def create_service_account(service_account, private_key_filename='private-key.pem',
public_key_filename='public-key.pem', account_description='SI test account'):
"""Create new private and public key pair and use them to add a new service
with a give name. Public key file is then removed, however private key file
is left since it might be used to create a secret. If you don't plan on creating
a secret afterwards, please remove it manually.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param service_account: service account name
:type service_account: str
:param private_key_filename: optional private key file name
:type private_key_filename: str
:param public_key_filename: optional public key file name
:type public_key_filename: str
:param account_description: service account description
:type account_description: str
"""
logger.info('Creating a key pair for the service account')
with attached_cli():
cmd = 'security org service-accounts keypair {} {}'.format(private_key_filename, public_key_filename)
run_dcos_command(cmd)
assert os.path.isfile(private_key_filename), "Private key of the service account key pair not found"
assert os.path.isfile(public_key_filename), "Public key of the service account key pair not found"
logger.info('Creating {} service account'.format(service_account))
stdout, stderr, return_code = run_dcos_command('security org service-accounts create -p {} -d "{}" {}'.format(
public_key_filename, account_description, service_account))
os.remove(public_key_filename)
assert return_code == 0
def create_sa_secret(secret_name, service_account, strict=False, private_key_filename='private-key.pem'):
"""Create an sa-secret with a given private key file for passed service account in the vault. Both
(service account and secret) should share the same key pair. `{strict}` parameter should be
`True` when creating a secret in a `strict` secure cluster. Private key file will be removed
after secret is successfully created.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param secret_name: secret name
:type secret_name: str
:param service_account: service account name
:type service_account: str
:param strict: `True` is this a `strict` secure cluster
:type strict: bool
:param private_key_filename: private key file name
:type private_key_filename: str
"""
assert os.path.isfile(private_key_filename), "Failed to create secret: private key not found"
logger.info('Creating new sa-secret {} for service-account: {}'.format(secret_name, service_account))
strict_opt = '--strict' if strict else ''
with attached_cli():
stdout, stderr, return_code = run_dcos_command('security secrets create-sa-secret {} {} {} {}'.format(
strict_opt,
private_key_filename,
service_account,
secret_name))
os.remove(private_key_filename)
assert return_code == 0, "Failed to create a secret"
def create_sa_secret(secret_name,
service_account,
strict=False,
private_key_filename='private-key.pem'):
"""Create an sa-secret with a given private key file for passed service account in the vault. Both
(service account and secret) should share the same key pair. `{strict}` parameter should be
`True` when creating a secret in a `strict` secure cluster. Private key file will be removed
after secret is successfully created.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param secret_name: secret name
:type secret_name: str
:param service_account: service account name
:type service_account: str
:param strict: `True` is this a `strict` secure cluster
:type strict: bool
:param private_key_filename: private key file name
:type private_key_filename: str
"""
assert os.path.isfile(
private_key_filename), "Failed to create secret: private key not found"
logger.info('Creating new sa-secret {} for service-account: {}'.format(
secret_name, service_account))
strict_opt = '--strict' if strict else ''
with attached_cli():
stdout, stderr, return_code = run_dcos_command(
'security secrets create-sa-secret {} {} {} {}'.format(
strict_opt, private_key_filename, service_account,
secret_name))
os.remove(private_key_filename)
assert return_code == 0, "Failed to create a secret"
def install_enterprise_cli_package():
"""Install `dcos-enterprise-cli` package. It is required by the `dcos security`
command to create secrets, manage service accounts etc.
"""
logger.info('Installing dcos-enterprise-cli package')
with attached_cli():
cmd = 'package install dcos-enterprise-cli --cli --yes'
stdout, stderr, return_code = run_dcos_command(cmd, raise_on_error=True)
def install_enterprise_cli_package():
"""Install `dcos-enterprise-cli` package. It is required by the `dcos security`
command to create secrets, manage service accounts etc.
"""
logger.info('Installing dcos-enterprise-cli package')
with attached_cli():
cmd = 'package install dcos-enterprise-cli --cli --yes'
stdout, stderr, return_code = run_dcos_command(cmd,
raise_on_error=True)
def is_enterprise_cli_package_installed():
"""Returns `True` if `dcos-enterprise-cli` package is installed."""
with attached_cli():
stdout, stderr, return_code = run_dcos_command('package list --json')
logger.info('package list command returned code:{}, stderr:{}, stdout: {}'.format(return_code, stderr, stdout))
try:
result_json = json.loads(stdout)
except JSONDecodeError as error:
raise DCOSException('Could not parse: "{}"'.format(stdout)) from error
return any(cmd['name'] == 'dcos-enterprise-cli' for cmd in result_json)
def delete_service_account(service_account):
"""Removes an existing service account. This method uses `dcos security org`
command and assumes that `dcos-enterprise-cli` package is installed.
:param service_account: service account name
:type service_account: str
"""
logger.info('Removing existing service account {}'.format(service_account))
with attached_cli():
cmd = 'security org service-accounts delete {}'.format(service_account)
stdout, stderr, return_code = run_dcos_command(cmd)
assert return_code == 0, "Failed to create a service account"
def delete_secret(secret_name):
"""Delete a secret with a given name from the vault.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param secret_name: secret name
:type secret_name: str
"""
logger.info('Removing existing secret {}'.format(secret_name))
with attached_cli():
stdout, stderr, return_code = run_dcos_command('security secrets delete {}'.format(secret_name))
assert return_code == 0, "Failed to remove existing secret"
def delete_service_account(service_account):
"""Removes an existing service account. This method uses `dcos security org`
command and assumes that `dcos-enterprise-cli` package is installed.
:param service_account: service account name
:type service_account: str
"""
logger.info('Removing existing service account {}'.format(service_account))
with attached_cli():
cmd = 'security org service-accounts delete {}'.format(service_account)
stdout, stderr, return_code = run_dcos_command(cmd)
assert return_code == 0, "Failed to create a service account"
def has_service_account(service_account):
"""Returns `True` if a service account with a given name already exists.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param service_account: service account name
:type service_account: str
"""
with attached_cli():
stdout, stderr, return_code = run_dcos_command('security org service-accounts show --json')
result_json = json.loads(stdout)
return service_account in result_json
def has_service_account(service_account):
"""Returns `True` if a service account with a given name already exists.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param service_account: service account name
:type service_account: str
"""
with attached_cli():
stdout, stderr, return_code = run_dcos_command(
'security org service-accounts show --json')
result_json = json.loads(stdout)
return service_account in result_json
def delete_secret(secret_name):
"""Delete a secret with a given name from the vault.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param secret_name: secret name
:type secret_name: str
"""
logger.info('Removing existing secret {}'.format(secret_name))
with attached_cli():
stdout, stderr, return_code = run_dcos_command(
'security secrets delete {}'.format(secret_name))
assert return_code == 0, "Failed to remove existing secret"
def is_enterprise_cli_package_installed():
"""Returns `True` if `dcos-enterprise-cli` package is installed."""
with attached_cli():
stdout, stderr, return_code = run_dcos_command('package list --json')
logger.info(
'package list command returned code:{}, stderr:{}, stdout: {}'.
format(return_code, stderr, stdout))
try:
result_json = json.loads(stdout)
except JSONDecodeError as error:
raise DCOSException(
'Could not parse: "{}"'.format(stdout)) from error
return any(cmd['name'] == 'dcos-enterprise-cli' for cmd in result_json)
def has_secret(secret_name):
"""Returns `True` if the secret with given name exists in the vault.
This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
package is installed.
:param secret_name: secret name
:type secret_name: str
"""
with attached_cli():
stdout, stderr, return_code = run_dcos_command('security secrets list / --json')
if stdout:
result_json = json.loads(stdout)
return secret_name in result_json
return False
def has_secret(secret_name):
"""Returns `True` if the secret with given name exists in the vault.
This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
package is installed.
:param secret_name: secret name
:type secret_name: str
"""
with attached_cli():
stdout, stderr, return_code = run_dcos_command(
'security secrets list / --json')
if stdout:
result_json = json.loads(stdout)
return secret_name in result_json
return False
def create_service_account(service_account,
private_key_filename='private-key.pem',
public_key_filename='public-key.pem',
account_description='SI test account'):
"""Create new private and public key pair and use them to add a new service
with a give name. Public key file is then removed, however private key file
is left since it might be used to create a secret. If you don't plan on creating
a secret afterwards, please remove it manually.
This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
package is installed.
:param service_account: service account name
:type service_account: str
:param private_key_filename: optional private key file name
:type private_key_filename: str
:param public_key_filename: optional public key file name
:type public_key_filename: str
:param account_description: service account description
:type account_description: str
"""
logger.info('Creating a key pair for the service account')
with attached_cli():
cmd = 'security org service-accounts keypair {} {}'.format(
private_key_filename, public_key_filename)
run_dcos_command(cmd)
assert os.path.isfile(
private_key_filename
), "Private key of the service account key pair not found"
assert os.path.isfile(
public_key_filename
), "Public key of the service account key pair not found"
logger.info('Creating {} service account'.format(service_account))
stdout, stderr, return_code = run_dcos_command(
'security org service-accounts create -p {} -d "{}" {}'.format(
public_key_filename, account_description, service_account))
os.remove(public_key_filename)
assert return_code == 0
def create_secret(name, value=None, description=None):
"""Create a secret with a passed `{name}` and optional `{value}`.
This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
package is installed.
:param name: secret name
:type name: str
:param value: optional secret value
:type value: str
:param description: option secret description
:type description: str
"""
logger.info('Creating new secret {}:{}'.format(name, value))
value_opt = '-v {}'.format(shlex.quote(value)) if value else ''
description_opt = '-d "{}"'.format(description) if description else ''
with attached_cli():
stdout, stderr, return_code = run_dcos_command(
'security secrets create {} {} "{}"'.format(
value_opt, description_opt, name),
print_output=True)
assert return_code == 0, "Failed to create a secret"
def create_secret(name, value=None, description=None):
"""Create a secret with a passed `{name}` and optional `{value}`.
This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
package is installed.
:param name: secret name
:type name: str
:param value: optional secret value
:type value: str
:param description: option secret description
:type description: str
"""
logger.info('Creating new secret {}:{}'.format(name, value))
value_opt = '-v {}'.format(shlex.quote(value)) if value else ''
description_opt = '-d "{}"'.format(description) if description else ''
with attached_cli():
stdout, stderr, return_code = run_dcos_command('security secrets create {} {} "{}"'.format(
value_opt,
description_opt,
name), print_output=True)
assert return_code == 0, "Failed to create a secret"