From c89a165c6a63a3917a3e3c42d8172a79c2cf2207 Mon Sep 17 00:00:00 2001 From: Jarrod Johnson Date: Fri, 4 Apr 2014 09:09:00 -0400 Subject: [PATCH] Simplify IPMI credential management The strategy was going to allow for a distinct IPMI account for automation from other protocols. However, this is pretty complicated to explain to people. The thought before was that the HTTPS/SSH type access could use a passphrase that is easy to remember whilst ipmi accounts would tend to be randomized. Instead, have the software managed authentication info be used across all protocols and avail endpoint of user management to add human-friendly accounts if needed (disabling IPMI/SNMP by default in such cases). --- confluent/config/attributes.py | 52 +++++++++++++++--------------- plugins/hardwaremanagement/ipmi.py | 20 +++++------- 2 files changed, 34 insertions(+), 38 deletions(-) diff --git a/confluent/config/attributes.py b/confluent/config/attributes.py index 62bf2802..f16a48f0 100644 --- a/confluent/config/attributes.py +++ b/confluent/config/attributes.py 
@@ -212,32 +212,32 @@ node = {
 'secret.ipmikg': {
 'description': 'Optional Integrity key for IPMI communication'
 },
- 'secret.ipmiuser': {
- 'description': ('The username to use to log into IPMI device related '
- 'to the node. For setting username, default behavior '
- 'is to randomize username, for using username if not '
- 'set, USERID is assumed'),
- },
- 'secret.ipmipassphrase': {
- 'description': ('The key to use to authenticate to IPMI device related '
- 'to the node. For setting passphrase, default behavior '
- 'is to randomize passphrase and store it here. If going '
- 'to connect over the network and value is not set, '
- 'PASSW0RD is attempted')
- },
-# 'secret.managementuser': {
-# 'description': ('Username to be set and used by protocols like SSH and '
-# 'HTTP where client provides passphrase over the network.'
-# 'Given the distinct security models betwen this class '
-# 'of protocols and SNMP and IPMI, snmp and ipmi utilize '
-# 'dedicated values.'),
+# 'secret.ipmiuser': {
+# 'description': ('The username to use to log into IPMI device related '
+# 'to the node. For setting username, default behavior '
+# 'is to randomize username, for using username if not '
+# 'set, USERID is assumed'),
 # },
-# 'secret.managementpassphrase': {
-# 'description': ('Passphrase to be set and used by protocols like SSH '
-# 'and HTTP, where client sends passphrase over the '
-# 'network. Given distinct security models between '
-# 'this class of protocols, SNMP, and IPMI, SNMP and '
-# 'IPMI are given their own settings with distinct '
-# 'behaviors'),
+# 'secret.ipmipassphrase': {
+# 'description': ('The key to use to authenticate to IPMI device related '
+# 'to the node. For setting passphrase, default behavior '
+# 'is to randomize passphrase and store it here. 
If going ' +# 'to connect over the network and value is not set, ' +# 'PASSW0RD is attempted') # }, + 'secret.hardwaremanagementuser': { + 'description': ('Username to be set and used by protocols like SSH and ' + 'HTTP where client provides passphrase over the network.' + 'Given the distinct security models betwen this class ' + 'of protocols and SNMP and IPMI, snmp and ipmi utilize ' + 'dedicated values.'), + }, + 'secret.hardwaremanagementpassphrase': { + 'description': ('Passphrase to be set and used by protocols like SSH ' + 'and HTTP, where client sends passphrase over the ' + 'network. Given distinct security models between ' + 'this class of protocols, SNMP, and IPMI, SNMP and ' + 'IPMI are given their own settings with distinct ' + 'behaviors'), + }, } diff --git a/plugins/hardwaremanagement/ipmi.py b/plugins/hardwaremanagement/ipmi.py index 62ba2ba8..4d704302 100644 --- a/plugins/hardwaremanagement/ipmi.py +++ b/plugins/hardwaremanagement/ipmi.py @@ -31,15 +31,11 @@ def _ipmi_evtloop(): def get_conn_params(node, configdata): - if 'secret.ipmiuser' in configdata: - username = configdata['secret.ipmiuser']['value'] - elif 'secret.managementuser' in configdata: + if 'secret.hardwaremanagementuser' in configdata: username = configdata['secret.managementuser']['value'] else: username = 'USERID' - if 'secret.ipmipassphrase' in configdata: - passphrase = configdata['secret.ipmipassphrase']['value'] - elif 'secret.managementpassphrase' in configdata: + if 'secret.hardwaremanagementpassphrase' in configdata: passphrase = configdata['secret.managementpassphrase']['value'] else: passphrase = 'PASSW0RD' # for lack of a better guess 
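Review bot: The descriptions added for `secret.hardwaremanagementuser` and `secret.hardwaremanagementpassphrase` still say that "snmp and ipmi utilize dedicated values" and that "SNMP and IPMI are given their own settings", which is the opposite of what this patch does: the `get_conn_params` hunk in the ipmi plugin now reads exactly these two attributes for IPMI logins, and the dedicated `secret.ipmiuser`/`secret.ipmipassphrase` entries are commented out. These strings are what an operator sees when inspecting attributes, so stale text here invites someone to set a weak shared passphrase in the belief that IPMI is unaffected. Suggest rewording the user entry to `'Username to be set and used by all hardware management protocols (IPMI, SSH, HTTP); if unset, a protocol-specific default may be attempted'`, the passphrase entry analogously, and fixing the typo "betwen" if any of that sentence survives. The closing `}` of the `node` dict is the last line of the hunk; the rest of the dict is outside it.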
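Review bot: The two rewritten conditions in `get_conn_params` test `'secret.hardwaremanagementuser'` and `'secret.hardwaremanagementpassphrase'`, but the untouched assignment lines beneath them still index `configdata['secret.managementuser']` and `configdata['secret.managementpassphrase']`, so any node that actually has the new attributes set raises `KeyError` here (the callers in the other hunks of this patch no longer request the `secret.management*` keys at all). The assignments should be `username = configdata['secret.hardwaremanagementuser']['value']` and `passphrase = configdata['secret.hardwaremanagementpassphrase']['value']`. Note the asymmetry this creates: unconfigured nodes still silently fall back to `'USERID'`/`'PASSW0RD'`, while nodes with managed credentials cannot connect at all, which is the reverse of what a credential-hardening change should produce. The remainder of `get_conn_params`, including its return value, lies outside this hunk.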
@@ -68,9 +64,9 @@ class IpmiConsole(conapi.Console):
 config.decrypt = True
 self.broken = False
 configdata = config.get_node_attributes([node],
- ['secret.ipmiuser', 'secret.ipmipassphrase',
- 'secret.managementuser', 'secret.managementpassphrase',
- 'hardwaremanagement.manager'])
+ ['secret.hardwaremanagementuser',
+ 'secret.hardwaremanagementpassphrase',
+ 'secret.ipmikg', 'hardwaremanagement.manager'])
 connparams = get_conn_params(node, configdata[node])
 config.decrypt = crypt
 self.username = connparams['username']
@@ -121,9 +117,9 @@ class IpmiIterator(object):
 crypt = cfg.decrypt
 cfg.decrypt = True
 configdata = cfg.get_node_attributes(nodes,
- ['secret.ipmiuser', 'secret.ipmipassphrase',
- 'secret.managementuser', 'secret.managementpassphrase',
- 'hardwaremanagement.manager'])
+ ['secret.hardwaremanagementuser',
+ 'secret.hardwaremanagementpassphrase',
+ 'secret.ipmikg', 'hardwaremanagement.manager'])
 cfg.decrypt = crypt
 self.gpile = greenpool.GreenPile()
 for node in nodes:
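Review bot: The attribute list passed to `get_node_attributes` is duplicated verbatim in the `IpmiConsole` and `IpmiIterator` hunks, and it must additionally agree with the keys `get_conn_params` reads; keeping three hand-maintained copies in sync is exactly how the key-name mismatch in the `get_conn_params` hunk of this same patch arose. A single module-level constant defined outside these hunks, e.g. `_CONN_ATTRIBUTES = ['secret.hardwaremanagementuser', 'secret.hardwaremanagementpassphrase', 'secret.ipmikg', 'hardwaremanagement.manager']`, used as `configdata = config.get_node_attributes([node], _CONN_ATTRIBUTES)` here and as `cfg.get_node_attributes(nodes, _CONN_ATTRIBUTES)` in `IpmiIterator`, removes that drift. Separately, `secret.ipmikg` is newly fetched while `decrypt` is forced on in both places, yet the visible part of `get_conn_params` never reads it; if the integrity key is consumed further down that function a short comment saying so would help, otherwise the secret is being decrypted for no consumer. Both enclosing methods start and end outside their hunks.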