handler_access = None class JsonErrorRequestExecutor(http.server.HttpServerRequestExecutor): """Custom Request Executor class that formats HTTP errors in JSON. """ error_content_type = "application/json" def _FormatErrorMessage(self, values): """Formats the body of an error message. @type values: dict @param values: dictionary with keys code, message and explain. @rtype: string @return: the body of the message """ return serializer.DumpJson(values, indent=True) class RemoteApiHttpServer(http.auth.HttpServerRequestAuthentication, http.server.HttpServer): """REST Request Handler Class. """ AUTH_REALM = "Ganeti Remote API" def __init__(self, *args, **kwargs): http.server.HttpServer.__init__(self, *args, **kwargs) http.auth.HttpServerRequestAuthentication.__init__(self) self._resmap = connector.Mapper() # Load password file if os.path.isfile(constants.RAPI_USERS_FILE): self._users = http.auth.ReadPasswordFile(constants.RAPI_USERS_FILE) else: self._users = None def _GetRequestContext(self, req): """Returns the context for a request. The context is cached in the req.private variable. """ if req.private is None: (HandlerClass, items, args) = \ self._resmap.getController(req.request_path) ctx = RemoteApiRequestContext() ctx.handler = HandlerClass(items, args, req) method = req.request_method.upper() try: ctx.handler_fn = getattr(ctx.handler, method) except AttributeError: raise http.HttpNotImplemented("Method %s is unsupported for path %s" % (method, req.request_path)) ctx.handler_access = getattr(ctx.handler, "%s_ACCESS" % method, None) # Require permissions definition (usually in the base class) if ctx.handler_access is None: raise AssertionError("Permissions definition missing") req.private = ctx # Check for expected attributes assert req.private.handler assert req.private.handler_fn assert req.private.handler_access is not None return req.private def AuthenticationRequired(self, req): """Determine whether authentication is required. """ return bool(self._GetRequestContext(req).handler_access) def Authenticate(self, req, username, password): """Checks whether a user can access a resource. """ ctx = self._GetRequestContext(req) # Check username and password valid_user = False if self._users: user = self._users.get(username, None) if user and self.VerifyBasicAuthPassword(req, username, password, user.password): valid_user = True if not valid_user: # Unknown user or password wrong return False if (not ctx.handler_access or set(user.options).intersection(ctx.handler_access)): # Allow access return True # Access forbidden raise http.HttpForbidden() def HandleRequest(self, req): """Handles a request. """ ctx = self._GetRequestContext(req) try: result = ctx.handler_fn() sn = ctx.handler.getSerialNumber() if sn: req.response_headers[http.HTTP_ETAG] = str(sn) except luxi.TimeoutError: raise http.HttpGatewayTimeout() except luxi.ProtocolError, err: raise http.HttpBadGateway(str(err)) except: method = req.request_method.upper() logging.exception("Error while handling the %s request", method) raise return result def CheckRapi(options, args): """Initial checks whether to run or exit with a failure. """ if args: # rapi doesn't take any arguments print >> sys.stderr, ("Usage: %s [-f] [-d] [-p port] [-b ADDRESS]" % sys.argv[0]) sys.exit(constants.EXIT_FAILURE) ssconf.CheckMaster(options.debug) def ExecRapi(options, _): """Main remote API function, executed with the PID file held. """ # Read SSL certificate if options.ssl: ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key, ssl_cert_path=options.ssl_cert) else: ssl_params = None mainloop = daemon.Mainloop() server = RemoteApiHttpServer(mainloop, options.bind_address, options.port, ssl_params=ssl_params, ssl_verify_peer=False, request_executor_class=JsonErrorRequestExecutor) server.Start() try: mainloop.Run() finally: server.Stop() def main(): """Main function. """ parser = optparse.OptionParser(description="Ganeti Remote API", usage="%prog [-f] [-d] [-p port] [-b ADDRESS]", version="%%prog (ganeti) %s" % constants.RAPI_VERSION) dirs = [(val, constants.RUN_DIRS_MODE) for val in constants.SUB_RUN_DIRS] dirs.append((constants.LOG_OS_DIR, 0750)) daemon.GenericMain(constants.RAPI, parser, dirs, CheckRapi, ExecRapi) if __name__ == "__main__": main()