Author: arkurth
Date: Wed Jun 7 21:10:44 2017
New Revision: 1798002
URL: http://svn.apache.org/viewvc?rev=1798002&view=rev
Log:
VCL-1045
Added explicit DataStructure.pm::get_vmhost_profile_password subroutine.
Updated utils.pm::get_vmhost_info to retrieve the cryptsecret if
vmprofile.secretid is set.
Removed the vmprofile.secretid foreign-key constraint from vcl.sql and update-vcl.sql.
Modified:
vcl/trunk/managementnode/lib/VCL/DataStructure.pm
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm
vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm
vcl/trunk/managementnode/lib/VCL/utils.pm
vcl/trunk/mysql/update-vcl.sql
vcl/trunk/mysql/vcl.sql
Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Wed Jun 7 21:10:44 2017
@@ -284,9 +284,10 @@ $SUBROUTINE_MAPPINGS{vmhost_profile_virt
$SUBROUTINE_MAPPINGS{vmhost_profile_vmdisk} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{vmdisk}';
$SUBROUTINE_MAPPINGS{vmhost_profile_vmpath} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{vmpath}';
$SUBROUTINE_MAPPINGS{vmhost_profile_username} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{username}';
-$SUBROUTINE_MAPPINGS{vmhost_profile_password} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{password}';
+#$SUBROUTINE_MAPPINGS{vmhost_profile_password} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{password}';
$SUBROUTINE_MAPPINGS{vmhost_profile_eth0generated} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{eth0generated}';
$SUBROUTINE_MAPPINGS{vmhost_profile_eth1generated} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{eth1generated}';
+$SUBROUTINE_MAPPINGS{vmhost_profile_secret_id} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{secretid}';
$SUBROUTINE_MAPPINGS{vmhost_repository_imagetype_name} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{repositoryimagetype}{name}';
$SUBROUTINE_MAPPINGS{vmhost_datastore_imagetype_name} =
'$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{datastoreimagetype}{name}';
@@ -2798,7 +2799,7 @@ sub get_image_domain_password {
}
my $image_domain_password =
$self->mn_os->decrypt_cryptsecret($secret_id, $encrypted_password);
- #notify($ERRORS{'DEBUG'}, 0, string_to_ascii($image_domain_password));
+ #notify($ERRORS{'DEBUG'}, 0, "retrieved Active Directory domain
password: '$image_domain_password'");
return $image_domain_password;
}
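Review bot: The replacement debug line, although commented out, would write the decrypted Active Directory domain password in clear text to the log as soon as someone uncomments it, and the `'$image_domain_password'` interpolation makes that a one-character change. Remove the line instead of leaving a latent credential leak; if a trace is wanted, log only the non-secret identifier: `notify($ERRORS{'DEBUG'}, 0, "retrieved Active Directory domain password for secret ID $secret_id");`. get_image_domain_password begins outside this hunk, so the surrounding error handling was not reviewed.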
@@ -2838,6 +2839,49 @@ sub get_domain_credentials {
}
#//////////////////////////////////////////////////////////////////////////////
+
+=head2 get_vmhost_profile_password
+
+ Parameters : $display_warnings (optional)
+ Returns : string
+ Description : Returns the decrypted VM host profile password if both
+ vmprofile.password and vmprofile.secretid are set. If
+ vmprofile.password is set but vmprofile.secretid is not, assumes
+ the password was set prior to VCL 2.5 and returns raw value of
+ vmprofile.password.
+
+=cut
+
+sub get_vmhost_profile_password {
+ my $self = shift;
+ if (ref($self) !~ /VCL::/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
+ return 0;
+ }
+
+ my $display_warnings = shift;
+ $display_warnings = 1 unless defined($display_warnings);
+
+ my $reservation_id = $self->reservation_id();
+
+ my $password =
$self->request_data->{reservation}{$reservation_id}{computer}{vmhost}{vmprofile}{password};
+ if (!defined($password)) {
+ notify($ERRORS{'WARNING'}, 0, "failed to retrieve decrypted VM
profile password, vmprofile.password is not defined in this DataStructure.pm
object") if $display_warnings;
+ return;
+ }
+
+ my $secret_id = $self->get_vmhost_profile_secret_id();
+ if (!defined($secret_id)) {
+ notify($ERRORS{'DEBUG'}, 0, "vmprofile.password is set but
vmprofile.secretid is NOT, assuming vmprofile.password is a pre-VCL 2.5
clear-text password: '$password'");
+ return $password;
+ }
+
+ my $decrypted_password = $self->mn_os->decrypt_cryptsecret($secret_id,
$password);
+ notify($ERRORS{'DEBUG'}, 0, "decrypted VM profile password:
'$decrypted_password'");
+ return $decrypted_password;
+}
+
+#//////////////////////////////////////////////////////////////////////////////
1;
__END__
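Review bot: The new get_vmhost_profile_password logs the VM host credential in clear text at DEBUG level on both return paths — the legacy branch interpolates `'$password'` and the decrypt branch interpolates `'$decrypted_password'` — so every reservation that initializes a VMware provisioner writes the host password to the management node log. The return value of decrypt_cryptsecret is also not checked, so a failed decryption returns undef without any warning even when $display_warnings is set (and the warnings inside decrypt_cryptsecret are being commented out in this same commit). Log only the secret ID, and treat an undefined decryption result as a failure:

```perl
	my $secret_id = $self->get_vmhost_profile_secret_id();
	if (!defined($secret_id)) {
		# Pre-VCL 2.5 profiles stored the password in clear text; never echo it to the log
		notify($ERRORS{'DEBUG'}, 0, "vmprofile.password is set but vmprofile.secretid is NOT, assuming vmprofile.password is a pre-VCL 2.5 clear-text password");
		return $password;
	}
	
	my $decrypted_password = $self->mn_os->decrypt_cryptsecret($secret_id, $password);
	if (!defined($decrypted_password)) {
		notify($ERRORS{'WARNING'}, 0, "failed to decrypt VM profile password, secret ID: $secret_id") if $display_warnings;
		return;
	}
	notify($ERRORS{'DEBUG'}, 0, "decrypted VM profile password for secret ID $secret_id");
	return $decrypted_password;
```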
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm
(original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm Wed Jun
7 21:10:44 2017
@@ -682,7 +682,7 @@ sub _get_private_key_object_from_file {
$rsa_private =
Crypt::OpenSSL::RSA->new_private_key($private_key_file_string);
};
if ($EVAL_ERROR || !$rsa_private) {
- notify($ERRORS{'WARNING'}, 0, "failed to create private key
file Crypt::OpenSSL::RSA object from $private_key_file_path on
$management_node_short_name" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : ''));
+ notify($ERRORS{'WARNING'}, 0, "failed to create
Crypt::OpenSSL::RSA object from $private_key_file_path on
$management_node_short_name" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : ''));
return;
}
@@ -729,71 +729,6 @@ sub extract_public_key_from_private_key_
#//////////////////////////////////////////////////////////////////////////////
-=head2 check_encryption_keys
-
- Parameters : none
- Returns : string
- Description : Retrieves the cryptkeys.pubkey value from the database for the
- management node and extracts the public key from the private key
- file on the management node. Returns true if they match. Returns
- false if they differ or if either could not be retrieved.
-
-=cut
-
-sub check_encryption_keys {
- my $self = shift;
- if (ref($self) !~ /VCL::Module/i) {
- notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
- return;
- }
-
- my $management_node_id = $self->data->get_management_node_id() ||
return;
- my $management_node_short_name =
$self->data->get_management_node_short_name() || return;
-
- notify($ERRORS{'DEBUG'}, 0, "*** checking encryption keys on
$management_node_short_name ***");
-
- # Get the cryptkey.pubkey value from the database for the management
node
- my $public_key_string_database_value =
get_management_node_cryptkey_pubkey($management_node_id, 0) || return;
-
- # Create an RSA object based on the existing public key stored in the
database, then extract the (hopefully same) public key from the object
- # Do this to verify the public key is correctly formatted, the RSA
module should strip any extraneous space or newlines
- my $rsa_public;
- eval {
- $rsa_public =
Crypt::OpenSSL::RSA->new_public_key($public_key_string_database_value);
- };
- if ($EVAL_ERROR || !$rsa_public) {
- notify($ERRORS{'WARNING'}, 0, "failed to create RSA object from
public key stored in database:\n$public_key_string_database_value" .
($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : ''));
- return;
- }
-
- # Retrieve the public key string from the RSA object
- my $public_key_string_database_extracted;
- eval {
- $public_key_string_database_extracted =
$rsa_public->get_public_key_x509_string();
- };
- if ($EVAL_ERROR || !$public_key_string_database_extracted) {
- notify($ERRORS{'WARNING'}, 0, "retrieved cryptkey.pubkey value
from database, created RSA object based on this public key, but failed to
extract the public key from the object, there may be a problem with the public
key stored in the database:\n$public_key_string_database_value" . ($EVAL_ERROR
? ", error:\n" . $EVAL_ERROR : ''));
- return;
- }
-
- # Extract the public key string from the private key file stored on the
management node
- my $public_key_string_private_extracted =
$self->extract_public_key_from_private_key_file() || return;
-
- if ($public_key_string_database_extracted eq
$public_key_string_private_extracted) {
- notify($ERRORS{'OK'}, 0, "public key extracted from private key
file on $management_node_short_name matches database cryptkey.pubkey value");
- return 1;
- }
- else {
- notify($ERRORS{'WARNING'}, 0, "public key extracted from
private key file on $management_node_short_name does not match database
cryptkey.pubkey value:\n" .
- "public key stored in database (cryptkey.pubkey):\n" .
string_to_ascii($public_key_string_database_extracted) . "\n" .
- "public key extracted from private key file:\n" .
string_to_ascii($public_key_string_private_extracted)
- );
- return 0;
- }
-}
-
-#//////////////////////////////////////////////////////////////////////////////
-
=head2 generate_private_key_file
Parameters : none
@@ -946,13 +881,11 @@ sub decrypt_cryptsecret {
return;
}
}
- elsif (!$self->check_encryption_keys()) {
- return $self->decrypt_cryptsecret($secret_id,
$encrypted_string, 1);
- }
- my $cryptsecret =
get_management_node_cryptsecret_value($management_node_id, $secret_id);
+ # Pass opposite of $recreate_key as $suppress_warning argument
+ my $cryptsecret =
get_management_node_cryptsecret_value($management_node_id, $secret_id,
!$recreate_key);
if (!$cryptsecret) {
- notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID
$secret_id, failed to retrieve cryptsecret.cryptsecret value for management
node ID $management_node_id");
+ #notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID
$secret_id, failed to retrieve cryptsecret.cryptsecret value for management
node ID $management_node_id");
$recreate_key ? return : return
$self->decrypt_cryptsecret($secret_id, $encrypted_string, 1);
}
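Review bot: With check_encryption_keys removed, the only trigger for the retry with $recreate_key set is now a missing cryptsecret row for this management node (the `if (!$cryptsecret)` branch), no longer an actual mismatch between cryptkey.pubkey and the private key file; if the $recreate_key branch above this hunk regenerates the key pair, as its name suggests, then a secret that simply has not yet been encrypted for this node would cause the node's existing key to be replaced, invalidating every other secret already encrypted for it. Please confirm what the recreate path does and, if it regenerates, gate it on a key-consistency check rather than on a missing row. Separately, `$recreate_key ? return : return $self->decrypt_cryptsecret(...)` uses a ternary for control flow and the failed notify is left commented out; write `return if $recreate_key;` followed by `return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1);` and delete the dead line. decrypt_cryptsecret starts and ends outside this hunk.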
@@ -963,7 +896,7 @@ sub decrypt_cryptsecret {
my $rsa_private = $self->_get_private_key_object_from_file();
if (!$rsa_private) {
- notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID
$secret_id, failed to create RSA object based on management node's private
key");
+ #notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID
$secret_id, failed to create RSA object based on management node's private
key");
$recreate_key ? return : return
$self->decrypt_cryptsecret($secret_id, $encrypted_string, 1);
}
Modified: vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm
(original)
+++ vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm Wed
Jun 7 21:10:44 2017
@@ -299,13 +299,6 @@ sub initialize {
}
my $request_state_name = $self->data->get_request_state_name();
- my $vmhost_computer_name = $vmhost_data->get_computer_node_name();
- my $vmhost_image_name = $vmhost_data->get_image_name();
- my $vmhost_os_module_package =
$vmhost_data->get_image_os_module_perl_package();
- my $vmhost_lastcheck_time =
$vmhost_data->get_computer_lastcheck_time(0);
- my $vmhost_computer_id = $self->data->get_vmhost_computer_id();
- my $vmprofile_name = $self->data->get_vmhost_profile_name();
- my $vmprofile_password = $self->data->get_vmhost_profile_password(0);
# Used only for development/testing
# If request state is 'test', full initialization is bypassed by
default to speed things up
@@ -318,6 +311,14 @@ sub initialize {
}
}
+ my $vmhost_computer_name = $vmhost_data->get_computer_node_name();
+ my $vmhost_image_name = $vmhost_data->get_image_name();
+ my $vmhost_os_module_package =
$vmhost_data->get_image_os_module_perl_package();
+ my $vmhost_lastcheck_time =
$vmhost_data->get_computer_lastcheck_time(0);
+ my $vmhost_computer_id = $self->data->get_vmhost_computer_id();
+ my $vmprofile_name = $self->data->get_vmhost_profile_name();
+ my $vmprofile_password = $self->data->get_vmhost_profile_password(0);
+
notify($ERRORS{'DEBUG'}, 0, "initializing " . ref($self) . " object");
my $vmware_api;
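Review bot: `get_vmhost_profile_password(0)` suppresses warnings, and the new accessor returns undef both when vmprofile.password is unset and when decryption of a set password fails, so initialize cannot tell a host profile with no password from a broken encryption key and nothing is logged in either case. Whether $vmprofile_password is later required is not visible here (initialize continues past the hunk); if it is used to reach the VM host, add a non-secret diagnostic at the point of use, e.g. `notify($ERRORS{'WARNING'}, 0, "VM profile '$vmprofile_name' password could not be retrieved or decrypted") if !defined($vmprofile_password);`, so a key problem surfaces before an authentication failure does.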
Modified: vcl/trunk/managementnode/lib/VCL/utils.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/utils.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/utils.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/utils.pm Wed Jun 7 21:10:44 2017
@@ -3796,6 +3796,8 @@ sub get_vmhost_info {
return $ENV{vmhost_info}{$vmhost_identifier} if (!$no_cache &&
$ENV{vmhost_info}{$vmhost_identifier});
+ my $management_node_id = get_management_node_id();
+
# Get a hash ref containing the database column names
my $database_table_columns = get_database_table_columns();
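Review bot: `my $management_node_id = get_management_node_id();` is interpolated directly into the LEFT JOIN ON clause of the select statement built later in this function without checking it is defined; an undefined value yields `cryptkey.hostid = ` and a failed query for every vmhost lookup, with no message pointing at the real cause. Guard it where it is fetched: `if (!defined($management_node_id)) { notify($ERRORS{'WARNING'}, 0, "failed to retrieve management node ID"); return; }`. get_vmhost_info begins outside this hunk.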
@@ -3804,6 +3806,7 @@ sub get_vmhost_info {
'vmprofile' => 'vmprofile',
'repositoryimagetype' => 'imagetype',
'datastoreimagetype' => 'imagetype',
+ 'cryptsecret' => 'cryptsecret',
);
# Construct the select statement
@@ -3817,7 +3820,7 @@ sub get_vmhost_info {
$select_statement .= "$table_alias.$column AS
'$table_alias-$column',\n";
}
}
-
+
# Remove the comma after the last column line
$select_statement =~ s/,$//;
@@ -3825,7 +3828,13 @@ sub get_vmhost_info {
$select_statement .= <<EOF;
FROM
vmhost,
-vmprofile,
+vmprofile
+LEFT JOIN (cryptsecret, cryptkey) ON (
+ vmprofile.secretid = cryptsecret.secretid AND
+ cryptsecret.cryptkeyid = cryptkey.id AND
+ cryptkey.hosttype = 'managementnode' AND
+ cryptkey.hostid = $management_node_id
+),
imagetype repositoryimagetype,
imagetype datastoreimagetype,
computer
@@ -3897,6 +3906,9 @@ EOF
if ($table eq 'vmhost') {
$vmhost_info->{$column} = $value;
}
+ elsif ($table eq 'cryptsecret') {
+ $vmhost_info->{vmprofile}{$table}{$column} = $value;
+ }
else {
$vmhost_info->{$table}{$column} = $value;
}
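Review bot: The cryptsecret columns are stored under `$vmhost_info->{vmprofile}{cryptsecret}` and, via the cache at the top of get_vmhost_info, kept in `$ENV{vmhost_info}` for the life of the process, yet nothing in this commit reads them — the new get_vmhost_profile_password passes only the secret ID to decrypt_cryptsecret, which re-queries the value through get_management_node_cryptsecret_value. Either have the accessor consume the joined value so the extra join pays for itself, or drop the join and this branch; in any case add a comment here such as `# cryptsecret row for this management node's key, or all undef if the secret has not been encrypted for this node (LEFT JOIN)` so the undef case is understood by readers.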
@@ -15000,7 +15012,7 @@ EOF
=head2 get_management_node_cryptsecret_value
- Parameters : $management_node_id, $secret_id
+ Parameters : $management_node_id, $secret_id, $suppress_warning (optional)
Returns : boolean
Description : Retrieves the cryptsecret.cryptsecret value matching the
cryptsecret.secretid value from the database for the management
@@ -15009,7 +15021,7 @@ EOF
=cut
sub get_management_node_cryptsecret_value {
- my ($management_node_id, $secret_id) = @_;
+ my ($management_node_id, $secret_id, $suppress_warning) = @_;
if (!defined($management_node_id)) {
notify($ERRORS{'WARNING'}, 0, "management node ID argument was
not supplied");
return;
@@ -15034,7 +15046,7 @@ EOF
my @rows = database_select($select_statement);
if (scalar @rows == 0) {
- notify($ERRORS{'WARNING'}, 0, "failed to retrieve cryptsecret
from database for management node $management_node_id, secret ID: $secret_id");
+ notify($ERRORS{'WARNING'}, 0, "failed to retrieve cryptsecret
from database for management node $management_node_id, secret ID: $secret_id")
unless $suppress_warning;
return;
}
Modified: vcl/trunk/mysql/update-vcl.sql
URL:
http://svn.apache.org/viewvc/vcl/trunk/mysql/update-vcl.sql?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/mysql/update-vcl.sql (original)
+++ vcl/trunk/mysql/update-vcl.sql Wed Jun 7 21:10:44 2017
@@ -2692,7 +2692,6 @@ CALL DropExistingConstraints('vmprofile'
CALL AddConstraintIfNotExists('vmprofile', 'imageid', 'image', 'id', 'none',
'');
CALL AddConstraintIfNotExists('vmprofile', 'repositoryimagetypeid',
'imagetype', 'id', 'update', 'CASCADE');
CALL AddConstraintIfNotExists('vmprofile', 'datastoreimagetypeid',
'imagetype', 'id', 'update', 'CASCADE');
-CALL AddConstraintIfNotExists('vmprofile', 'secretid', 'cryptsecret',
'secretid', 'none', '');
-- --------------------------------------------------------
Modified: vcl/trunk/mysql/vcl.sql
URL:
http://svn.apache.org/viewvc/vcl/trunk/mysql/vcl.sql?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/mysql/vcl.sql (original)
+++ vcl/trunk/mysql/vcl.sql Wed Jun 7 21:10:44 2017
@@ -2696,7 +2696,6 @@ ALTER TABLE `vmhost` ADD CONSTRAINT FORE
ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`imageid`) REFERENCES
`image` (`id`);
ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`repositoryimagetypeid`)
REFERENCES `imagetype` (`id`) ON UPDATE CASCADE;
ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`datastoreimagetypeid`)
REFERENCES `imagetype` (`id`) ON UPDATE CASCADE;
-ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`secretid`) REFERENCES
`cryptsecret` (`secretid`);
--
-- Constraints for table `winKMS`