From 2d6bdffebe2a2bf628236bd4c3348e3a26e832b7 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 8 Jan 2021 14:05:37 -0500
Subject: [PATCH] Finalize the ssh.trustnodes facility

This is the confluent approach to handling the same problem that xCAT SSH Zones do.
---
 confluent_server/confluent/config/attributes.py | 7 +++++++
 confluent_server/confluent/selfservice.py | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/config/attributes.py b/confluent_server/confluent/config/attributes.py
index 955e3416..3967240f 100644
--- a/confluent_server/confluent/config/attributes.py
+++ b/confluent_server/confluent/config/attributes.py
@@ -534,6 +534,13 @@ node = {
 'description': ('Password to use when connecting to the hardware '
 'manager'),
 },
+ 'ssh.trustnodes': {
+ 'description': ('Nodes that are allowed to ssh into the node, '
+ 'expressed in noderange syntax. This is used during '
+ 'deployment if the confluent SSH certificate '
+ 'authority is configured. Default behavior is for '
+ 'all nodes to trust each other.'),
+ },
 'pubkeys.addpolicy': {
 'description': ('Policy to use when encountering unknown public '
 'keys. Choices are "automatic" to accept and '
diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index fc8b9d3f..89542b8d 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -301,8 +301,8 @@ def get_cluster_list(nodename=None, cfg=None):
 cfg = configmanager.ConfigManager(None)
 nodes = None
 if nodename is not None:
- sshpeers = cfg.get_node_attributes(nodename, 'ssh.peers')
- sshpeers = sshpeers.get(nodename, {}).get('ssh.peers', {}).get(
+ sshpeers = cfg.get_node_attributes(nodename, 'ssh.trustnodes')
+ sshpeers = sshpeers.get(nodename, {}).get('ssh.trustnodes', {}).get(
 'value', None)
 if sshpeers:
 nodes = noderange.NodeRange(sshpeers, cfg).nodes
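Review bot: The new `ssh.trustnodes` description mentions the permissive default only in its last sentence and does not say when a restriction takes effect. Since the text says the value is used during deployment, a later change presumably does not alter trust on nodes that are already deployed. If that is the case, state it, for example `'Leaving this unset lets every node ssh into this node; changes apply at the next deployment.'`. The `node` dict starts and ends outside the hunk.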
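Review bot: A node that still has a value stored under `ssh.peers` is no longer read by the lookup in `get_cluster_list`, so `sshpeers` comes back empty and `nodes` stays `None`. By the new attribute description that appears to mean all nodes trust each other. If `ssh.peers` was settable in any released version, this widens SSH trust silently on upgrade. Consider reading the old name as a fallback, e.g. `sshpeers = sshpeers or cfg.get_node_attributes(nodename, 'ssh.peers').get(nodename, {}).get('ssh.peers', {}).get('value', None)`, or logging when the old attribute is found. The local is also still called `sshpeers`, where `trustnodes` would match the attribute; the function body continues outside the hunk.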