Added ability to clear authentication tokens

pcs/pcs.8

@@ -535,6 +535,9 @@ Load custom certificate and key files for use in pcsd.
 .TP
 sync-certificates
 Sync pcsd certificates to all nodes found from current corosync.conf file (cluster.conf on systems running Corosync 1.x).  WARNING: This will restart pcsd daemon on the nodes.
+.TP
+clear-auth [--local] [--remote]
+Removes all system tokens which allow pcs/pcsd on the current system to authenticate with remote pcs/pcsd instances and vice-versa.  After this command is run this node will need to be re-authenticated with other nodes (using 'pcs cluster auth').  Using '--local' only removes tokens used by local pcs (and pcsd if root) to connect to other pcsd instances, using --remote clears authentication tokens used by remote systems to connect to the local pcsd instance.
 .SH EXAMPLES
 .TP
 Show all resources

pcs/pcs.py

@@ -77,6 +77,7 @@ def main(argv):
             "token=", "token_coefficient=", "consensus=", "join=",
             "miss_count_const=", "fail_recv_const=",
             "corosync_conf=", "cluster_conf=",
+            "remote",
         ]
         # pull out negative number arguments and add them back after getopt
         prev_arg = ""

pcs/pcsd.py

@@ -1,8 +1,11 @@
 import sys
 import json
+import os
+import errno
 
 import usage
 import utils
+import settings
 
 def pcsd_cmd(argv):
     if len(argv) == 0:
@@ -16,6 +19,8 @@ def pcsd_cmd(argv):
         pcsd_certkey(argv)
     elif sub_cmd == "sync-certificates":
         pcsd_sync_certs(argv)
+    elif sub_cmd == "clear-auth":
+        pcsd_clear_auth(argv)
     else:
         usage.pcsd()
         sys.exit(1)
@@ -87,3 +92,31 @@ def pcsd_sync_certs(argv):
         if error:
             utils.err(error, False)
 
+def pcsd_clear_auth(argv):
+    output = []
+    files = []
+    if os.geteuid() == 0:
+        pcsd_tokens_file = settings.pcsd_tokens_location
+    else:
+        pcsd_tokens_file = os.path.expanduser("~/.pcs/tokens")
+
+    if '--local' in utils.pcs_options:
+        files.append(pcsd_tokens_file)
+    if '--remote' in utils.pcs_options:
+        files.append(settings.pcsd_users_conf_location)
+
+    if len(files) == 0:
+        files.append(pcsd_tokens_file)
+        files.append(settings.pcsd_users_conf_location)
+
+    for f in files:
+        try:
+            os.remove(f)
+        except OSError as e:
+            if (e.errno != errno.ENOENT):
+                output.append(e.strerror + " (" + f + ")")
+
+    if len(output) > 0:
+        for o in output:
+            print "Error: " + o
+        sys.exit(1)

pcs/settings.py

@@ -12,6 +12,8 @@
 crm_verify = pacemaker_binaries + "crm_verify"
 pcsd_cert_location = "/var/lib/pcsd/pcsd.crt"
 pcsd_key_location = "/var/lib/pcsd/pcsd.key"
+pcsd_tokens_location = "/var/lib/pcsd/tokens"
+pcsd_users_conf_location = "/var/lib/pcsd/pcs_users.conf"
 pcsd_exec_location = "/usr/lib/pcsd/"
 corosync_uidgid_dir = "/etc/corosync/uidgid.d/"
 cib_dir = "/var/lib/pacemaker/cib/"

pcs/usage.py

@@ -1168,6 +1168,15 @@ def pcsd(args=[], pout=True):
         Sync pcsd certificates to all nodes found from current corosync.conf
         file (cluster.conf on systems running Corosync 1.x).  WARNING: This will
         restart pcsd daemon on the nodes.
+
+    clear-auth [--local] [--remote]
+       Removes all system tokens which allow pcs/pcsd on the current system to
+       authenticate with remote pcs/pcsd instances and vice-versa.  After this
+       command is run this node will need to be re-authenticated with other
+       nodes (using 'pcs cluster auth').  Using '--local' only removes tokens
+       used by local pcs (and pcsd if root) to connect to other pcsd instances,
+       using --remote clears authentication tokens used by remote systems to
+       connect to the local pcsd instance.
 """
     if pout:
         print sub_usage(args, output)