2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-26 03:19:48 +00:00

Add attribute to store root password

We want a non-recoverable form,
so hard code it to force it that way.
This commit is contained in:
Jarrod Johnson 2020-04-15 16:18:39 -04:00
parent 709ace4c92
commit 09700626b5
2 changed files with 17 additions and 0 deletions

View File

@ -97,6 +97,10 @@ node = {
'description': ('Classification of node as server or switch'),
'validvalues': ('switch', 'server'),
},
'crypted.rootpassword': {
'description': 'The password of the local root password. '
'This is stored as a non-recoverable hash.',
},
'deployment.apikey': {
'description': ('Crypt of api key for self api requests by node'),
},

View File

@ -60,6 +60,7 @@ import confluent.util
import confluent.netutil as netutil
import confluent.exceptions as exc
import copy
import crypt
try:
import cPickle
except ModuleNotFoundError:
@ -475,6 +476,12 @@ def _get_valid_attrname(attrname):
return attrname
def hashcrypt_value(value):
salt = confluent.util.stringify(base64.b64encode(os.urandom(12)))
salt = '$6${0}'.format(salt)
return crypt.crypt(value, salt)
def crypt_value(value,
key=None,
integritykey=None):
@ -1760,6 +1767,9 @@ class ConfigManager(object):
if 'value' in newdict and attr.startswith("secret."):
newdict['cryptvalue'] = crypt_value(newdict['value'])
del newdict['value']
if 'value' in newdict and attr.startswith("crypted."):
newdict['hashvalue'] = hashcrypt_value(newdict['value'])
del newdict['value']
cfgobj[attr] = newdict
if attr == 'nodes':
self._sync_nodes_to_group(group=group,
@ -2162,6 +2172,9 @@ class ConfigManager(object):
if 'value' in newdict and attrname.startswith("secret."):
newdict['cryptvalue'] = crypt_value(newdict['value'])
del newdict['value']
if 'value' in newdict and attrname.startswith("crypted."):
newdict['hashvalue'] = hashcrypt_value(newdict['value'])
del newdict['value']
cfgobj[attrname] = newdict
if attrname == 'groups':
self._sync_groups_to_node(node=node,