From 15b4979453ac9e85dc8e03d30d7ca440179dfc73 Mon Sep 17 00:00:00 2001 From: "Schmalzried, Terry (ts862m)" Date: Fri, 21 Aug 2020 15:59:22 -0400 Subject: Set Cloudify password Cloudify pod updates for sourcing password from CMPASS environment variable. Issue-ID: DCAEGEN2-1975 Change-Id: I5f297af9ad92389d0901eee463ea175751853838 Signed-off-by: Schmalzried, Terry (ts862m) --- cm-container/Dockerfile-template | 9 +++-- cm-container/README.md | 2 +- cm-container/pom.xml | 2 +- cm-container/reset_admin.py | 54 ++++++++++++++++++++++++++++++ cm-container/scripts/cloudify-ready.sh | 24 +++++++++++-- cm-container/scripts/dcae-cleanup.sh | 12 ++++--- cm-container/scripts/load-plugins.sh | 8 +++-- cm-container/scripts/set-admin-password.sh | 39 +++++++++++++++++++++ cm-container/scripts/setup-secret.sh | 1 - 9 files changed, 134 insertions(+), 17 deletions(-) create mode 100644 cm-container/reset_admin.py create mode 100755 cm-container/scripts/set-admin-password.sh diff --git a/cm-container/Dockerfile-template b/cm-container/Dockerfile-template index 5e6d846..e79099d 100644 --- a/cm-container/Dockerfile-template +++ b/cm-container/Dockerfile-template @@ -13,20 +13,23 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -FROM cloudifyplatform/community:19.01.24 +FROM cloudifyplatform/community-cloudify-manager-aio:20.03.03 ENV PLUGIN_REPO {{ ONAPTEMPLATE_RAWREPOURL_org_onap_dcaegen2_platform_plugins_releases }} # Store plugin files locally RUN mkdir scripts COPY scripts/* scripts/ +COPY reset_admin.py /opt/manager/ # Load our plugin files # Setup rc.local to set up k8s credentials for CM -RUN scripts/get-plugins.sh ${PLUGIN_REPO} \ +RUN chmod +x /opt/manager/reset_admin.py\ && chmod +x scripts/*.sh\ + && scripts/get-plugins.sh ${PLUGIN_REPO} \ && /scripts/configure-tls.sh\ && echo "/scripts/setup-secret.sh" >> /etc/rc.d/rc.local\ - && echo "/scripts/load-plugins.sh > /load-plugins.log 2>&1" >> /etc/rc.d/rc.local\ + && echo "/scripts/set-admin-password.sh" >> /etc/rc.d/rc.local\ + && echo "/scripts/load-plugins.sh >/load-plugins.log 2>&1" >> /etc/rc.d/rc.local\ && chmod +x /etc/rc.d/rc.local # Create mount point for CM config file RUN mkdir -p /opt/onap && chown cfyuser:cfyuser /opt/onap diff --git a/cm-container/README.md b/cm-container/README.md index 3e3d45a..03b9634 100644 --- a/cm-container/README.md +++ b/cm-container/README.md @@ -58,7 +58,7 @@ The last command in the script is the command from the original Cloudify version which then brings up the many other processes needed for a working instance of Cloudify Manager. ## The `setup-secret.sh` script -When Kubernetes starts a container, it mounts a directory containing the credentials that the container needs to access the Kubernetes API on the local Kubernetes cluster. The mountpoint is `/var/run/secrets/kubernetes.io/serviceaccount`. Something about the way that Cloudify Manager is started (possibly because `/sbin/init` is run) causes this mountpoint to be hidden. `setup-secret.sh` will recreated the directory if it's not present and symbolically link it to a copy of the credentials mounted at `/secret` in the container file system. This gives Cloudify Manager the credentials that the Kubernetes plugin needs to deploy Kubernetes-based DCAE components. +When Kubernetes starts a container, it mounts a directory containing the credentials that the container needs to access the Kubernetes API on the local Kubernetes cluster. The mountpoint is `/var/run/secrets/kubernetes.io/serviceaccount`. Something about the way that Cloudify Manager is started (possibly because `/sbin/init` is run) causes this mountpoint to be hidden. `setup-secret.sh` will recreate the directory if it's not present and symbolically link it to a copy of the credentials mounted at `/secret` in the container file system. This gives Cloudify Manager the credentials that the Kubernetes plugin needs to deploy Kubernetes-based DCAE components. `setup-secret.sh` needs to run after '/sbin/init'. The Dockerfile installs it in the `rc.local` script that runs at startup. diff --git a/cm-container/pom.xml b/cm-container/pom.xml index 5024f25..8909a7e 100644 --- a/cm-container/pom.xml +++ b/cm-container/pom.xml @@ -27,7 +27,7 @@ limitations under the License. org.onap.dcaegen2.deployments cm-container dcaegen2-deployments-cm-container - 3.1.0 + 3.2.0 http://maven.apache.org UTF-8 diff --git a/cm-container/reset_admin.py b/cm-container/reset_admin.py new file mode 100644 index 0000000..c7a7672 --- /dev/null +++ b/cm-container/reset_admin.py @@ -0,0 +1,54 @@ +######## +# Copyright (c) 2018 Cloudify Platform Ltd. All rights reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. + +#!/usr/bin/env python + +import subprocess +import json +import argparse +from flask_security.utils import encrypt_password +from manager_rest.flask_utils import setup_flask_app + + +def db_update_password(password): + password = encrypt_new_password(password) + password = password.replace('$', '\$') + sql_command = "\"update users set password='" + password + "' where username='admin'\"" + cmd = "sudo -u postgres psql cloudify_db -c " + sql_command + subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) + + +def get_salt(): + with open('/opt/manager/rest-security.conf') as f: + rest_security = json.load(f) + + return rest_security['hash_salt'] + + +def encrypt_new_password(password): + app = setup_flask_app(hash_salt=get_salt()) + with app.app_context(): + password = encrypt_password(password) + return password + + +if __name__ == '__main__': + + parser = argparse.ArgumentParser(description=('Reset admin password in DB according to rest-security.conf')) + parser.add_argument('-p', '--password', required=True, help='New admin password') + args = parser.parse_args() + + db_update_password(args.password) + print 'Done!\n' diff --git a/cm-container/scripts/cloudify-ready.sh b/cm-container/scripts/cloudify-ready.sh index 60b48e6..0cb3e6e 100644 --- a/cm-container/scripts/cloudify-ready.sh +++ b/cm-container/scripts/cloudify-ready.sh @@ -2,7 +2,7 @@ # ============LICENSE_START======================================================= # org.onap.dcae # ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -41,14 +41,32 @@ # | Riemann | running | # +--------------------------------+---------+ # -# When an individual service is not running, it will have a status other than "running". +# or: +# +# cfy status +# Retrieving manager services status... [ip=dcae-cloudify-manager] +# +# Services: +# +--------------------------------+--------+ +# | service | status | +# +--------------------------------+--------+ +# | Cloudify Console | Active | +# | PostgreSQL | Active | +# | AMQP-Postgres | Active | +# | Manager Rest-Service | Active | +# | RabbitMQ | Active | +# | Webserver | Active | +# | Management Worker | Active | +# +--------------------------------+--------+ +# +# When an individual service is not running, it will have a status other than "running" or "Active". # If the Cloudify API cannot be reached, the "Services:" line will not appear. STAT=$(cfy status) if (echo "${STAT}" | grep "^Services:$") then echo "Got a status response" - if !(echo "${STAT}" | egrep '^\| [[:alnum:]]+'| grep -iv '| running ') + if !(echo "${STAT}" | egrep '^\| [[:alnum:]]+'| egrep -iv ' Active | running ') then echo "All services running" exit 0 diff --git a/cm-container/scripts/dcae-cleanup.sh b/cm-container/scripts/dcae-cleanup.sh index ce5c56b..b95b639 100755 --- a/cm-container/scripts/dcae-cleanup.sh +++ b/cm-container/scripts/dcae-cleanup.sh @@ -1,6 +1,6 @@ #!/bin/bash # ================================================================================ -# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -43,10 +43,12 @@ set -x set +e -# Get the CM admin password from the config file -# Brittle, but the container is built with an unchanging version of CM, -# so no real risk of a breaking change -CMPASS=$(grep 'admin_password:' /etc/cloudify/config.yaml | cut -d ':' -f2 | tr -d ' ') +# Expect Cloudify password to be in file mounted from Kubernetes secret, +# but allow overriding by CMPASS environment variable, +# and if not provided, use the default +CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)} +CMPASS=${CMPASS:-admin} + TYPENAMES=[\\\"dcae.nodes.ContainerizedServiceComponent\\\",\\\"dcae.nodes.ContainerizedServiceComponentUsingDmaap\\\",\\\"dcae.nodes.ContainerizedPlatformComponent\\\",\\\"dcae.nodes.ContainerizedApplication\\\"] # Uninstall components managed by Cloudify diff --git a/cm-container/scripts/load-plugins.sh b/cm-container/scripts/load-plugins.sh index f4d1f66..5a342dd 100755 --- a/cm-container/scripts/load-plugins.sh +++ b/cm-container/scripts/load-plugins.sh @@ -25,8 +25,10 @@ CMADDR=${CMADDR:-dcae-cloudify-manager} CMPROTO=${CMPROTO:-https} CMPORT=${CMPORT:-443} -# Password is currently fixed at the default -# Eventually the password will be passed in as an environment variable +# Expect Cloudify password to be in file mounted from Kubernetes secret, +# but allow overriding by CMPASS environment variable, +# and if not provided, use the default +CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)} CMPASS=${CMPASS:-admin} # Set up additional parameters for using HTTPS @@ -100,4 +102,4 @@ then touch ${PLUGINS_LOADED} else echo "Plugins already loaded" -fi \ No newline at end of file +fi diff --git a/cm-container/scripts/set-admin-password.sh b/cm-container/scripts/set-admin-password.sh new file mode 100755 index 0000000..5b9ca27 --- /dev/null +++ b/cm-container/scripts/set-admin-password.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# ============LICENSE_START======================================================= +# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# Runs at deployment time to set cloudify's admin password + +# Wait for Cloudify Manager to come up +while ! /scripts/cloudify-ready.sh +do + echo "Waiting for CM to come up" + sleep 15 +done + +# Expect Cloudify password to be in file mounted from Kubernetes secret, +# but allow overriding by CMPASS environment variable, +# and if not provided, use the default +CMPASS=${CMPASS:-$(cat /opt/onap/cm-secrets/password 2>/dev/null)} +CMPASS=${CMPASS:-admin} + +# Set Cloudify's admin password +cd /opt/manager +cfy_manager --reset_admin_password $CMPASS || ./env/bin/python reset_admin.py -p $CMPASS + +# Set the password used by the cfy client +cfy profile set -p $CMPASS + +echo "Cloudify password set" diff --git a/cm-container/scripts/setup-secret.sh b/cm-container/scripts/setup-secret.sh index 848ed28..a3ee6c5 100755 --- a/cm-container/scripts/setup-secret.sh +++ b/cm-container/scripts/setup-secret.sh @@ -1,4 +1,3 @@ - #!/bin/bash # ================================================================================ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -- cgit 1.2.3-korg