EOS-23137: Setup passwordless-ssh for nodeadmin user (#6027)

* EOS-23137: Setup passwordless-ssh for nodeadmin user Signed-off-by: Anjali Somwanshi <[email protected]> * Fix codacy issues Signed-off-by: Anjali Somwanshi <[email protected]> * Fix codacy issues Signed-off-by: Anjali Somwanshi <[email protected]> * Fix issues Signed-off-by: Anjali Somwanshi <[email protected]> * Fix issues Signed-off-by: Anjali Somwanshi <[email protected]> * Fix issues Signed-off-by: Anjali Somwanshi <[email protected]> * Fix issues with config file Signed-off-by: Anjali Somwanshi <[email protected]> * remove unwanted commets Signed-off-by: Anjali Somwanshi <[email protected]> * Remove password parameter and ask at command line Signed-off-by: Anjali Somwanshi <[email protected]> * fix typo issue Signed-off-by: Anjali Somwanshi <[email protected]>
Seagate · Aug 9, 2021 · 8f2b7da · 8f2b7da
1 parent d0e0d57
commit 8f2b7da
Show file tree

Hide file tree

Showing 19 changed files with 243 additions and 97 deletions.
diff --git a/api/python/provisioner/__init__.py b/api/python/provisioner/__init__.py
@@ -56,6 +56,10 @@
     shutdown_controller,
     configure_cortx,
     create_user,
+    cluster_id,
+    confstore_export,
+    create_service_user,
+    bootstrap_provisioner,
     replace_node,
     get_release_version,
     get_factory_version,
@@ -104,6 +108,10 @@
     'shutdown_controller',
     'configure_cortx',
     'create_user',
+    'cluster_id',
+    'confstore_export',
+    'create_service_user',
+    'bootstrap_provisioner',
     'replace_node',
     'get_release_version',
     'get_factory_version',

diff --git a/api/python/provisioner/_api_cli.py b/api/python/provisioner/_api_cli.py
@@ -167,6 +167,7 @@ def auth_init(username, password, eauth='pam'):
 mod = sys.modules[__name__]
 for fun in [
     'get_result',
+    'grains_get',
     'pillar_get',
     'pillar_set',
     'get_params',
@@ -187,6 +188,10 @@ def auth_init(username, password, eauth='pam'):
     'shutdown_controller',
     'configure_cortx',
     'create_user',
+    'cluster_id',
+    'confstore_export',
+    'create_service_user',
+    'bootstrap_provisioner',
     'replace_node',
     'get_release_version',
     'get_factory_version',

diff --git a/api/python/provisioner/api.py b/api/python/provisioner/api.py
@@ -780,3 +780,34 @@ def set_private_data_network(local=False, **kwargs):
     :return:
     """
     return _api_call('set_private_data_network', local=local, **kwargs)
+
+def bootstrap_provisioner(nodes, **kwargs):
+    """
+    Bootstrap provisioner
+    """
+    return _api_call('bootstrap_provisioner', nodes, **kwargs)
+
+def create_service_user(user):
+    """
+    Create service user
+
+    :param user: service user username
+
+    :return:
+    """
+    return _api_call('create_service_user', user=user)
+
+def cluster_id(targets=ALL_MINIONS):
+    """
+    Create cluster_id
+
+    :param targets: (optional) targets for cluster_id
+    """
+    return _api_call('cluster_id', targets=targets)
+
+def confstore_export():
+    """
+    Confstore export
+    """
+    return _api_call('confstore_export')
+
diff --git a/api/python/provisioner/commands/bootstrap_provisioner.py b/api/python/provisioner/commands/bootstrap_provisioner.py
@@ -105,7 +105,8 @@ def _prepare_roster(
                 'host': node.host,
                 'user': node.user,
                 'port': node.port,
-                'priv': str(priv_key)
+                'priv': str(priv_key),
+                'sudo': True
             }
             if thin_dir:
                 roster[node.minion_id]['thin_dir'] = str(thin_dir)
@@ -342,7 +343,7 @@ def _prepare_salt_config(self, run_args, ssh_client, profile_paths):  # noqa: E5
         if run_args.rediscover or not specs_pillar_path.exists():
             specs = {
                 node.minion_id: {
-                    'user': 'root',
+                    'user': node.user,
                     'host': node.ping_addrs[0],
                     'port': node.port
                 }
@@ -839,7 +840,6 @@ def _run(self, nodes, **kwargs):  # noqa: MC0001, C901 FIXME
         if not run_args.pypi_repo:
             logger.info("Setting up custom python repository")
             ssh_client.state_apply('repos.pip_config')
-
         try:
             logger.info("Checking passwordless ssh")
             ssh_client.state_apply('ssh.check')
@@ -985,7 +985,8 @@ def _run(self, nodes, **kwargs):  # noqa: MC0001, C901 FIXME
             ssh_client.cmd_run(
                 (
                     'provisioner pillar_set --fpath release.sls'
-                    f' release/type \'"{run_args.dist_type.value}"\''
+                    ' release/type '
+                    f"\"{run_args.dist_type.value}\""
                 ), targets=run_args.primary.minion_id
             )
 
@@ -995,7 +996,7 @@ def _run(self, nodes, **kwargs):  # noqa: MC0001, C901 FIXME
                     (
                         'provisioner pillar_set --fpath release.sls'
                         ' release/deps_bundle_url '
-                        f'\'"{run_args.url_cortx_deps}"\''
+                        f"\"{run_args.url_cortx_deps}\""
                     ), targets=run_args.primary.minion_id
                 )
 
@@ -1004,7 +1005,8 @@ def _run(self, nodes, **kwargs):  # noqa: MC0001, C901 FIXME
                 ssh_client.cmd_run(
                     (
                         'provisioner pillar_set --fpath release.sls'
-                        f' release/target_build \'"{run_args.target_build}"\''
+                        ' release/target_build '
+                        f"\"{run_args.target_build}\""
                     ), targets=run_args.primary.minion_id
                 )
 

diff --git a/api/python/provisioner/commands/cluster_id.py b/api/python/provisioner/commands/cluster_id.py
@@ -213,7 +213,7 @@ def run(self, targets=ALL_MINIONS):
                 PillarSet().run(
                     'cluster/cluster_id',
                     f'{cluster_id_from_setup}',
-                    targets=targets
+                    targets=ALL_MINIONS
                 )
 
                 # Ensure cluster-id file is created in all nodes

diff --git a/api/python/provisioner/inputs.py b/api/python/provisioner/inputs.py
@@ -435,11 +435,7 @@ class PillarInputBase(PillarItemsAPI):
     value: Any = attr.ib(
         metadata={
             METADATA_ARGPARSER: {
-                'help': 'pillar value',
-                'type': functools.partial(
-                    AttrParserArgs.value_from_str, v_type='json'
-                )
-                # 'metavar': 'value'
+                'help': 'pillar value'
             }
         }
     )

diff --git a/api/python/provisioner/salt.py b/api/python/provisioner/salt.py
@@ -752,7 +752,8 @@ def ensure_access(
                             ssh_options=exc.cmd_args.get('kw').get(
                                 'ssh_options'
                             ),
-                            force=True
+                            force=True,
+                            target=target
                         )
                 else:
                     raise
@@ -1126,8 +1127,8 @@ def pillar_get(targets=ALL_MINIONS, **kwargs):
     return function_run('pillar.items', targets=targets, **kwargs)
 
 
-def pillar_refresh(targets=ALL_MINIONS):
-    return function_run('saltutil.refresh_pillar', targets=targets)
+def pillar_refresh(targets=ALL_MINIONS, **kwargs):
+    return function_run('saltutil.refresh_pillar', targets=targets, **kwargs)
 
 
 # TODO test

diff --git a/api/python/provisioner/salt_api/ssh.py b/api/python/provisioner/salt_api/ssh.py
@@ -489,7 +489,8 @@ def ensure_access(
                             ssh_options=exc.cmd_args.get('kw').get(
                                 'ssh_options'
                             ),
-                            force=True
+                            force=True,
+                            target=target
                         )
                 else:
                     raise

diff --git a/api/python/provisioner/srv/salt/ssh/check.sls b/api/python/provisioner/srv/salt/ssh/check.sls
@@ -19,8 +19,14 @@
 
 {% for node_id, node in pillar['node_specs'].items() %}
 
+{%- if node['user'] == 'root' -%}
+  {%- set user_home = '/root' -%}
+{%- else -%}
+  {%- set user_home= '/opt/seagate/users/' + node['user'] -%}
+{% endif %}
+
 check_{{ node_id }}_reachable:
   cmd.run:
-    - name: ssh -q -o "ConnectTimeout=5" {{ node_id }} exit
+    - name: ssh -q -o "ConnectTimeout=5" {{ node['user'] }}@{{ node['host'] }} exit
 
 {% endfor %}
diff --git a/api/python/provisioner/srv/salt/ssh/config.sls b/api/python/provisioner/srv/salt/ssh/config.sls
@@ -17,47 +17,91 @@
 
 # TODO TEST OES-8473
 
-ssh_dir_created:
+{% set users = ['root'] %}
+{% if pillar['node_specs'][grains['id']]['user'] != 'root' %}
+  {% do users.append(pillar['node_specs'][grains['id']]['user']) %}
+{% endif %}
+
+{% for user in users %}
+
+{% if user == 'root' %}
+{%- set user_home = '/root' -%}
+{% else %}
+{%- set user_home = '/opt/seagate/users/' + user -%}
+{% endif %}
+
+{{ user }}_ssh_dir_created:
   file.directory:
-    - name: /root/.ssh
+    - name: {{user_home}}/.ssh
     - mode: 700
+    - user: {{ user }}
+    - group: {{ user }}
 
-ssh_priv_key_deployed:
+{{ user }}_ssh_priv_key_deployed:
   file.managed:
     - show_changes: False
     - keep_source: True
     - mode: 600
     - names:
-      - /root/.ssh/id_rsa_prvsnr:
+      - {{user_home}}/.ssh/id_rsa_prvsnr:
         - source: salt://provisioner/files/minions/all/id_rsa_prvsnr
-      - /root/.ssh/id_rsa:
+      - {{user_home}}/.ssh/id_rsa:
         - source: salt://provisioner/files/minions/all/id_rsa_prvsnr
+    - user: {{ user }}
+    - group: {{ user }}
     - requires:
       - ssh_dir_created
 
-ssh_pub_key_deployed:
+{{ user }}_ssh_pub_key_deployed:
   file.managed:
     - keep_source: True
     - mode: 600
     - names:
-      - /root/.ssh/id_rsa_prvsnr.pub:
+      - {{user_home}}/.ssh/id_rsa_prvsnr.pub:
         - source: salt://provisioner/files/minions/all/id_rsa_prvsnr.pub
-      - /root/.ssh/id_rsa.pub:
+      - {{user_home}}/.ssh/id_rsa.pub:
         - source: salt://provisioner/files/minions/all/id_rsa_prvsnr.pub
+    - user: {{ user }}
+    - group: {{ user }}
     - requires:
       - ssh_dir_created
 
-ssh_key_authorized:
+{{ user }}_ssh_key_authorized:
   ssh_auth.present:
-    - source: /root/.ssh/id_rsa_prvsnr.pub
-    - user: root
+    - source: {{user_home}}/.ssh/id_rsa_prvsnr.pub
+    - user: {{ user }}
+    - group: {{ user }}
     - requires:
       - ssh_pub_key_deployed
 
-ssh_config_updated:
+{{ user }}_ssh_config_updated:
   file.managed:
-    - name: /root/.ssh/config
-    - source: salt://ssh/files/config
-    - keep_source: True
+    - name: {{user_home}}/.ssh/config
+    - contents: |
+        {% for node_id, node in pillar['node_specs'].items() %}
+        Host {{ node['host'] }}
+            HostName {{ node['host'] }}
+            Port {{ node['port'] }}
+            User {{ user }}
+            UserKnownHostsFile /dev/null
+            StrictHostKeyChecking no
+            IdentityFile {{user_home}}/.ssh/id_rsa_prvsnr
+            IdentitiesOnly yes
+            LogLevel ERROR
+            BatchMode yes
+        Host {{ node_id }} {{ node_id }}.data.private
+            HostName {{ node_id }}.data.private
+            Port {{ node['port'] }}
+            User {{ user }}
+            UserKnownHostsFile /dev/null
+            StrictHostKeyChecking no
+            IdentityFile {{user_home}}/.ssh/id_rsa_prvsnr
+            IdentitiesOnly yes
+            LogLevel ERROR
+            BatchMode yes
+        {% endfor %}
     - mode: 600
-    - template: jinja
+    - user: {{ user }}
+    - group: {{ user }}
+
+{% endfor %}
diff --git a/api/python/provisioner/srv/salt/ssh/files/config b/api/python/provisioner/srv/salt/ssh/files/config
@@ -1,14 +1,20 @@
-{% for node_id, node in pillar['node_specs'].items() %}
+{%- for node_id, node in pillar['node_specs'].items() -%}
+
+{%- if node['user'] == 'root' -%}
+  {%- set user_home = '/root' -%}
+{%- else -%}
+  {%- set user_home= '/opt/seagate/users/' + node['user'] -%}
+{% endif %}
 
 Host {{ node_id }} {{ node['host'] }}
     HostName {{ node['host'] }}
     Port {{ node['port'] }}
     User {{ node['user'] }}
     UserKnownHostsFile /dev/null
     StrictHostKeyChecking no
-    IdentityFile /root/.ssh/id_rsa_prvsnr
+    IdentityFile {{user_home}}/.ssh/id_rsa_prvsnr
     IdentitiesOnly yes
     LogLevel ERROR
     BatchMode yes
 
-{% endfor %}
+{%- endfor -%}
diff --git a/api/python/provisioner/ssh.py b/api/python/provisioner/ssh.py
@@ -19,6 +19,7 @@
 import os
 from pathlib import Path
 from typing import Union
+from getpass import getpass
 
 from .utils import run_subprocess_cmd
 
@@ -48,6 +49,7 @@ def copy_id(
     priv_key_path: Union[Path, str] = None,
     force=False,
     ssh_options=None,
+    target=None
 ):
     cmd = ['ssh-copy-id']
 
@@ -66,7 +68,11 @@ def copy_id(
 
     cmd.append(f"{user}@{host}" if user else f"{host}")
 
-    cmd = (['sshpass', '-e'] + cmd) if os.getenv("SSHPASS") else cmd
+    if os.getenv("SSHPASS"):
+        cmd = (['sshpass', '-e'] + cmd)
+    else:
+        password = getpass(prompt=f"Enter {user} user passowrd for {target}:")
+        cmd = (['sshpass', '-p', password] + cmd)
 
     logger.info("Copying keys for ssh password-less connectivity.")
     logger.debug(f"Command: {cmd}")