def test_user_validation(self): valid_name = self._get_random_name(65535) usr = models.CassandraUser(valid_name, 'password') self.assertEqual(valid_name, usr.name) self.assertEqual('password', usr.password) with ExpectedException(ValueError): models.CassandraUser(self._get_random_name(65536))
def test_get_listed_users(self, conn): usr1 = models.CassandraUser(self._get_random_name(1025)) usr2 = models.CassandraUser(self._get_random_name(1025)) usr3 = models.CassandraUser(self._get_random_name(1025)) db1 = models.CassandraSchema('db1') db2 = models.CassandraSchema('db2') usr1.databases.append(db1.serialize()) usr3.databases.append(db2.serialize()) rv_1 = NonCallableMagicMock() rv_1.configure_mock(name=usr1.name, super=False) rv_2 = NonCallableMagicMock() rv_2.configure_mock(name=usr2.name, super=False) rv_3 = NonCallableMagicMock() rv_3.configure_mock(name=usr3.name, super=True) with patch.object(conn.return_value, 'execute', return_value=iter( [rv_1, rv_2, rv_3])): with patch.object(self.admin, '_get_acl', return_value={usr1.name: {db1.name: {'SELECT'}, db2.name: {}}, usr3.name: {db2.name: {'SELECT'}}} ): usrs = self.manager.list_users(self.context) conn.return_value.execute.assert_has_calls([ call(self.__LIST_USR_FORMAT), ], any_order=True) self.assertIn(usr1.serialize(), usrs[0]) self.assertIn(usr2.serialize(), usrs[0]) self.assertIn(usr3.serialize(), usrs[0])
def secure(self, update_user=None): """Configure the Trove administrative user. Update an existing user if given. Create a new one using the default database credentials otherwise and drop the built-in user when finished. """ LOG.info(_('Configuring Trove superuser.')) current_superuser = update_user or models.CassandraUser( self.default_superuser_name, self.default_superuser_password) if update_user: os_admin = models.CassandraUser(update_user.name, utils.generate_random_password()) CassandraAdmin(current_superuser).alter_user_password(os_admin) else: os_admin = models.CassandraUser(self._ADMIN_USER, utils.generate_random_password()) CassandraAdmin(current_superuser)._create_superuser(os_admin) CassandraAdmin(os_admin).drop_user(current_superuser) self.__create_cqlsh_config({ self._CONF_AUTH_SEC: { self._CONF_USR_KEY: os_admin.name, self._CONF_PWD_KEY: os_admin.password } }) # Update the internal status with the new user. self.status = CassandraAppStatus(os_admin) return os_admin
def test_create_user(self): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr2', '') usr3 = models.CassandraUser(self._get_random_name(1025), 'password') self.manager.create_user(self.context, self._serialize_collection(usr1, usr2, usr3)) self.conn.execute.assert_has_calls([ call(self.__CREATE_USR_FORMAT, (usr1.name, ), (usr1.password, )), call(self.__CREATE_USR_FORMAT, (usr2.name, ), (usr2.password, )), call(self.__CREATE_USR_FORMAT, (usr3.name, ), (usr3.password, )) ])
def test_revoke_access(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr1', 'password') db1 = models.CassandraSchema('db1') db2 = models.CassandraSchema('db2') self.manager.revoke_access(self.context, usr1.name, None, db1.name) self.manager.revoke_access(self.context, usr2.name, None, db2.name) conn.return_value.execute.assert_has_calls([ call(self.__REVOKE_FORMAT, (db1.name, usr1.name)), call(self.__REVOKE_FORMAT, (db2.name, usr2.name)) ])
def test_change_passwords(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr2', '') usr3 = models.CassandraUser(self._get_random_name(1025), 'password') self.manager.change_passwords( self.context, self._serialize_collection(usr1, usr2, usr3)) conn.return_value.execute.assert_has_calls([ call(self.__ALTER_USR_FORMAT, (usr1.name, ), (usr1.password, )), call(self.__ALTER_USR_FORMAT, (usr2.name, ), (usr2.password, )), call(self.__ALTER_USR_FORMAT, (usr3.name, ), (usr3.password, )) ])
def test_alter_user_password(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr2', '') usr3 = models.CassandraUser(self._get_random_name(1025), 'password') self.admin.alter_user_password(usr1) self.admin.alter_user_password(usr2) self.admin.alter_user_password(usr3) conn.return_value.execute.assert_has_calls([ call(self.__ALTER_USR_FORMAT, (usr1.name, ), (usr1.password, )), call(self.__ALTER_USR_FORMAT, (usr2.name, ), (usr2.password, )), call(self.__ALTER_USR_FORMAT, (usr3.name, ), (usr3.password, )) ])
def test_get_user(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr2') usr3 = models.CassandraUser(self._get_random_name(1025), 'password') with patch.object(self.admin, self.__N_GLU, return_value={usr1, usr2, usr3}): found = self.manager.get_user(self.context, usr2.name, None) self.assertEqual(usr2.serialize(), found) with patch.object(self.admin, self.__N_GLU, return_value=set()): self.assertIsNone( self.manager.get_user(self.context, usr2.name, None))
def setUp(self, *args, **kwargs): super(GuestAgentCassandraDBManagerTest, self).setUp() self.real_status = cass_service.CassandraAppStatus.set_status class FakeInstanceServiceStatus(object): status = ServiceStatuses.NEW def save(self): pass cass_service.CassandraAppStatus.set_status = MagicMock( return_value=FakeInstanceServiceStatus()) self.context = trove_testtools.TroveTestContext(self) self.manager = cass_manager.Manager() self.manager._Manager__admin = cass_service.CassandraAdmin( models.CassandraUser('Test')) self.admin = self.manager._Manager__admin self.pkg = cass_service.packager self.origin_os_path_exists = os.path.exists self.origin_format = volume.VolumeDevice.format self.origin_migrate_data = volume.VolumeDevice.migrate_data self.origin_mount = volume.VolumeDevice.mount self.origin_mount_points = volume.VolumeDevice.mount_points self.origin_stop_db = cass_service.CassandraApp.stop_db self.origin_start_db = cass_service.CassandraApp.start_db self.origin_install_db = cass_service.CassandraApp._install_db self.original_get_ip = netutils.get_my_ipv4 self.orig_make_host_reachable = ( cass_service.CassandraApp.apply_initial_guestagent_configuration)
def test_list_users(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr2') usr3 = models.CassandraUser(self._get_random_name(1025), 'password') with patch.object(self.admin, self.__N_GLU, return_value={usr1, usr2, usr3}): found = self.manager.list_users(self.context) self.assertEqual(2, len(found)) self.assertEqual(3, len(found[0])) self.assertEqual(None, found[1]) self.assertIn(usr1.serialize(), found[0]) self.assertIn(usr2.serialize(), found[0]) self.assertIn(usr3.serialize(), found[0]) with patch.object(self.admin, self.__N_GLU, return_value=set()): self.assertEqual(([], None), self.manager.list_users(self.context))
def revoke_access(self, context, username, hostname, database): """ Revoke all permissions on any database resources from a given username. """ user = models.CassandraUser(username) with CassandraLocalhostConnection(self.__admin_user) as client: self._revoke_all_access_on_keyspace( client, models.CassandraSchema(database), user)
def grant_access(self, context, username, hostname, databases): """ Grant full access on keyspaces to a given username. """ user = models.CassandraUser(username) with CassandraLocalhostConnection(self.__admin_user) as client: for db in databases: self._grant_full_access_on_keyspace(client, models.CassandraSchema(db), user)
def test_grant_access(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr1', 'password') db1 = models.CassandraSchema('db1') db2 = models.CassandraSchema('db2') db3 = models.CassandraSchema('db3') self.manager.grant_access(self.context, usr1.name, None, [db1.name, db2.name]) self.manager.grant_access(self.context, usr2.name, None, [db3.name]) expected = [] for modifier in self.__ACCESS_MODIFIERS: expected.append( call(self.__GRANT_FORMAT, (modifier, db1.name, usr1.name))) expected.append( call(self.__GRANT_FORMAT, (modifier, db3.name, usr2.name))) conn.return_value.execute.assert_has_calls(expected, any_order=True)
def _rename_user(self, client, user, new_username, new_password): """ Rename a given user also updating its password. Transfer the current permissions to the new username. Drop the old username therefore revoking its permissions. """ LOG.debug("Renaming user '%s' to '%s'" % (user.name, new_username)) new_user = models.CassandraUser(new_username, new_password) new_user.databases.extend(user.databases) self._create_user_and_grant(client, new_user) self._drop_user(client, user)
def _reset_user_password_to_default(self, username): LOG.debug("Resetting the password of user '%s' to '%s'." % (username, self.default_superuser_password)) user = models.CassandraUser(username, self.default_superuser_password) with community_service.CassandraLocalhostConnection(user) as client: client.execute( "UPDATE system_auth.roles SET salted_hash=%s " "WHERE role='{}';", (user.name, ), (self.default_superuser_pwd_hash, )) return user
def test_rename_user(self, conn, ks_deserializer): usr = models.CassandraUser('usr') db1 = models.CassandraSchema('db1').serialize() db2 = models.CassandraSchema('db2').serialize() usr.databases.append(db1) usr.databases.append(db2) new_user = models.CassandraUser('new_user') with patch(self.__N_CAU, return_value=new_user): with patch.object(self.admin, self.__N_BU, return_value=usr): with patch.object(self.admin, self.__N_CU) as create: with patch.object(self.admin, self.__N_GFA) as grant: with patch.object(self.admin, self.__N_DU) as drop: usr_attrs = {'name': 'user', 'password': '******'} self.manager.update_attributes( self.context, usr.name, None, usr_attrs) create.assert_called_once_with(ANY, new_user) grant.assert_has_calls( [call(ANY, db1, ANY), call(ANY, db2, ANY)]) drop.assert_called_once_with(ANY, usr)
def test_list_access(self, conn): usr1 = models.CassandraUser('usr1') usr2 = models.CassandraUser('usr2') usr3 = models.CassandraUser(self._get_random_name(1025), 'password') db1 = models.CassandraSchema('db1').serialize() db2 = models.CassandraSchema('db2').serialize() usr2.databases.append(db1) usr3.databases.append(db1) usr3.databases.append(db2) with patch.object(self.admin, self.__N_GLU, return_value={usr1, usr2, usr3}): usr1_dbs = self.manager.list_access(self.context, usr1.name, None) usr2_dbs = self.manager.list_access(self.context, usr2.name, None) usr3_dbs = self.manager.list_access(self.context, usr3.name, None) self.assertEqual([], usr1_dbs) self.assertEqual([db1], usr2_dbs) self.assertEqual([db1, db2], usr3_dbs) with patch.object(self.admin, self.__N_GLU, return_value=set()): with ExpectedException(exception.UserNotFound): self.manager.list_access(self.context, usr3.name, None)
def get_current_superuser(self): """ Build the Trove superuser. Use the stored credentials. If not available fall back to the defaults. """ if self.has_user_config(): return self._load_current_superuser() LOG.warn( _("Trove administrative user has not been configured yet. " "Using the built-in default: %s") % self.default_superuser_name) return models.CassandraUser(self.default_superuser_name, self.default_superuser_password)
def get_cluster_admin(self): cluster_password = CouchbaseRootAccess.get_password() return models.CassandraUser(self._ADMIN_USER, cluster_password)
def test_update_attributes(self, conn): usr = models.CassandraUser('usr', 'pwd') with patch.object(self.admin, self.__N_BU, return_value=usr): usr_attrs = {'name': usr.name, 'password': usr.password} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: self.manager.update_attributes(self.context, usr.name, None, usr_attrs) self.assertEqual(0, rename.call_count) self.assertEqual(0, alter.call_count) usr_attrs = {'name': 'user', 'password': '******'} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: self.manager.update_attributes(self.context, usr.name, None, usr_attrs) rename.assert_called_once_with(ANY, usr, usr_attrs['name'], usr_attrs['password']) self.assertEqual(0, alter.call_count) usr_attrs = {'name': 'user', 'password': usr.password} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: self.manager.update_attributes(self.context, usr.name, None, usr_attrs) rename.assert_called_once_with(ANY, usr, usr_attrs['name'], usr_attrs['password']) self.assertEqual(0, alter.call_count) usr_attrs = {'name': 'user'} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: with ExpectedException( exception.UnprocessableEntity, "Updating username " "requires specifying a password as well."): self.manager.update_attributes(self.context, usr.name, None, usr_attrs) self.assertEqual(0, rename.call_count) self.assertEqual(0, alter.call_count) usr_attrs = {'name': usr.name, 'password': '******'} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: self.manager.update_attributes(self.context, usr.name, None, usr_attrs) alter.assert_called_once_with(ANY, usr) self.assertEqual(0, rename.call_count) usr_attrs = {'password': usr.password} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: self.manager.update_attributes(self.context, usr.name, None, usr_attrs) self.assertEqual(0, rename.call_count) self.assertEqual(0, alter.call_count) usr_attrs = {'password': '******'} with patch.object(self.admin, self.__N_RU) as rename: with patch.object(self.admin, self.__N_AUP) as alter: self.manager.update_attributes(self.context, usr.name, None, usr_attrs) alter.assert_called_once_with(ANY, usr) self.assertEqual(0, rename.call_count)
def _load_current_superuser(self): config = operating_system.read_file(self._get_cqlsh_conf_path(), codec=IniCodec()) return models.CassandraUser( config[self._CONF_AUTH_SEC][self._CONF_USR_KEY], config[self._CONF_AUTH_SEC][self._CONF_PWD_KEY])
def _build_user(self, username, acl): user = models.CassandraUser(username) for ks, permissions in acl.get(username, {}).items(): if permissions: user.databases.append(models.CassandraSchema(ks).serialize()) return user
def test_delete_user(self, conn): usr = models.CassandraUser(self._get_random_name(1025), 'password') self.manager.delete_user(self.context, usr.serialize()) conn.return_value.execute.assert_called_once_with( self.__DROP_USR_FORMAT, (usr.name, ))