Ticket #343 (closed defect: fixed)

Opened 5 years ago

Last modified 4 years ago

recording the correct slice owner for speaks-for case

Reported by: anirban Owned by: anirban
Priority: major Milestone:
Component: ORCA: controllers - GENI AM Version: baseline
Keywords: Cc: ibaldin@…

Description

The issue is when slices are created using speaks-for credential, the correct slice owner is not recorded.

The slice owner is currently recorded as either subject alternative name or SubjectDN name in the 0'th certificate in the SSL clientcertchain. This is done in validateOrcaCredential() in XmlrpcHandlerHelper?. The userDN that is returned by this method is registered as XmlrpcOrcaState?.XMLRPC_USER_DN local property for each reservation in createSlice() in OrcaXmlRpcHandler?.

This does not work for the speaks-for case because the slice owner needs to be registered as the real user, and not the tool, which is at the client end of the SSL connection.

We need to modify validateOrcaCredential() by looking into the set of credentials passed (which are currently ignored). If one of the credentials is a speaks-for credential, the userDN must be culled from the user cert in the speaks-for credential. Remember that the speaks-for (tool) credential contains the signer (== user) certificate inside it. We can get the user certificate by doing

Gid userGid = credential.getSignature().getIssuerGid(); // user gid
X509Certificate userCert = userGid.getCertificate();

From userCert, we can get the subject alternative name or subjectDN name, which can be used to make userDN to be returned from validateOrcaCredential().

Change History

Changed 5 years ago by ibaldin

  • owner changed from ibaldin to anirban
  • component changed from Don't Know to ORCA: controllers - GENI AM

Changed 4 years ago by ibaldin

ping - what's the status of this?

Changed 4 years ago by anirban

  • status changed from new to closed
  • resolution set to fixed

changes checked in (-r 7073)

Note: See TracTickets for help on using tickets.