Skip to content

Commit

Permalink
Add --keystone-user/group to keystone-manage pki_setup
Browse files Browse the repository at this point in the history 
If called as root, --keystone-user and --keystone-group can be
used to set the username and group keystone is going to run under.

In that case, pki_setup is going to issue additional os.chown
calls to change ownership of the PK files accordingly.

Fixes LP Bug #1031372

Change-Id: If9250ca9d0d86eebb9ad7c95ade17132ffd5a36c
  • Loading branch information
@dirkmueller
dirkmueller committed Feb 3, 2013
1 parent 56f194a commit ca2b2cb
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 22 deletions.
29 changes: 28 additions & 1 deletion keystone/cli.py
View file
Expand Up @@ -22,6 +22,9 @@
from keystone.openstack.common import importutils
from keystone.openstack.common import jsonutils

import grp
import pwd

CONF = config.CONF


Expand Down Expand Up @@ -54,9 +57,33 @@ class PKISetup(BaseApp):

name = 'pki_setup'

@classmethod
def add_argument_parser(cls, subparsers):
parser = super(PKISetup,
cls).add_argument_parser(subparsers)
parser.add_argument('--keystone-user')
parser.add_argument('--keystone-group')
return parser

@staticmethod
def main():
conf_ssl = openssl.ConfigurePKI()
keystone_user_id = None
keystone_group_id = None
try:
a = CONF.command.keystone_user
if a:
keystone_user_id = pwd.getpwnam(a).pw_uid
except KeyError:
raise ValueError("Unknown user '%s' in --keystone-user" % a)

try:
a = CONF.command.keystone_group
if a:
keystone_group_id = grp.getgrnam(a).gr_gid
except KeyError:
raise ValueError("Unknown group '%s' in --keystone-group" % a)

conf_ssl = openssl.ConfigurePKI(keystone_user_id, keystone_group_id)
conf_ssl.run()


Expand Down
51 changes: 31 additions & 20 deletions keystone/common/openssl.py
View file
Expand Up @@ -36,12 +36,6 @@ def file_exists(file_path):
return os.path.exists(file_path)


def make_dirs(file_name):
dir = os.path.dirname(file_name)
if not file_exists(dir):
os.makedirs(dir, DIR_PERMS)


class ConfigurePKI(object):
"""Generate files for PKI signing using OpenSSL.
Expand All @@ -51,8 +45,10 @@ class ConfigurePKI(object):
"""

def __init__(self, *args, **kw):
def __init__(self, keystone_user, keystone_group, **kw):
self.conf_dir = os.path.dirname(CONF.signing.ca_certs)
self.use_keystone_user = keystone_user
self.use_keystone_group = keystone_group
self.ssl_config_file_name = os.path.join(self.conf_dir, "openssl.conf")
self.ca_key_file = os.path.join(self.conf_dir, "cakey.pem")
self.request_file_name = os.path.join(self.conf_dir, "req.pem")
Expand All @@ -69,62 +65,77 @@ def __init__(self, *args, **kw):
'valid_days': int(CONF.signing.valid_days),
'ca_password': CONF.signing.ca_password}

def _make_dirs(self, file_name):
dir = os.path.dirname(file_name)
if not file_exists(dir):
os.makedirs(dir, DIR_PERMS)
if os.geteuid() == 0 and self.use_keystone_group:
os.chown(dir, -1, self.use_keystone_group)

def _set_permissions(self, file_name, perms):
os.chmod(file_name, perms)
if os.geteuid() == 0:
os.chown(file_name, self.use_keystone_user or -1,
self.use_keystone_group or -1)

def exec_command(self, command):
to_exec = command % self.ssl_dictionary
LOG.info(to_exec)
subprocess.check_call(to_exec.rsplit(' '))

def build_ssl_config_file(self):
if not file_exists(self.ssl_config_file_name):
make_dirs(self.ssl_config_file_name)
self._make_dirs(self.ssl_config_file_name)
ssl_config_file = open(self.ssl_config_file_name, 'w')
ssl_config_file.write(self.sslconfig % self.ssl_dictionary)
ssl_config_file.close()
os.chmod(self.ssl_config_file_name, CERT_PERMS)
self._set_permissions(self.ssl_config_file_name, CERT_PERMS)

index_file_name = os.path.join(self.conf_dir, 'index.txt')
if not file_exists(index_file_name):
index_file = open(index_file_name, 'w')
index_file.write('')
index_file.close()
os.chmod(self.ssl_config_file_name, PRIV_PERMS)
self._set_permissions(self.ssl_config_file_name, PRIV_PERMS)

serial_file_name = os.path.join(self.conf_dir, 'serial')
if not file_exists(serial_file_name):
index_file = open(serial_file_name, 'w')
index_file.write('01')
index_file.close()
os.chmod(self.ssl_config_file_name, PRIV_PERMS)
self._set_permissions(self.ssl_config_file_name, PRIV_PERMS)

def build_ca_cert(self):
if not file_exists(CONF.signing.ca_certs):
if not os.path.exists(self.ca_key_file):
make_dirs(self.ca_key_file)
self._make_dirs(self.ca_key_file)
self.exec_command('openssl genrsa -out %(ca_private_key)s '
'%(key_size)d -config %(ssl_config)s')
os.chmod(self.ssl_dictionary['ca_private_key'], stat.S_IRUSR)
self._set_permissions(self.ssl_dictionary['ca_private_key'],
stat.S_IRUSR)
self.exec_command('openssl req -new -x509 -extensions v3_ca '
'-passin pass:%(ca_password)s '
'-key %(ca_private_key)s -out %(ca_cert)s '
'-days %(valid_days)d '
'-config %(ssl_config)s '
'-subj %(default_subject)s')
os.chmod(self.ssl_dictionary['ca_cert'], CERT_PERMS)
self._set_permissions(self.ssl_dictionary['ca_cert'], CERT_PERMS)

def build_private_key(self):
if not file_exists(CONF.signing.keyfile):
make_dirs(CONF.signing.keyfile)
signing_keyfile = self.ssl_dictionary['signing_key']

if not file_exists(signing_keyfile):
self._make_dirs(signing_keyfile)

self.exec_command('openssl genrsa -out %(signing_key)s '
'%(key_size)d '
'-config %(ssl_config)s')
os.chmod(os.path.dirname(self.ssl_dictionary['signing_key']),
PRIV_PERMS)
os.chmod(self.ssl_dictionary['signing_key'], stat.S_IRUSR)
self._set_permissions(os.path.dirname(signing_keyfile), PRIV_PERMS)
self._set_permissions(signing_keyfile, stat.S_IRUSR)

def build_signing_cert(self):
if not file_exists(CONF.signing.certfile):
make_dirs(CONF.signing.certfile)
self._make_dirs(CONF.signing.certfile)
self.exec_command('openssl req -key %(signing_key)s -new -nodes '
'-out %(request_file)s -config %(ssl_config)s '
'-subj %(default_subject)s')
Expand Down
2 changes: 1 addition & 1 deletion tests/test_cert_setup.py
View file
Expand Up @@ -43,7 +43,7 @@ def setUp(self):
CONF.signing.keyfile = os.path.join(KEYDIR, "signing_key.pem")

def test_create_certs(self):
ssl = openssl.ConfigurePKI()
ssl = openssl.ConfigurePKI(None, None)
ssl.run()
self.assertTrue(os.path.exists(CONF.signing.certfile))
self.assertTrue(os.path.exists(CONF.signing.ca_certs))
Expand Down

0 comments on commit ca2b2cb

Please sign in to comment.