mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-25 19:10:10 +00:00
Simplify IPMI credential management
The strategy was going to allow for a distinct IPMI account for automation from other protocols. However, this is pretty complicated to explain to people. The thought before was that the HTTPS/SSH type access could use a passphrase that is easy to remember whilst ipmi accounts would tend to be randomized. Instead, have the software managed authentication info be used across all protocols and avail endpoint of user management to add human-friendly accounts if needed (disabling IPMI/SNMP by default in such cases).
This commit is contained in:
parent
aadbfdb29a
commit
c89a165c6a
@ -212,32 +212,32 @@ node = {
|
||||
'secret.ipmikg': {
|
||||
'description': 'Optional Integrity key for IPMI communication'
|
||||
},
|
||||
'secret.ipmiuser': {
|
||||
'description': ('The username to use to log into IPMI device related '
|
||||
'to the node. For setting username, default behavior '
|
||||
'is to randomize username, for using username if not '
|
||||
'set, USERID is assumed'),
|
||||
},
|
||||
'secret.ipmipassphrase': {
|
||||
'description': ('The key to use to authenticate to IPMI device related '
|
||||
'to the node. For setting passphrase, default behavior '
|
||||
'is to randomize passphrase and store it here. If going '
|
||||
'to connect over the network and value is not set, '
|
||||
'PASSW0RD is attempted')
|
||||
},
|
||||
# 'secret.managementuser': {
|
||||
# 'description': ('Username to be set and used by protocols like SSH and '
|
||||
# 'HTTP where client provides passphrase over the network.'
|
||||
# 'Given the distinct security models betwen this class '
|
||||
# 'of protocols and SNMP and IPMI, snmp and ipmi utilize '
|
||||
# 'dedicated values.'),
|
||||
# 'secret.ipmiuser': {
|
||||
# 'description': ('The username to use to log into IPMI device related '
|
||||
# 'to the node. For setting username, default behavior '
|
||||
# 'is to randomize username, for using username if not '
|
||||
# 'set, USERID is assumed'),
|
||||
# },
|
||||
# 'secret.managementpassphrase': {
|
||||
# 'description': ('Passphrase to be set and used by protocols like SSH '
|
||||
# 'and HTTP, where client sends passphrase over the '
|
||||
# 'network. Given distinct security models between '
|
||||
# 'this class of protocols, SNMP, and IPMI, SNMP and '
|
||||
# 'IPMI are given their own settings with distinct '
|
||||
# 'behaviors'),
|
||||
# 'secret.ipmipassphrase': {
|
||||
# 'description': ('The key to use to authenticate to IPMI device related '
|
||||
# 'to the node. For setting passphrase, default behavior '
|
||||
# 'is to randomize passphrase and store it here. If going '
|
||||
# 'to connect over the network and value is not set, '
|
||||
# 'PASSW0RD is attempted')
|
||||
# },
|
||||
'secret.hardwaremanagementuser': {
|
||||
'description': ('Username to be set and used by protocols like SSH and '
|
||||
'HTTP where client provides passphrase over the network.'
|
||||
'Given the distinct security models betwen this class '
|
||||
'of protocols and SNMP and IPMI, snmp and ipmi utilize '
|
||||
'dedicated values.'),
|
||||
},
|
||||
'secret.hardwaremanagementpassphrase': {
|
||||
'description': ('Passphrase to be set and used by protocols like SSH '
|
||||
'and HTTP, where client sends passphrase over the '
|
||||
'network. Given distinct security models between '
|
||||
'this class of protocols, SNMP, and IPMI, SNMP and '
|
||||
'IPMI are given their own settings with distinct '
|
||||
'behaviors'),
|
||||
},
|
||||
}
|
||||
|
@ -31,15 +31,11 @@ def _ipmi_evtloop():
|
||||
|
||||
|
||||
def get_conn_params(node, configdata):
|
||||
if 'secret.ipmiuser' in configdata:
|
||||
username = configdata['secret.ipmiuser']['value']
|
||||
elif 'secret.managementuser' in configdata:
|
||||
if 'secret.hardwaremanagementuser' in configdata:
|
||||
username = configdata['secret.managementuser']['value']
|
||||
else:
|
||||
username = 'USERID'
|
||||
if 'secret.ipmipassphrase' in configdata:
|
||||
passphrase = configdata['secret.ipmipassphrase']['value']
|
||||
elif 'secret.managementpassphrase' in configdata:
|
||||
if 'secret.hardwaremanagementpassphrase' in configdata:
|
||||
passphrase = configdata['secret.managementpassphrase']['value']
|
||||
else:
|
||||
passphrase = 'PASSW0RD' # for lack of a better guess
|
||||
@ -68,9 +64,9 @@ class IpmiConsole(conapi.Console):
|
||||
config.decrypt = True
|
||||
self.broken = False
|
||||
configdata = config.get_node_attributes([node],
|
||||
['secret.ipmiuser', 'secret.ipmipassphrase',
|
||||
'secret.managementuser', 'secret.managementpassphrase',
|
||||
'hardwaremanagement.manager'])
|
||||
['secret.hardwaremanagementuser',
|
||||
'secret.hardwaremanagementpassphrase',
|
||||
'secret.ipmikg', 'hardwaremanagement.manager'])
|
||||
connparams = get_conn_params(node, configdata[node])
|
||||
config.decrypt = crypt
|
||||
self.username = connparams['username']
|
||||
@ -121,9 +117,9 @@ class IpmiIterator(object):
|
||||
crypt = cfg.decrypt
|
||||
cfg.decrypt = True
|
||||
configdata = cfg.get_node_attributes(nodes,
|
||||
['secret.ipmiuser', 'secret.ipmipassphrase',
|
||||
'secret.managementuser', 'secret.managementpassphrase',
|
||||
'hardwaremanagement.manager'])
|
||||
['secret.hardwaremanagementuser',
|
||||
'secret.hardwaremanagementpassphrase',
|
||||
'secret.ipmikg', 'hardwaremanagement.manager'])
|
||||
cfg.decrypt = crypt
|
||||
self.gpile = greenpool.GreenPile()
|
||||
for node in nodes:
|
||||
|
Loading…
Reference in New Issue
Block a user