Attempt to have both short and long names
In ssh, the long or the short name may matter, and a user may use either short or long names as node names. Try to equip ssh to be indifferent to the choice.
parent
f70a3daf9a
commit
4ecae144d9
@ -145,14 +145,30 @@ def handle_request(env, start_response):
|
||||
start_response('500 Unconfigured', ())
|
||||
yield 'CA is not configured on this system (run ...)'
|
||||
return
|
||||
cert = sshutil.sign_host_key(reqbody, nodename)
|
||||
dnsinfo = cfg.get_node_attributes(nodename, ('dns.*'))
|
||||
dnsinfo = dnsinfo.get(nodename, {}).get('dns.domain', {}).get('value',
|
||||
None)
|
||||
if dnsinfo in nodename:
|
||||
dnsinfo = ''
|
||||
cert = sshutil.sign_host_key(reqbody, nodename, [dnsinfo])
|
||||
start_response('200 OK', (('Content-Type', 'text/plain'),))
|
||||
yield cert
|
||||
elif env['PATH_INFO'] == '/self/nodelist':
|
||||
nodes = set(cfg.list_nodes())
|
||||
domaininfo = cfg.get_node_attributes(nodes, 'dns.domain')
|
||||
for node in list(util.natural_sort(nodes)):
|
||||
domain = domaininfo.get(node, {}).get('dns.domain', {}).get(
|
||||
'value', None)
|
||||
if domain and domain not in node:
|
||||
nodes.add('{0}.{1}'.format(node, domain))
|
||||
for mgr in configmanager.list_collective():
|
||||
nodes.add(mgr)
|
||||
nodes.add(collective.get_myname())
|
||||
if domain and domain not in mgr:
|
||||
nodes.add('{0}.{1}'.format(mgr, domain))
|
||||
myname = collective.get_myname()
|
||||
nodes.add(myname)
|
||||
if domain and domain not in myname:
|
||||
nodes.add('{0}.{1}'.format(myname, domain))
|
||||
if isgeneric:
|
||||
start_response('200 OK', (('Content-Type', 'text/plain'),))
|
||||
for node in util.natural_sort(nodes):
|
||||
|
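Review bot: `if dnsinfo in nodename:` raises TypeError for a node that has no `dns.domain` attribute, because the preceding `.get('value', None)` yields None and `None in <str>` is not permitted; and when the domain is a substring of the node name the code still passes `['']` to `sshutil.sign_host_key`, which then builds a `nodename.` principal. Replace the three lines with `domain = dnsinfo.get(nodename, {}).get('dns.domain', {}).get('value', None)`, `domains = [domain] if domain and domain not in nodename else []`, and `cert = sshutil.sign_host_key(reqbody, nodename, domains)`. In the `/self/nodelist` branch, `domain` is reused after the node loop for the collective managers and for `myname`, so it carries the last sorted node's domain (and appears to be unbound when there are no nodes) rather than the manager's own; look the attribute up per manager instead. `('dns.*')` is a plain string, not a tuple — write `'dns.*'` (or `('dns.*',)`) so the intent is clear. handle_request starts and ends outside the hunk.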
@ -41,15 +41,19 @@ def initialize_ca():
|
||||
# newent = '@cert-authority * ' + capub.read()
|
||||
|
||||
|
||||
def sign_host_key(pubkey, nodename):
|
||||
def sign_host_key(pubkey, nodename, domains=()):
|
||||
tmpdir = tempfile.mkdtemp()
|
||||
try:
|
||||
pkeyname = os.path.join(tmpdir, 'hostkey.pub')
|
||||
with open(pkeyname, 'wb') as pubfile:
|
||||
pubfile.write(pubkey)
|
||||
principals = [nodename]
|
||||
for domain in domains:
|
||||
principals.append('{0}.{1}'.format(nodename, domain))
|
||||
principals = ','.join(principals)
|
||||
subprocess.check_call(
|
||||
['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,
|
||||
'-n', nodename, '-h', pkeyname])
|
||||
'-n', principals, '-h', pkeyname])
|
||||
certname = pkeyname.replace('.pub', '-cert.pub')
|
||||
with open(certname) as cert:
|
||||
return cert.read()
|
||||
@ -95,4 +99,4 @@ if __name__ == '__main__':
|
||||
initialize_root_key(True)
|
||||
if not ca_exists():
|
||||
initialize_ca()
|
||||
print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
|
||||
print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
|
||||
|
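Review bot: `principals.append('{0}.{1}'.format(nodename, domain))` has no guard on the entry, so an empty string yields the principal `nodename.` and a None yields `nodename.None`; the caller added in this commit does pass `''` when the domain is already part of the node name. Replace the loop with `principals.extend('{0}.{1}'.format(nodename, d) for d in domains if d)`. Because `-n` is a comma-delimited list for ssh-keygen, a domain value containing a comma would silently become an extra principal; as these values come from node attributes, validating them before the join is worth considering. The new `domains` parameter is undocumented; a docstring such as `"""Sign pubkey as a host key for nodename; each entry of domains adds a nodename.domain principal."""` would make the contract explicit. sign_host_key's try block closes outside the hunk, and the third hunk's print line reads the same on both sides on this page.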