Exemple #1
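    def job_binary_update(self, context, id, values):
        """Update a JobBinary from the values dictionary.

        When the external (Barbican) key manager is enabled, credentials
        carried in ``values['extra']`` are replaced by the value returned
        from ``key_manager.store_secret`` before the record is written,
        and the references held by the previous record are deleted from
        the key manager once the write has succeeded.

        :param context: request context, passed to the key manager and to
            the database layer
        :param id: identifier of the JobBinary to update
        :param values: fields to update; deep-copied, so the caller's
            dictionary is never modified
        :returns: the result of ``self.db.job_binary_update``
        """

        values = copy.deepcopy(values)
        values['id'] = id
        # in cases where the credentials to access the job binary are
        # stored with the record and the external key manager is being
        # used, the old key is dropped and a new one is created instead
        # of comparing the previous key with the new one.
        #
        # the old references are only collected here and deleted after
        # the database write: deleting first would leave the record
        # pointing at a secret that no longer exists if store_secret or
        # the write raised afterwards. a failed write can still leave a
        # freshly stored secret unreferenced in the key manager.
        superseded = []
        if CONF.use_barbican_key_manager:
            jb_record = self.job_binary_get(context, id)
            old_extra = jb_record.get('extra') or {}
            new_extra = values.get('extra') or {}
            # 'password' is only rotated when the proxy domain is not in
            # use; 'secretkey' is always rotated.
            fields = ['secretkey']
            if not CONF.use_domain_for_proxy_users:
                fields.insert(0, 'password')
            for field in fields:
                # NOTE(review): the old reference is dropped even when
                # values carries no replacement for this field; if the
                # database layer keeps the stored 'extra' in that case
                # the record would reference a deleted secret -- confirm
                # against the request validation.
                if old_extra.get(field):
                    superseded.append(old_extra[field])
                if new_extra.get(field):
                    new_extra[field] = key_manager.store_secret(
                        new_extra[field], context)
        updated = self.db.job_binary_update(context, values)
        # a failure here propagates to the caller after the record has
        # already been updated; the old secret then remains in the key
        # manager.
        for secret_ref in superseded:
            key_manager.delete_secret(secret_ref, context)
        return updated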
Exemple #2
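    def job_binary_update(self, context, id, values):
        """Update a JobBinary from the values dictionary.

        When the external (Barbican) key manager is enabled, credentials
        carried in ``values['extra']`` are replaced by the value returned
        from ``key_manager.store_secret`` before the record is written,
        and the references held by the previous record are deleted from
        the key manager once the write has succeeded.

        :param context: request context, passed to the key manager and to
            the database layer
        :param id: identifier of the JobBinary to update
        :param values: fields to update; deep-copied, so the caller's
            dictionary is never modified
        :returns: the result of ``self.db.job_binary_update``
        """

        values = copy.deepcopy(values)
        values['id'] = id
        # in cases where the credentials to access the job binary are
        # stored with the record and the external key manager is being
        # used, the old key is dropped and a new one is created instead
        # of comparing the previous key with the new one.
        #
        # the old references are only collected here and deleted after
        # the database write: deleting first would leave the record
        # pointing at a secret that no longer exists if store_secret or
        # the write raised afterwards. a failed write can still leave a
        # freshly stored secret unreferenced in the key manager.
        superseded = []
        if CONF.use_barbican_key_manager:
            jb_record = self.job_binary_get(context, id)
            old_extra = jb_record.get('extra') or {}
            new_extra = values.get('extra') or {}
            # 'password' is only rotated when the proxy domain is not in
            # use; 'secretkey' is always rotated.
            fields = ['secretkey']
            if not CONF.use_domain_for_proxy_users:
                fields.insert(0, 'password')
            for field in fields:
                # NOTE(review): the old reference is dropped even when
                # values carries no replacement for this field; if the
                # database layer keeps the stored 'extra' in that case
                # the record would reference a deleted secret -- confirm
                # against the request validation.
                if old_extra.get(field):
                    superseded.append(old_extra[field])
                if new_extra.get(field):
                    new_extra[field] = key_manager.store_secret(
                        new_extra[field], context)
        updated = self.db.job_binary_update(context, values)
        # a failure here propagates to the caller after the record has
        # already been updated; the old secret then remains in the key
        # manager.
        for secret_ref in superseded:
            key_manager.delete_secret(secret_ref, context)
        return updated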
Exemple #3
    def job_binary_create(self, context, values):
        """Create a JobBinary from the values dictionary.

        :param context: request context; supplies ``tenant_id`` and is
            passed to the key manager and the database layer
        :param values: fields of the new record; deep-copied, so the
            caller's dictionary is not modified
        :returns: the result of ``self.db.job_binary_create``
        """

        record = _apply_defaults(copy.deepcopy(values), JOB_BINARY_DEFAULTS)
        record['tenant_id'] = context.tenant_id
        # credentials passed in with the record are handed to the
        # key_manager, and the value it returns is what gets written to
        # the database in their place.
        # NOTE(review): nothing here removes a stored secret again if the
        # database write below fails -- confirm whether that is handled
        # elsewhere.
        extra = record.get('extra')
        if extra:
            for field in ('password', 'secretkey'):
                if extra.get(field):
                    extra[field] = key_manager.store_secret(
                        extra[field], context)
        return self.db.job_binary_create(context, record)
Exemple #4
    def job_binary_create(self, context, values):
        """Create a JobBinary from the values dictionary.

        :param context: request context; supplies ``tenant_id`` and is
            passed to the key manager and the database layer
        :param values: fields of the new record; deep-copied, so the
            caller's dictionary is not modified
        :returns: the result of ``self.db.job_binary_create``
        """

        record = _apply_defaults(copy.deepcopy(values), JOB_BINARY_DEFAULTS)
        record['tenant_id'] = context.tenant_id
        # credentials passed in with the record are handed to the
        # key_manager, and the value it returns is what gets written to
        # the database in their place.
        # NOTE(review): nothing here removes a stored secret again if the
        # database write below fails -- confirm whether that is handled
        # elsewhere.
        extra = record.get('extra')
        if extra:
            for field in ('password', 'secretkey'):
                if extra.get(field):
                    extra[field] = key_manager.store_secret(
                        extra[field], context)
        return self.db.job_binary_create(context, record)
Exemple #5
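    def data_source_update(self, context, id, values):
        """Update the Data Source or raise if it does not exist.

        When the external (Barbican) key manager is enabled and the proxy
        domain is not in use, the password in ``values['credentials']``
        is replaced by the value returned from
        ``key_manager.store_secret`` before the record is written, and
        the reference held by the previous record is deleted from the key
        manager once the write has succeeded.

        :param context: request context, passed to the key manager and to
            the database layer
        :param id: identifier of the Data Source to update
        :param values: fields to update; deep-copied, so the caller's
            dictionary is never modified
        :returns: the result of ``self.db.data_source_update``
        """

        values = copy.deepcopy(values)
        values["id"] = id
        # in cases where the credentials to access the data source are
        # stored with the record and the external key manager is being
        # used, the old key is dropped and a new one is created instead
        # of comparing the previous key with the new one.
        # it should be noted that the jsonschema validation ensures that
        # if the proxy domain is not in use then credentials must be
        # sent with this record.
        #
        # the old reference is only remembered here and deleted after the
        # database write: deleting first would leave the record pointing
        # at a secret that no longer exists if store_secret or the write
        # raised afterwards. a failed write can still leave a freshly
        # stored secret unreferenced in the key manager.
        # NOTE(review): only 'password' is handled; any other credential
        # field in values is written as supplied -- confirm that is
        # intended.
        superseded = None
        if (CONF.use_barbican_key_manager and not
                CONF.use_domain_for_proxy_users):
            # retrieve the original record to get the old key uuid.
            ds_record = self.data_source_get(context, id)
            old_creds = ds_record.get('credentials') or {}
            new_creds = values.get('credentials') or {}
            if old_creds.get('password'):
                superseded = old_creds['password']
            # next we create the new key.
            if new_creds.get('password'):
                new_creds['password'] = key_manager.store_secret(
                    new_creds['password'], context)
        updated = self.db.data_source_update(context, values)
        # a failure here propagates to the caller after the record has
        # already been updated; the old secret then remains in the key
        # manager.
        if superseded:
            key_manager.delete_secret(superseded, context)
        return updated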
Exemple #6
    def data_source_create(self, context, values):
        """Create a Data Source from the values dictionary.

        :param context: request context; supplies ``tenant_id`` and is
            passed to the key manager and the database layer
        :param values: fields of the new record; deep-copied, so the
            caller's dictionary is not modified
        :returns: the result of ``self.db.data_source_create``
        """

        record = _apply_defaults(copy.deepcopy(values), DATA_SOURCE_DEFAULTS)
        record['tenant_id'] = context.tenant_id
        # credentials passed in with the record are handed to the
        # key_manager, and the value it returns is what gets written to
        # the database in their place.
        # NOTE(review): nothing here removes a stored secret again if the
        # database write below fails -- confirm whether that is handled
        # elsewhere.
        credentials = record.get('credentials')
        if credentials:
            for field in ('password', 'secretkey'):
                if credentials.get(field):
                    credentials[field] = key_manager.store_secret(
                        credentials[field], context)
        return self.db.data_source_create(context, record)
Exemple #7
    def data_source_create(self, context, values):
        """Create a Data Source from the values dictionary.

        :param context: request context; supplies ``tenant_id`` and is
            passed to the key manager and the database layer
        :param values: fields of the new record; deep-copied, so the
            caller's dictionary is not modified
        :returns: the result of ``self.db.data_source_create``
        """

        record = _apply_defaults(copy.deepcopy(values), DATA_SOURCE_DEFAULTS)
        record['tenant_id'] = context.tenant_id
        # credentials passed in with the record are handed to the
        # key_manager, and the value it returns is what gets written to
        # the database in their place.
        # NOTE(review): nothing here removes a stored secret again if the
        # database write below fails -- confirm whether that is handled
        # elsewhere.
        credentials = record.get('credentials')
        if credentials:
            for field in ('password', 'secretkey'):
                if credentials.get(field):
                    credentials[field] = key_manager.store_secret(
                        credentials[field], context)
        return self.db.data_source_create(context, record)
Exemple #8
def get_server_password(cluster):
    """Return the KDC admin password for *cluster*, creating it if needed.

    When ``using_existing_kdc(cluster)`` is true the result of
    ``get_admin_password(cluster)`` is returned. Otherwise the password is
    looked up through the reference kept under ``'admin-passwd-kdc'`` in
    the cluster's ``extra``; if no entry exists, a new password is
    generated, stored with the key manager, and its reference saved on
    the cluster.

    :param cluster: passed to ``conductor.cluster_get`` to load the record
    :returns: the value ``key_manager.get_secret`` yields for the entry
    """
    if using_existing_kdc(cluster):
        return get_admin_password(cluster)

    ctx = context.ctx()
    record = conductor.cluster_get(ctx, cluster)
    if record.extra:
        extra = record.extra.to_dict()
    else:
        extra = {}

    entry = 'admin-passwd-kdc'
    if entry not in extra:
        # NOTE(review): the strength of this password depends on
        # _get_short_uuid(), which is not visible here -- confirm it
        # draws enough randomness for an admin credential.
        # NOTE(review): no locking is visible around this
        # check-then-create; two concurrent callers could each store a
        # secret -- confirm callers are serialized.
        extra[entry] = key_manager.store_secret(_get_short_uuid(), ctx)
        conductor.cluster_update(ctx, record, {'extra': extra})
    # the password is always read back through the key manager, even
    # right after it was generated.
    return key_manager.get_secret(extra.get(entry), ctx)
Exemple #9
def get_server_password(cluster):
    """Return the KDC admin password for *cluster*, creating it if needed.

    When ``using_existing_kdc(cluster)`` is true the result of
    ``get_admin_password(cluster)`` is returned. Otherwise the password is
    looked up through the reference kept under ``'admin-passwd-kdc'`` in
    the cluster's ``extra``; if no entry exists, a new password is
    generated, stored with the key manager, and its reference saved on
    the cluster.

    :param cluster: passed to ``conductor.cluster_get`` to load the record
    :returns: the value ``key_manager.get_secret`` yields for the entry
    """
    if using_existing_kdc(cluster):
        return get_admin_password(cluster)

    ctx = context.ctx()
    record = conductor.cluster_get(ctx, cluster)
    if record.extra:
        extra = record.extra.to_dict()
    else:
        extra = {}

    entry = 'admin-passwd-kdc'
    if entry not in extra:
        # NOTE(review): the strength of this password depends on
        # _get_short_uuid(), which is not visible here -- confirm it
        # draws enough randomness for an admin credential.
        # NOTE(review): no locking is visible around this
        # check-then-create; two concurrent callers could each store a
        # secret -- confirm callers are serialized.
        extra[entry] = key_manager.store_secret(_get_short_uuid(), ctx)
        conductor.cluster_update(ctx, record, {'extra': extra})
    # the password is always read back through the key manager, even
    # right after it was generated.
    return key_manager.get_secret(extra.get(entry), ctx)
Exemple #10
def create_proxy_user_for_job_execution(job_execution):
    '''Create a proxy user and record its credentials on the job execution

    A proxy user is created, a trust from the current user to the proxy
    user is set up with the roles in ``CONF.proxy_user_role_names``, and
    the user name, stored password value and trust id are written to
    ``job_configs['proxy_configs']``.

    :param job_execution: The job execution model to update

    '''
    # NOTE(review): this literal has no replacement field, so .format()
    # returns it unchanged and the id never becomes part of the name. It
    # looks like the listing masked the original template -- restore it
    # from the upstream source before reusing this code.
    proxy_name = '******'.format(job_execution.id)
    # what is kept from here on is the value returned by store_secret,
    # not the value returned by proxy_user_create.
    secret_value = key_manager.store_secret(proxy_user_create(proxy_name))
    trustor = k.auth()
    # NOTE(review): auth_for_proxy receives the store_secret result;
    # presumably it resolves that through the key manager -- confirm.
    trustee = k.auth_for_proxy(proxy_name, secret_value)
    # NOTE(review): if creating the trust or the update below fails, the
    # proxy user and stored secret created above are not cleaned up here
    # -- confirm callers handle that.
    trust_id = t.create_trust(
        trustor=trustor,
        trustee=trustee,
        role_names=CONF.proxy_user_role_names)
    job_configs = job_execution.job_configs.to_dict()
    job_configs['proxy_configs'] = {
        'proxy_username': proxy_name,
        'proxy_password': secret_value,
        'proxy_trust_id': trust_id,
    }
    update = {'job_configs': job_configs}
    conductor.job_execution_update(context.ctx(), job_execution, update)
Exemple #11
def create_proxy_user_for_job_execution(job_execution):
    '''Create a proxy user and record its credentials on the job execution

    A proxy user is created, a trust from the current user to the proxy
    user is set up with the roles in ``CONF.proxy_user_role_names``, and
    the user name, stored password value and trust id are written to
    ``job_configs['proxy_configs']``.

    :param job_execution: The job execution model to update

    '''
    # NOTE(review): this literal has no replacement field, so .format()
    # returns it unchanged and the id never becomes part of the name. It
    # looks like the listing masked the original template -- restore it
    # from the upstream source before reusing this code.
    proxy_name = '******'.format(job_execution.id)
    # what is kept from here on is the value returned by store_secret,
    # not the value returned by proxy_user_create.
    secret_value = key_manager.store_secret(proxy_user_create(proxy_name))
    trustor = k.auth()
    # NOTE(review): auth_for_proxy receives the store_secret result;
    # presumably it resolves that through the key manager -- confirm.
    trustee = k.auth_for_proxy(proxy_name, secret_value)
    # NOTE(review): if creating the trust or the update below fails, the
    # proxy user and stored secret created above are not cleaned up here
    # -- confirm callers handle that.
    trust_id = t.create_trust(
        trustor=trustor,
        trustee=trustee,
        role_names=CONF.proxy_user_role_names)
    job_configs = job_execution.job_configs.to_dict()
    job_configs['proxy_configs'] = {
        'proxy_username': proxy_name,
        'proxy_password': secret_value,
        'proxy_trust_id': trust_id,
    }
    update = {'job_configs': job_configs}
    conductor.job_execution_update(context.ctx(), job_execution, update)
Exemple #12
def get_password(cluster, pw_name):
    """Return the password for the named entry, creating it if missing.

    The cluster record is reloaded through the conductor. If its ``extra``
    already holds a value under ``pw_name``, that value is resolved with
    ``key_manager.get_secret``. Otherwise a new password is generated,
    stored with the key manager, and the value returned by
    ``store_secret`` is saved under ``pw_name`` in the cluster's
    ``extra``.

    :param cluster: The cluster record containing the password
    :param pw_name: The entry name associated with the password
    :returns: The cleartext password
    """
    ctx = context.ctx()
    record = conductor.cluster_get(ctx, cluster.id)

    secret_ref = None
    if record.extra:
        secret_ref = record.extra.get(pw_name)
    if secret_ref:
        return key_manager.get_secret(secret_ref, ctx)

    # NOTE(review): the password is the string form of uuid.uuid4(). If a
    # generator documented for secrets is preferred, the stdlib `secrets`
    # module is the usual choice, but that changes the password format --
    # confirm consumers first.
    # NOTE(review): no locking is visible around this check-then-create;
    # two concurrent callers could each generate a password -- confirm
    # callers are serialized.
    new_password = six.text_type(uuid.uuid4())
    extra = {}
    if record.extra:
        extra = record.extra.to_dict()
    extra[pw_name] = key_manager.store_secret(new_password, ctx)
    conductor.cluster_update(ctx, record, {'extra': extra})
    return new_password
Exemple #13
def create_proxy_user_for_cluster(cluster):
    '''Create a proxy user and record its credentials on the cluster

    Nothing is done when the cluster already has ``proxy_configs``.
    Otherwise a proxy user is created, a trust from the current user to
    the proxy user is set up with the roles in
    ``CONF.proxy_user_role_names``, and the user name, stored password
    value and trust id are written to
    ``cluster_configs['proxy_configs']``.

    :param cluster: The cluster model to update
    :returns: the cluster unchanged if it already has proxy configs,
        otherwise the result of ``conductor.cluster_update``

    '''
    if cluster.cluster_configs.get('proxy_configs'):
        return cluster

    # NOTE(review): this literal has no replacement field, so .format()
    # returns it unchanged and the id never becomes part of the name. It
    # looks like the listing masked the original template -- restore it
    # from the upstream source before reusing this code.
    proxy_name = '******'.format(cluster.id)
    # what is kept from here on is the value returned by store_secret,
    # not the value returned by proxy_user_create.
    secret_value = key_manager.store_secret(proxy_user_create(proxy_name))
    trustor = k.auth()
    # NOTE(review): auth_for_proxy receives the store_secret result;
    # presumably it resolves that through the key manager -- confirm.
    trustee = k.auth_for_proxy(proxy_name, secret_value)
    # NOTE(review): if creating the trust or the update below fails, the
    # proxy user and stored secret created above are not cleaned up here
    # -- confirm callers handle that.
    trust_id = t.create_trust(
        trustor=trustor,
        trustee=trustee,
        role_names=CONF.proxy_user_role_names)
    cluster_configs = cluster.cluster_configs.to_dict()
    cluster_configs['proxy_configs'] = {
        'proxy_username': proxy_name,
        'proxy_password': secret_value,
        'proxy_trust_id': trust_id,
    }
    update = {'cluster_configs': cluster_configs}
    return conductor.cluster_update(context.ctx(), cluster, update)
Exemple #14
def get_password(cluster, pw_name):
    """Return the password for the named entry, creating it if missing.

    The cluster record is reloaded through the conductor. If its ``extra``
    already holds a value under ``pw_name``, that value is resolved with
    ``key_manager.get_secret``. Otherwise a new password is generated,
    stored with the key manager, and the value returned by
    ``store_secret`` is saved under ``pw_name`` in the cluster's
    ``extra``.

    :param cluster: The cluster record containing the password
    :param pw_name: The entry name associated with the password
    :returns: The cleartext password
    """
    ctx = context.ctx()
    record = conductor.cluster_get(ctx, cluster.id)

    secret_ref = None
    if record.extra:
        secret_ref = record.extra.get(pw_name)
    if secret_ref:
        return key_manager.get_secret(secret_ref, ctx)

    # NOTE(review): the password is the string form of uuid.uuid4(). If a
    # generator documented for secrets is preferred, the stdlib `secrets`
    # module is the usual choice, but that changes the password format --
    # confirm consumers first.
    # NOTE(review): no locking is visible around this check-then-create;
    # two concurrent callers could each generate a password -- confirm
    # callers are serialized.
    new_password = six.text_type(uuid.uuid4())
    extra = {}
    if record.extra:
        extra = record.extra.to_dict()
    extra[pw_name] = key_manager.store_secret(new_password, ctx)
    conductor.cluster_update(ctx, record, {'extra': extra})
    return new_password
Exemple #15
def create_proxy_user_for_cluster(cluster):
    '''Create a proxy user and record its credentials on the cluster

    Nothing is done when the cluster already has ``proxy_configs``.
    Otherwise a proxy user is created, a trust from the current user to
    the proxy user is set up with the roles in
    ``CONF.proxy_user_role_names``, and the user name, stored password
    value and trust id are written to
    ``cluster_configs['proxy_configs']``.

    :param cluster: The cluster model to update
    :returns: the cluster unchanged if it already has proxy configs,
        otherwise the result of ``conductor.cluster_update``

    '''
    if cluster.cluster_configs.get('proxy_configs'):
        return cluster

    # NOTE(review): this literal has no replacement field, so .format()
    # returns it unchanged and the id never becomes part of the name. It
    # looks like the listing masked the original template -- restore it
    # from the upstream source before reusing this code.
    proxy_name = '******'.format(cluster.id)
    # what is kept from here on is the value returned by store_secret,
    # not the value returned by proxy_user_create.
    secret_value = key_manager.store_secret(proxy_user_create(proxy_name))
    trustor = k.auth()
    # NOTE(review): auth_for_proxy receives the store_secret result;
    # presumably it resolves that through the key manager -- confirm.
    trustee = k.auth_for_proxy(proxy_name, secret_value)
    # NOTE(review): if creating the trust or the update below fails, the
    # proxy user and stored secret created above are not cleaned up here
    # -- confirm callers handle that.
    trust_id = t.create_trust(
        trustor=trustor,
        trustee=trustee,
        role_names=CONF.proxy_user_role_names)
    cluster_configs = cluster.cluster_configs.to_dict()
    cluster_configs['proxy_configs'] = {
        'proxy_username': proxy_name,
        'proxy_password': secret_value,
        'proxy_trust_id': trust_id,
    }
    update = {'cluster_configs': cluster_configs}
    return conductor.cluster_update(context.ctx(), cluster, update)
Exemple #16
def generate_random_password():
    """Generate a password and hand it to ``castellan.store_secret``.

    The password is the string form of ``uuid.uuid4()``.

    :returns: whatever ``castellan.store_secret`` returns for the new
        password. NOTE(review): presumably a key-manager reference rather
        than the cleartext -- confirm against castellan.store_secret.
    """
    # NOTE(review): a UUID is used as the password; if a generator
    # documented for secrets is preferred, the stdlib `secrets` module is
    # the usual choice, but that changes the password format -- confirm
    # consumers first.
    return castellan.store_secret(six.text_type(uuid.uuid4()))
Exemple #17
def store_secret(secret, ctx=None, **kwargs):
    """Store *secret* through ``castellan_utils.store_secret``.

    :param secret: the value to store
    :param ctx: accepted but not forwarded to ``castellan_utils``
    :param kwargs: accepted but not forwarded to ``castellan_utils``
    :returns: the result of ``castellan_utils.store_secret(secret)``
    """
    # NOTE(review): a caller-supplied ctx is dropped here, so the secret
    # is stored under whatever context castellan_utils.store_secret picks
    # on its own -- confirm that matches the caller's intent.
    stored = castellan_utils.store_secret(secret)
    return stored
Exemple #18
def generate_random_password():
    """Generate a password and hand it to ``castellan.store_secret``.

    The password is the value returned by ``uuidutils.generate_uuid()``.

    :returns: whatever ``castellan.store_secret`` returns for the new
        password. NOTE(review): presumably a key-manager reference rather
        than the cleartext -- confirm against castellan.store_secret.
    """
    # NOTE(review): a UUID is used as the password; if a generator
    # documented for secrets is preferred, the stdlib `secrets` module is
    # the usual choice, but that changes the password format -- confirm
    # consumers first.
    return castellan.store_secret(uuidutils.generate_uuid())
Exemple #19
def store_secret(secret, ctx=None, **kwargs):
    """Store *secret* through ``castellan_utils.store_secret``.

    :param secret: the value to store
    :param ctx: accepted but not forwarded to ``castellan_utils``
    :param kwargs: accepted but not forwarded to ``castellan_utils``
    :returns: the result of ``castellan_utils.store_secret(secret)``
    """
    # NOTE(review): a caller-supplied ctx is dropped here, so the secret
    # is stored under whatever context castellan_utils.store_secret picks
    # on its own -- confirm that matches the caller's intent.
    stored = castellan_utils.store_secret(secret)
    return stored