def create_sa_secret(secret_name, service_account, strict=False, private_key_filename='private-key.pem'): """Create an sa-secret with a given private key file for passed service account in the vault. Both (service account and secret) should share the same key pair. `{strict}` parameter should be `True` when creating a secret in a `strict` secure cluster. Private key file will be removed after secret is successfully created. This method uses `dcos security org` command and assumes that `dcos-enterprise-cli` package is installed. :param secret_name: secret name :type secret_name: str :param service_account: service account name :type service_account: str :param strict: `True` is this a `strict` secure cluster :type strict: bool :param private_key_filename: private key file name :type private_key_filename: str """ assert os.path.isfile( private_key_filename), "Failed to create secret: private key not found" logger.info('Creating new sa-secret {} for service-account: {}'.format( secret_name, service_account)) strict_opt = '--strict' if strict else '' with attached_cli(): stdout, stderr, return_code = run_dcos_command( 'security secrets create-sa-secret {} {} {} {}'.format( strict_opt, private_key_filename, service_account, secret_name)) os.remove(private_key_filename) assert return_code == 0, "Failed to create a secret"
def install_enterprise_cli_package(): """Install `dcos-enterprise-cli` package. It is required by the `dcos security` command to create secrets, manage service accounts etc. """ logger.info('Installing dcos-enterprise-cli package') with attached_cli(): cmd = 'package install dcos-enterprise-cli --cli --yes' stdout, stderr, return_code = run_dcos_command(cmd, raise_on_error=True)
def delete_service_account(service_account): """Removes an existing service account. This method uses `dcos security org` command and assumes that `dcos-enterprise-cli` package is installed. :param service_account: service account name :type service_account: str """ logger.info('Removing existing service account {}'.format(service_account)) with attached_cli(): cmd = 'security org service-accounts delete {}'.format(service_account) stdout, stderr, return_code = run_dcos_command(cmd) assert return_code == 0, "Failed to create a service account"
def create_service_account(service_account, private_key_filename='private-key.pem', public_key_filename='public-key.pem', account_description='SI test account'): """Create new private and public key pair and use them to add a new service with a give name. Public key file is then removed, however private key file is left since it might be used to create a secret. If you don't plan on creating a secret afterwards, please remove it manually. This method uses `dcos security org` command and assumes that `dcos-enterprise-cli` package is installed. :param service_account: service account name :type service_account: str :param private_key_filename: optional private key file name :type private_key_filename: str :param public_key_filename: optional public key file name :type public_key_filename: str :param account_description: service account description :type account_description: str """ logger.info('Creating a key pair for the service account') with attached_cli(): cmd = 'security org service-accounts keypair {} {}'.format( private_key_filename, public_key_filename) run_dcos_command(cmd) assert os.path.isfile( private_key_filename ), "Private key of the service account key pair not found" assert os.path.isfile( public_key_filename ), "Public key of the service account key pair not found" logger.info('Creating {} service account'.format(service_account)) stdout, stderr, return_code = run_dcos_command( 'security org service-accounts create -p {} -d "{}" {}'.format( public_key_filename, account_description, service_account)) os.remove(public_key_filename) assert return_code == 0
def has_service_account(service_account): """Returns `True` if a service account with a given name already exists. This method uses `dcos security org` command and assumes that `dcos-enterprise-cli` package is installed. :param service_account: service account name :type service_account: str """ with attached_cli(): stdout, stderr, return_code = run_dcos_command( 'security org service-accounts show --json') result_json = json.loads(stdout) return service_account in result_json
def delete_secret(secret_name): """Delete a secret with a given name from the vault. This method uses `dcos security org` command and assumes that `dcos-enterprise-cli` package is installed. :param secret_name: secret name :type secret_name: str """ logger.info('Removing existing secret {}'.format(secret_name)) with attached_cli(): stdout, stderr, return_code = run_dcos_command( 'security secrets delete {}'.format(secret_name)) assert return_code == 0, "Failed to remove existing secret"
def is_enterprise_cli_package_installed(): """Returns `True` if `dcos-enterprise-cli` package is installed.""" with attached_cli(): stdout, stderr, return_code = run_dcos_command('package list --json') logger.info( 'package list command returned code:{}, stderr:{}, stdout: {}'. format(return_code, stderr, stdout)) try: result_json = json.loads(stdout) except JSONDecodeError as error: raise DCOSException( 'Could not parse: "{}"'.format(stdout)) from error return any(cmd['name'] == 'dcos-enterprise-cli' for cmd in result_json)
def has_secret(secret_name): """Returns `True` if the secret with given name exists in the vault. This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli` package is installed. :param secret_name: secret name :type secret_name: str """ with attached_cli(): stdout, stderr, return_code = run_dcos_command( 'security secrets list / --json') if stdout: result_json = json.loads(stdout) return secret_name in result_json return False
def create_secret(name, value=None, description=None): """Create a secret with a passed `{name}` and optional `{value}`. This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli` package is installed. :param name: secret name :type name: str :param value: optional secret value :type value: str :param description: option secret description :type description: str """ logger.info('Creating new secret {}:{}'.format(name, value)) value_opt = '-v {}'.format(shlex.quote(value)) if value else '' description_opt = '-d "{}"'.format(description) if description else '' with attached_cli(): stdout, stderr, return_code = run_dcos_command( 'security secrets create {} {} "{}"'.format( value_opt, description_opt, name), print_output=True) assert return_code == 0, "Failed to create a secret"