def do_user_update(localconfig=None): # configure users into the system from configuration, once connected to the DB and boostrapped from anchore_engine.db import db_users, session_scope if localconfig: with session_scope() as dbsession: try: for userId in localconfig['credentials']['users']: if not localconfig['credentials']['users'][userId]: localconfig['credentials']['users'][userId] = {} cuser = localconfig['credentials']['users'][userId] password = cuser.pop('password', None) email = cuser.pop('email', None) if password and email: db_users.add(userId, password, {'email': email, 'active': True}, session=dbsession) else: raise Exception("user defined but has empty password/email: " + str(userId)) user_records = db_users.get_all(session=dbsession) for user_record in user_records: if user_record['userId'] == 'anchore-system': continue if user_record['userId'] not in localconfig['credentials']['users']: logger.info("flagging user '"+str(user_record['userId']) + "' as inactive (in DB, not in configuration)") db_users.update(user_record['userId'], user_record['password'], {'active': False}, session=dbsession) except Exception as err: raise Exception("Initialization failed: could not add users from config into DB - exception: " + str(err))
def user_account_upgrades_007_008(): logger.info('Upgrading user accounts for multi-user support') from anchore_engine.db import session_scope, db_users from anchore_engine.subsys.identities import manager_factory from anchore_engine.configuration.localconfig import SYSTEM_ACCOUNT_NAME, SYSTEM_IDENTITY_BOOTSTRAPPER, ADMIN_ACCOUNT_NAME with session_scope() as session: mgr = manager_factory.for_session(session) for user in db_users.get_all(): if user['userId'] == ADMIN_ACCOUNT_NAME: account_type = identities.AccountTypes.admin elif user['userId'] == SYSTEM_ACCOUNT_NAME: account_type = identities.AccountTypes.service else: account_type = identities.AccountTypes.user logger.info('Migrating user: {} to new account with name {}, type {}, is_active {}'.format(user['userId'], user['userId'], account_type, user['active'])) mgr.create_account(account_name=user['userId'], email=user['email'], account_type=account_type, creator=SYSTEM_IDENTITY_BOOTSTRAPPER, is_active=user['active']) logger.info('Creating new user record in new account {} with username {}'.format(user['userId'], user['userId'])) mgr.create_user(account_name=user['userId'], username=user['userId'], password=user['password'], creator_name=SYSTEM_IDENTITY_BOOTSTRAPPER) logger.info('Deleting old user record') db_users.delete(user['userId'], session) logger.info('User account upgrade complete')
def do_db_bootstrap(localconfig=None): with upgrade_context(my_module_upgrade_id) as ctx: from anchore_engine.db import db_users, session_scope with session_scope() as dbsession: # system user try: system_user_record = db_users.get('anchore-system', session=dbsession) if not system_user_record: rc = db_users.add('anchore-system', str(uuid.uuid4()), {'active': True}, session=dbsession) else: db_users.update(system_user_record['userId'], system_user_record['password'], {'active': True}, session=dbsession) except Exception as err: raise Exception("Initialization failed: could not fetch/add anchore-system user from/to DB - exception: " + str(err)) if False and localconfig: try: for userId in localconfig['credentials']['users']: if not localconfig['credentials']['users'][userId]: localconfig['credentials']['users'][userId] = {} cuser = localconfig['credentials']['users'][userId] password = cuser.pop('password', None) email = cuser.pop('email', None) if password and email: db_users.add(userId, password, {'email': email, 'active': True}, session=dbsession) else: raise Exception("user defined but has empty password/email: " + str(userId)) user_records = db_users.get_all(session=dbsession) for user_record in user_records: if user_record['userId'] == 'anchore-system': continue if user_record['userId'] not in localconfig['credentials']['users']: logger.info("flagging user '"+str(user_record['userId']) + "' as inactive (in DB, not in configuration)") db_users.update(user_record['userId'], user_record['password'], {'active': False}, session=dbsession) except Exception as err: raise Exception("Initialization failed: could not add users from config into DB - exception: " + str(err))
def initialize(localconfig=None, versions=None, bootstrap_db=False, specific_tables=None, bootstrap_users=False): """ Initialize the db for use. Optionally bootstrap it and optionally only for specific entities. :param versions: :param bootstrap_db: :param specific_entities: a list of entity classes to initialize if a subset is desired. Expects a list of classes. :return: """ global engine, Session if versions is None: versions = {} #localconfig = anchore_engine.configuration.localconfig.get_config() ret = True try: db_auth = localconfig['credentials']['database'] # connect to DB using db_connect from configuration db_connect = None db_connect_args = {} db_pool_size = 10 db_pool_max_overflow = 20 if 'db_connect' in db_auth and db_auth['db_connect']: db_connect = db_auth['db_connect'] if 'db_connect_args' in db_auth and db_auth['db_connect_args']: db_connect_args = db_auth['db_connect_args'] if 'db_pool_size' in db_auth: db_pool_size = int(db_auth['db_pool_size']) if 'db_pool_max_overflow' in db_auth: db_pool_max_overflow = int(db_auth['db_pool_max_overflow']) except: raise Exception( "could not locate credentials->database entry from configuration: add 'database' section to 'credentials' section in configuration file" ) db_connect_retry_max = 3 for count in range(0, db_connect_retry_max): try: if db_connect: try: if db_connect.startswith('sqlite://'): # Special case for testing with sqlite. Not for production use, unit tests only engine = sqlalchemy.create_engine(db_connect, echo=False) else: engine = sqlalchemy.create_engine( db_connect, connect_args=db_connect_args, echo=False, pool_size=db_pool_size, max_overflow=db_pool_max_overflow) except Exception as err: raise Exception("could not connect to DB - exception: " + str(err)) else: raise Exception( "could not locate db_connect string from configuration: add db_connect parameter to configuration file" ) # set up the global session try: Session = sessionmaker(bind=engine) except Exception as err: raise Exception("could not create DB session - exception: " + str(err)) # set up thread-local session factory init_thread_session() # create try: if specific_tables: logger.info( 'Initializing only a subset of tables as requested: {}' .format(specific_tables)) Base.metadata.create_all(engine, tables=specific_tables) else: Base.metadata.create_all(engine) except Exception as err: raise Exception( "could not create/re-create DB tables - exception: " + str(err)) break except Exception as err: if count > db_connect_retry_max: raise Exception( "could not establish connection to DB after retry - last exception: " + str(err)) else: log.err( "could not connect to db, retrying in 10 seconds - exception: " + str(err)) time.sleep(10) if bootstrap_db: from anchore_engine.db import db_anchore, db_users with session_scope() as dbsession: # version check version_record = db_anchore.get(session=dbsession) if not version_record: db_anchore.add(versions['service_version'], versions['db_version'], versions, session=dbsession) version_record = db_anchore.get(session=dbsession) if bootstrap_users: # system user try: system_user_record = db_users.get('anchore-system', session=dbsession) if not system_user_record: rc = db_users.add('anchore-system', str(uuid.uuid4()), {'active': True}, session=dbsession) else: db_users.update(system_user_record['userId'], system_user_record['password'], {'active': True}, session=dbsession) except Exception as err: raise Exception( "Initialization failed: could not fetch/add anchore-system user from/to DB - exception: " + str(err)) try: for userId in localconfig['credentials']['users']: if not localconfig['credentials']['users'][userId]: localconfig['credentials']['users'][userId] = {} cuser = localconfig['credentials']['users'][userId] password = cuser.pop('password', None) email = cuser.pop('email', None) if password and email: # try: # from passlib.hash import pbkdf2_sha256 # hashpw = pbkdf2_sha256.encrypt(password, rounds=200000, salt_size=16) # password = hashpw # except: # pass db_users.add(userId, password, { 'email': email, 'active': True }, session=dbsession) else: raise Exception( "user defined but has empty password/email: " + str(userId)) user_records = db_users.get_all(session=dbsession) for user_record in user_records: if user_record['userId'] == 'anchore-system': continue if user_record['userId'] not in localconfig[ 'credentials']['users']: logger.info( "flagging user '" + str(user_record['userId']) + "' as inactive (in DB, not in configuration)") db_users.update(user_record['userId'], user_record['password'], {'active': False}, session=dbsession) except Exception as err: raise Exception( "Initialization failed: could not add users from config into DB - exception: " + str(err)) print("Starting up version: " + json.dumps(versions)) print("\tDB version: " + json.dumps(version_record)) try: rc = do_upgrade(version_record, versions) if rc: # if successful upgrade, set the DB values to the incode values with session_scope() as dbsession: db_anchore.add(versions['service_version'], versions['db_version'], versions, session=dbsession) except Exception as err: raise Exception( "Initialization failed: upgrade failed - exception: " + str(err)) return (ret)