def cleanup_security(): LOGGER.info('Cleaning up strict-mode security for Spark') sdk_security.revoke_permissions(linux_user=user, role_name=role, service_account_name=service_account) sdk_security.delete_service_account(service_account, secret) LOGGER.info('Finished cleaning up strict-mode security for Spark')
def zookeeper_server(configure_security): service_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "virtual_network_enabled": True, } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, ) if sdk_utils.is_strict_mode(): service_options = sdk_utils.merge_dictionaries( { "service": { "service_account": zk_account, "service_account_secret": zk_secret, } }, service_options, ) sdk_security.setup_security( config.ZOOKEEPER_SERVICE_NAME, service_account=zk_account, service_account_secret=zk_secret, ) sdk_install.install( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, package_version=config.ZOOKEEPER_PACKAGE_VERSION, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False, ) yield { **service_options, **{ "package_name": config.ZOOKEEPER_PACKAGE_NAME }, } finally: sdk_install.uninstall( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, ) if sdk_utils.is_strict_mode(): sdk_security.delete_service_account( service_account_name=zk_account, service_account_secret=zk_secret, )
def configure_package(configure_security): try: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) # Create service account sdk_security.create_service_account( service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME + "-secret", ) sdk_cmd.run_cli( "security org groups add_user superusers {name}".format( name=config.SERVICE_NAME)) sdk_install.install( config.PACKAGE_NAME, config.SERVICE_NAME, 6, additional_options={ "service": { "yaml": "tls", "service_account": config.SERVICE_NAME, "service_account_secret": config.SERVICE_NAME + "-secret", # Legacy values "principal": config.SERVICE_NAME, "secret_name": config.SERVICE_NAME, }, "tls": { "discovery_task_prefix": DISCOVERY_TASK_PREFIX }, }, ) sdk_plan.wait_for_completed_deployment(config.SERVICE_NAME) yield # let the test session execute finally: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) sdk_security.delete_service_account( service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME + "-secret", ) # Make sure that all the TLS artifacts were removed from the secrets store. _, output, _ = sdk_cmd.run_cli( "security secrets list {name}".format(name=config.SERVICE_NAME)) artifact_suffixes = [ "certificate", "private-key", "root-ca-certificate", "keystore", "truststore", ] for suffix in artifact_suffixes: assert suffix not in output
def cleanup_security(): log.info('Cleaning up strict-mode security for Spark') for user in users: revoke_user_permissions(user, role, service_account) # TODO: improve security setup/teardown to make it more fine-grained (allow different service names/accts/users) # tracking issue: https://jira.mesosphere.com/browse/DCOS-50933 sdk_security.delete_service_account(service_account, secret) log.info('Finished cleaning up strict-mode security for Spark')
def configure_package(configure_security): try: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) # Create service account sdk_security.create_service_account( service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME) # TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475 sdk_cmd.run_cli( "security org groups add_user superusers {name}".format( name=config.SERVICE_NAME)) sdk_install.install( config.PACKAGE_NAME, config.SERVICE_NAME, 6, additional_options={ "service": { "spec_file": "examples/tls.yml", "service_account": config.SERVICE_NAME, "service_account_secret": config.SERVICE_NAME, # Legacy values "principal": config.SERVICE_NAME, "secret_name": config.SERVICE_NAME, }, "tls": { "discovery_task_prefix": DISCOVERY_TASK_PREFIX, }, }) sdk_plan.wait_for_completed_deployment(config.SERVICE_NAME) # Wait for service health check to pass shakedown.service_healthy(config.SERVICE_NAME) yield # let the test session execute finally: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) sdk_security.delete_service_account( service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME) # Make sure that all the TLS artifacts were removed from the secrets store. output = sdk_cmd.run_cli( 'security secrets list {name}'.format(name=config.SERVICE_NAME)) artifact_suffixes = [ 'certificate', 'private-key', 'root-ca-certificate', 'keystore', 'truststore' ] for suffix in artifact_suffixes: assert suffix not in output
def service_account(): """ Creates service account with `elastic` name and yields the name. """ name = config.SERVICE_NAME sdk_security.create_service_account(service_account_name=name, service_account_secret=name) # TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475 sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=name)) yield name sdk_security.delete_service_account(service_account_name=name, service_account_secret=name)
def service_account(dcos_security_cli): """ Creates service account with `hello-world` name and yields the name. """ name = 'hello-world' sdk_security.create_service_account( service_account_name=name, secret_name=name) # TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475 sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=name)) yield name sdk_security.delete_service_account( service_account_name=name, secret_name=name)
def service_account(): """ Creates service account and yields the name. """ name = config.SERVICE_NAME sdk_security.create_service_account( service_account_name=name, service_account_secret=name) # TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475 sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=name)) yield name sdk_security.delete_service_account( service_account_name=name, service_account_secret=name)
def configure_package(configure_security): try: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) # Create service account sdk_security.create_service_account( service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME ) sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=config.SERVICE_NAME) ) sdk_install.install( config.PACKAGE_NAME, config.SERVICE_NAME, 6, additional_options={ "service": { "yaml": "tls", "service_account": config.SERVICE_NAME, "service_account_secret": config.SERVICE_NAME, # Legacy values "principal": config.SERVICE_NAME, "secret_name": config.SERVICE_NAME, }, "tls": {"discovery_task_prefix": DISCOVERY_TASK_PREFIX}, }, ) sdk_plan.wait_for_completed_deployment(config.SERVICE_NAME) yield # let the test session execute finally: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) sdk_security.delete_service_account( service_account_name=config.SERVICE_NAME, service_account_secret=config.SERVICE_NAME ) # Make sure that all the TLS artifacts were removed from the secrets store. _, output, _ = sdk_cmd.run_cli("security secrets list {name}".format(name=config.SERVICE_NAME)) artifact_suffixes = [ "certificate", "private-key", "root-ca-certificate", "keystore", "truststore", ] for suffix in artifact_suffixes: assert suffix not in output
def service_account(): """ Creates service account with `hello-world` name and yields the name. """ # This name should be same as SERVICE_NAME as it determines scheduler DCOS_LABEL value. name = SERVICE_NAME sdk_security.create_service_account(service_account_name=name, service_account_secret=name) # TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475 sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=name)) yield name sdk_security.delete_service_account(service_account_name=name, service_account_secret=name)
def service_account(configure_security): """ Creates service account and secret and yields dict containing both. """ try: name = config.SERVICE_NAME secret = "{}-secret".format(name) sdk_security.create_service_account(service_account_name=name, service_account_secret=secret) # TODO(mh): Fine grained permissions needs to be addressed in DCOS-16475 sdk_cmd.run_cli( "security org groups add_user superusers {name}".format(name=name)) yield {"name": name, "secret": secret} finally: sdk_security.delete_service_account(service_account_name=name, service_account_secret=secret)
def package_registry_session(tmpdir_factory): # _pytest.TempdirFactory pkg_reg_repo = {} service_uid = "pkg-reg-uid-{}".format(sdk_utils.random_string()) secret_path = "{}-secret-{}".format(service_uid, sdk_utils.random_string()) try: sdk_security.create_service_account(service_uid, secret_path) grant_perms_for_registry_account(service_uid) pkg_reg_repo = install_package_registry(secret_path) add_dcos_files_to_registry(tmpdir_factory) yield finally: log.info("Teardown of package_registry_session initiated") sdk_repository.remove_universe_repos(pkg_reg_repo) # TODO If/when adding S3 backend, remove `Added` packages. sdk_install.uninstall(PACKAGE_REGISTRY_NAME, PACKAGE_REGISTRY_SERVICE_NAME) # No need to revoke perms, just delete the secret; the following ignores any failures. sdk_security.delete_service_account(service_uid, secret_path)
def package_registry_session(tmpdir_factory: TempdirFactory) -> Iterator[None]: pkg_reg_repo: Dict[str, str] = {} service_uid = "pkg-reg-uid-{}".format(sdk_utils.random_string()) secret_path = "{}-secret-{}".format(service_uid, sdk_utils.random_string()) try: sdk_security.create_service_account(service_uid, secret_path) grant_perms_for_registry_account(service_uid) pkg_reg_repo = install_package_registry(secret_path) add_dcos_files_to_registry(tmpdir_factory) yield finally: log.info("Teardown of package_registry_session initiated") sdk_repository.remove_universe_repos(pkg_reg_repo) # TODO If/when adding S3 backend, remove `Added` packages. sdk_install.uninstall(PACKAGE_REGISTRY_NAME, PACKAGE_REGISTRY_SERVICE_NAME) # No need to revoke perms, just delete the secret; the following ignores any failures. sdk_security.delete_service_account(service_uid, secret_path)
def cleanup(self) -> None: sdk_security.install_enterprise_cli() log.info("Removing the marathon KDC app") sdk_marathon.destroy_app(self.app_definition["id"]) if self._temp_working_dir and isinstance(self._temp_working_dir, tempfile.TemporaryDirectory): log.info("Deleting temporary working directory") self._temp_working_dir.cleanup() sdk_security.delete_service_account( service_account_name=KDC_SERVICE_ACCOUNT, service_account_secret=KDC_SERVICE_ACCOUNT_SECRET, ) # TODO: separate secrets handling into another module log.info("Deleting keytab secret") sdk_security.install_enterprise_cli() sdk_security.delete_secret(self.get_keytab_path())
def zookeeper_server(configure_security): service_options = { "service": { "name": config.ZOOKEEPER_SERVICE_NAME, "virtual_network_enabled": True } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) if sdk_utils.is_strict_mode(): service_options = sdk_install.merge_dictionaries({ 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_options) sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret) sdk_install.install( config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME, config.ZOOKEEPER_TASK_COUNT, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False) yield {**service_options, **{"package_name": config.ZOOKEEPER_PACKAGE_NAME}} finally: sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME) if sdk_utils.is_strict_mode(): sdk_security.delete_service_account( service_account_name=zk_account, service_account_secret=zk_secret)
def package_registry_session(tmpdir_factory): # _pytest.TempdirFactory pkg_reg_stub = {} pkg_reg_repo = {} try: # TODO Remove stub. We should install from bootstrap registry. pkg_reg_stub = add_package_registry_stub() service_uid = 'pkg-reg-uid-{}'.format(sdk_utils.random_string()) secret_path = '{}-secret-{}'.format(service_uid, sdk_utils.random_string()) sdk_security.create_service_account(service_uid, secret_path) grant_perms_for_registry_account(service_uid) pkg_reg_repo = install_package_registry(secret_path) add_dcos_files_to_registry(tmpdir_factory) yield finally: log.info('Teardown of package_registry_session initiated') sdk_repository.remove_universe_repos(pkg_reg_repo) # TODO If/when adding S3 backend, remove `Added` packages. sdk_install.uninstall(PACKAGE_REGISTRY_NAME, PACKAGE_REGISTRY_SERVICE_NAME) sdk_repository.remove_universe_repos(pkg_reg_stub) # No need to revoke perms, just delete the secret. sdk_security.delete_service_account(service_uid, secret_path)
def configure_zookeeper(configure_security, install_zookeeper_stub): service_options = { "service": { "virtual_network_enabled": True } } zk_account = "test-zookeeper-service-account" zk_secret = "test-zookeeper-secret" try: sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME) if sdk_utils.is_strict_mode(): service_options = sdk_install.merge_dictionaries({ 'service': { 'service_account': zk_account, 'service_account_secret': zk_secret, } }, service_options) sdk_security.setup_security(ZK_SERVICE_NAME, zk_account, zk_secret) sdk_install.install( ZK_PACKAGE, ZK_SERVICE_NAME, 6, additional_options=service_options, timeout_seconds=30 * 60, insert_strict_options=False) yield finally: sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME) if sdk_utils.is_strict_mode(): sdk_security.delete_service_account( service_account_name=zk_account, service_account_secret=zk_secret)