def data_source_update(self, context, id, values):
"""Update the Data Source or raise if it does not exist."""
values = copy.deepcopy(values)
values["id"] = id
# in cases where the credentials to access the data source are
# stored with the record and the external key manager is being
# used, we need to delete the old key from the manager and
# create a new one. the other option here would be to retrieve
# the previous key and check to see if it has changed, but it
# seems less expensive to just delete the old and create a new
# one.
# it should be noted that the jsonschema validation ensures that
# if the proxy domain is not in use then credentials must be
# sent with this record.
if (CONF.use_barbican_key_manager and not
CONF.use_domain_for_proxy_users):
# first we retrieve the original record to get the old key
# uuid, and delete it.
ds_record = self.data_source_get(context, id)
if (ds_record.get('credentials') and
ds_record['credentials'].get('password')):
key_manager.delete_secret(
ds_record['credentials']['password'], context)
# next we create the new key.
if (values.get('credentials') and
values['credentials'].get('password')):
values['credentials']['password'] = key_manager.store_secret(
values['credentials']['password'], context)
return self.db.data_source_update(context, values)
def job_binary_update(self, context, id, values):
"""Update a JobBinary from the values dictionary."""
values = copy.deepcopy(values)
values['id'] = id
# in cases where the credentials to access the job binary are
# stored with the record and the external key manager is being
# used, we need to delete the old key from the manager and
# create a new one. the other option here would be to retrieve
# the previous key and check to see if it has changed, but it
# seems less expensive to just delete the old and create a new
# one.
if (CONF.use_barbican_key_manager and not
CONF.use_domain_for_proxy_users):
# first we retrieve the original record to get the old key
# uuid, and delete it.
jb_record = self.job_binary_get(context, id)
if jb_record.get('extra') and jb_record['extra'].get('password'):
key_manager.delete_secret(jb_record['extra']['password'],
context)
# next we create the new key.
if values.get('extra') and values['extra'].get('password'):
values['extra']['password'] = key_manager.store_secret(
values['extra']['password'], context)
return self.db.job_binary_update(context, values)
def job_binary_destroy(self, context, job_binary):
"""Destroy the JobBinary or raise if it does not exist."""
# in cases where the credentials to access the job binary are
# stored with the record and the external key manager is being
# used, we need to delete the key from the external manager.
if (CONF.use_barbican_key_manager and not
CONF.use_domain_for_proxy_users):
jb_record = self.job_binary_get(context, job_binary)
if jb_record.get('extra') and jb_record['extra'].get('password'):
key_manager.delete_secret(jb_record['extra']['password'],
context)
self.db.job_binary_destroy(context, job_binary)
def data_source_destroy(self, context, data_source):
"""Destroy the Data Source or raise if it does not exist."""
# in cases where the credentials to access the data source are
# stored with the record and the external key manager is being
# used, we need to delete the key from the external manager.
if (CONF.use_barbican_key_manager and not
CONF.use_domain_for_proxy_users):
ds_record = self.data_source_get(context, data_source)
if (ds_record.get('credentials') and
ds_record['credentials'].get('password')):
key_manager.delete_secret(
ds_record['credentials']['password'], context)
return self.db.data_source_destroy(context, data_source)
def delete_proxy_user_for_cluster(cluster):
'''Delete a proxy user based on a Cluster
:param cluster: The cluster model with proxy user information
'''
proxy_configs = cluster.cluster_configs.get('proxy_configs')
if proxy_configs is not None:
proxy_username = proxy_configs.get('proxy_username')
proxy_trust_id = proxy_configs.get('proxy_trust_id')
proxy_user = k.auth_for_proxy(proxy_username,
key_manager.get_secret(
proxy_configs.get('proxy_password')),
proxy_trust_id)
t.delete_trust(proxy_user, proxy_trust_id)
proxy_user_delete(proxy_username)
key_manager.delete_secret(proxy_configs.get('proxy_password'))
update = {'cluster_configs': cluster.cluster_configs.to_dict()}
del update['cluster_configs']['proxy_configs']
conductor.cluster_update(context.ctx(), cluster, update)
def delete_proxy_user_for_cluster(cluster):
'''Delete a proxy user based on a Cluster
:param cluster: The cluster model with proxy user information
'''
proxy_configs = cluster.cluster_configs.get('proxy_configs')
if proxy_configs is not None:
proxy_username = proxy_configs.get('proxy_username')
proxy_trust_id = proxy_configs.get('proxy_trust_id')
proxy_user = k.auth_for_proxy(
proxy_username,
key_manager.get_secret(proxy_configs.get('proxy_password')),
proxy_trust_id)
t.delete_trust(proxy_user, proxy_trust_id)
proxy_user_delete(proxy_username)
key_manager.delete_secret(proxy_configs.get('proxy_password'))
update = {'cluster_configs': cluster.cluster_configs.to_dict()}
del update['cluster_configs']['proxy_configs']
conductor.cluster_update(context.ctx(), cluster, update)
def delete_proxy_user_for_job_execution(job_execution):
'''Delete a proxy user based on a JobExecution
:param job_execution: The job execution with proxy user information
:returns: An updated job_configs dictionary or None
'''
proxy_configs = job_execution.job_configs.get('proxy_configs')
if proxy_configs is not None:
proxy_username = proxy_configs.get('proxy_username')
proxy_trust_id = proxy_configs.get('proxy_trust_id')
proxy_user = k.auth_for_proxy(
proxy_username,
key_manager.get_secret(proxy_configs.get('proxy_password')),
proxy_trust_id)
t.delete_trust(proxy_user, proxy_trust_id)
proxy_user_delete(proxy_username)
key_manager.delete_secret(proxy_configs.get('proxy_password'))
update = job_execution.job_configs.to_dict()
del update['proxy_configs']
return update
return None
def delete_proxy_user_for_job_execution(job_execution):
'''Delete a proxy user based on a JobExecution
:param job_execution: The job execution with proxy user information
:returns: An updated job_configs dictionary or None
'''
proxy_configs = job_execution.job_configs.get('proxy_configs')
if proxy_configs is not None:
proxy_username = proxy_configs.get('proxy_username')
proxy_trust_id = proxy_configs.get('proxy_trust_id')
proxy_user = k.auth_for_proxy(proxy_username,
key_manager.get_secret(
proxy_configs.get('proxy_password')),
proxy_trust_id)
t.delete_trust(proxy_user, proxy_trust_id)
proxy_user_delete(proxy_username)
key_manager.delete_secret(proxy_configs.get('proxy_password'))
update = job_execution.job_configs.to_dict()
del update['proxy_configs']
return update
return None
def delete_oozie_password(cluster):
extra = cluster.extra.to_dict()
if 'oozie_pass_id' in extra:
castellan.delete_secret(extra['oozie_pass_id'])
else:
LOG.warning(_LW("Cluster hasn't Oozie password"))
def delete_secret(id, ctx=None, **kwargs):
castellan_utils.delete_secret(id, ctx=ctx)
def delete_secret(id, ctx=None, **kwargs):
castellan_utils.delete_secret(id, ctx=ctx)
def delete_oozie_password(cluster):
extra = cluster.extra.to_dict()
if 'oozie_pass_id' in extra:
castellan.delete_secret(extra['oozie_pass_id'])
else:
LOG.warning(_LW("Cluster hasn't Oozie password"))
def delete_hive_password(cluster):
extra = cluster.extra.to_dict()
if 'hive_pass_id' in extra:
castellan.delete_secret(extra['hive_pass_id'])
else:
LOG.warning("Cluster hasn't hive password")
