From 75488b2abdedb58715a21e365573a64e4ab1c324 Mon Sep 17 00:00:00 2001 From: Ondrej Mular Date: Tue, 30 May 2017 16:47:55 +0200 Subject: [PATCH] squash bz1165821 pcs CLI/GUI should be capable of e60e02d store binary data in the corosync authkey file bf45303 cli: add option --no-hardened to 'cluster setup' 97dff2f web UI: add option to create not hardened cluster --- pcs/cli/common/parse_args.py | 2 +- pcs/cluster.py | 23 ++++++++++++++++------- pcs/lib/tools.py | 5 ++++- pcs/pcs.8 | 4 +++- pcs/usage.py | 3 +++ pcs/utils.py | 1 + pcsd/pcs.rb | 1 + pcsd/pcsd.rb | 3 ++- pcsd/remote.rb | 3 +++ pcsd/views/manage.erb | 9 +++++++++ 10 files changed, 43 insertions(+), 11 deletions(-) diff --git a/pcs/cli/common/parse_args.py b/pcs/cli/common/parse_args.py index e2250c7..5b87fbc 100644 --- a/pcs/cli/common/parse_args.py +++ b/pcs/cli/common/parse_args.py @@ -32,7 +32,7 @@ PCS_LONG_OPTIONS = [ "miss_count_const=", "fail_recv_const=", "corosync_conf=", "cluster_conf=", "booth-conf=", "booth-key=", - "remote", "watchdog=", "device=", + "remote", "watchdog=", "device=", "no-hardened", #in pcs status - do not display resorce status on inactive node "hide-inactive", # pcs resource (un)manage - enable or disable monitor operations diff --git a/pcs/cluster.py b/pcs/cluster.py index 0fc5e2c..0a9289b 100644 --- a/pcs/cluster.py +++ b/pcs/cluster.py @@ -70,7 +70,11 @@ from pcs.lib.node import NodeAddresses, NodeAddressesList from pcs.lib.nodes_task import check_corosync_offline_on_nodes, distribute_files from pcs.lib import node_communication_format import pcs.lib.pacemaker.live as lib_pacemaker -from pcs.lib.tools import environment_file_to_dict, generate_key +from pcs.lib.tools import ( + environment_file_to_dict, + generate_binary_key, + generate_key, +) def cluster_cmd(argv): if len(argv) == 0: @@ -381,7 +385,8 @@ def cluster_setup(argv): node_list, options["transport_options"], options["totem_options"], - options["quorum_options"] + options["quorum_options"], + modifiers["hardened"] ) process_library_reports(messages) @@ -453,11 +458,12 @@ def cluster_setup(argv): file_definitions.update( node_communication_format.pcmk_authkey_file(generate_key()) ) - file_definitions.update( - node_communication_format.corosync_authkey_file( - generate_key(random_bytes_count=128) + if modifiers["hardened"]: + file_definitions.update( + node_communication_format.corosync_authkey_file( + generate_binary_key(random_bytes_count=128) + ) ) - ) distribute_files( lib_env.node_communicator(), @@ -736,7 +742,8 @@ def cluster_setup_parse_options_cman(options, force=False): return parsed, messages def cluster_setup_create_corosync_conf( - cluster_name, node_list, transport_options, totem_options, quorum_options + cluster_name, node_list, transport_options, totem_options, quorum_options, + is_hardened ): messages = [] @@ -752,6 +759,8 @@ def cluster_setup_create_corosync_conf( totem_section.add_attribute("version", "2") totem_section.add_attribute("cluster_name", cluster_name) + if not is_hardened: + totem_section.add_attribute("secauth", "off") transport_options_names = ( "transport", diff --git a/pcs/lib/tools.py b/pcs/lib/tools.py index cd2d7f9..b9d7505 100644 --- a/pcs/lib/tools.py +++ b/pcs/lib/tools.py @@ -9,7 +9,10 @@ import os def generate_key(random_bytes_count=32): - return binascii.hexlify(os.urandom(random_bytes_count)) + return binascii.hexlify(generate_binary_key(random_bytes_count)) + +def generate_binary_key(random_bytes_count): + return os.urandom(random_bytes_count) def environment_file_to_dict(config): """ diff --git a/pcs/pcs.8 b/pcs/pcs.8 index 4edfc72..aee8b3a 100644 --- a/pcs/pcs.8 +++ b/pcs/pcs.8 @@ -205,7 +205,7 @@ Add specified utilization options to specified resource. If resource is not spec auth [node] [...] [\fB\-u\fR username] [\fB\-p\fR password] [\fB\-\-force\fR] [\fB\-\-local\fR] Authenticate pcs to pcsd on nodes specified, or on all nodes configured in the local cluster if no nodes are specified (authorization tokens are stored in ~/.pcs/tokens or /var/lib/pcsd/tokens for root). By default all nodes are also authenticated to each other, using \fB\-\-local\fR only authenticates the local node (and does not authenticate the remote nodes with each other). Using \fB\-\-force\fR forces re\-authentication to occur. .TP -setup [\fB\-\-start\fR [\fB\-\-wait\fR[=]]] [\fB\-\-local\fR] [\fB\-\-enable\fR] \fB\-\-name\fR [] [...] [\fB\-\-transport\fR udpu|udp] [\fB\-\-rrpmode\fR active|passive] [\fB\-\-addr0\fR [[[\fB\-\-mcast0\fR
] [\fB\-\-mcastport0\fR ] [\fB\-\-ttl0\fR ]] | [\fB\-\-broadcast0\fR]] [\fB\-\-addr1\fR [[[\fB\-\-mcast1\fR
] [\fB\-\-mcastport1\fR ] [\fB\-\-ttl1\fR ]] | [\fB\-\-broadcast1\fR]]]] [\fB\-\-wait_for_all\fR=<0|1>] [\fB\-\-auto_tie_breaker\fR=<0|1>] [\fB\-\-last_man_standing\fR=<0|1> [\fB\-\-last_man_standing_window\fR=