def setup_service_account(service_name: str,
service_account_secret: str = None) -> dict:
"""
Setup the service account for TLS. If the account or secret of the specified
name already exists, these are deleted.
"""
if sdk_utils.is_open_dcos():
log.error(
"The setup of a service account requires DC/OS EE. service_name=%s",
service_name)
raise Exception("The setup of a service account requires DC/OS EE")
name = service_name
secret = name if service_account_secret is None else service_account_secret
service_account_info = sdk_security.setup_security(
service_name,
linux_user="******",
service_account=name,
service_account_secret=secret)
log.info("Adding permissions required for TLS.")
if sdk_utils.dcos_version_less_than("1.11"):
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
else:
acls = [
{
"rid": "dcos:secrets:default:/{}/*".format(service_name),
"action": "full"
},
{
"rid": "dcos:secrets:list:default:/{}".format(service_name),
"action": "read"
},
{
"rid": "dcos:adminrouter:ops:ca:rw",
"action": "full"
},
{
"rid": "dcos:adminrouter:ops:ca:ro",
"action": "full"
},
]
for acl in acls:
cmd_list = [
"security", "org", "users", "grant", "--description",
"\"Allow provisioning TLS certificates\"", name, acl["rid"],
acl["action"]
]
sdk_cmd.run_cli(" ".join(cmd_list))
return service_account_info
def setup_service_account(
service_name: str,
service_account_secret: Optional[str] = None,
) -> Dict[str, Any]:
"""
Setup the service account for TLS. If the account or secret of the specified
name already exists, these are deleted.
"""
if sdk_utils.is_open_dcos():
log.error("The setup of a service account requires DC/OS EE. service_name=%s", service_name)
raise Exception("The setup of a service account requires DC/OS EE")
secret = service_name if service_account_secret is None else service_account_secret
service_account = "{}-service-account".format(service_name.replace("/", ""))
service_account_info = sdk_security.setup_security(
service_name,
linux_user="******",
service_account=service_account,
service_account_secret=secret,
)
log.info("Adding permissions required for TLS.")
if sdk_utils.dcos_version_less_than("1.11"):
sdk_cmd.run_cli("security org groups add_user superusers {sa}".format(sa=service_account))
else:
acls = [
{"rid": "dcos:secrets:default:/{}/*".format(service_name.strip("/")), "action": "full"},
{
"rid": "dcos:secrets:list:default:/{}".format(service_name.strip("/")),
"action": "read",
},
{"rid": "dcos:adminrouter:ops:ca:rw", "action": "full"},
{"rid": "dcos:adminrouter:ops:ca:ro", "action": "full"},
]
for acl in acls:
cmd_list = [
"security",
"org",
"users",
"grant",
"--description",
'"Allow provisioning TLS certificates"',
service_account,
acl["rid"],
acl["action"],
]
sdk_cmd.run_cli(" ".join(cmd_list))
return service_account_info
def spark_security_session(
users=[SPARK_USER],
service_names=[SPARK_SERVICE_NAME, FOLDERED_SPARK_SERVICE_NAME]):
'''
Spark strict mode setup is slightly different from dcos-commons, so can't use sdk_security::security_session.
Differences:
(1) the role is "*", (2) the driver itself is a framework and needs permission to execute tasks.
'''
role = '*'
service_account = SPARK_SERVICE_ACCOUNT
secret = SPARK_SERVICE_ACCOUNT_SECRET
def setup_security():
log.info('Setting up strict-mode security for Spark')
sdk_security.create_service_account(
service_account_name=service_account,
service_account_secret=secret)
for user in users:
grant_user_permissions(user, role, service_account)
for service_name in service_names:
grant_launch_task_permission(service_name)
log.info('Finished setting up strict-mode security for Spark')
def cleanup_security():
log.info('Cleaning up strict-mode security for Spark')
for user in users:
revoke_user_permissions(user, role, service_account)
# TODO: improve security setup/teardown to make it more fine-grained (allow different service names/accts/users)
# tracking issue: https://jira.mesosphere.com/browse/DCOS-50933
sdk_security.delete_service_account(service_account, secret)
log.info('Finished cleaning up strict-mode security for Spark')
try:
if not sdk_utils.is_open_dcos():
sdk_security.install_enterprise_cli()
if sdk_utils.is_strict_mode():
setup_security()
yield
finally:
if sdk_utils.is_strict_mode():
cleanup_security()
def setup_service_account(service_name: str,
service_account_secret: str=None) -> dict:
"""
Setup the service account for TLS. If the account or secret of the specified
name already exists, these are deleted.
"""
if sdk_utils.is_open_dcos():
log.error("The setup of a service account requires DC/OS EE. service_name=%s", service_name)
raise Exception("The setup of a service account requires DC/OS EE")
name = service_name
secret = name if service_account_secret is None else service_account_secret
service_account_info = sdk_security.setup_security(service_name,
service_account=name,
service_account_secret=secret)
log.info("Adding permissions required for TLS.")
if sdk_utils.dcos_version_less_than("1.11"):
sdk_cmd.run_cli("security org groups add_user superusers {name}".format(name=name))
else:
acls = [
{"rid": "dcos:secrets:default:/{}/*".format(service_name), "action": "full"},
{"rid": "dcos:secrets:list:default:/{}".format(service_name), "action": "read"},
{"rid": "dcos:adminrouter:ops:ca:rw", "action": "full"},
{"rid": "dcos:adminrouter:ops:ca:ro", "action": "full"},
]
for acl in acls:
cmd_list = ["security", "org", "users", "grant",
"--description", "\"Allow provisioning TLS certificates\"",
name, acl["rid"], acl["action"]
]
sdk_cmd.run_cli(" ".join(cmd_list))
return service_account_info
import sdk_plan
import sdk_utils
from security import transport_encryption
from tests import auth
from tests import config
from tests import test_utils
log = logging.getLogger(__name__)
pytestmark = [
pytest.mark.skip(
reason="INFINTY-INFINITY-3367: Address issues in Kafka security toggle"
),
pytest.mark.skipif(sdk_utils.is_open_dcos(),
reason="Security tests require DC/OS EE"),
pytest.mark.skipif(sdk_utils.dcos_version_less_than("1.10"),
reason="Security tests require DC/OS 1.10+"),
]
MESSAGES = []
@pytest.fixture(scope='module', autouse=True)
def service_account(configure_security):
"""
Sets up a service account for use with TLS.
"""
try:
name = config.SERVICE_NAME
def is_cli_supports_service_options_update() -> bool:
"""Service updates are supported in [EE 1.9+] or [Open 1.11+]"""
return sdk_utils.dcos_version_at_least("1.9") and (
not sdk_utils.is_open_dcos()
or sdk_utils.dcos_version_at_least("1.11"))
def is_cli_supports_service_version_upgrade() -> bool:
"""Version upgrades are supported for [EE 1.9+] only"""
return is_cli_supports_service_options_update(
) and not sdk_utils.is_open_dcos()
def is_cli_supports_service_options_update() -> bool:
"""Service updates are supported in [EE 1.9+] or [Open 1.11+]"""
return sdk_utils.dcos_version_at_least("1.9") and (
not sdk_utils.is_open_dcos() or sdk_utils.dcos_version_at_least("1.11")
)
def is_cli_supports_service_version_upgrade() -> bool:
"""Version upgrades are supported for [EE 1.9+] only"""
return is_cli_supports_service_options_update() and not sdk_utils.is_open_dcos()
import sdk_marathon
import sdk_utils
from security import transport_encryption
from tests import auth
from tests import config
from tests import test_utils
log = logging.getLogger(__name__)
pytestmark = pytest.mark.skipif(sdk_utils.is_open_dcos(),
reason='Feature only supported in DC/OS EE')
@pytest.fixture(scope='module', autouse=True)
def service_account(configure_security):
"""
Sets up a service account for use with TLS.
"""
try:
name = config.SERVICE_NAME
service_account_info = transport_encryption.setup_service_account(name)
yield service_account_info
finally:
transport_encryption.cleanup_service_account(config.SERVICE_NAME,
import sdk_utils
from security import transport_encryption
from tests import auth
from tests import client
from tests import config
log = logging.getLogger(__name__)
pytestmark = pytest.mark.skipif(
sdk_utils.is_open_dcos(), reason="Feature only supported in DC/OS EE"
)
@pytest.fixture(scope="module", autouse=True)
def service_account(configure_security):
"""
Sets up a service account for use with TLS.
"""
try:
name = config.SERVICE_NAME
service_account_info = transport_encryption.setup_service_account(name)
yield service_account_info
finally:
transport_encryption.cleanup_service_account(config.SERVICE_NAME, service_account_info)
import pytest
import sdk_cmd
import sdk_install
import sdk_networks
import sdk_recovery
import sdk_security
import sdk_tasks
import sdk_utils
from security import transport_encryption, cipher_suites
from tests import config, test_utils
pytestmark = [
pytest.mark.skipif(sdk_utils.is_open_dcos(), reason="Feature only supported in DC/OS EE"),
pytest.mark.skipif(
sdk_utils.dcos_version_less_than("1.10"), reason="TLS tests require DC/OS 1.10+"
),
]
log = logging.getLogger(__name__)
# Name of the broker TLS vip
BROKER_TLS_ENDPOINT = "broker-tls"
@pytest.fixture(scope="module")
def service_account(configure_security):
"""
Sets up a service account for use with TLS.
