Adds SetUserPassword plugin

Password management needs to be separated from the CreateUserPlugin.
2013-05-02 02:59:03 +03:00
parent 3e120de02a
commit af4e772137
5 changed files with 36 additions and 85 deletions
--- a/cloudbaseinit/plugins/windows/createuser.py
+++ b/cloudbaseinit/plugins/windows/createuser.py
@@ -14,15 +14,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-import base64
-import os
-
-from cloudbaseinit.metadata.services import base as services_base
 from cloudbaseinit.openstack.common import cfg
 from cloudbaseinit.openstack.common import log as logging
 from cloudbaseinit.osutils import factory as osutils_factory
 from cloudbaseinit.plugins import base
-from cloudbaseinit.utils import crypt

 opts = [
    cfg.StrOpt('username', default='Admin', help='User to be added to the '
@@ -42,81 +37,25 @@ LOG = logging.getLogger(__name__)


 class CreateUserPlugin(base.BasePlugin):
-    _post_password_md_ver = '2013-04-04'
-
-    def _generate_random_password(self, length):
-        # On Windows os.urandom() uses CryptGenRandom, which is a
-        # cryptographically secure pseudorandom number generator
-        b64_password = base64.b64encode(os.urandom(256))
-        return b64_password.replace('/', '').replace('+', '')[:length]
-
-    def _encrypt_password(self, ssh_pub_key, password):
-        cm = crypt.CryptManager()
-        with cm.load_ssh_rsa_public_key(ssh_pub_key) as rsa:
-            enc_password = rsa.public_encrypt(password)
-        return base64.b64encode(enc_password)
-
-    def _get_ssh_public_key(self, service):
-        meta_data = service.get_meta_data('openstack',
-                                          self._post_password_md_ver)
-        if not 'public_keys' in meta_data:
-            return False
-
-        public_keys = meta_data['public_keys']
-        ssh_pub_key = None
-        for k in public_keys:
-            # Get the first key
-            ssh_pub_key = public_keys[k]
-            break
-        return ssh_pub_key
-
-    def _get_password(self, service):
+    def _get_password(self, service, osutils):
        meta_data = service.get_meta_data('openstack')
        if 'admin_pass' in meta_data and CONF.inject_user_password:
+            LOG.warn('Using admin_pass metadata user password. Consider '
+                     'changing it as soon as possible')
            password = meta_data['admin_pass']
        else:
-            LOG.debug('Generating random password')
-            # Generate a random password
-            # Limit to 14 chars for compatibility with NT
-            password = self._generate_random_password(14)
+            # Generate a temporary random password to be replaced
+            # by SetUserPasswordPlugin (starting from Grizzly)
+            password = osutils.generate_random_password(14)
        return password

-    def _set_metadata_password(self, password, service):
-        try:
-            ssh_pub_key = self._get_ssh_public_key(service)
-            if ssh_pub_key:
-                enc_password_b64 = self._encrypt_password(ssh_pub_key,
-                                                          password)
-                return service.post_password(enc_password_b64,
-                                             self._post_password_md_ver)
-            else:
-                LOG.info('No SSH public key available for password encryption')
-                return True
-        except services_base.NotExistingMetadataException:
-            # Requested version not available or password feature
-            # not implemented
-            LOG.info('Cannot set the password in the metadata as it is not '
-                     'supported by this metadata version')
-            return True
-
    def execute(self, service):
        user_name = CONF.username

-        password = self._get_password(service)
-
-        if service.can_post_password:
-            md_pwd_already_set = not self._set_metadata_password(password,
-                                                                 service)
-        else:
-            md_pwd_already_set = False
-            LOG.info('Cannot set the password in the metadata as it is not '
-                     'supported by this service')
-
        osutils = osutils_factory.OSUtilsFactory().get_os_utils()
        if not osutils.user_exists(user_name):
-            if md_pwd_already_set:
-                LOG.warning('Creating user, but the password was not set in '
-                            'the metadata as it was previously set')
+            password = self._get_password(service, osutils)
+
            osutils.create_user(user_name, password)
            # Create a user profile in order for other plugins
            # to access the user home, etc
@@ -124,12 +63,6 @@ class CreateUserPlugin(base.BasePlugin):
                                                      password,
                                                      True)
            osutils.close_user_logon_session(token)
-        else:
-            if not md_pwd_already_set:
-                osutils.set_user_password(user_name, password)
-            else:
-                LOG.warning('Cannot change the user\'s password as it is '
-                            'already set in the metadata')

        for group_name in CONF.groups:
            try: