def __getitem__(self, name): """ - use Python types - enable lazy failure for unknown configs. """ try: value = super(ConfigDictionary, self).__getitem__(name) except KeyError: return UnknownConfiguration(name) value = ensure_decrypted(value) if value == "true": value = True elif value == "false": value = False return value
def generateJceks(self, commandJson): """ Generates the JCEKS file with passwords for the service specified in commandJson :param commandJson: command JSON :return: An exit value from the external process that generated the JCEKS file. None if there are no passwords in the JSON. """ cmd_result = None roleCommand = None if 'roleCommand' in commandJson: roleCommand = commandJson['roleCommand'] task_id = None if 'taskId' in commandJson: task_id = commandJson['taskId'] logger.info( 'Generating the JCEKS file: roleCommand={0} and taskId = {1}'. format(roleCommand, task_id)) # Set up the variables for the external command to generate a JCEKS file java_home = commandJson['ambariLevelParams']['java_home'] java_bin = '{java_home}/bin/java'.format(java_home=java_home) cs_lib_path = self.credential_shell_lib_path serviceName = commandJson['serviceName'] # Gather the password values and remove them from the configuration configtype_credentials = self.getConfigTypeCredentials(commandJson) # CS is enabled but no config property is available for this command if len(configtype_credentials) == 0: logger.info( "Credential store is enabled but no property are found that can be encrypted." ) commandJson['credentialStoreEnabled'] = "false" # CS is enabled and config properties are available else: commandJson['credentialStoreEnabled'] = "true" for config_type, credentials in configtype_credentials.items(): config = commandJson['configurations'][config_type] if 'role' in commandJson and commandJson['role']: roleName = commandJson['role'] file_path = os.path.join(self.getProviderDirectory(roleName), "{0}.jceks".format(config_type)) else: file_path = os.path.join( self.getProviderDirectory(serviceName), "{0}.jceks".format(config_type)) if os.path.exists(file_path): os.remove(file_path) provider_path = 'jceks://file{file_path}'.format( file_path=file_path) logger.info('provider_path={0}'.format(provider_path)) for alias, pwd in credentials.items(): logger.debug("config={0}".format(config)) pwd = ensure_decrypted(pwd, self.encryption_key) protected_pwd = PasswordString(pwd) # Generate the JCEKS file cmd = (java_bin, '-cp', cs_lib_path, self.credential_shell_cmd, 'create', alias, '-value', protected_pwd, '-provider', provider_path) logger.info(cmd) rmf_shell.checked_call(cmd) os.chmod( file_path, 0644 ) # group and others should have read access so that the service user can read # Add JCEKS provider path instead config[self.CREDENTIAL_PROVIDER_PROPERTY_NAME] = provider_path config[self.CREDENTIAL_STORE_CLASS_PATH_NAME] = cs_lib_path return cmd_result
def test_attr_to_bitmask(self): encypted_value = '${enc=aes256_hex, value=616639333036363938646230613262383a3a32313537386561376136326362656436656135626165313664613265316336663a3a6361633666333432653532393863313364393064626133653562353663663235}' encyption_key = 'i%r041K%1VC!C5 K=(' self.assertEquals('mysecret', ensure_decrypted(encypted_value, encyption_key))