5fd8117098
The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd commands now create or update passwords.yml with correct permissions. They also display a warning message about incorrect permissions. Closes-Bug: #2018338 Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
import os
import stat
import sys
import hvac
import yaml
from kolla_ansible.hashi_vault import hashicorp_vault_client
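def readpwd(passwords_file, vault_kv_path, vault_mount_point, vault_namespace,
            vault_addr, vault_role_id, vault_secret_id, vault_token,
            vault_cacert):
    """Replace the contents of passwords_file with values read from Vault.

    Every top-level key of the existing passwords file is looked up under
    ``<vault_kv_path>/<key>`` on the KV v2 mount ``vault_mount_point``.  The
    secret's ``password`` field (or the whole secret data when there is no
    such field) becomes the new value.  Keys that do not exist in Vault are
    written as ``null`` after a warning.  The file is then recreated with
    mode 0o640, and any world-accessible bits left over from a file that
    could not be removed are stripped from the open descriptor.

    Args:
        passwords_file: path of the passwords.yml to read and overwrite.
        vault_kv_path: path prefix inside the KV mount holding the passwords.
        vault_mount_point: name of the KV v2 secrets engine mount.
        vault_namespace, vault_addr, vault_role_id, vault_secret_id,
        vault_token, vault_cacert: forwarded unchanged to
            hashicorp_vault_client().

    Exits with status 1 when the passwords file is not a YAML mapping.
    Propagates OSError from the file operations and any hvac error other
    than InvalidPath.
    """
    with open(passwords_file, 'r') as f:
        passwords = yaml.safe_load(f)

    # stat once: both warnings look at the same mode word.
    file_mode = os.stat(passwords_file).st_mode
    if file_mode & stat.S_IROTH:
        print(f"WARNING: Passwords file \"{passwords_file}\" is"
              " world-readable. The permissions will be changed.")

    if file_mode & stat.S_IWOTH:
        print(f"WARNING: Passwords file \"{passwords_file}\" is"
              " world-writeable. The permissions will be changed.")

    # An empty file loads as None; anything but a mapping is unusable.
    if not isinstance(passwords, dict):
        print("ERROR: Passwords file not in expected key/value format")
        sys.exit(1)

    client = hashicorp_vault_client(vault_namespace, vault_addr, vault_role_id,
                                    vault_secret_id, vault_token, vault_cacert)

    vault_kv_passwords = {}
    for password_key in passwords:
        try:
            password_data = client.secrets.kv.v2.read_secret_version(
                mount_point=vault_mount_point,
                path="{}/{}".format(vault_kv_path, password_key))
        except hvac.exceptions.InvalidPath:
            # Ignore passwords that are not found in Vault
            print("WARNING: '%s' not found in Vault" % password_key)
            vault_kv_passwords[password_key] = None
            continue
        # KV v2 wraps the stored key/value pairs in data -> data; a missing
        # wrapper is a protocol error and is deliberately not caught here.
        secret_data = password_data['data']['data']
        try:
            vault_kv_passwords[password_key] = secret_data['password']
        except KeyError:
            # No 'password' field: keep whatever Vault holds under the path.
            vault_kv_passwords[password_key] = secret_data

    # Recreate the file rather than truncate in place so a pre-existing
    # world-accessible file is replaced by a fresh one.  A failed removal is
    # not fatal: the mode is enforced on the open descriptor below.
    try:
        os.remove(passwords_file)
    except FileNotFoundError:
        pass
    except OSError as exc:
        print(f"WARNING: could not remove \"{passwords_file}\": {exc}")

    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    mode = 0o640

    fd = os.open(passwords_file, flags, mode=mode)
    try:
        # The mode given to os.open applies only to a newly created file.  If
        # the old file survived os.remove, strip its world bits here so the
        # warning printed above is honoured; fchmod works on the descriptor
        # we already hold, so the path is not re-resolved for this step.
        current = stat.S_IMODE(os.fstat(fd).st_mode)
        if current & stat.S_IRWXO:
            os.fchmod(fd, current & ~stat.S_IRWXO)
        f = os.fdopen(fd, 'w')
    except BaseException:
        os.close(fd)
        raise
    with f:
        yaml.safe_dump(vault_kv_passwords, f)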
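def main():
    """Parse command-line options and rewrite the passwords file from Vault.

    Every option except ``--vault-addr`` has a default.  ``--passwords`` and
    ``--vault-cacert`` are ``~``-expanded before use; all other values are
    passed to readpwd() exactly as given.  The option help describes two
    ways to authenticate: a role-ID/secret-ID pair, or a token.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-p', '--passwords', type=str,
        default=os.path.abspath('/etc/kolla/passwords.yml'),
        help='Path to the passwords.yml file')
    parser.add_argument(
        '-kv', '--vault-mount-point', type=str,
        default='kv',
        help='Path to the KV mount point')
    parser.add_argument(
        '-kvp', '--vault-kv-path', type=str,
        default='kolla_passwords',
        help='Path to store passwords within your configured KV mount point')
    parser.add_argument(
        '-n', '--vault-namespace', type=str,
        default='',
        help='Vault namespace (enterprise only)')
    parser.add_argument(
        '-v', '--vault-addr', type=str,
        required=True,
        help='Address to connect to an existing Hashicorp Vault')
    # NOTE: credentials passed as command-line arguments are visible to other
    # local users through the process table and can be recorded in shell
    # history; the help text below names the actual long option names so
    # the pairing requirement is unambiguous.
    parser.add_argument(
        '-r', '--vault-role-id', type=str,
        default='',
        help='Role-ID to authenticate to Vault. This must be used in '
             'conjunction with --vault-secret-id')
    parser.add_argument(
        '-s', '--vault-secret-id', type=str,
        default='',
        help='Secret-ID to authenticate to Vault. This must be used in '
             'conjunction with --vault-role-id')
    parser.add_argument(
        '-t', '--vault-token', type=str,
        default='',
        help='Vault token to authenticate to Vault')
    parser.add_argument(
        '-c', '--vault-cacert', type=str,
        default='',
        help='Path to CA certificate file')

    args = parser.parse_args()
    passwords_file = os.path.expanduser(args.passwords)
    # expanduser('') is '', so an unset CA path is forwarded unchanged.
    vault_cacert = os.path.expanduser(args.vault_cacert)

    readpwd(passwords_file, args.vault_kv_path, args.vault_mount_point,
            args.vault_namespace, args.vault_addr, args.vault_role_id,
            args.vault_secret_id, args.vault_token, vault_cacert)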
# Script entry point: only runs when executed directly, not when imported.
if __name__ == '__main__':
    main()