D.2. Rocks Secure Attribute Infrastructure

As a replacement for shadow attributes, we introduced the Rocks secure attributes infrastructure. The reason for the change was internal: shadow attributes were still readable by the apache user. Secure attributes are not accessible by anyone but the root user.

The secure attributes are not synced along with any of the other regular attributes. Instead, they are synced between hosts completely out of band, over standard SSH.

D.2.1. Structure

The secure attributes infrastructure consists of two parts.

  1. The secure attribute itself, which is stored in the database.

  2. Plugins, written in Python, which define how to act on a secure attribute. These plugins reside in /opt/rocks/var/plugins/sec_attr/ and have a very simple API.

D.2.2. Plugins API

The Rocks secure attribute plugin class inherits from a single class, rocks.commands.sec_attr_plugin.

This example is a very simple, fictitious use case. A service called fake_service runs on all compute nodes and stores a SHA-hashed password in its configuration file, /etc/fake_service.conf. These are the contents of the config file:

# cat /etc/fake_service.conf
password=150b95f90c06f127a040a40f98582231369b6fda

D.2.2.1. Setting the Secure Attribute

This password can be stored in the database as a secure attribute. To store the password as a secure attribute, run

# rocks set host sec_attr compute attr=fake_svc_pw enc=sha
Enter fake_svc_pw: 
Confirm fake_svc_pw: 

Enter the password string and confirm it (the same way you would when changing the root password).

D.2.2.2. Creating the plugin

Secure attribute plugins are located in the /opt/rocks/var/plugins/sec_attr directory. These plugins are written in Python and expose a very simple API. Two functions must be part of every plugin.

  1. get_sec_attr: This function returns the name of the secure attribute as stored in the database. In the example, this returns fake_svc_pw.

    Note

    This name should match exactly the attribute name in the database. If multiple plugins return the same value for this function, then the last match wins.

  2. filter: This function is the workhorse of the plugin. It takes in a single value (the attribute's value) and performs the desired manipulation, filtering, and storage on it.

The plugin for the above example is /opt/rocks/var/plugins/sec_attr/fake.py. The name of the file is irrelevant: the command iterates over all available plugins and uses the last one whose get_sec_attr return value matches the attribute name.

Example D-1. Plugin code for fake_svc_pw - fake.py

import rocks.commands

class plugin(rocks.commands.sec_attr_plugin):
	def get_sec_attr(self):
		# Name of the secure attribute exactly as stored in the database
		return 'fake_svc_pw'

	def filter(self, value):
		# Write the synced value into the service's config file.
		# Note: the file is created with the process umask, so restrict
		# its mode if the service does not need it world-readable.
		f = open('/etc/fake_service.conf', 'w')
		f.write('password=%s\n' % value)
		f.close()
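As an added example (not code from the Rocks project), here is a hardened variant of the fake.py plugin above: it rewrites only the password= line so that any other settings in the file survive, and it writes through a 0600 temp file plus atomic rename so the hash is never world-readable on the compute node. rocks.commands.sec_attr_plugin is not importable outside a Rocks frontend, so a stand-in base class of the same name is assumed here; update_password_line and demo are helper names introduced for this example.

```python
import os, tempfile

# Stand-in base class so the example runs outside Rocks (assumption); on a
# frontend the plugin inherits rocks.commands.sec_attr_plugin instead.
class sec_attr_plugin(object):
    pass

def update_password_line(conf_path, value):
    """Replace only the password= line of conf_path, keeping other settings.
    The file lands via a 0600 temp file and atomic rename. Returns new lines."""
    lines = []
    if os.path.exists(conf_path):
        with open(conf_path) as f:
            lines = f.read().splitlines()
    new_lines, replaced = [], False
    for line in lines:
        if line.split('=', 1)[0].strip() == 'password':
            if not replaced:  # keep one password line, drop duplicates
                new_lines.append('password=%s' % value)
                replaced = True
            continue
        new_lines.append(line)
    if not replaced:
        new_lines.append('password=%s' % value)
    # mkstemp creates the temp file 0600 in the target directory, so the hash
    # is never world-readable, and rename() swaps it into place atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path) or '.')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write('\n'.join(new_lines) + '\n')
        os.rename(tmp, conf_path)
    except Exception:
        os.unlink(tmp)
        raise
    return new_lines

class plugin(sec_attr_plugin):
    def get_sec_attr(self):
        return 'fake_svc_pw'  # must equal the attr= name set in the database
    def filter(self, value):
        update_password_line('/etc/fake_service.conf', value)

def demo():
    """Run the filter logic on a constructed sample config in a temp dir."""
    path = os.path.join(tempfile.mkdtemp(), 'fake_service.conf')
    with open(path, 'w') as f:
        f.write('listen=0.0.0.0\npassword=OLD\nloglevel=info\n')
    lines = update_password_line(path, 'NEWHASH')
    with open(path) as f:
        return lines, os.stat(path).st_mode & 0o777, f.read()
```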

D.2.2.3. Syncing the attribute

Once the plugin has been created and the attribute has been set in the database, you can sync the attribute to the hosts with the command

# rocks sync host sec_attr
# rocks run host compute command="cat /etc/fake_service.conf" collate=yes
compute-0-1: password=150b95f90c06f127a040a40f98582231369b6fda
compute-0-0: password=150b95f90c06f127a040a40f98582231369b6fda