confluent/confluent_server/bin/confluentdbutil

#!/usr/bin/python2
# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright 2017 Lenovo
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


import getpass
import optparse
import sys
import os
path = os.path.dirname(os.path.realpath(__file__))
path = os.path.realpath(os.path.join(path, '..', 'lib', 'python'))
if path.startswith('/opt'):
    # if installed into system path, do not muck with things
    sys.path.append(path)
import confluent.config.configmanager as cfm
import confluent.config.conf as conf
import confluent.main as main

argparser = optparse.OptionParser(
    usage="Usage: %prog [options] [dump|restore] [path]")
argparser.add_option('-p', '--password',
                     help='Password to use to protect/unlock a protected dump')
argparser.add_option('-i', '--interactivepassword', help='Prompt for password',
                     action='store_true')
argparser.add_option('-r', '--redact', action='store_true',
                     help='Redact potentially sensitive data rather than store')
argparser.add_option('-u', '--unprotected', action='store_true',
                      help='Specify that no password should be used to protect'
                           ' the key information.  Fields will be encrypted, '
                           'but keys.json will contain unencrypted decryption'
                           ' keys that may be used to read the dump')
argparser.add_option('-s', '--skipkeys', action='store_true',
                      help='This specifies to dump the encrypted data without '
                           'dumping the keys needed to decrypt it.  This is '
                           'suitable for an automated incremental backup, '
                           'where an earlier password protected dump has a '
                           'protected keys.json file, and only the protected '
                           'data is needed.  keys do not change and as such '
                           'they do not require incremental backup')
(options, args) = argparser.parse_args()
if len(args) != 2 or args[0] not in ('dump', 'restore'):
    argparser.print_help()
    sys.exit(1)
dumpdir = args[1]


if args[0] == 'restore':
    pid = main.is_running()
    if pid is not None:
        print("Confluent is running, must shut down to restore db")
        sys.exit(1)
    stinf = os.stat('/etc/confluent')
    owner = stinf.st_uid
    group = stinf.st_gid
    password = options.password
    if options.interactivepassword:
        password = getpass.getpass('Enter password to restore backup: ')
    try:
        cfm.init(True)
        cfm.statelessmode = True
        cfm.restore_db_from_directory(dumpdir, password)
        cfm.statelessmode = False
        cfm.ConfigManager.wait_for_sync(True)
        if owner != 0:
            for targdir in os.walk('/etc/confluent'):
                os.chown(targdir[0], owner, group)
                for f in targdir[2]:
                    os.chown(os.path.join(targdir[0], f), owner, group)
    except Exception as e:
        print(str(e))
        sys.exit(1)
elif args[0] == 'dump':
    password = options.password
    if not password and options.interactivepassword:
        passcfm = None
        while passcfm is None or password != passcfm:
            password = getpass.getpass(
                'Enter password to protect the backup: ')
            passcfm = getpass.getpass('Confirm password to protect the backup: ')
    if password is None and not (options.unprotected or options.redact
                                         or options.skipkeys):
        print("Must indicate a password to protect or -u to opt opt of "
              "secure value protection or -r to redact sensitive information, "
              "or -s to do encrypted backup that requires keys.json from "
              "another backup to restore.")
        sys.exit(1)
    os.umask(0o77)
    main._initsecurity(conf.get_config())
    if not os.path.exists(dumpdir):
        os.makedirs(dumpdir)
    cfm.dump_db_to_directory(dumpdir, password, options.redact,
                             options.skipkeys)
Make /usr/bin/env python point to python2 Same as before, more RHEL8 compatibility changes 2019-09-23 15:04:52 +00:00			`#!/usr/bin/python2`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`# vim: tabstop=4 shiftwidth=4 softtabstop=4`

			`# Copyright 2017 Lenovo`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`


Add ability to skip key backup and interactive password Backups should carefully protect keys.json, but that's only feasible interactively. However keys don't change, so have a way to combine protected keys.json with password with relatively safe non-interactive incremental backups. 2018-06-13 20:22:40 +00:00			`import getpass`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`import optparse`
			`import sys`
			`import os`
			`path = os.path.dirname(os.path.realpath(__file__))`
			`path = os.path.realpath(os.path.join(path, '..', 'lib', 'python'))`
			`if path.startswith('/opt'):`
			`# if installed into system path, do not muck with things`
			`sys.path.append(path)`
			`import confluent.config.configmanager as cfm`
			`import confluent.config.conf as conf`
			`import confluent.main as main`

Actually hook up the redact feature 2017-01-30 21:12:49 +00:00			`argparser = optparse.OptionParser(`
			`usage="Usage: %prog [options] [dump\|restore] [path]")`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`argparser.add_option('-p', '--password',`
			`help='Password to use to protect/unlock a protected dump')`
Add ability to skip key backup and interactive password Backups should carefully protect keys.json, but that's only feasible interactively. However keys don't change, so have a way to combine protected keys.json with password with relatively safe non-interactive incremental backups. 2018-06-13 20:22:40 +00:00			`argparser.add_option('-i', '--interactivepassword', help='Prompt for password',`
			`action='store_true')`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`argparser.add_option('-r', '--redact', action='store_true',`
			`help='Redact potentially sensitive data rather than store')`
			`argparser.add_option('-u', '--unprotected', action='store_true',`
			`help='Specify that no password should be used to protect'`
			`' the key information. Fields will be encrypted, '`
			`'but keys.json will contain unencrypted decryption'`
			`' keys that may be used to read the dump')`
Add ability to skip key backup and interactive password Backups should carefully protect keys.json, but that's only feasible interactively. However keys don't change, so have a way to combine protected keys.json with password with relatively safe non-interactive incremental backups. 2018-06-13 20:22:40 +00:00			`argparser.add_option('-s', '--skipkeys', action='store_true',`
			`help='This specifies to dump the encrypted data without '`
			`'dumping the keys needed to decrypt it. This is '`
			`'suitable for an automated incremental backup, '`
			`'where an earlier password protected dump has a '`
			`'protected keys.json file, and only the protected '`
			`'data is needed. keys do not change and as such '`
			`'they do not require incremental backup')`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`(options, args) = argparser.parse_args()`
			`if len(args) != 2 or args[0] not in ('dump', 'restore'):`
			`argparser.print_help()`
			`sys.exit(1)`
			`dumpdir = args[1]`


			`if args[0] == 'restore':`
			`pid = main.is_running()`
			`if pid is not None:`
			`print("Confluent is running, must shut down to restore db")`
			`sys.exit(1)`
Fix confluentdbrestore in non-root environments 2020-08-14 11:16:04 +00:00			`stinf = os.stat('/etc/confluent')`
			`owner = stinf.st_uid`
			`group = stinf.st_gid`
Fix backup/restore with python3 backup/restore with password was having problems with python3 2020-05-07 20:22:56 +00:00			`password = options.password`
			`if options.interactivepassword:`
			`password = getpass.getpass('Enter password to restore backup: ')`
Cleaner handling of invalid names in restore attempt Detect problems ahead af time and more cleanly print a message. 2018-05-17 18:40:19 +00:00			`try:`
Migrate DB on start If python2 db format detected, use python2 to dump to text, then python3 to restore to get the python3 native version 2022-06-09 20:23:35 +00:00			`cfm.init(True)`
Allow restore to replace unsupported format Going from python 2 to python 3, the dbm format goes from the default to unsupported. This allows a python3 confluentdbutil restore to handle a python2 dump of unsupported format. 2022-06-09 19:49:06 +00:00			`cfm.statelessmode = True`
Fix backup/restore with python3 backup/restore with password was having problems with python3 2020-05-07 20:22:56 +00:00			`cfm.restore_db_from_directory(dumpdir, password)`
Allow restore to replace unsupported format Going from python 2 to python 3, the dbm format goes from the default to unsupported. This allows a python3 confluentdbutil restore to handle a python2 dump of unsupported format. 2022-06-09 19:49:06 +00:00			`cfm.statelessmode = False`
			`cfm.ConfigManager.wait_for_sync(True)`
Fix confluentdbrestore in non-root environments 2020-08-14 11:16:04 +00:00			`if owner != 0:`
			`for targdir in os.walk('/etc/confluent'):`
			`os.chown(targdir[0], owner, group)`
			`for f in targdir[2]:`
Fix typo in confluentdbutil The restore function would fail to chown directories due to typo 2021-03-01 15:31:28 +00:00			`os.chown(os.path.join(targdir[0], f), owner, group)`
Cleaner handling of invalid names in restore attempt Detect problems ahead af time and more cleanly print a message. 2018-05-17 18:40:19 +00:00			`except Exception as e:`
			`print(str(e))`
			`sys.exit(1)`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`elif args[0] == 'dump':`
Add ability to skip key backup and interactive password Backups should carefully protect keys.json, but that's only feasible interactively. However keys don't change, so have a way to combine protected keys.json with password with relatively safe non-interactive incremental backups. 2018-06-13 20:22:40 +00:00			`password = options.password`
			`if not password and options.interactivepassword:`
			`passcfm = None`
			`while passcfm is None or password != passcfm:`
			`password = getpass.getpass(`
			`'Enter password to protect the backup: ')`
			`passcfm = getpass.getpass('Confirm password to protect the backup: ')`
			`if password is None and not (options.unprotected or options.redact`
			`or options.skipkeys):`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`print("Must indicate a password to protect or -u to opt opt of "`
Add ability to skip key backup and interactive password Backups should carefully protect keys.json, but that's only feasible interactively. However keys don't change, so have a way to combine protected keys.json with password with relatively safe non-interactive incremental backups. 2018-06-13 20:22:40 +00:00			`"secure value protection or -r to redact sensitive information, "`
			`"or -s to do encrypted backup that requires keys.json from "`
			`"another backup to restore.")`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`sys.exit(1)`
Implement a number of py3 compatible adjustments 2019-10-02 12:58:39 +00:00			`os.umask(0o77)`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00			`main._initsecurity(conf.get_config())`
			`if not os.path.exists(dumpdir):`
			`os.makedirs(dumpdir)`
Fix backup/restore with python3 backup/restore with password was having problems with python3 2020-05-07 20:22:56 +00:00			`cfm.dump_db_to_directory(dumpdir, password, options.redact,`
Add ability to skip key backup and interactive password Backups should carefully protect keys.json, but that's only feasible interactively. However keys don't change, so have a way to combine protected keys.json with password with relatively safe non-interactive incremental backups. 2018-06-13 20:22:40 +00:00			`options.skipkeys)`
Add a utility to frontend DB dump/restore This exposes the library functions as a utility 2017-01-30 21:08:28 +00:00