x/cloudbase-init
Code Issues Proposed changes

Adds SetUserPassword plugin

Browse Source 
Password management needs to be separated from the CreateUserPlugin.
This commit is contained in:
Alessandro Pilotti 2013-05-02 02:59:03 +03:00
parent 3e120de02a
commit af4e772137
5 changed files with 36 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cloudbaseinit/metadata/services/base.py
View File

@ -102,10 +102,17 @@ class BaseMetadataService(object):
def _post_data(self, path, data): def _post_data(self, path, data):
raise NotExistingMetadataException() raise NotExistingMetadataException()
def post_password(self, enc_password_b64, version='latest'): def _get_password_path(self, version='latest'):
path = posixpath.normpath(posixpath.join('openstack', return posixpath.normpath(posixpath.join('openstack',
version, version,
'password')) 'password'))
def is_password_set(self, version='latest'):
path = self._get_password_path(version)
return len(self._get_data(path)) > 0
def post_password(self, enc_password_b64, version='latest'):
path = self._get_password_path(version)
action = lambda: self._post_data(path, enc_password_b64) action = lambda: self._post_data(path, enc_password_b64)
return self._exec_with_retry(action) return self._exec_with_retry(action)

8
cloudbaseinit/osutils/base.py
View File

@ -14,6 +14,8 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import base64
import os
import subprocess import subprocess
@ -24,6 +26,12 @@ class BaseOSUtils(object):
def user_exists(self, username): def user_exists(self, username):
pass pass
def generate_random_password(self, length):
# On Windows os.urandom() uses CryptGenRandom, which is a
# cryptographically secure pseudorandom number generator
b64_password = base64.b64encode(os.urandom(256))
return b64_password.replace('/', '').replace('+', '')[:length]
def execute_process(self, args, shell=True): def execute_process(self, args, shell=True):
p = subprocess.Popen(args, p = subprocess.Popen(args,
stdout=subprocess.PIPE, stdout=subprocess.PIPE,

18
cloudbaseinit/osutils/windows.py
View File

@ -107,8 +107,12 @@ class WindowsUtils(base.BaseOSUtils):
(out, err, ret_val) = self.execute_process(args) (out, err, ret_val) = self.execute_process(args)
if not ret_val: if not ret_val:
self._set_user_password_expiration(username, password_expires) self._set_user_password_expiration(username, password_expires)
else:
return ret_val == 0 if create:
msg = "Create user failed: %(err)s"
else:
msg = "Set user password failed: %(err)s"
raise Exception(msg % locals())
def _sanitize_wmi_input(self, value): def _sanitize_wmi_input(self, value):
return value.replace('\'', '\'\'') return value.replace('\'', '\'\'')
@ -122,14 +126,12 @@ class WindowsUtils(base.BaseOSUtils):
return True return True
def create_user(self, username, password, password_expires=False): def create_user(self, username, password, password_expires=False):
if not self._create_or_change_user(username, password, True, self._create_or_change_user(username, password, True,
password_expires): password_expires)
raise Exception("Create user failed")
def set_user_password(self, username, password, password_expires=False): def set_user_password(self, username, password, password_expires=False):
if not self._create_or_change_user(username, password, False, self._create_or_change_user(username, password, False,
password_expires): password_expires)
raise Exception("Set user password failed")
def _get_user_sid_and_domain(self, username): def _get_user_sid_and_domain(self, username):
sid = ctypes.create_string_buffer(1024) sid = ctypes.create_string_buffer(1024)

1
cloudbaseinit/plugins/factory.py
View File

@ -28,6 +28,7 @@ opts = [
'SetUserSSHPublicKeysPlugin', 'SetUserSSHPublicKeysPlugin',
'cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin', 'cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin',
'cloudbaseinit.plugins.windows.userdata.UserDataPlugin', 'cloudbaseinit.plugins.windows.userdata.UserDataPlugin',
'cloudbaseinit.plugins.windows.setuserpassword.SetUserPasswordPlugin',
], ],
help='List of enabled plugin classes, ' help='List of enabled plugin classes, '
'to executed in the provided order'), 'to executed in the provided order'),

83
cloudbaseinit/plugins/windows/createuser.py
View File

@ -14,15 +14,10 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import base64
import os
from cloudbaseinit.metadata.services import base as services_base
from cloudbaseinit.openstack.common import cfg from cloudbaseinit.openstack.common import cfg
from cloudbaseinit.openstack.common import log as logging from cloudbaseinit.openstack.common import log as logging
from cloudbaseinit.osutils import factory as osutils_factory from cloudbaseinit.osutils import factory as osutils_factory
from cloudbaseinit.plugins import base from cloudbaseinit.plugins import base
from cloudbaseinit.utils import crypt
opts = [ opts = [
cfg.StrOpt('username', default='Admin', help='User to be added to the ' cfg.StrOpt('username', default='Admin', help='User to be added to the '
@ -42,81 +37,25 @@ LOG = logging.getLogger(__name__)
class CreateUserPlugin(base.BasePlugin): class CreateUserPlugin(base.BasePlugin):
_post_password_md_ver = '2013-04-04' def _get_password(self, service, osutils):
def _generate_random_password(self, length):
# On Windows os.urandom() uses CryptGenRandom, which is a
# cryptographically secure pseudorandom number generator
b64_password = base64.b64encode(os.urandom(256))
return b64_password.replace('/', '').replace('+', '')[:length]
def _encrypt_password(self, ssh_pub_key, password):
cm = crypt.CryptManager()
with cm.load_ssh_rsa_public_key(ssh_pub_key) as rsa:
enc_password = rsa.public_encrypt(password)
return base64.b64encode(enc_password)
def _get_ssh_public_key(self, service):
meta_data = service.get_meta_data('openstack',
self._post_password_md_ver)
if not 'public_keys' in meta_data:
return False
public_keys = meta_data['public_keys']
ssh_pub_key = None
for k in public_keys:
# Get the first key
ssh_pub_key = public_keys[k]
break
return ssh_pub_key
def _get_password(self, service):
meta_data = service.get_meta_data('openstack') meta_data = service.get_meta_data('openstack')
if 'admin_pass' in meta_data and CONF.inject_user_password: if 'admin_pass' in meta_data and CONF.inject_user_password:
LOG.warn('Using admin_pass metadata user password. Consider '
'changing it as soon as possible')
password = meta_data['admin_pass'] password = meta_data['admin_pass']
else: else:
LOG.debug('Generating random password') # Generate a temporary random password to be replaced
# Generate a random password # by SetUserPasswordPlugin (starting from Grizzly)
# Limit to 14 chars for compatibility with NT password = osutils.generate_random_password(14)
password = self._generate_random_password(14)
return password return password
def _set_metadata_password(self, password, service):
try:
ssh_pub_key = self._get_ssh_public_key(service)
if ssh_pub_key:
enc_password_b64 = self._encrypt_password(ssh_pub_key,
password)
return service.post_password(enc_password_b64,
self._post_password_md_ver)
else:
LOG.info('No SSH public key available for password encryption')
return True
except services_base.NotExistingMetadataException:
# Requested version not available or password feature
# not implemented
LOG.info('Cannot set the password in the metadata as it is not '
'supported by this metadata version')
return True
def execute(self, service): def execute(self, service):
user_name = CONF.username user_name = CONF.username
password = self._get_password(service)
if service.can_post_password:
md_pwd_already_set = not self._set_metadata_password(password,
service)
else:
md_pwd_already_set = False
LOG.info('Cannot set the password in the metadata as it is not '
'supported by this service')
osutils = osutils_factory.OSUtilsFactory().get_os_utils() osutils = osutils_factory.OSUtilsFactory().get_os_utils()
if not osutils.user_exists(user_name): if not osutils.user_exists(user_name):
if md_pwd_already_set: password = self._get_password(service, osutils)
LOG.warning('Creating user, but the password was not set in '
'the metadata as it was previously set')
osutils.create_user(user_name, password) osutils.create_user(user_name, password)
# Create a user profile in order for other plugins # Create a user profile in order for other plugins
# to access the user home, etc # to access the user home, etc
@ -124,12 +63,6 @@ class CreateUserPlugin(base.BasePlugin):
password, password,
True) True)
osutils.close_user_logon_session(token) osutils.close_user_logon_session(token)
else:
if not md_pwd_already_set:
osutils.set_user_password(user_name, password)
else:
LOG.warning('Cannot change the user\'s password as it is '
'already set in the metadata')
for group_name in CONF.groups: for group_name in CONF.groups:
try: try: