def cleanup_security():
LOGGER.info('Cleaning up strict-mode security for Spark')
sdk_security.revoke_permissions(linux_user=user,
role_name=role,
service_account_name=service_account)
sdk_security.delete_service_account(service_account, secret)
LOGGER.info('Finished cleaning up strict-mode security for Spark')
def zookeeper_server(configure_security):
service_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"virtual_network_enabled": True,
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
)
if sdk_utils.is_strict_mode():
service_options = sdk_utils.merge_dictionaries(
{
"service": {
"service_account": zk_account,
"service_account_secret": zk_secret,
}
},
service_options,
)
sdk_security.setup_security(
config.ZOOKEEPER_SERVICE_NAME,
service_account=zk_account,
service_account_secret=zk_secret,
)
sdk_install.install(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
package_version=config.ZOOKEEPER_PACKAGE_VERSION,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False,
)
yield {
**service_options,
**{
"package_name": config.ZOOKEEPER_PACKAGE_NAME
},
}
finally:
sdk_install.uninstall(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
)
if sdk_utils.is_strict_mode():
sdk_security.delete_service_account(
service_account_name=zk_account,
service_account_secret=zk_secret,
)
def configure_package(configure_security):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
# Create service account
sdk_security.create_service_account(
service_account_name=config.SERVICE_NAME,
service_account_secret=config.SERVICE_NAME + "-secret",
)
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(
name=config.SERVICE_NAME))
sdk_install.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
6,
additional_options={
"service": {
"yaml": "tls",
"service_account": config.SERVICE_NAME,
"service_account_secret": config.SERVICE_NAME + "-secret",
# Legacy values
"principal": config.SERVICE_NAME,
"secret_name": config.SERVICE_NAME,
},
"tls": {
"discovery_task_prefix": DISCOVERY_TASK_PREFIX
},
},
)
sdk_plan.wait_for_completed_deployment(config.SERVICE_NAME)
yield # let the test session execute
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_security.delete_service_account(
service_account_name=config.SERVICE_NAME,
service_account_secret=config.SERVICE_NAME + "-secret",
)
# Make sure that all the TLS artifacts were removed from the secrets store.
_, output, _ = sdk_cmd.run_cli(
"security secrets list {name}".format(name=config.SERVICE_NAME))
artifact_suffixes = [
"certificate",
"private-key",
"root-ca-certificate",
"keystore",
"truststore",
]
for suffix in artifact_suffixes:
assert suffix not in output
def cleanup_security():
log.info('Cleaning up strict-mode security for Spark')
for user in users:
revoke_user_permissions(user, role, service_account)
# TODO: improve security setup/teardown to make it more fine-grained (allow different service names/accts/users)
# tracking issue: https://jira.mesosphere.com/browse/DCOS-50933
sdk_security.delete_service_account(service_account, secret)
log.info('Finished cleaning up strict-mode security for Spark')
def configure_package(configure_security):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
# Create service account
sdk_security.create_service_account(
service_account_name=config.SERVICE_NAME,
service_account_secret=config.SERVICE_NAME)
# TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(
name=config.SERVICE_NAME))
sdk_install.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
6,
additional_options={
"service": {
"spec_file": "examples/tls.yml",
"service_account": config.SERVICE_NAME,
"service_account_secret": config.SERVICE_NAME,
# Legacy values
"principal": config.SERVICE_NAME,
"secret_name": config.SERVICE_NAME,
},
"tls": {
"discovery_task_prefix": DISCOVERY_TASK_PREFIX,
},
})
sdk_plan.wait_for_completed_deployment(config.SERVICE_NAME)
# Wait for service health check to pass
shakedown.service_healthy(config.SERVICE_NAME)
yield # let the test session execute
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_security.delete_service_account(
service_account_name=config.SERVICE_NAME,
service_account_secret=config.SERVICE_NAME)
# Make sure that all the TLS artifacts were removed from the secrets store.
output = sdk_cmd.run_cli(
'security secrets list {name}'.format(name=config.SERVICE_NAME))
artifact_suffixes = [
'certificate', 'private-key', 'root-ca-certificate', 'keystore',
'truststore'
]
for suffix in artifact_suffixes:
assert suffix not in output
def service_account():
"""
Creates service account with `elastic` name and yields the name.
"""
name = config.SERVICE_NAME
sdk_security.create_service_account(service_account_name=name,
service_account_secret=name)
# TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
yield name
sdk_security.delete_service_account(service_account_name=name,
service_account_secret=name)
def service_account(dcos_security_cli):
"""
Creates service account with `hello-world` name and yields the name.
"""
name = 'hello-world'
sdk_security.create_service_account(
service_account_name=name, secret_name=name)
# TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
yield name
sdk_security.delete_service_account(
service_account_name=name, secret_name=name)
def service_account():
"""
Creates service account and yields the name.
"""
name = config.SERVICE_NAME
sdk_security.create_service_account(
service_account_name=name, service_account_secret=name)
# TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
yield name
sdk_security.delete_service_account(
service_account_name=name, service_account_secret=name)
def configure_package(configure_security):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
# Create service account
sdk_security.create_service_account(
service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME
)
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=config.SERVICE_NAME)
)
sdk_install.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
6,
additional_options={
"service": {
"yaml": "tls",
"service_account": config.SERVICE_NAME,
"service_account_secret": config.SERVICE_NAME,
# Legacy values
"principal": config.SERVICE_NAME,
"secret_name": config.SERVICE_NAME,
},
"tls": {"discovery_task_prefix": DISCOVERY_TASK_PREFIX},
},
)
sdk_plan.wait_for_completed_deployment(config.SERVICE_NAME)
yield # let the test session execute
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_security.delete_service_account(
service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME
)
# Make sure that all the TLS artifacts were removed from the secrets store.
_, output, _ = sdk_cmd.run_cli("security secrets list {name}".format(name=config.SERVICE_NAME))
artifact_suffixes = [
"certificate",
"private-key",
"root-ca-certificate",
"keystore",
"truststore",
]
for suffix in artifact_suffixes:
assert suffix not in output
def service_account():
"""
Creates service account with `hello-world` name and yields the name.
"""
# This name should be same as SERVICE_NAME as it determines scheduler DCOS_LABEL value.
name = SERVICE_NAME
sdk_security.create_service_account(service_account_name=name,
service_account_secret=name)
# TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
yield name
sdk_security.delete_service_account(service_account_name=name,
service_account_secret=name)
def service_account(configure_security):
"""
Creates service account and secret and yields dict containing both.
"""
try:
name = config.SERVICE_NAME
secret = "{}-secret".format(name)
sdk_security.create_service_account(service_account_name=name,
service_account_secret=secret)
# TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
yield {"name": name, "secret": secret}
finally:
sdk_security.delete_service_account(service_account_name=name,
service_account_secret=secret)
def package_registry_session(tmpdir_factory): # _pytest.TempdirFactory
pkg_reg_repo = {}
service_uid = "pkg-reg-uid-{}".format(sdk_utils.random_string())
secret_path = "{}-secret-{}".format(service_uid, sdk_utils.random_string())
try:
sdk_security.create_service_account(service_uid, secret_path)
grant_perms_for_registry_account(service_uid)
pkg_reg_repo = install_package_registry(secret_path)
add_dcos_files_to_registry(tmpdir_factory)
yield
finally:
log.info("Teardown of package_registry_session initiated")
sdk_repository.remove_universe_repos(pkg_reg_repo)
# TODO If/when adding S3 backend, remove `Added` packages.
sdk_install.uninstall(PACKAGE_REGISTRY_NAME, PACKAGE_REGISTRY_SERVICE_NAME)
# No need to revoke perms, just delete the secret; the following ignores any failures.
sdk_security.delete_service_account(service_uid, secret_path)
def package_registry_session(tmpdir_factory: TempdirFactory) -> Iterator[None]:
pkg_reg_repo: Dict[str, str] = {}
service_uid = "pkg-reg-uid-{}".format(sdk_utils.random_string())
secret_path = "{}-secret-{}".format(service_uid, sdk_utils.random_string())
try:
sdk_security.create_service_account(service_uid, secret_path)
grant_perms_for_registry_account(service_uid)
pkg_reg_repo = install_package_registry(secret_path)
add_dcos_files_to_registry(tmpdir_factory)
yield
finally:
log.info("Teardown of package_registry_session initiated")
sdk_repository.remove_universe_repos(pkg_reg_repo)
# TODO If/when adding S3 backend, remove `Added` packages.
sdk_install.uninstall(PACKAGE_REGISTRY_NAME, PACKAGE_REGISTRY_SERVICE_NAME)
# No need to revoke perms, just delete the secret; the following ignores any failures.
sdk_security.delete_service_account(service_uid, secret_path)
def cleanup(self) -> None:
sdk_security.install_enterprise_cli()
log.info("Removing the marathon KDC app")
sdk_marathon.destroy_app(self.app_definition["id"])
if self._temp_working_dir and isinstance(self._temp_working_dir,
tempfile.TemporaryDirectory):
log.info("Deleting temporary working directory")
self._temp_working_dir.cleanup()
sdk_security.delete_service_account(
service_account_name=KDC_SERVICE_ACCOUNT,
service_account_secret=KDC_SERVICE_ACCOUNT_SECRET,
)
# TODO: separate secrets handling into another module
log.info("Deleting keytab secret")
sdk_security.install_enterprise_cli()
sdk_security.delete_secret(self.get_keytab_path())
def zookeeper_server(configure_security):
service_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"virtual_network_enabled": True
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
if sdk_utils.is_strict_mode():
service_options = sdk_install.merge_dictionaries({
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_options)
sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret)
sdk_install.install(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield {**service_options, **{"package_name": config.ZOOKEEPER_PACKAGE_NAME}}
finally:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
if sdk_utils.is_strict_mode():
sdk_security.delete_service_account(
service_account_name=zk_account, service_account_secret=zk_secret)
def package_registry_session(tmpdir_factory): # _pytest.TempdirFactory
pkg_reg_stub = {}
pkg_reg_repo = {}
try:
# TODO Remove stub. We should install from bootstrap registry.
pkg_reg_stub = add_package_registry_stub()
service_uid = 'pkg-reg-uid-{}'.format(sdk_utils.random_string())
secret_path = '{}-secret-{}'.format(service_uid,
sdk_utils.random_string())
sdk_security.create_service_account(service_uid, secret_path)
grant_perms_for_registry_account(service_uid)
pkg_reg_repo = install_package_registry(secret_path)
add_dcos_files_to_registry(tmpdir_factory)
yield
finally:
log.info('Teardown of package_registry_session initiated')
sdk_repository.remove_universe_repos(pkg_reg_repo)
# TODO If/when adding S3 backend, remove `Added` packages.
sdk_install.uninstall(PACKAGE_REGISTRY_NAME,
PACKAGE_REGISTRY_SERVICE_NAME)
sdk_repository.remove_universe_repos(pkg_reg_stub)
# No need to revoke perms, just delete the secret.
sdk_security.delete_service_account(service_uid, secret_path)
def configure_zookeeper(configure_security, install_zookeeper_stub):
service_options = {
"service": {
"virtual_network_enabled": True
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME)
if sdk_utils.is_strict_mode():
service_options = sdk_install.merge_dictionaries({
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_options)
sdk_security.setup_security(ZK_SERVICE_NAME, zk_account, zk_secret)
sdk_install.install(
ZK_PACKAGE,
ZK_SERVICE_NAME,
6,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield
finally:
sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME)
if sdk_utils.is_strict_mode():
sdk_security.delete_service_account(
service_account_name=zk_account, service_account_secret=zk_secret)
