ceph/qa/tasks/pykmip.py
Marcus Watts 4e04dc1d2e rgw/kms/kmip - correct documentation.
The pykmip task should be after ceph, and before rgw.

kmip needs ssl certs in order to function correctly.
Because the openssl_keys task has an indeterminate
order of execution, it is best to create the ca as
a separate task.  The ca can be shared with rgw, but
real life deployments of kmip are likely to have their
own CA.

In order to create kmip secrets, a client certificate
is necessary, so must be supplied to the pykmip task.

Signed-off-by: Marcus Watts <mwatts@redhat.com>
2021-03-03 19:14:10 -05:00

465 lines
14 KiB
Python

"""
Deploy and configure PyKMIP for Teuthology
"""
import argparse
import contextlib
import logging
import time
import tempfile
import json
import os
from io import BytesIO
from teuthology.orchestra.daemon import DaemonGroup
from teuthology.orchestra.remote import Remote
import pprint
from teuthology import misc as teuthology
from teuthology import contextutil
from teuthology.orchestra import run
from teuthology.packaging import install_package
from teuthology.packaging import remove_package
from teuthology.exceptions import ConfigError
from tasks.util import get_remote_for_role
log = logging.getLogger(__name__)
def get_pykmip_dir(ctx):
return '{tdir}/pykmip'.format(tdir=teuthology.get_testdir(ctx))
def run_in_pykmip_dir(ctx, client, args, **kwargs):
(remote,) = [client] if isinstance(client,Remote) else ctx.cluster.only(client).remotes.keys()
return remote.run(
args=['cd', get_pykmip_dir(ctx), run.Raw('&&'), ] + args,
**kwargs
)
def run_in_pykmip_venv(ctx, client, args, **kwargs):
return run_in_pykmip_dir(ctx, client,
args = ['.', '.pykmipenv/bin/activate',
run.Raw('&&')
] + args, **kwargs)
@contextlib.contextmanager
def download(ctx, config):
"""
Download PyKMIP from github.
Remove downloaded file upon exit.
The context passed in should be identical to the context
passed in to the main task.
"""
assert isinstance(config, dict)
log.info('Downloading pykmip...')
pykmipdir = get_pykmip_dir(ctx)
for (client, cconf) in config.items():
branch = cconf.get('force-branch', 'master')
repo = cconf.get('force-repo', 'https://github.com/OpenKMIP/PyKMIP')
sha1 = cconf.get('sha1')
log.info("Using branch '%s' for pykmip", branch)
log.info('sha1=%s', sha1)
ctx.cluster.only(client).run(
args=[
'git', 'clone', '-b', branch, repo,
pykmipdir,
],
)
if sha1 is not None:
run_in_pykmip_dir(ctx, client, [
'git', 'reset', '--hard', sha1,
],
)
try:
yield
finally:
log.info('Removing pykmip...')
for client in config:
ctx.cluster.only(client).run(
args=[ 'rm', '-rf', pykmipdir ],
)
_bindep_txt = """# should be part of PyKMIP
libffi-dev [platform:dpkg]
libffi-devel [platform:rpm]
libssl-dev [platform:dpkg]
openssl-devel [platform:redhat]
libopenssl-devel [platform:suse]
libsqlite3-dev [platform:dpkg]
sqlite-devel [platform:rpm]
python-dev [platform:dpkg]
python-devel [(platform:redhat platform:base-py2)]
python3-dev [platform:dpkg]
python3-devel [(platform:redhat platform:base-py3) platform:suse]
python3 [platform:suse]
"""
@contextlib.contextmanager
def install_packages(ctx, config):
"""
Download the packaged dependencies of PyKMIP.
Remove install packages upon exit.
The context passed in should be identical to the context
passed in to the main task.
"""
assert isinstance(config, dict)
log.info('Installing system dependenies for PyKMIP...')
packages = {}
for (client, _) in config.items():
(remote,) = ctx.cluster.only(client).remotes.keys()
# use bindep to read which dependencies we need from temp/bindep.txt
fd, local_temp_path = tempfile.mkstemp(suffix='.txt',
prefix='bindep-')
os.write(fd, _bindep_txt.encode())
os.close(fd)
fd, remote_temp_path = tempfile.mkstemp(suffix='.txt',
prefix='bindep-')
os.close(fd)
remote.put_file(local_temp_path, remote_temp_path)
os.remove(local_temp_path)
run_in_pykmip_venv(ctx, remote, ['pip', 'install', 'bindep'])
r = run_in_pykmip_venv(ctx, remote,
['bindep', '--brief', '--file', remote_temp_path],
stdout=BytesIO(),
check_status=False) # returns 1 on success?
packages[client] = r.stdout.getvalue().decode().splitlines()
for dep in packages[client]:
install_package(dep, remote)
try:
yield
finally:
log.info('Removing system dependencies of PyKMIP...')
for (client, _) in config.items():
(remote,) = ctx.cluster.only(client).remotes.keys()
for dep in packages[client]:
remove_package(dep, remote)
@contextlib.contextmanager
def setup_venv(ctx, config):
"""
Setup the virtualenv for PyKMIP using pip.
"""
assert isinstance(config, dict)
log.info('Setting up virtualenv for pykmip...')
for (client, _) in config.items():
run_in_pykmip_dir(ctx, client, ['virtualenv', '.pykmipenv'])
run_in_pykmip_venv(ctx, client, ['pip', 'install', 'pytz', '-e', get_pykmip_dir(ctx)])
yield
def assign_ports(ctx, config, initial_port):
"""
Assign port numbers starting from @initial_port
"""
port = initial_port
role_endpoints = {}
for remote, roles_for_host in ctx.cluster.remotes.items():
for role in roles_for_host:
if role in config:
r = get_remote_for_role(ctx, role)
role_endpoints[role] = r.ip_address, port, r.hostname
port += 1
return role_endpoints
def copy_policy_json(ctx, cclient, cconfig):
run_in_pykmip_dir(ctx, cclient,
['cp',
get_pykmip_dir(ctx)+'/examples/policy.json',
get_pykmip_dir(ctx)])
_pykmip_configuration = """# configuration for pykmip
[server]
hostname={ipaddr}
port={port}
certificate_path={servercert}
key_path={serverkey}
ca_path={clientca}
auth_suite=TLS1.2
policy_path={confdir}
enable_tls_client_auth=False
tls_cipher_suites=
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
database_path={confdir}/pykmip.sqlite
[client]
host={hostname}
port=5696
certfile={clientcert}
keyfile={clientkey}
ca_certs={clientca}
ssl_version=PROTOCOL_TLSv1_2
"""
def create_pykmip_conf(ctx, cclient, cconfig):
log.info('#0 cclient={} cconfig={}'.format(pprint.pformat(cclient),pprint.pformat(cconfig)))
(remote,) = ctx.cluster.only(cclient).remotes.keys()
pykmip_ipaddr, pykmip_port, pykmip_hostname = ctx.pykmip.endpoints[cclient]
log.info('#1 ip,p,h {} {} {}'.format(pykmip_ipaddr, pykmip_port, pykmip_hostname))
clientca = cconfig.get('clientca', None)
log.info('#2 clientca {}'.format(clientca))
serverkey = None
servercert = cconfig.get('servercert', None)
log.info('#3 servercert {}'.format(servercert))
servercert = ctx.ssl_certificates.get(servercert)
log.info('#4 servercert {}'.format(servercert))
clientkey = None
clientcert = cconfig.get('clientcert', None)
log.info('#3 clientcert {}'.format(clientcert))
clientcert = ctx.ssl_certificates.get(clientcert)
log.info('#4 clientcert {}'.format(clientcert))
clientca = ctx.ssl_certificates.get(clientca)
log.info('#5 clientca {}'.format(clientca))
if servercert != None:
serverkey = servercert.key
servercert = servercert.certificate
log.info('#6 serverkey {} servercert {}'.format(serverkey, servercert))
if clientcert != None:
clientkey = clientcert.key
clientcert = clientcert.certificate
log.info('#6 clientkey {} clientcert {}'.format(clientkey, clientcert))
if clientca != None:
clientca = clientca.certificate
log.info('#7 clientca {}'.format(clientca))
if servercert == None or clientca == None or serverkey == None:
log.info('#8 clientca {} serverkey {} servercert {}'.format(clientca, serverkey, servercert))
raise ConfigError('pykmip: Missing/bad servercert or clientca')
pykmipdir = get_pykmip_dir(ctx)
kmip_conf = _pykmip_configuration.format(
ipaddr=pykmip_ipaddr,
port=pykmip_port,
confdir=pykmipdir,
hostname=pykmip_hostname,
clientca=clientca,
clientkey=clientkey,
clientcert=clientcert,
serverkey=serverkey,
servercert=servercert
)
fd, local_temp_path = tempfile.mkstemp(suffix='.conf',
prefix='pykmip')
os.write(fd, kmip_conf.encode())
os.close(fd)
remote.put_file(local_temp_path, pykmipdir+'/pykmip.conf')
os.remove(local_temp_path)
@contextlib.contextmanager
def configure_pykmip(ctx, config):
"""
Configure pykmip paste-api and pykmip-api.
"""
assert isinstance(config, dict)
(cclient, cconfig) = next(iter(config.items()))
copy_policy_json(ctx, cclient, cconfig)
create_pykmip_conf(ctx, cclient, cconfig)
try:
yield
finally:
pass
def has_ceph_task(tasks):
for task in tasks:
for name, conf in task.items():
if name == 'ceph':
return True
return False
@contextlib.contextmanager
def run_pykmip(ctx, config):
assert isinstance(config, dict)
if hasattr(ctx, 'daemons'):
pass
elif has_ceph_task(ctx.config['tasks']):
log.info('Delay start pykmip so ceph can do once-only daemon logic')
try:
yield
finally:
pass
else:
ctx.daemons = DaemonGroup()
log.info('Running pykmip...')
pykmipdir = get_pykmip_dir(ctx)
for (client, _) in config.items():
(remote,) = ctx.cluster.only(client).remotes.keys()
cluster_name, _, client_id = teuthology.split_role(client)
# start the public endpoint
client_public_with_id = 'pykmip.public' + '.' + client_id
run_cmd = 'cd ' + pykmipdir + ' && ' + \
'. .pykmipenv/bin/activate && ' + \
'HOME={}'.format(pykmipdir) + ' && ' + \
'exec pykmip-server -f pykmip.conf -l ' + \
pykmipdir + '/pykmip.log & { read; kill %1; }'
ctx.daemons.add_daemon(
remote, 'pykmip', client_public_with_id,
cluster=cluster_name,
args=['bash', '-c', run_cmd],
logger=log.getChild(client),
stdin=run.PIPE,
cwd=pykmipdir,
wait=False,
check_status=False,
)
# sleep driven synchronization
time.sleep(10)
try:
yield
finally:
log.info('Stopping PyKMIP instance')
ctx.daemons.get_daemon('pykmip', client_public_with_id,
cluster_name).stop()
make_keys_template = """
from kmip.pie import client
from kmip import enums
import ssl
import sys
import json
from io import BytesIO
c = client.ProxyKmipClient(config_file="{replace-with-config-file-path}")
rl=[]
for kwargs in {replace-with-secrets}:
with c:
key_id = c.create(
enums.CryptographicAlgorithm.AES,
256,
operation_policy_name='default',
cryptographic_usage_mask=[
enums.CryptographicUsageMask.ENCRYPT,
enums.CryptographicUsageMask.DECRYPT
],
**kwargs
)
c.activate(key_id)
attrs = c.get_attributes(uid=key_id)
r = {}
for a in attrs[1]:
r[str(a.attribute_name)] = str(a.attribute_value)
rl.append(r)
print(json.dumps(rl))
"""
@contextlib.contextmanager
def create_secrets(ctx, config):
"""
Create and activate any requested keys in kmip
"""
assert isinstance(config, dict)
pykmipdir = get_pykmip_dir(ctx)
pykmip_conf_path = pykmipdir + '/pykmip.conf'
my_output = BytesIO()
for (client,cconf) in config.items():
(remote,) = ctx.cluster.only(client).remotes.keys()
secrets=cconf.get('secrets')
if secrets:
secrets_json = json.dumps(cconf['secrets'])
make_keys = make_keys_template \
.replace("{replace-with-secrets}",secrets_json) \
.replace("{replace-with-config-file-path}",pykmip_conf_path)
my_output.truncate()
remote.run(args=[run.Raw('. cephtest/pykmip/.pykmipenv/bin/activate;' \
+ 'python')], stdin=make_keys, stdout = my_output)
ctx.pykmip.keys[client] = json.loads(my_output.getvalue().decode())
try:
yield
finally:
pass
@contextlib.contextmanager
def task(ctx, config):
"""
Deploy and configure PyKMIP
Example of configuration:
tasks:
- install:
- ceph:
conf:
client:
rgw crypt s3 kms backend: kmip
rgw crypt kmip ca path: /home/ubuntu/cephtest/ca/kmiproot.crt
rgw crypt kmip client cert: /home/ubuntu/cephtest/ca/kmip-client.crt
rgw crypt kmip client key: /home/ubuntu/cephtest/ca/kmip-client.key
rgw crypt kmip kms key template: pykmip-$keyid
- openssl_keys:
kmiproot:
client: client.0
cn: kmiproot
key-type: rsa:4096
- openssl_keys:
kmip-server:
client: client.0
ca: kmiproot
kmip-client:
client: client.0
ca: kmiproot
cn: rgw-client
- pykmip:
client.0:
force-branch: master
clientca: kmiproot
servercert: kmip-server
clientcert: kmip-client
secrets:
- name: pykmip-key-1
- name: pykmip-key-2
- rgw:
client.0:
use-pykmip-role: client.0
- s3tests:
client.0:
force-branch: master
"""
assert config is None or isinstance(config, list) \
or isinstance(config, dict), \
"task pykmip only supports a list or dictionary for configuration"
all_clients = ['client.{id}'.format(id=id_)
for id_ in teuthology.all_roles_of_type(ctx.cluster, 'client')]
if config is None:
config = all_clients
if isinstance(config, list):
config = dict.fromkeys(config)
overrides = ctx.config.get('overrides', {})
# merge each client section, not the top level.
for client in config.keys():
if not config[client]:
config[client] = {}
teuthology.deep_merge(config[client], overrides.get('pykmip', {}))
log.debug('PyKMIP config is %s', config)
if not hasattr(ctx, 'ssl_certificates'):
raise ConfigError('pykmip must run after the openssl_keys task')
ctx.pykmip = argparse.Namespace()
ctx.pykmip.endpoints = assign_ports(ctx, config, 5696)
ctx.pykmip.keys = {}
with contextutil.nested(
lambda: download(ctx=ctx, config=config),
lambda: setup_venv(ctx=ctx, config=config),
lambda: install_packages(ctx=ctx, config=config),
lambda: configure_pykmip(ctx=ctx, config=config),
lambda: run_pykmip(ctx=ctx, config=config),
lambda: create_secrets(ctx=ctx, config=config),
):
yield