def create_root_account(): """ Inserts the default root account to an existing database. Make sure to change the default password later. """ up_id = 'ddmlab' up_pwd = '2ccee6f6dd1bc2269cddd7cd5e47578e98e430539807c36df23fab7dd13e7583' up_email = '*****@*****.**' x509_id = '/C=CH/ST=Geneva/O=CERN/OU=PH-ADP-CO/CN=DDMLAB Client Certificate/[email protected]' x509_email = '*****@*****.**' gss_id = '*****@*****.**' gss_email = '*****@*****.**' ssh_id = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq5LySllrQFpPL614sulXQ7wnIr1aGhGtl8b+HCB/'\ '0FhMSMTHwSjX78UbfqEorZV16rXrWPgUpvcbp2hqctw6eCbxwqcgu3uGWaeS5A0iWRw7oXUh6ydn'\ 'Vy89zGzX1FJFFDZ+AgiZ3ytp55tg1bjqqhK1OSC0pJxdNe878TRVVo5MLI0S/rZY2UovCSGFaQG2'\ 'iLj14wz/YqI7NFMUuJFR4e6xmNsOP7fCZ4bGMsmnhR0GmY0dWYTupNiP5WdYXAfKExlnvFLTlDI5'\ 'Mgh4Z11NraQ8pv4YE1woolYpqOc/IMMBBXFniTT4tC7cgikxWb9ZmFe+r4t6yCDpX4IL8L5GOQ== ddmlab' ssh_email = '*****@*****.**' try: up_id = config_get('bootstrap', 'userpass_identity') up_pwd = config_get('bootstrap', 'userpass_pwd') up_email = config_get('bootstrap', 'userpass_email') x509_id = config_get('bootstrap', 'x509_identity') x509_email = config_get('bootstrap', 'x509_email') gss_id = config_get('bootstrap', 'gss_identity') gss_email = config_get('bootstrap', 'gss_email') ssh_id = config_get('bootstrap', 'ssh_identity') ssh_email = config_get('bootstrap', 'ssh_email') except: pass # print 'Config values are missing (check rucio.cfg{.template}). Using hardcoded defaults.' 
s = session.get_session() account = models.Account(account=InternalAccount('root'), account_type=AccountType.SERVICE, status=AccountStatus.ACTIVE) identity1 = models.Identity(identity=up_id, identity_type=IdentityType.USERPASS, password=up_pwd, salt='0', email=up_email) iaa1 = models.IdentityAccountAssociation(identity=identity1.identity, identity_type=identity1.identity_type, account=account.account, is_default=True) # X509 authentication identity2 = models.Identity(identity=x509_id, identity_type=IdentityType.X509, email=x509_email) iaa2 = models.IdentityAccountAssociation(identity=identity2.identity, identity_type=identity2.identity_type, account=account.account, is_default=True) # GSS authentication identity3 = models.Identity(identity=gss_id, identity_type=IdentityType.GSS, email=gss_email) iaa3 = models.IdentityAccountAssociation(identity=identity3.identity, identity_type=identity3.identity_type, account=account.account, is_default=True) # SSH authentication identity4 = models.Identity(identity=ssh_id, identity_type=IdentityType.SSH, email=ssh_email) iaa4 = models.IdentityAccountAssociation(identity=identity4.identity, identity_type=identity4.identity_type, account=account.account, is_default=True) # Account counters create_counters_for_new_account(account=account.account, session=s) # Apply s.add_all([account, identity1, identity2, identity3, identity4]) s.commit() s.add_all([iaa1, iaa2, iaa3, iaa4]) s.commit()
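def add_account_identity(identity, type, account, email, default=False, password=None, session=None):
    """
    Adds a membership association between identity and account.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type: The type of the authentication (x509, gss, userpass, ssh, saml, oidc).
    :param account: The account name.
    :param email: The Email address associated with the identity.
    :param default: If True, the account should be used by default with the provided identity.
    :param password: Password if type is userpass.
    :param session: The database session in use.
    :raises AccountNotFound: If *account* does not exist.
    :raises Duplicate: If saving the association hits an IntegrityError.
    """
    if not account_exists(account, session=session):
        raise exception.AccountNotFound('Account \'%s\' does not exist.' % account)

    existing = session.query(models.Identity).filter_by(identity=identity, identity_type=type).first()
    if existing is None:
        # Create the identity first, then re-read it so the association is
        # built from the persisted row.
        add_identity(identity=identity, type=type, email=email, password=password, session=session)
        existing = session.query(models.Identity).filter_by(identity=identity, identity_type=type).first()

    # ``default`` was documented but never written; pass it through so the
    # caller's choice actually lands in the association row.
    iaa = models.IdentityAccountAssociation(identity=existing.identity,
                                            identity_type=existing.identity_type,
                                            account=account,
                                            is_default=default)

    try:
        iaa.save(session=session)
    except IntegrityError:
        # NOTE(review): every IntegrityError is reported as a duplicate here,
        # including ones that are not unique-key violations.
        raise exception.Duplicate('Identity pair \'%s\',\'%s\' already exists!' % (identity, type))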
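def add_account_identity(identity, type_, account, email, default=False, password=None, session=None):
    """
    Adds a membership association between identity and account.

    :param identity: The identity key name. For example x509 DN, or a username.
    :param type_: The type of the authentication (x509, gss, userpass, ssh, saml, oidc).
    :param account: The account name.
    :param email: The Email address associated with the identity.
    :param default: If True, the account should be used by default with the provided identity.
    :param password: Password if type is userpass.
    :param session: The database session in use.
    :raises AccountNotFound: If *account* does not exist.
    :raises Duplicate: If the identity/account pair is already associated.
    :raises IntegrityError: For any other integrity violation raised by the database.
    """
    if not account_exists(account, session=session):
        raise exception.AccountNotFound('Account \'%s\' does not exist.' % account)

    existing = session.query(models.Identity).filter_by(identity=identity, identity_type=type_).first()
    if existing is None:
        # Create the identity first, then re-read it so the association is
        # built from the persisted row.
        add_identity(identity=identity, type_=type_, email=email, password=password, session=session)
        existing = session.query(models.Identity).filter_by(identity=identity, identity_type=type_).first()

    iaa = models.IdentityAccountAssociation(identity=existing.identity,
                                            identity_type=existing.identity_type,
                                            account=account,
                                            is_default=default)

    try:
        iaa.save(session=session)
    except IntegrityError as error:
        # Driver-specific messages that all mean "unique constraint violated"
        # (Oracle, SQLite, MySQL, PostgreSQL/psycopg2).
        # NOTE(review): assumes error.args[0] carries the driver's message text.
        duplicate_patterns = (
            '.*IntegrityError.*ORA-00001: unique constraint.*violated.*',
            '.*IntegrityError.*UNIQUE constraint failed.*',
            '.*IntegrityError.*1062.*Duplicate entry.*for key.*',
            '.*IntegrityError.*duplicate key value violates unique constraint.*',
            '.*UniqueViolation.*duplicate key value violates unique constraint.*',
            '.*IntegrityError.*columns? .*not unique.*',
        )
        message = error.args[0]
        if any(match(pattern, message) for pattern in duplicate_patterns):
            raise exception.Duplicate('Identity pair \'%s\',\'%s\' already exists!' % (identity, type_))
        # Any other integrity problem (e.g. a foreign-key or NOT NULL
        # violation) used to be swallowed here, returning normally from a
        # failed insert; propagate it so the caller sees the failure.
        raise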
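def create_root_account(create_counters=True):
    """
    Inserts the default root account to an existing database.
    Make sure to change the default password later.

    The four bootstrap identities (USERPASS, X509, GSS, SSH) are read from
    the ``[bootstrap]`` section of the configuration. If that lookup fails,
    the hard-coded fallbacks below are used, so a deployment that does not
    override them ends up with a root account reachable through
    well-known credentials.

    :param create_counters: If True, create counters for the new account at existing RSEs.
    """
    multi_vo = bool(config_get('common', 'multi_vo', False, False))

    # Hard-coded fallbacks. 'secret' is a placeholder password that ships
    # with the code; if ``[bootstrap] userpass_pwd`` is not configured the
    # root account is created with it and must be rotated immediately.
    up_id = 'ddmlab'
    up_pwd = 'secret'
    up_email = '*****@*****.**'
    x509_id = '/C=CH/ST=Geneva/O=CERN/OU=PH-ADP-CO/CN=DDMLAB Client Certificate/[email protected]'
    x509_email = '*****@*****.**'
    gss_id = '*****@*****.**'
    gss_email = '*****@*****.**'
    ssh_id = ('ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq5LySllrQFpPL614sulXQ7wnIr1aGhGtl8b+HCB/'
              '0FhMSMTHwSjX78UbfqEorZV16rXrWPgUpvcbp2hqctw6eCbxwqcgu3uGWaeS5A0iWRw7oXUh6ydn'
              'Vy89zGzX1FJFFDZ+AgiZ3ytp55tg1bjqqhK1OSC0pJxdNe878TRVVo5MLI0S/rZY2UovCSGFaQG2'
              'iLj14wz/YqI7NFMUuJFR4e6xmNsOP7fCZ4bGMsmnhR0GmY0dWYTupNiP5WdYXAfKExlnvFLTlDI5'
              'Mgh4Z11NraQ8pv4YE1woolYpqOc/IMMBBXFniTT4tC7cgikxWb9ZmFe+r4t6yCDpX4IL8L5GOQ== ddmlab')
    ssh_email = '*****@*****.**'

    try:
        up_id = config_get('bootstrap', 'userpass_identity')
        up_pwd = config_get('bootstrap', 'userpass_pwd')
        up_email = config_get('bootstrap', 'userpass_email')
        x509_id = config_get('bootstrap', 'x509_identity')
        x509_email = config_get('bootstrap', 'x509_email')
        gss_id = config_get('bootstrap', 'gss_identity')
        gss_email = config_get('bootstrap', 'gss_email')
        ssh_id = config_get('bootstrap', 'ssh_identity')
        ssh_email = config_get('bootstrap', 'ssh_email')
    except Exception:
        # Config values are missing (check rucio.cfg{.template}); keep the
        # hard-coded defaults. Only Exception is caught so that
        # KeyboardInterrupt/SystemExit still propagate, which a bare
        # ``except:`` would have swallowed.
        # NOTE(review): if the lookup fails part-way, the values already
        # read are kept and only the remaining ones fall back to defaults.
        pass

    s = get_session()

    # In multi-VO mode the bootstrap account is the cross-VO 'super_root'.
    access = 'super_root' if multi_vo else 'root'
    account = models.Account(account=InternalAccount(access, 'def'),
                             account_type=AccountType.SERVICE,
                             status=AccountStatus.ACTIVE)

    # USERPASS authentication: a fresh random salt is prepended to the
    # password and the SHA-256 hex digest of that is stored together with
    # the salt, so the cleartext never reaches the database.
    salt = urandom(255)
    hashed_password = sha256(salt + up_pwd.encode()).hexdigest()
    identity1 = models.Identity(identity=up_id, identity_type=IdentityType.USERPASS,
                                password=hashed_password, salt=salt, email=up_email)
    iaa1 = models.IdentityAccountAssociation(identity=identity1.identity,
                                             identity_type=identity1.identity_type,
                                             account=account.account, is_default=True)

    # X509 authentication
    identity2 = models.Identity(identity=x509_id, identity_type=IdentityType.X509, email=x509_email)
    iaa2 = models.IdentityAccountAssociation(identity=identity2.identity,
                                             identity_type=identity2.identity_type,
                                             account=account.account, is_default=True)

    # GSS authentication
    identity3 = models.Identity(identity=gss_id, identity_type=IdentityType.GSS, email=gss_email)
    iaa3 = models.IdentityAccountAssociation(identity=identity3.identity,
                                             identity_type=identity3.identity_type,
                                             account=account.account, is_default=True)

    # SSH authentication
    identity4 = models.Identity(identity=ssh_id, identity_type=IdentityType.SSH, email=ssh_email)
    iaa4 = models.IdentityAccountAssociation(identity=identity4.identity,
                                             identity_type=identity4.identity_type,
                                             account=account.account, is_default=True)

    # Account counters
    if create_counters:
        create_counters_for_new_account(account=account.account, session=s)

    # Apply. Each identity is committed on its own so that one that already
    # exists (e.g. when running the multi-VO conversion) can be skipped
    # without losing the others.
    for identity in [identity1, identity2, identity3, identity4]:
        try:
            s.add(identity)
            s.commit()
        except IntegrityError:
            s.rollback()

    # NOTE(review): the account insert itself is not guarded, so re-running
    # against a database that already holds this account raises here.
    s.add(account)
    s.commit()

    s.add_all([iaa1, iaa2, iaa3, iaa4])
    s.commit()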