
Source Code for Module ganeti.tools.ssl_update

  1  # 
  2  # 
  3   
  4  # Copyright (C) 2015 Google Inc. 
  5  # All rights reserved. 
  6  # 
  7  # Redistribution and use in source and binary forms, with or without 
  8  # modification, are permitted provided that the following conditions are 
  9  # met: 
 10  # 
 11  # 1. Redistributions of source code must retain the above copyright notice, 
 12  # this list of conditions and the following disclaimer. 
 13  # 
 14  # 2. Redistributions in binary form must reproduce the above copyright 
 15  # notice, this list of conditions and the following disclaimer in the 
 16  # documentation and/or other materials provided with the distribution. 
 17  # 
 18  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 
 19  # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
 20  # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
 21  # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR 
 22  # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
 23  # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
 24  # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
 25  # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 26  # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 27  # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 28  # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 29   
 30  """Script to recreate and sign the client SSL certificates. 
 31   
 32  """ 
 33   
 34  import os 
 35  import os.path 
 36  import optparse 
 37  import sys 
 38  import logging 
 39   
 40  from ganeti import cli 
 41  from ganeti import constants 
 42  from ganeti import errors 
 43  from ganeti import utils 
 44  from ganeti import ht 
 45  from ganeti import pathutils 
 46  from ganeti.tools import common 
 47   
 48   
# Schema for the request document that Main() reads from stdin. Every listed
# key must hold a non-empty string when present.
# NOTE(review): the two leading booleans are presumably ht.TStrictDict's
# (require_all, exclusive) flags, i.e. keys are optional but unknown keys are
# rejected -- confirm against ht.TStrictDict.
_DATA_CHECK = ht.TStrictDict(
  False,
  True,
  dict((key, ht.TNonEmptyString) for key in (
    constants.NDS_CLUSTER_NAME,
    constants.NDS_NODE_DAEMON_CERTIFICATE,
    constants.NDS_NODE_NAME,
    constants.NDS_ACTION,
    )))
 55   
 56   
class SslSetupError(errors.GenericError):
  """Error raised by this tool when a request cannot be processed.

  Passed to the L{common} verification helpers as the exception class to use
  and raised directly by L{Main} for a missing or unsupported action.

  """
def ParseOptions():
  """Build the command-line parser and parse the program's arguments.

  The parser accepts the shared debug, verbose and dry-run options from
  L{cli}; the parsed result is handed to L{common.VerifyOptions}.

  @return: the value returned by L{common.VerifyOptions}; L{Main} reads the
    C{debug} and C{verbose} attributes from it

  """
  program_name = os.path.basename(sys.argv[0])
  parser = optparse.OptionParser(usage="%prog [--dry-run]", prog=program_name)

  for option in (cli.DEBUG_OPT, cli.VERBOSE_OPT, cli.DRY_RUN_OPT):
    parser.add_option(option)

  parsed_opts, leftover_args = parser.parse_args()
  return common.VerifyOptions(parser, parsed_opts, leftover_args)
def DeleteClientCertificate():
  """Remove the node daemon's client certificate file, if it is present.

  This is necessary for downgrades. A missing file is not an error; it is
  only reported at debug level.

  """
  cert_path = pathutils.NODED_CLIENT_CERT_FILE

  if not os.path.exists(cert_path):
    logging.debug("Trying to delete the client certificate '%s' which did not"
                  " exist.", cert_path)
    return

  os.remove(cert_path)
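def ClearMasterCandidateSsconfList():
  """Clear the ssconf list of master candidate certs.

  This is necessary when deleting the client certificates for a downgrade,
  because otherwise the master cannot distribute the configuration to the
  nodes via RPC during a downgrade anymore.

  A missing ssconf file is not an error; it is only reported at debug level.

  """
  ssconf_file = os.path.join(
    pathutils.DATA_DIR,
    "%s%s" % (constants.SSCONF_FILEPREFIX,
              constants.SS_MASTER_CANDIDATES_CERTS))
  # os.path.exists has to be called with the path: the bare function object
  # is always true, which made the removal unconditional and raised OSError
  # whenever the file was already gone.
  if os.path.exists(ssconf_file):
    os.remove(ssconf_file)
  else:
    logging.debug("Trying to delete the ssconf file '%s' which does not"
                  " exist.", ssconf_file)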
# pylint: disable=E1103
# This pylint message complains about 'data' as 'bool' not having a get
# member, but obviously the type is wrongly inferred.
def Main():
  """Validate the request read from stdin and apply the action it names.

  The request is loaded with L{common.LoadData} against L{_DATA_CHECK}; the
  cluster name and the caller's server certificate are then verified before
  the action is dispatched.

  @return: C{constants.EXIT_SUCCESS} when no exception was raised, otherwise
    the return code computed by L{cli.FormatError} for the caught exception

  """
  opts = ParseOptions()
  utils.SetupToolLogging(opts.debug, opts.verbose)

  # NOTE(review): only opts.debug and opts.verbose are read in this function;
  # the --dry-run option accepted by ParseOptions is not consulted before the
  # delete branch removes files -- confirm whether that is intended.

  try:
    data = common.LoadData(sys.stdin.read(), _DATA_CHECK)

    # Both checks come before any certificate file is touched; presumably
    # they raise SslSetupError on a mismatch, so a request that fails either
    # one never reaches the create/delete branches -- confirm in common.
    common.VerifyClusterName(data, SslSetupError)
    # Verifies whether the server certificate of the caller
    # is the same as on this node.
    common.VerifyCertificate(data, SslSetupError)

    action = data.get(constants.NDS_ACTION)
    if not action:
      raise SslSetupError("No Action specified.")

    if action == constants.CRYPTO_ACTION_CREATE:
      common.GenerateClientCertificate(data, SslSetupError)
    elif action == constants.CRYPTO_ACTION_DELETE:
      DeleteClientCertificate()
      ClearMasterCandidateSsconfList()
    else:
      raise SslSetupError("Unsupported action: %s." % action)

  except Exception as err: # pylint: disable=W0703
    # Top-level boundary: every failure is turned into an exit code; the
    # traceback is kept at debug level only.
    logging.debug("Caught unhandled exception", exc_info=True)

    retcode, message = cli.FormatError(err)
    logging.error(message)

    return retcode

  return constants.EXIT_SUCCESS