From bdaa3f3f1d341ad88a1c31520d1730e1a723b8cd Mon Sep 17 00:00:00 2001 From: Michael McCune Date: Wed, 13 Jan 2016 12:01:24 -0500 Subject: [PATCH] add cdh plugin passwords to key manager This patch changes the way that the cdh plugin handles its generated passwords for the ClouderaManager, Hive, and Sentry. The helper functions for generating and retrieving passwords has been modified to use the key manager interface for store, retrieving, and deleting passwords. * modify the get_password_from_db helper function to use the key manager interface * add methods to delete passwords from the key manager * add convenience definitions for the individual password names * add deletion to the on_terminate_cluster function of the AbstractVersionHandler Change-Id: Ia55758010e42961a1ebe8159f5fc0e1787069731 Partial-Implements: blueprint improved-secret-storage --- sahara/plugins/cdh/abstractversionhandler.py | 4 +- sahara/plugins/cdh/db_helper.py | 50 ++++++++++++++++++-- sahara/plugins/cdh/v5/db_helper.py | 2 +- sahara/plugins/cdh/v5_3_0/db_helper.py | 4 +- sahara/plugins/cdh/v5_4_0/db_helper.py | 4 +- 5 files changed, 55 insertions(+), 9 deletions(-) diff --git a/sahara/plugins/cdh/abstractversionhandler.py b/sahara/plugins/cdh/abstractversionhandler.py index 5ba3cb36a1..7bff14ca94 100644 --- a/sahara/plugins/cdh/abstractversionhandler.py +++ b/sahara/plugins/cdh/abstractversionhandler.py @@ -17,6 +17,8 @@ import abc import six +from sahara.plugins.cdh import db_helper as dh + @six.add_metaclass(abc.ABCMeta) class AbstractVersionHandler(object): @@ -70,4 +72,4 @@ class AbstractVersionHandler(object): return def on_terminate_cluster(self, cluster): - pass + dh.delete_passwords_from_keymanager(cluster) diff --git a/sahara/plugins/cdh/db_helper.py b/sahara/plugins/cdh/db_helper.py index 4c85f846e8..3cb81af376 100644 --- a/sahara/plugins/cdh/db_helper.py +++ b/sahara/plugins/cdh/db_helper.py @@ -19,26 +19,70 @@ import six from sahara import conductor from sahara import context +from sahara.service.castellan import utils as key_manager + +CM_PASSWORD = 'cm_password' +HIVE_DB_PASSWORD = 'hive_db_password' +SENTRY_DB_PASSWORD = 'sentry_db_password' conductor = conductor.API +def delete_password_from_keymanager(cluster, pwname): + """delete the named password from the key manager + + This function will lookup the named password in the cluster entry + and delete it from the key manager. + + :param cluster: The cluster record containing the password + :param pwname: The name associated with the password + """ + ctx = context.ctx() + cluster = conductor.cluster_get(ctx, cluster.id) + key_id = cluster.extra.get(pwname) if cluster.extra else None + if key_id is not None: + key_manager.delete_key(key_id, ctx) + + +def delete_passwords_from_keymanager(cluster): + """delete all passwords associated with a cluster + + This function will remove all passwords stored in a cluster database + entry from the key manager. + + :param cluster: The cluster record containing the passwords + """ + delete_password_from_keymanager(cluster, CM_PASSWORD) + delete_password_from_keymanager(cluster, HIVE_DB_PASSWORD) + delete_password_from_keymanager(cluster, SENTRY_DB_PASSWORD) + + def get_password_from_db(cluster, pwname): + """return a password for the named entry + + This function will return, or create and return, a password for the + named entry. It will store the password in the key manager and use + the ID in the database entry. + + :param cluster: The cluster record containing the password + :param pwname: The entry name associated with the password + :returns: The cleartext password + """ ctx = context.ctx() cluster = conductor.cluster_get(ctx, cluster.id) passwd = cluster.extra.get(pwname) if cluster.extra else None if passwd: - return passwd + return key_manager.get_secret(passwd, ctx) passwd = six.text_type(uuid.uuid4()) extra = cluster.extra.to_dict() if cluster.extra else {} - extra[pwname] = passwd + extra[pwname] = key_manager.store_secret(passwd, ctx) cluster = conductor.cluster_update(ctx, cluster, {'extra': extra}) return passwd def get_cm_password(cluster): - return get_password_from_db(cluster, 'cm_password') + return get_password_from_db(cluster, CM_PASSWORD) def remote_execute_db_script(remote, script_content): diff --git a/sahara/plugins/cdh/v5/db_helper.py b/sahara/plugins/cdh/v5/db_helper.py index d66a3652f8..c892fd7f7f 100644 --- a/sahara/plugins/cdh/v5/db_helper.py +++ b/sahara/plugins/cdh/v5/db_helper.py @@ -18,7 +18,7 @@ from sahara.utils import files def get_hive_db_password(cluster): - return dh.get_password_from_db(cluster, 'hive_db_password') + return dh.get_password_from_db(cluster, dh.HIVE_DB_PASSWORD) def create_hive_database(cluster, remote): diff --git a/sahara/plugins/cdh/v5_3_0/db_helper.py b/sahara/plugins/cdh/v5_3_0/db_helper.py index c4bfccf746..e867dc22af 100644 --- a/sahara/plugins/cdh/v5_3_0/db_helper.py +++ b/sahara/plugins/cdh/v5_3_0/db_helper.py @@ -18,11 +18,11 @@ from sahara.utils import files def get_hive_db_password(cluster): - return dh.get_password_from_db(cluster, 'hive_db_password') + return dh.get_password_from_db(cluster, dh.HIVE_DB_PASSWORD) def get_sentry_db_password(cluster): - return dh.get_password_from_db(cluster, 'sentry_db_password') + return dh.get_password_from_db(cluster, dh.SENTRY_DB_PASSWORD) def create_hive_database(cluster, remote): diff --git a/sahara/plugins/cdh/v5_4_0/db_helper.py b/sahara/plugins/cdh/v5_4_0/db_helper.py index e430609666..8a2511ffaf 100644 --- a/sahara/plugins/cdh/v5_4_0/db_helper.py +++ b/sahara/plugins/cdh/v5_4_0/db_helper.py @@ -18,11 +18,11 @@ from sahara.utils import files def get_hive_db_password(cluster): - return dh.get_password_from_db(cluster, 'hive_db_password') + return dh.get_password_from_db(cluster, dh.HIVE_DB_PASSWORD) def get_sentry_db_password(cluster): - return dh.get_password_from_db(cluster, 'sentry_db_password') + return dh.get_password_from_db(cluster, dh.SENTRY_DB_PASSWORD) def create_hive_database(cluster, remote):