Simplify IPMI credential management

The strategy was going to allow for a distinct IPMI account for automation
from other protocols.  However, this is pretty complicated to explain to
people.  The thought before was that the HTTPS/SSH type access could use
a passphrase that is easy to remember whilst ipmi accounts would tend
to be randomized.  Instead, have the software managed authentication
info be used across all protocols and avail endpoint of user management
to add human-friendly accounts if needed (disabling IPMI/SNMP by default
in such cases).

confluent/config/attributes.py

@@ -212,32 +212,32 @@ node = {
     'secret.ipmikg': {
         'description': 'Optional Integrity key for IPMI communication'
     },
-    'secret.ipmiuser': {
-        'description': ('The username to use to log into IPMI device related '
-                        'to the node.  For setting username, default behavior '
-                        'is to randomize username, for using username if not '
-                        'set, USERID is assumed'),
-    },
-    'secret.ipmipassphrase': {
-        'description': ('The key to use to authenticate to IPMI device related '
-                        'to the node.  For setting passphrase, default behavior '
-                        'is to randomize passphrase and store it here.  If going '
-                        'to connect over the network and value is not set, '
-                        'PASSW0RD is attempted')
-    },
-#    'secret.managementuser': {
-#        'description': ('Username to be set and used by protocols like SSH and '
-#                        'HTTP where client provides passphrase over the network.'
-#                        'Given the distinct security models betwen this class '
-#                        'of protocols and SNMP and IPMI, snmp and ipmi utilize '
-#                        'dedicated values.'),
+#    'secret.ipmiuser': {
+#        'description': ('The username to use to log into IPMI device related '
+#                        'to the node.  For setting username, default behavior '
+#                        'is to randomize username, for using username if not '
+#                        'set, USERID is assumed'),
 #    },
-#    'secret.managementpassphrase': {
-#        'description': ('Passphrase to be set and used by protocols like SSH '
-#                        'and HTTP, where client sends passphrase over the '
-#                        'network.  Given distinct security models between '
-#                        'this class of protocols, SNMP, and IPMI, SNMP and '
-#                        'IPMI are given their own settings with distinct '
-#                        'behaviors'),
+#    'secret.ipmipassphrase': {
+#        'description': ('The key to use to authenticate to IPMI device related '
+#                        'to the node.  For setting passphrase, default behavior '
+#                        'is to randomize passphrase and store it here.  If going '
+#                        'to connect over the network and value is not set, '
+#                        'PASSW0RD is attempted')
 #    },
+    'secret.hardwaremanagementuser': {
+        'description': ('Username to be set and used by protocols like SSH and '
+                        'HTTP where client provides passphrase over the network.'
+                        'Given the distinct security models betwen this class '
+                        'of protocols and SNMP and IPMI, snmp and ipmi utilize '
+                        'dedicated values.'),
+    },
+    'secret.hardwaremanagementpassphrase': {
+        'description': ('Passphrase to be set and used by protocols like SSH '
+                        'and HTTP, where client sends passphrase over the '
+                        'network.  Given distinct security models between '
+                        'this class of protocols, SNMP, and IPMI, SNMP and '
+                        'IPMI are given their own settings with distinct '
+                        'behaviors'),
+    },
 }

plugins/hardwaremanagement/ipmi.py

@@ -31,15 +31,11 @@ def _ipmi_evtloop():
 
 
 def get_conn_params(node, configdata):
-    if 'secret.ipmiuser' in configdata:
-        username = configdata['secret.ipmiuser']['value']
-    elif 'secret.managementuser' in configdata:
+    if 'secret.hardwaremanagementuser' in configdata:
         username = configdata['secret.managementuser']['value']
     else:
         username = 'USERID'
-    if 'secret.ipmipassphrase' in configdata:
-        passphrase = configdata['secret.ipmipassphrase']['value']
-    elif 'secret.managementpassphrase' in configdata:
+    if 'secret.hardwaremanagementpassphrase' in configdata:
         passphrase = configdata['secret.managementpassphrase']['value']
     else:
         passphrase = 'PASSW0RD' # for lack of a better guess
@@ -68,9 +64,9 @@ class IpmiConsole(conapi.Console):
         config.decrypt = True
         self.broken = False
         configdata = config.get_node_attributes([node],
-            ['secret.ipmiuser', 'secret.ipmipassphrase',
-             'secret.managementuser', 'secret.managementpassphrase',
-             'hardwaremanagement.manager'])
+            ['secret.hardwaremanagementuser',
+             'secret.hardwaremanagementpassphrase',
+             'secret.ipmikg', 'hardwaremanagement.manager'])
         connparams = get_conn_params(node, configdata[node])
         config.decrypt = crypt
         self.username = connparams['username']
@@ -121,9 +117,9 @@ class IpmiIterator(object):
         crypt = cfg.decrypt
         cfg.decrypt = True
         configdata = cfg.get_node_attributes(nodes,
-            ['secret.ipmiuser', 'secret.ipmipassphrase',
-             'secret.managementuser', 'secret.managementpassphrase',
-             'hardwaremanagement.manager'])
+            ['secret.hardwaremanagementuser',
+             'secret.hardwaremanagementpassphrase',
+             'secret.ipmikg', 'hardwaremanagement.manager'])
         cfg.decrypt = crypt
         self.gpile = greenpool.GreenPile()
         for node in nodes: