def configure_zookeeper(configure_security, install_zookeeper_stub):
service_options = {
"service": {
"virtual_network_enabled": True
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
if sdk_utils.is_strict_mode():
service_options = sdk_install.merge_dictionaries({
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_options)
try:
sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME)
sdk_security.setup_security(ZK_SERVICE_NAME, zk_account, zk_secret)
sdk_install.install(
ZK_PACKAGE,
ZK_SERVICE_NAME,
6,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield
finally:
sdk_install.uninstall(ZK_PACKAGE, ZK_SERVICE_NAME)
def zookeeper_server(configure_security):
service_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"virtual_network_enabled": True,
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
)
if sdk_utils.is_strict_mode():
service_options = sdk_utils.merge_dictionaries(
{
"service": {
"service_account": zk_account,
"service_account_secret": zk_secret,
}
},
service_options,
)
sdk_security.setup_security(
config.ZOOKEEPER_SERVICE_NAME,
service_account=zk_account,
service_account_secret=zk_secret,
)
sdk_install.install(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
package_version=config.ZOOKEEPER_PACKAGE_VERSION,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False,
)
yield {
**service_options,
**{
"package_name": config.ZOOKEEPER_PACKAGE_NAME
},
}
finally:
sdk_install.uninstall(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
)
if sdk_utils.is_strict_mode():
sdk_security.delete_service_account(
service_account_name=zk_account,
service_account_secret=zk_secret,
)
def zookeeper_server(kerberos):
service_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"security": {
"kerberos": {
"enabled": True,
"kdc": {
"hostname": kerberos.get_host(),
"port": int(kerberos.get_port())
},
"realm": kerberos.get_realm(),
"keytab_secret": kerberos.get_keytab_path(),
}
}
}
}
zk_account = "kafka-zookeeper-service-account"
zk_secret = "kakfa-zookeeper-secret"
if sdk_utils.is_strict_mode():
service_options = sdk_install.merge_dictionaries(
{
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_options)
try:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME)
sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account,
zk_secret)
sdk_install.install(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield {
**service_options,
**{
"package_name": config.ZOOKEEPER_PACKAGE_NAME
}
}
finally:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME)
def zookeeper_server(kerberos):
service_kerberos_options = {
"service": {
"name": "kafka-zookeeper",
"security": {
"kerberos": {
"enabled": True,
"kdc": {
"hostname": kerberos.get_host(),
"port": int(kerberos.get_port())
},
"realm": sdk_auth.REALM,
"keytab_secret": kerberos.get_keytab_path(),
}
}
}
}
zk_account = "kafka-zookeeper-service-account"
zk_secret = "kakfa-zookeeper-secret"
if sdk_utils.is_strict_mode():
service_kerberos_options = sdk_install.merge_dictionaries(
{
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_kerberos_options)
try:
sdk_install.uninstall("beta-kafka-zookeeper", "kafka-zookeeper")
sdk_security.setup_security("kafka-zookeeper", zk_account, zk_secret)
sdk_install.install("beta-kafka-zookeeper",
"kafka-zookeeper",
6,
additional_options=service_kerberos_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield {
**service_kerberos_options,
**{
"package_name": "beta-kafka-zookeeper"
}
}
finally:
sdk_install.uninstall("beta-kafka-zookeeper", "kafka-zookeeper")
def zookeeper_server(kerberos):
service_kerberos_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"security": {
"kerberos": {
"enabled": True,
"kdc": {
"hostname": kerberos.get_host(),
"port": int(kerberos.get_port())
},
"realm": sdk_auth.REALM,
"keytab_secret": kerberos.get_keytab_path(),
}
}
}
}
zk_account = "kafka-zookeeper-service-account"
zk_secret = "kakfa-zookeeper-secret"
if sdk_utils.is_strict_mode():
service_kerberos_options = sdk_install.merge_dictionaries({
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_kerberos_options)
try:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret)
sdk_install.install(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
additional_options=service_kerberos_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield {**service_kerberos_options, **{"package_name": config.ZOOKEEPER_PACKAGE_NAME}}
finally:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
def setup_service_account(service_name: str,
service_account_secret: str = None) -> dict:
"""
Setup the service account for TLS. If the account or secret of the specified
name already exists, these are deleted.
"""
if sdk_utils.is_open_dcos():
log.error(
"The setup of a service account requires DC/OS EE. service_name=%s",
service_name)
raise Exception("The setup of a service account requires DC/OS EE")
name = service_name
secret = name if service_account_secret is None else service_account_secret
service_account_info = sdk_security.setup_security(
service_name,
linux_user="******",
service_account=name,
service_account_secret=secret)
log.info("Adding permissions required for TLS.")
if sdk_utils.dcos_version_less_than("1.11"):
sdk_cmd.run_cli(
"security org groups add_user superusers {name}".format(name=name))
else:
acls = [
{
"rid": "dcos:secrets:default:/{}/*".format(service_name),
"action": "full"
},
{
"rid": "dcos:secrets:list:default:/{}".format(service_name),
"action": "read"
},
{
"rid": "dcos:adminrouter:ops:ca:rw",
"action": "full"
},
{
"rid": "dcos:adminrouter:ops:ca:ro",
"action": "full"
},
]
for acl in acls:
cmd_list = [
"security", "org", "users", "grant", "--description",
"\"Allow provisioning TLS certificates\"", name, acl["rid"],
acl["action"]
]
sdk_cmd.run_cli(" ".join(cmd_list))
return service_account_info
def setup_service_account(
service_name: str,
service_account_secret: Optional[str] = None,
) -> Dict[str, Any]:
"""
Setup the service account for TLS. If the account or secret of the specified
name already exists, these are deleted.
"""
if sdk_utils.is_open_dcos():
log.error("The setup of a service account requires DC/OS EE. service_name=%s", service_name)
raise Exception("The setup of a service account requires DC/OS EE")
secret = service_name if service_account_secret is None else service_account_secret
service_account = "{}-service-account".format(service_name.replace("/", ""))
service_account_info = sdk_security.setup_security(
service_name,
linux_user="******",
service_account=service_account,
service_account_secret=secret,
)
log.info("Adding permissions required for TLS.")
if sdk_utils.dcos_version_less_than("1.11"):
sdk_cmd.run_cli("security org groups add_user superusers {sa}".format(sa=service_account))
else:
acls = [
{"rid": "dcos:secrets:default:/{}/*".format(service_name.strip("/")), "action": "full"},
{
"rid": "dcos:secrets:list:default:/{}".format(service_name.strip("/")),
"action": "read",
},
{"rid": "dcos:adminrouter:ops:ca:rw", "action": "full"},
{"rid": "dcos:adminrouter:ops:ca:ro", "action": "full"},
]
for acl in acls:
cmd_list = [
"security",
"org",
"users",
"grant",
"--description",
'"Allow provisioning TLS certificates"',
service_account,
acl["rid"],
acl["action"],
]
sdk_cmd.run_cli(" ".join(cmd_list))
return service_account_info
def zookeeper_service(configure_security):
service_options = sdk_utils.merge_dictionaries(
sdk_networks.ENABLE_VIRTUAL_NETWORKS_OPTIONS,
{"service": {
"name": config.ZOOKEEPER_SERVICE_NAME
}},
)
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME)
if sdk_utils.is_strict_mode():
service_options = sdk_utils.merge_dictionaries(
{
"service": {
"service_account": zk_account,
"service_account_secret": zk_secret
}
},
service_options,
)
service_account_info = sdk_security.setup_security(
config.ZOOKEEPER_SERVICE_NAME,
linux_user="******",
service_account=zk_account,
service_account_secret=zk_secret,
)
sdk_install.install(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False,
)
yield {
**service_options,
**{
"package_name": config.ZOOKEEPER_PACKAGE_NAME
}
}
finally:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME)
sdk_security.cleanup_security(config.ZOOKEEPER_SERVICE_NAME,
service_account_info)
def setup_security(service_name: str, linux_user: str) -> typing.Dict:
"""
Adds a service account and secret for the specified service name.
"""
if not sdk_utils.is_strict_mode():
return {}
service_account = normalize_string("{}-service-account".format(service_name))
service_account_secret = "{}-service-account-secret".format(service_name)
return sdk_security.setup_security(service_name,
linux_user,
service_account, service_account_secret)
def zookeeper_server(configure_security):
service_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"virtual_network_enabled": True
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
if sdk_utils.is_strict_mode():
service_options = sdk_install.merge_dictionaries({
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_options)
sdk_security.setup_security(config.ZOOKEEPER_SERVICE_NAME, zk_account, zk_secret)
sdk_install.install(
config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield {**service_options, **{"package_name": config.ZOOKEEPER_PACKAGE_NAME}}
finally:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME, config.ZOOKEEPER_SERVICE_NAME)
if sdk_utils.is_strict_mode():
sdk_security.delete_service_account(
service_account_name=zk_account, service_account_secret=zk_secret)
def zookeeper_server(configure_security):
service_options = {
"service": {
"name": config.ZOOKEEPER_SERVICE_NAME,
"virtual_network_enabled": True
}
}
zk_account = "test-zookeeper-service-account"
zk_secret = "test-zookeeper-secret"
try:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME)
if sdk_utils.is_strict_mode():
service_options = sdk_install.merge_dictionaries(
{
'service': {
'service_account': zk_account,
'service_account_secret': zk_secret,
}
}, service_options)
service_account_info = sdk_security.setup_security(
config.ZOOKEEPER_SERVICE_NAME,
linux_user="******",
service_account=zk_account,
service_account_secret=zk_secret)
sdk_install.install(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME,
config.ZOOKEEPER_TASK_COUNT,
additional_options=service_options,
timeout_seconds=30 * 60,
insert_strict_options=False)
yield {
**service_options,
**{
"package_name": config.ZOOKEEPER_PACKAGE_NAME
}
}
finally:
sdk_install.uninstall(config.ZOOKEEPER_PACKAGE_NAME,
config.ZOOKEEPER_SERVICE_NAME)
sdk_security.cleanup_security(config.ZOOKEEPER_SERVICE_NAME,
service_account_info)
def _create_service_account(service_name):
if sdk_utils.is_strict_mode():
try:
log.info("Creating service accounts for '{}'"
.format(service_name))
sa_name = "{}-principal".format(service_name)
sa_secret = "{}-secret".format(service_name)
return sdk_security.setup_security(
service_name,
linux_user="******",
service_account=sa_name,
service_account_secret=sa_secret,
)
except Exception as e:
log.warning("Error encountered while creating service account: {}".format(e))
raise e
return None
def _create_service_account(service_name) -> None:
if sdk_utils.is_strict_mode():
try:
log.info("Creating service accounts for '{}'"
.format(service_name))
sa_name = "{}-principal".format(service_name)
sa_secret = "{}-secret".format(service_name)
return sdk_security.setup_security(
service_name,
linux_user="******",
service_account=sa_name,
service_account_secret=sa_secret,
)
except Exception as e:
log.warning("Error encountered while creating service account: {}".format(e))
raise e
return None
def setup_service_account(service_name: str,
service_account_secret: str=None) -> dict:
"""
Setup the service account for TLS. If the account or secret of the specified
name already exists, these are deleted.
"""
if sdk_utils.is_open_dcos():
log.error("The setup of a service account requires DC/OS EE. service_name=%s", service_name)
raise Exception("The setup of a service account requires DC/OS EE")
name = service_name
secret = name if service_account_secret is None else service_account_secret
service_account_info = sdk_security.setup_security(service_name,
service_account=name,
service_account_secret=secret)
log.info("Adding permissions required for TLS.")
if sdk_utils.dcos_version_less_than("1.11"):
sdk_cmd.run_cli("security org groups add_user superusers {name}".format(name=name))
else:
acls = [
{"rid": "dcos:secrets:default:/{}/*".format(service_name), "action": "full"},
{"rid": "dcos:secrets:list:default:/{}".format(service_name), "action": "read"},
{"rid": "dcos:adminrouter:ops:ca:rw", "action": "full"},
{"rid": "dcos:adminrouter:ops:ca:ro", "action": "full"},
]
for acl in acls:
cmd_list = ["security", "org", "users", "grant",
"--description", "\"Allow provisioning TLS certificates\"",
name, acl["rid"], acl["action"]
]
sdk_cmd.run_cli(" ".join(cmd_list))
return service_account_info
