def __generate_access_secret_keys(self, const_secret_string,
const_access_string):
"""Generates access and secret keys."""
cortx_access_key = CortxS3Cipher(None, True, 22,
const_access_string).generate_key()
cortx_secret_key = CortxS3Cipher(None, False, 40,
const_secret_string).generate_key()
return cortx_access_key, cortx_secret_key
def read_ldap_credentials(self):
"""Get 'ldapadmin' user name and password from confstore."""
try:
s3cipher_obj = CortxS3Cipher(
None, False, 0,
self.get_confkey('CONFSTORE_OPENLDAP_CONST_KEY'))
cipher_key = s3cipher_obj.generate_key()
self.ldap_user = self.get_confvalue(
self.get_confkey('CONFSTORE_LDAPADMIN_USER_KEY'))
encrypted_ldapadmin_pass = self.get_confvalue(
self.get_confkey('CONFSTORE_LDAPADMIN_PASSWD_KEY'))
encrypted_rootdn_pass = self.get_confvalue(
self.get_confkey('CONFSTORE_ROOTDN_PASSWD_KEY'))
if encrypted_ldapadmin_pass != None:
self.ldap_passwd = s3cipher_obj.decrypt(
cipher_key, encrypted_ldapadmin_pass)
if encrypted_rootdn_pass != None:
self.rootdn_passwd = s3cipher_obj.decrypt(
cipher_key, encrypted_rootdn_pass)
except Exception as e:
sys.stderr.write(f'read ldap credentials failed, error: {e}\n')
raise e
def update_rootdn_credentials(self):
"""Set rootdn username and password to opfile."""
try:
s3cipher_obj = CortxS3Cipher(None,
False,
0,
self.get_confkey('CONFSTORE_OPENLDAP_CONST_KEY'))
cipher_key = s3cipher_obj.generate_key()
self.ldap_root_user = self.get_confvalue_with_defaults('CONFIG>CONFSTORE_ROOTDN_USER_KEY')
encrypted_rootdn_pass = self.get_confvalue_with_defaults('CONFIG>CONFSTORE_ROOTDN_PASSWD_KEY')
if encrypted_rootdn_pass is not None:
self.rootdn_passwd = s3cipher_obj.decrypt(cipher_key, encrypted_rootdn_pass)
if encrypted_rootdn_pass is None:
raise S3PROVError('password cannot be None.')
op_file = "/opt/seagate/cortx/s3/s3backgrounddelete/s3_cluster.yaml"
key = 'cluster_config>rootdn_user'
opfileconfstore = S3CortxConfStore(f'yaml://{op_file}', 'write_rootdn_idx')
opfileconfstore.set_config(f'{key}', f'{self.ldap_root_user}', True)
key = 'cluster_config>rootdn_pass'
opfileconfstore.set_config(f'{key}', f'{encrypted_rootdn_pass}', True)
except Exception as e:
self.logger.error(f'update rootdn credentials failed, error: {e}')
raise e
def delete_background_delete_account(self, ldappasswd: str, keylen: int, key: str, s3background_cofig:str):
"""Delete s3 account which was used by s3background delete."""
cmd = 'ldapsearch -b "o=s3-background-delete-svc,ou=accounts,dc=s3,dc=seagate,dc=com" -x -w ' + ldappasswd + ' -D "cn=sgiamadmin,dc=seagate,dc=com" -H ldap://'
output,error = subprocess.Popen(cmd, universal_newlines=True, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
log.debug("\ncmd:{0},\noutput:{1},\nerror:{2}".format(cmd, output, error))
output = re.sub(r"[\n\t\s]*","",output)
if "result:32Nosuchobjectmatched" in output:
print("No s3-background-delete-svc account found")
return False
# Delete s3background delete account.
s3_cipher = CortxS3Cipher(None, True, keylen, key)
access_key = ""
try:
access_key = s3_cipher.generate_key()
except CipherInvalidToken as err:
log.debug("Cipher generate key failed with error : {0}, trying from flat file : {1}".format(err, s3background_cofig))
cmd = "awk '/background_account_access_key/ {print}' "+ s3background_cofig + " | cut -d " " -f 5 | sed -e 's/^\"//' -e 's/\"$//"
access_key,error = subprocess.Popen(cmd, universal_newlines=True, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
log.debug("\ncmd:{0},\noutput:{1},\nerror:{2}".format(cmd, access_key, error))
cmd = "ldapdelete -x -w " + ldappasswd + " -r \"ak=" + access_key + ",ou=accesskeys,dc=s3,dc=seagate,dc=com\" -D \"cn=sgiamadmin,dc=seagate,dc=com\" -H ldapi:///"
output,error = subprocess.Popen(cmd, universal_newlines=True, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
log.debug("\ncmd:{0},\noutput:{1},\nerror:{2}".format(cmd, output, error))
cmd = 'ldapdelete -x -w ' + ldappasswd + ' -r "o=s3-background-delete-svc,ou=accounts,dc=s3,dc=seagate,dc=com" -D "cn=sgiamadmin,dc=seagate,dc=com" -H ldapi:///'
output,error = subprocess.Popen(cmd, universal_newlines=True, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
log.debug("\ncmd:{0},\noutput:{1},\nerror:{2}".format(cmd, output, error))
if not error:
print ("Deleted s3backgrounddelete account successfully...")
return True
print ("Delete s3backgrounddelete account failed with: {}".format(error))
return False
def read_ldap_credentials(self):
"""Get 'ldapadmin' user name and password from confstore."""
prov_config_yaml = None
try:
with open(self.s3_prov_config) as provconf:
prov_config_yaml = yaml.safe_load(provconf)
s3cipher_obj = CortxS3Cipher(
None, False, 0,
prov_config_yaml['CONFSTORE_OPENLDAP_CONST_KEY'])
cipher_key = s3cipher_obj.generate_key()
encrypted_ldapadmin_pass = self.s3confstore.get_config(
prov_config_yaml['CONFSTORE_LDAPADMIN_PASSWD_KEY'])
self.ldap_passwd = s3cipher_obj.decrypt(cipher_key,
encrypted_ldapadmin_pass)
self.ldap_user = self.s3confstore.get_config(
prov_config_yaml['CONFSTORE_LDAPADMIN_USER_KEY'])
except IOError as ioe:
sys.stderr.write(
f'failed to open config file: {self.s3_prov_config}, err: {ioe}\n'
)
raise ioe
except YAMLError as ye:
sys.stderr.write(
f'yaml load failed for config file: {self.s3_prov_config}, err: {ye}\n'
)
raise ye
except Exception as e:
sys.stderr.write(f'unknown exception: {e}\n')
raise e
def get_iam_admin_credentials(self):
"""Used for reset and cleanup phase to get the iam-admin user and decrypted passwd."""
opfileconfstore = S3CortxConfStore(f'properties://{self.auth_conf_file}', 'read_ldap_idx')
s3cipher_obj = CortxS3Cipher(None,
False,
0,
self.get_confkey('CONFSTORE_OPENLDAP_CONST_KEY'))
enc_ldap_passwd = opfileconfstore.get_config('ldapLoginPW')
cipher_key = s3cipher_obj.generate_key()
if enc_ldap_passwd != None:
self.ldap_passwd = s3cipher_obj.decrypt(cipher_key, enc_ldap_passwd)
def read_ldap_credentials(self):
"""Get 'ldapadmin' user name and password from confstore."""
try:
localconfstore = S3CortxConfStore(f'yaml://{self.s3_prov_config}', 'read_ldap_credentialsidx')
s3cipher_obj = CortxS3Cipher(None, False, 0, localconfstore.get_config('CONFSTORE_OPENLDAP_CONST_KEY'))
cipher_key = s3cipher_obj.generate_key()
encrypted_ldapadmin_pass = self.s3confstore.get_config(localconfstore.get_config('CONFSTORE_LDAPADMIN_PASSWD_KEY'))
self.ldap_passwd = s3cipher_obj.decrypt(cipher_key, encrypted_ldapadmin_pass)
self.ldap_user = self.s3confstore.get_config(localconfstore.get_config('CONFSTORE_LDAPADMIN_USER_KEY'))
encrypted_rootdn_pass = self.s3confstore.get_config(localconfstore.get_config('CONFSTORE_ROOTDN_PASSWD_KEY'))
self.rootdn_passwd = s3cipher_obj.decrypt(cipher_key, encrypted_rootdn_pass)
except Exception as e:
sys.stderr.write(f'read ldap credentials failed, error: {e}\n')
raise e
def get_ldap_root_credentials(self):
"""Used for reset and cleanup phase to get the ldap root user and decrypted passwd."""
key = 'cluster_config>rootdn_user'
opfileconfstore = S3CortxConfStore(f'yaml://{self.s3_cluster_file}', 'read_rootdn_idx')
self.ldap_root_user = opfileconfstore.get_config(f'{key}')
key = 'cluster_config>rootdn_pass'
enc_rootdn_passwd = opfileconfstore.get_config(f'{key}')
s3cipher_obj = CortxS3Cipher(None,
False,
0,
self.get_confkey('CONFSTORE_OPENLDAP_CONST_KEY'))
cipher_key = s3cipher_obj.generate_key()
if enc_rootdn_passwd != None:
self.rootdn_passwd = s3cipher_obj.decrypt(cipher_key, enc_rootdn_passwd)
def delete_ldap_account(self, ldap_acc: str):
"""Delete the given s3 account."""
try:
acc_attributes_dict = self.account_cleanup_dict[ldap_acc]
s3cipher_obj = CortxS3Cipher(None, True, 22, acc_attributes_dict["cipherConstKey"])
access_key = s3cipher_obj.generate_key()
# delete the access key
try:
self.ldap_conn.delete_s(f'ak={access_key},ou=accesskeys,dc=s3,dc=seagate,dc=com')
except ldap.NO_SUCH_OBJECT:
pass
# delete the 'ldap_acc' account's subordinate objects
try:
self.ldap_conn.delete_s(f'ou=roles,o={ldap_acc},ou=accounts,dc=s3,dc=seagate,dc=com')
except ldap.NO_SUCH_OBJECT:
pass
try:
self.ldap_conn.delete_s(f's3UserId={acc_attributes_dict["s3userId"]},ou=users,o={ldap_acc},ou=accounts,dc=s3,dc=seagate,dc=com')
except ldap.NO_SUCH_OBJECT:
pass
try:
self.ldap_conn.delete_s(f'ou=users,o={ldap_acc},ou=accounts,dc=s3,dc=seagate,dc=com')
except ldap.NO_SUCH_OBJECT:
pass
try:
self.ldap_conn.delete_s(f'ou=groups,o={ldap_acc},ou=accounts,dc=s3,dc=seagate,dc=com')
except ldap.NO_SUCH_OBJECT:
pass
try:
self.ldap_conn.delete_s(f'ou=policies,o={ldap_acc},ou=accounts,dc=s3,dc=seagate,dc=com')
except ldap.NO_SUCH_OBJECT:
pass
# delete the 'ldap_acc' account
self.ldap_conn.delete_s(f'o={ldap_acc},ou=accounts,dc=s3,dc=seagate,dc=com')
except Exception as e:
sys.stderr.write(f'failed to delete account: {ldap_acc}, err: {e}\n')
raise e
def generate_key(config, use_base64, key_len, const_key):
"""
Generates a key based on input parameters.
"""
s3cipher = CortxS3Cipher(config, use_base64, key_len, const_key)
return s3cipher.generate_key()
def generate_key(self, config, use_base64, key_len, const_key):
s3cipher = CortxS3Cipher(config, use_base64, key_len, const_key)
return s3cipher.generate_key()