prevent crowbar batch from locking itself and the user out #1336
This is not right yet.
5e93c27 to b698752
OK this should be right now - needs a quick test though.
#"from #{@password} to #{users[@username]['password']} " + \ | ||
"which would lock myself out!" | ||
end | ||
to_merge['attributes'][barclamp]['users'].delete @username |
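Review bot: The warning text on the line reading "from #{@password} to #{users[@username]['password']} " interpolates both the password the session is currently using and the one from the imported proposal, so both end up in plaintext on the terminal and in any captured crowbar batch output. Name only the account in the message (for example "refusing to change the password for #{@username}, which would lock myself out!") and leave both password values out.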
While testing this I got a
/opt/dell/bin/barclamp_lib.rb:536:in `eval': undefined local variable or method `to_merge' for main:Object (NameError)
Changing it to an instance variable @to_merge (in all its lines ofc) fixes this.
Second issue in this line: barclamp is unknown as well. Making it a method argument fixed it for me.
Thanks for the catch but there is a better fix than these ;-)
If crowbar batch is used to export the crowbar proposal from one cloud and apply it to another, it will change the machine-install user's password, which is typically the one used to run crowbar batch. This would break any future HTTP digest authentications against the Crowbar REST API, including ones invoked immediately after the change, by the still running crowbar batch process. So if the user inadvertently attempts to change the password they're currently relying on, simply output a warning and ignore the attempt.
e.g. if the username/password is wrong, it needs to be clear to the user that authentication failed.
b698752 to d6e9a9a
Tested again. Works.
LGTM but I have not much experience with crowbar_batch
@aspiers, this repository got merged into crowbar-core.
Superseded by crowbar/crowbar-core#35
If crowbar batch is used to export the crowbar proposal from one cloud and apply it to another, it will change the machine-install user's password, which is typically the one used to run crowbar batch. This would break any future HTTP digest authentications against the Crowbar REST API, including ones invoked immediately after the change, by the still running crowbar batch process. So if the user inadvertently attempts to change the password they're currently relying on, simply output a warning and ignore the attempt.
Also improve error reporting when retrieving aliases.
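The guard described above, as an added Ruby example (not code from this pull request or from crowbar): it drops a pending change to the password the running session authenticates with and returns a warning that names only the account. The function name, the 'crowbar' barclamp key and all sample values are assumptions; the hash layout follows the to_merge['attributes'][barclamp]['users'] path visible in the diff.

```ruby
# Added illustration, not crowbar's own implementation.
# Removes a pending password change for the account this session is
# authenticated as, so later HTTP digest requests in the same run keep working.
# Returns a warning string, or nil when nothing had to be dropped.
def drop_self_password_change!(to_merge, barclamp, session_user, session_password)
  users = to_merge.dig('attributes', barclamp, 'users')
  return nil unless users.is_a?(Hash)

  entry = users[session_user]
  return nil unless entry.is_a?(Hash) && entry.key?('password')
  # Same password as the one in use: not a real change, leave the entry alone.
  return nil if entry['password'] == session_password

  users.delete(session_user)
  # Name the account only; neither password value belongs in output or logs.
  "WARNING: ignoring attempt to change the password for #{session_user}, " \
    'which this session authenticates with (it would lock itself out)'
end

# Constructed sample proposal (hypothetical values), as it might look after
# being exported from one cloud and applied to another.
def sample_proposal
  {
    'attributes' => {
      'crowbar' => {
        'users' => {
          'machine-install' => { 'password' => 'new-cloud-secret' },
          'operator'        => { 'password' => 'unrelated' }
        }
      }
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  proposal = sample_proposal
  warning = drop_self_password_change!(proposal, 'crowbar',
                                       'machine-install', 'current-secret')
  warn warning if warning
  # Only the entries that are safe to apply remain.
  puts proposal['attributes']['crowbar']['users'].keys.inspect
end
```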