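def create_root_account():
    """
    Insert the default ``root`` service account and its bootstrap identities into an existing database.

    Four identities are attached to the account (userpass, X509, GSS and SSH), each read from the
    ``[bootstrap]`` section of the configuration with a hard-coded fallback per option.  The fallbacks
    ship with the source and are therefore public: every one of them, not only the password, has to
    be replaced before the instance is reachable -- whoever holds the private key matching the
    default SSH public key or X509 DN is root.

    The userpass value is written verbatim into the ``password`` column together with the constant
    salt ``'0'``; nothing is hashed here.  NOTE(review): the default is a 64-hex-char digest, so the
    configured value is presumably expected to be pre-hashed -- confirm against the userpass verifier.
    """
    import logging

    default_pwd = '2ccee6f6dd1bc2269cddd7cd5e47578e98e430539807c36df23fab7dd13e7583'
    default_ssh_key = (
        'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq5LySllrQFpPL614sulXQ7wnIr1aGhGtl8b+HCB/'
        '0FhMSMTHwSjX78UbfqEorZV16rXrWPgUpvcbp2hqctw6eCbxwqcgu3uGWaeS5A0iWRw7oXUh6ydn'
        'Vy89zGzX1FJFFDZ+AgiZ3ytp55tg1bjqqhK1OSC0pJxdNe878TRVVo5MLI0S/rZY2UovCSGFaQG2'
        'iLj14wz/YqI7NFMUuJFR4e6xmNsOP7fCZ4bGMsmnhR0GmY0dWYTupNiP5WdYXAfKExlnvFLTlDI5'
        'Mgh4Z11NraQ8pv4YE1woolYpqOc/IMMBBXFniTT4tC7cgikxWb9ZmFe+r4t6yCDpX4IL8L5GOQ== ddmlab'
    )

    def bootstrap_value(option, default):
        """Return ``[bootstrap] option`` from the configuration, or ``default`` when it cannot be read."""
        # Fall back per option: one try/except around all the reads means a single missing option
        # silently leaves every later option at its hard-coded default even when it is configured.
        try:
            return config_get('bootstrap', option)
        except Exception:  # config_get's error type is project-specific; a bare except also ate KeyboardInterrupt
            return default

    up_id = bootstrap_value('userpass_identity', 'ddmlab')
    up_pwd = bootstrap_value('userpass_pwd', default_pwd)
    up_email = bootstrap_value('userpass_email', '*****@*****.**')
    x509_id = bootstrap_value('x509_identity', '/C=CH/ST=Geneva/O=CERN/OU=PH-ADP-CO/CN=DDMLAB Client Certificate/[email protected]')
    x509_email = bootstrap_value('x509_email', '*****@*****.**')
    gss_id = bootstrap_value('gss_identity', '*****@*****.**')
    gss_email = bootstrap_value('gss_email', '*****@*****.**')
    ssh_id = bootstrap_value('ssh_identity', default_ssh_key)
    ssh_email = bootstrap_value('ssh_email', '*****@*****.**')

    if up_pwd == default_pwd or ssh_id == default_ssh_key:
        # A publicly known root credential is being installed: say so in the logs rather than silently.
        logging.getLogger(__name__).warning(
            'root account bootstrapped with a hard-coded default credential (check [bootstrap] in rucio.cfg); '
            'replace it before exposing this instance')

    s = session.get_session()

    account = models.Account(account=InternalAccount('root'), account_type=AccountType.SERVICE, status=AccountStatus.ACTIVE)

    # Userpass: value stored as-is with the constant salt '0' (see docstring).
    identity1 = models.Identity(identity=up_id, identity_type=IdentityType.USERPASS, password=up_pwd, salt='0', email=up_email)
    # X509 authentication
    identity2 = models.Identity(identity=x509_id, identity_type=IdentityType.X509, email=x509_email)
    # GSS authentication
    identity3 = models.Identity(identity=gss_id, identity_type=IdentityType.GSS, email=gss_email)
    # SSH authentication
    identity4 = models.Identity(identity=ssh_id, identity_type=IdentityType.SSH, email=ssh_email)
    identities = [identity1, identity2, identity3, identity4]

    # Every bootstrap identity maps to root and is the default account for that identity.
    associations = [
        models.IdentityAccountAssociation(identity=ident.identity, identity_type=ident.identity_type,
                                          account=account.account, is_default=True)
        for ident in identities
    ]

    try:
        # Account counters
        create_counters_for_new_account(account=account.account, session=s)

        # Account and identities first, associations second (they are built from the keys of both).
        s.add_all([account] + identities)
        s.commit()
        s.add_all(associations)
        s.commit()
    except Exception:
        # Do not hand the caller a session stuck in a failed transaction.
        s.rollback()
        raise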
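def add_account_identity(identity, type, account, email, default=False, password=None, session=None):
    """
    Adds a membership association between identity and account.

    The identity row is created first when no row with this (identity, type) pair exists yet.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, ssh, saml, oidc).
    :param account: The account name.
    :param email: The Email address associated with the identity.
    :param default: If True, the account should be used by default with the provided identity.
    :param password: Password if type is userpass.
    :param session: The database session in use.
    :raises AccountNotFound: if ``account`` does not exist.
    :raises Duplicate: if saving the association raises an IntegrityError.
    """
    if not account_exists(account, session=session):
        raise exception.AccountNotFound('Account \'%s\' does not exist.' % account)

    def lookup():
        return session.query(models.Identity).filter_by(identity=identity, identity_type=type).first()

    existing = lookup()
    if existing is None:
        add_identity(identity=identity, type=type, email=email, password=password, session=session)
        existing = lookup()

    # ``default`` was accepted but never written, so every association ended up non-default.
    iaa = models.IdentityAccountAssociation(identity=existing.identity, identity_type=existing.identity_type,
                                            account=account, is_default=default)

    try:
        iaa.save(session=session)
    except IntegrityError:
        # NOTE(review): every IntegrityError is reported as Duplicate here, including ones that are not
        # uniqueness violations (e.g. a foreign-key failure); consider matching the backend message.
        raise exception.Duplicate('Identity pair \'%s\',\'%s\' already exists!' % (identity, type))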
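def add_account_identity(identity, type_, account, email, default=False, password=None, session=None):
    """
    Adds a membership association between identity and account.

    The identity row is created first when no row with this (identity, type_) pair exists yet.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type_: The type of the authentication (x509, gss, userpass, ssh, saml, oidc).
    :param account: The account name.
    :param email: The Email address associated with the identity.
    :param default: If True, the account should be used by default with the provided identity.
    :param password: Password if type is userpass.
    :param session: The database session in use.
    :raises AccountNotFound: if ``account`` does not exist.
    :raises Duplicate: if the association already exists.
    :raises IntegrityError: for any other integrity violation while saving the association.
    """
    if not account_exists(account, session=session):
        raise exception.AccountNotFound('Account \'%s\' does not exist.' % account)

    def lookup():
        return session.query(models.Identity).filter_by(identity=identity, identity_type=type_).first()

    existing = lookup()
    if existing is None:
        add_identity(identity=identity, type_=type_, email=email, password=password, session=session)
        existing = lookup()

    iaa = models.IdentityAccountAssociation(identity=existing.identity, identity_type=existing.identity_type,
                                            account=account, is_default=default)

    # Unique-constraint messages of the supported backends (Oracle, SQLite, MySQL, PostgreSQL).
    duplicate_patterns = (
        r'.*IntegrityError.*ORA-00001: unique constraint.*violated.*',
        r'.*IntegrityError.*UNIQUE constraint failed.*',
        r'.*IntegrityError.*1062.*Duplicate entry.*for key.*',
        r'.*IntegrityError.*duplicate key value violates unique constraint.*',
        r'.*UniqueViolation.*duplicate key value violates unique constraint.*',
        r'.*IntegrityError.*columns? .*not unique.*',
    )

    try:
        iaa.save(session=session)
    except IntegrityError as error:
        # Guard against an exception raised without args; str() still carries the backend text.
        message = error.args[0] if error.args else str(error)
        if any(match(pattern, message) for pattern in duplicate_patterns):
            raise exception.Duplicate('Identity pair \'%s\',\'%s\' already exists!' % (identity, type_))
        # Any other integrity violation (e.g. a foreign-key failure) was swallowed here before,
        # so the caller believed the association had been saved.
        raise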
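def create_root_account(create_counters=True):
    """
    Insert the default root service account and its bootstrap identities into an existing database.

    In single-VO mode the account is ``root``; with ``[common] multi_vo`` enabled it is ``super_root``
    (both in VO ``def``).  Four identities (userpass, X509, GSS and SSH) are attached, each read from
    the ``[bootstrap]`` section of the configuration with a hard-coded fallback per option.  The
    fallbacks ship with the source and are therefore public: every one of them, not only the
    password, has to be replaced before the instance is reachable -- whoever holds the private key
    matching the default SSH public key or X509 DN is root.

    The userpass secret is stored as ``sha256(salt + password)`` with a fresh 255-byte random salt;
    the plaintext itself is never written to the database.

    :param create_counters: If True, create counters for the new account at existing RSEs.
    """
    import logging

    multi_vo = bool(config_get('common', 'multi_vo', False, False))

    default_pwd = 'secret'
    default_ssh_key = (
        'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq5LySllrQFpPL614sulXQ7wnIr1aGhGtl8b+HCB/'
        '0FhMSMTHwSjX78UbfqEorZV16rXrWPgUpvcbp2hqctw6eCbxwqcgu3uGWaeS5A0iWRw7oXUh6ydn'
        'Vy89zGzX1FJFFDZ+AgiZ3ytp55tg1bjqqhK1OSC0pJxdNe878TRVVo5MLI0S/rZY2UovCSGFaQG2'
        'iLj14wz/YqI7NFMUuJFR4e6xmNsOP7fCZ4bGMsmnhR0GmY0dWYTupNiP5WdYXAfKExlnvFLTlDI5'
        'Mgh4Z11NraQ8pv4YE1woolYpqOc/IMMBBXFniTT4tC7cgikxWb9ZmFe+r4t6yCDpX4IL8L5GOQ== ddmlab'
    )

    def bootstrap_value(option, default):
        """Return ``[bootstrap] option`` from the configuration, or ``default`` when it cannot be read."""
        # Fall back per option: one try/except around all the reads means a single missing option
        # silently leaves every later option at its hard-coded default even when it is configured.
        try:
            return config_get('bootstrap', option)
        except Exception:  # config_get's error type is project-specific; a bare except also ate KeyboardInterrupt
            return default

    up_id = bootstrap_value('userpass_identity', 'ddmlab')
    up_pwd = bootstrap_value('userpass_pwd', default_pwd)
    up_email = bootstrap_value('userpass_email', '*****@*****.**')
    x509_id = bootstrap_value('x509_identity', '/C=CH/ST=Geneva/O=CERN/OU=PH-ADP-CO/CN=DDMLAB Client Certificate/[email protected]')
    x509_email = bootstrap_value('x509_email', '*****@*****.**')
    gss_id = bootstrap_value('gss_identity', '*****@*****.**')
    gss_email = bootstrap_value('gss_email', '*****@*****.**')
    ssh_id = bootstrap_value('ssh_identity', default_ssh_key)
    ssh_email = bootstrap_value('ssh_email', '*****@*****.**')

    if up_pwd == default_pwd or ssh_id == default_ssh_key:
        # A publicly known root credential is being installed: say so in the logs rather than silently.
        logging.getLogger(__name__).warning(
            'root account bootstrapped with a hard-coded default credential (check [bootstrap] in rucio.cfg); '
            'replace it before exposing this instance')

    s = get_session()

    access = 'super_root' if multi_vo else 'root'
    account = models.Account(account=InternalAccount(access, 'def'), account_type=AccountType.SERVICE, status=AccountStatus.ACTIVE)

    # Salted SHA-256: a single fast hash, not a password KDF.  NOTE(review): the userpass verifier
    # presumably recomputes exactly this, so the scheme cannot be changed here alone -- confirm first.
    salt = urandom(255)
    hashed_password = sha256(salt + up_pwd.encode()).hexdigest()
    identity1 = models.Identity(identity=up_id, identity_type=IdentityType.USERPASS, password=hashed_password, salt=salt, email=up_email)
    # X509 authentication
    identity2 = models.Identity(identity=x509_id, identity_type=IdentityType.X509, email=x509_email)
    # GSS authentication
    identity3 = models.Identity(identity=gss_id, identity_type=IdentityType.GSS, email=gss_email)
    # SSH authentication
    identity4 = models.Identity(identity=ssh_id, identity_type=IdentityType.SSH, email=ssh_email)
    identities = [identity1, identity2, identity3, identity4]

    # Every bootstrap identity maps to this account and is the default account for that identity.
    associations = [
        models.IdentityAccountAssociation(identity=ident.identity, identity_type=ident.identity_type,
                                          account=account.account, is_default=True)
        for ident in identities
    ]

    # Account counters
    if create_counters:
        # NOTE(review): if create_counters_for_new_account only flushes into ``s`` without committing,
        # a rollback in the identity loop below discards those rows -- confirm it commits.
        create_counters_for_new_account(account=account.account, session=s)

    # Apply: one commit per identity so a collision on one does not discard the others.
    for ident in identities:
        try:
            s.add(ident)
            s.commit()
        except IntegrityError:
            # Identities may already be in the DB when running multi-VO conversion; the stored row
            # (including any existing password hash) is kept and only the association is added below.
            s.rollback()

    try:
        s.add(account)
        s.commit()
        s.add_all(associations)
        s.commit()
    except Exception:
        # Do not hand the caller a session stuck in a failed transaction.
        s.rollback()
        raise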