def configure_zookeeper(configure_security, install_zookeeper_stub): service_options = { "service": { "virtual_network_enabled": True } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" if sdk_utils.is_strict_mode(): service_options = sdk_install.merge_dictionaries({ 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_options) try: sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME) sdk_security.setup_security(ZK_SERVICE_NAME, zk_account, zk_secret) sdk_install.install( ZK_PACKAGE, ZK_SERVICE_NAME, 6, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False) yield finally: sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME)
def zookeeper_server(configure_security): service_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "virtual_network_enabled": True, } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, ) if sdk_utils.is_strict_mode(): service_options = sdk_utils.merge_dictionaries( { "service": { "service_account": zk_account, "service_account_secret": zk_secret, } }, service_options, ) sdk_security.setup_security( config.ZOOKEEPER_SERVICE_NAME, service_account=zk_account, service_account_secret=zk_secret, ) sdk_install.install( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, package_version=config.ZOOKEEPER_PACKAGE_VERSION, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False, ) yield { **service_options, **{ "package_name": config.ZOOKEEPER_PACKAGE_NAME }, } finally: sdk_install.uninstall( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, ) if sdk_utils.is_strict_mode(): sdk_security.delete_service_account( service_account_name=zk_account, service_account_secret=zk_secret, )
def zookeeper_server(kerberos): service_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "security": { "kerberos": { "enabled": True, "kdc": { "hostname": kerberos.get_host(), "port": int(kerberos.get_port()) }, "realm": kerberos.get_realm(), "keytab_secret": kerberos.get_keytab_path(), } } } } zk_account = "kafka-zookeeper-service-account" zk_secret = "kakfa-zookeeper-secret" if sdk_utils.is_strict_mode(): service_options = sdk_install.merge_dictionaries( { 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_options) try: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret) sdk_install.install(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False) yield { **service_options, **{ "package_name": config.ZOOKEEPER_PACKAGE_NAME } } finally: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
def zookeeper_server(kerberos): service_kerberos_options = { "service": { "name": "kafka-zookeeper", "security": { "kerberos": { "enabled": True, "kdc": { "hostname": kerberos.get_host(), "port": int(kerberos.get_port()) }, "realm": sdk_auth.REALM, "keytab_secret": kerberos.get_keytab_path(), } } } } zk_account = "kafka-zookeeper-service-account" zk_secret = "kakfa-zookeeper-secret" if sdk_utils.is_strict_mode(): service_kerberos_options = sdk_install.merge_dictionaries( { 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_kerberos_options) try: sdk_install.uninstall("beta-kafka-zookeeper", "kafka-zookeeper") sdk_security.setup_security("kafka-zookeeper", zk_account, zk_secret) sdk_install.install("beta-kafka-zookeeper", "kafka-zookeeper", 6, additional_options=service_kerberos_options, timeout_seconds=30 * 60, insert_strict_options=False) yield { **service_kerberos_options, **{ "package_name": "beta-kafka-zookeeper" } } finally: sdk_install.uninstall("beta-kafka-zookeeper", "kafka-zookeeper")
def zookeeper_server(kerberos): service_kerberos_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "security": { "kerberos": { "enabled": True, "kdc": { "hostname": kerberos.get_host(), "port": int(kerberos.get_port()) }, "realm": sdk_auth.REALM, "keytab_secret": kerberos.get_keytab_path(), } } } } zk_account = "kafka-zookeeper-service-account" zk_secret = "kakfa-zookeeper-secret" if sdk_utils.is_strict_mode(): service_kerberos_options = sdk_install.merge_dictionaries({ 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_kerberos_options) try: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret) sdk_install.install( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, additional_options=service_kerberos_options, timeout_seconds=30 * 60, insert_strict_options=False) yield {**service_kerberos_options, **{"package_name": config.ZOOKEEPER_PACKAGE_NAME}} finally: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
def setup_service_account(service_name: str, service_account_secret: str = None) -> dict: """ Setup the service account for TLS. If the account or secret of the specified name already exists, these are deleted. """ if sdk_utils.is_open_dcos(): log.error( "The setup of a service account requires DC/OS EE. service_name=%s", service_name) raise Exception("The setup of a service account requires DC/OS EE") name = service_name secret = name if service_account_secret is None else service_account_secret service_account_info = sdk_security.setup_security( service_name, linux_user="******", service_account=name, service_account_secret=secret) log.info("Adding permissions required for TLS.") if sdk_utils.dcos_version_less_than("1.11"): sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=name)) else: acls = [ { "rid": "dcos:secrets:default:/{}/*".format(service_name), "action": "full" }, { "rid": "dcos:secrets:list:default:/{}".format(service_name), "action": "read" }, { "rid": "dcos:adminrouter:ops:ca:rw", "action": "full" }, { "rid": "dcos:adminrouter:ops:ca:ro", "action": "full" }, ] for acl in acls: cmd_list = [ "security", "org", "users", "grant", "--description", "\"Allow provisioning TLS certificates\"", name, acl["rid"], acl["action"] ] sdk_cmd.run_cli(" ".join(cmd_list)) return service_account_info
def setup_service_account( service_name: str, service_account_secret: Optional[str] = None, ) -> Dict[str, Any]: """ Setup the service account for TLS. If the account or secret of the specified name already exists, these are deleted. """ if sdk_utils.is_open_dcos(): log.error("The setup of a service account requires DC/OS EE. service_name=%s", service_name) raise Exception("The setup of a service account requires DC/OS EE") secret = service_name if service_account_secret is None else service_account_secret service_account = "{}-service-account".format(service_name.replace("/", "")) service_account_info = sdk_security.setup_security( service_name, linux_user="******", service_account=service_account, service_account_secret=secret, ) log.info("Adding permissions required for TLS.") if sdk_utils.dcos_version_less_than("1.11"): sdk_cmd.run_cli("security org groups add_user superusers {sa}".format(sa=service_account)) else: acls = [ {"rid": "dcos:secrets:default:/{}/*".format(service_name.strip("/")), "action": "full"}, { "rid": "dcos:secrets:list:default:/{}".format(service_name.strip("/")), "action": "read", }, {"rid": "dcos:adminrouter:ops:ca:rw", "action": "full"}, {"rid": "dcos:adminrouter:ops:ca:ro", "action": "full"}, ] for acl in acls: cmd_list = [ "security", "org", "users", "grant", "--description", '"Allow provisioning TLS certificates"', service_account, acl["rid"], acl["action"], ] sdk_cmd.run_cli(" ".join(cmd_list)) return service_account_info
def zookeeper_service(configure_security): service_options = sdk_utils.merge_dictionaries( sdk_networks.ENABLE_VIRTUAL_NETWORKS_OPTIONS, {"service": { "name": config.ZOOKEEPER_SERVICE_NAME }}, ) zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) if sdk_utils.is_strict_mode(): service_options = sdk_utils.merge_dictionaries( { "service": { "service_account": zk_account, "service_account_secret": zk_secret } }, service_options, ) service_account_info = sdk_security.setup_security( config.ZOOKEEPER_SERVICE_NAME, linux_user="******", service_account=zk_account, service_account_secret=zk_secret, ) sdk_install.install( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False, ) yield { **service_options, **{ "package_name": config.ZOOKEEPER_PACKAGE_NAME } } finally: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) sdk_security.cleanup_security(config.ZOOKEEPER_SERVICE_NAME, service_account_info)
def setup_security(service_name: str, linux_user: str) -> typing.Dict: """ Adds a service account and secret for the specified service name. """ if not sdk_utils.is_strict_mode(): return {} service_account = normalize_string("{}-service-account".format(service_name)) service_account_secret = "{}-service-account-secret".format(service_name) return sdk_security.setup_security(service_name, linux_user, service_account, service_account_secret)
def zookeeper_server(configure_security): service_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "virtual_network_enabled": True } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) if sdk_utils.is_strict_mode(): service_options = sdk_install.merge_dictionaries({ 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_options) sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret) sdk_install.install( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False) yield {**service_options, **{"package_name": config.ZOOKEEPER_PACKAGE_NAME}} finally: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) if sdk_utils.is_strict_mode(): sdk_security.delete_service_account( service_account_name=zk_account, service_account_secret=zk_secret)
def zookeeper_server(configure_security): service_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "virtual_network_enabled": True } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) if sdk_utils.is_strict_mode(): service_options = sdk_install.merge_dictionaries( { 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_options) service_account_info = sdk_security.setup_security( config.ZOOKEEPER_SERVICE_NAME, linux_user="******", service_account=zk_account, service_account_secret=zk_secret) sdk_install.install(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False) yield { **service_options, **{ "package_name": config.ZOOKEEPER_PACKAGE_NAME } } finally: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) sdk_security.cleanup_security(config.ZOOKEEPER_SERVICE_NAME, service_account_info)
def _create_service_account(service_name): if sdk_utils.is_strict_mode(): try: log.info("Creating service accounts for '{}'" .format(service_name)) sa_name = "{}-principal".format(service_name) sa_secret = "{}-secret".format(service_name) return sdk_security.setup_security( service_name, linux_user="******", service_account=sa_name, service_account_secret=sa_secret, ) except Exception as e: log.warning("Error encountered while creating service account: {}".format(e)) raise e return None
def _create_service_account(service_name) -> None: if sdk_utils.is_strict_mode(): try: log.info("Creating service accounts for '{}'" .format(service_name)) sa_name = "{}-principal".format(service_name) sa_secret = "{}-secret".format(service_name) return sdk_security.setup_security( service_name, linux_user="******", service_account=sa_name, service_account_secret=sa_secret, ) except Exception as e: log.warning("Error encountered while creating service account: {}".format(e)) raise e return None
def setup_service_account(service_name: str, service_account_secret: str=None) -> dict: """ Setup the service account for TLS. If the account or secret of the specified name already exists, these are deleted. """ if sdk_utils.is_open_dcos(): log.error("The setup of a service account requires DC/OS EE. service_name=%s", service_name) raise Exception("The setup of a service account requires DC/OS EE") name = service_name secret = name if service_account_secret is None else service_account_secret service_account_info = sdk_security.setup_security(service_name, service_account=name, service_account_secret=secret) log.info("Adding permissions required for TLS.") if sdk_utils.dcos_version_less_than("1.11"): sdk_cmd.run_cli("security org groups add_user superusers {name}".format(name=name)) else: acls = [ {"rid": "dcos:secrets:default:/{}/*".format(service_name), "action": "full"}, {"rid": "dcos:secrets:list:default:/{}".format(service_name), "action": "read"}, {"rid": "dcos:adminrouter:ops:ca:rw", "action": "full"}, {"rid": "dcos:adminrouter:ops:ca:ro", "action": "full"}, ] for acl in acls: cmd_list = ["security", "org", "users", "grant", "--description", "\"Allow provisioning TLS certificates\"", name, acl["rid"], acl["action"] ] sdk_cmd.run_cli(" ".join(cmd_list)) return service_account_info