cloud-init-dev team mailing list archive
-
cloud-init-dev team
-
Mailing list archive
-
Message #05995
Re: [Merge] ~chad.smith/cloud-init:feature/cc-uaclient into cloud-init:master
Inline comment around sso auth
Diff comments:
> diff --git a/cloudinit/config/cc_ubuntu_advantage.py b/cloudinit/config/cc_ubuntu_advantage.py
> index 5e082bd..1a95766 100644
> --- a/cloudinit/config/cc_ubuntu_advantage.py
> +++ b/cloudinit/config/cc_ubuntu_advantage.py
> @@ -1,145 +1,170 @@
> -# Copyright (C) 2018 Canonical Ltd.
> -#
> # This file is part of cloud-init. See LICENSE file for license information.
>
> -"""Ubuntu advantage: manage ubuntu-advantage offerings from Canonical."""
> +"""ubuntu_advantage: Configure Ubuntu Advantage support entitlements"""
>
> -import sys
> from textwrap import dedent
>
> -from cloudinit import log as logging
> from cloudinit.config.schema import (
> get_schema_doc, validate_cloudconfig_schema)
> +from cloudinit import log as logging
> from cloudinit.settings import PER_INSTANCE
> -from cloudinit.subp import prepend_base_command
> from cloudinit import util
>
>
> -distros = ['ubuntu']
> -frequency = PER_INSTANCE
> +UA_URL = 'https://ubuntu.com/advantage'
>
> -LOG = logging.getLogger(__name__)
> +distros = ['ubuntu']
>
> schema = {
> 'id': 'cc_ubuntu_advantage',
> - 'name': 'Ubuntu Advantage',
> - 'title': 'Install, configure and manage ubuntu-advantage offerings',
> + 'name': 'UbuntuAdvantage',
> + 'title': 'Configure Ubuntu Advantage support entitlements',
> 'description': dedent("""\
> - This module provides configuration options to setup ubuntu-advantage
> - subscriptions.
> -
> - .. note::
> - Both ``commands`` value can be either a dictionary or a list. If
> - the configuration provided is a dictionary, the keys are only used
> - to order the execution of the commands and the dictionary is
> - merged with any vendor-data ubuntu-advantage configuration
> - provided. If a ``commands`` is provided as a list, any vendor-data
> - ubuntu-advantage ``commands`` are ignored.
> -
> - Ubuntu-advantage ``commands`` is a dictionary or list of
> - ubuntu-advantage commands to run on the deployed machine.
> - These commands can be used to enable or disable subscriptions to
> - various ubuntu-advantage products. See 'man ubuntu-advantage' for more
> - information on supported subcommands.
> -
> - .. note::
> - Each command item can be a string or list. If the item is a list,
> - 'ubuntu-advantage' can be omitted and it will automatically be
> - inserted as part of the command.
> + Attach machine to an existing Ubuntu Advantage support contract and
> + enable or disable support entitlements such as livepatch, ESM,
> + FIPS, FIPS Updates and CIS Audit tools. When attaching a machine to
> + Advantage, one can either specify explicit entitlements to enable or
> + rely on the entitlement default behavior. When no 'entitlements' list
> + is provided, the default behavior enables both livepatch and esm on
> + supported Ubuntu environments.
> + When 'entitlements' list is present, any named entitlement will be
> + enabled and all absent entitlements will remain disabled.
> + Note when enabling FIPS or FIPS updates a reboot will occur after
> + installation completes to ensure the machine is running the
> + FIPS-compliant kernel.
> """),
> 'distros': distros,
> 'examples': [dedent("""\
> - # Enable Extended Security Maintenance using your service auth token
> - ubuntu-advantage:
> - commands:
> - 00: ubuntu-advantage enable-esm <token>
> + # Attach the machine to a Ubuntu Advantage support contract with a
> + # UA user token obtained from %s.
> + # Default entitlemtents such as livepatch and esm will automatically
> + # be enabled after detachment because no entitlements were specified.
> + ubuntu_advantage:
> + token: <ua_user_token>
> + """ % UA_URL), dedent("""\
> + # Attach the machine to an Ubuntu Advantage support contract using
> + # Ubuntu SSO with optional two-factor authentication. Default
> + # entitlements such as livepatch and esm will be enabled if applicable.
> + ubuntu_advantage:
> + sso_email: <sso_email>
> + sso_password: <sso_password_hash>
> + sso_twofactor: <2fa_code> # if the sso account requires 2fa
Wouldn't this cause race conditions with your 2fa code expiring? I was under the impression that all accounts required 2fa and as such shouldn't we only accept the token-based method instead?
It also seems more prudent to only accept the token instead of someones password which could be used to control many other aspects of their account.
> """), dedent("""\
> - # Enable livepatch by providing your livepatch token
> + # Attach the machine to an Ubuntu Advantage support contract enabling
> + # only fips and entitlements. Entitlementswill only be enabled if
> + # the environment supports said entitlement. Otherwise warnings will
> + # be logged for incompatible entitlements specified.
> ubuntu-advantage:
> - commands:
> - 00: ubuntu-advantage enable-livepatch <livepatch-token>
> -
> - """), dedent("""\
> - # Convenience: the ubuntu-advantage command can be omitted when
> - # specifying commands as a list and 'ubuntu-advantage' will
> - # automatically be prepended.
> - # The following commands are equivalent
> - ubuntu-advantage:
> - commands:
> - 00: ['enable-livepatch', 'my-token']
> - 01: ['ubuntu-advantage', 'enable-livepatch', 'my-token']
> - 02: ubuntu-advantage enable-livepatch my-token
> - 03: 'ubuntu-advantage enable-livepatch my-token'
> + token: <ua_user_token>
> + entitlements:
> + - fips
> + - esm
> """)],
> 'frequency': PER_INSTANCE,
> 'type': 'object',
> 'properties': {
> - 'ubuntu-advantage': {
> + 'ubuntu_advantage': {
> 'type': 'object',
> 'properties': {
> - 'commands': {
> - 'type': ['object', 'array'], # Array of strings or dict
> + 'entitlements': {
> + 'type': 'array',
> 'items': {
> - 'oneOf': [
> - {'type': 'array', 'items': {'type': 'string'}},
> - {'type': 'string'}]
> + 'type': 'string',
> + 'enum': ['esm', 'fips', 'fips-updates', 'livepatch',
> + 'cis-audit']
> },
> - 'additionalItems': False, # Reject non-string & non-list
> - 'minItems': 1,
> - 'minProperties': 1,
> + 'minItems': 0
> + },
> + 'sso_email': {
> + 'type': 'string',
> + 'description': 'SSO email for the UA account'
> + },
> + 'sso_password': {
> + 'type': 'string',
> + 'description': 'Hashed SSO password for the UA account'
> + },
> + 'sso_twofactor': {
> + 'type': 'string',
> + 'description':
> + 'Optional Two-factor authentication code if'
> + ' required on this UA account'
> + },
> + 'token': {
> + 'type': 'string',
> + 'description': "A user-token obtained from %s." % UA_URL
> }
> },
> - 'additionalProperties': False, # Reject keys not in schema
> - 'required': ['commands']
> + 'oneOf': [ # Either sso_* credentials or token, but not both
> + {'required': ['sso_email', 'sso_password'],
> + 'not': {'required': ['token']}},
> + {'required': ['token'],
> + 'not': {'required': [
> + 'sso_email', 'sso_password', 'sso_twofactor']}}
> + ],
> + 'minProperties': 1, # Either token or sso_* creds must be provided
> + 'additionalProperties': False
> }
> }
> }
>
> -# TODO schema for 'assertions' and 'commands' are too permissive at the moment.
> -# Once python-jsonschema supports schema draft 6 add support for arbitrary
> -# object keys with 'patternProperties' constraint to validate string values.
> -
> __doc__ = get_schema_doc(schema) # Supplement python help()
>
> -UA_CMD = "ubuntu-advantage"
> -
> -
> -def run_commands(commands):
> - """Run the commands provided in ubuntu-advantage:commands config.
> +LOG = logging.getLogger(__name__)
>
> - Commands are run individually. Any errors are collected and reported
> - after attempting all commands.
>
> - @param commands: A list or dict containing commands to run. Keys of a
> - dict will be used to order the commands provided as dict values.
> - """
> - if not commands:
> - return
> - LOG.debug('Running user-provided ubuntu-advantage commands')
> - if isinstance(commands, dict):
> - # Sort commands based on dictionary key
> - commands = [v for _, v in sorted(commands.items())]
> - elif not isinstance(commands, list):
> - raise TypeError(
> - 'commands parameter was not a list or dict: {commands}'.format(
> - commands=commands))
> -
> - fixed_ua_commands = prepend_base_command('ubuntu-advantage', commands)
> -
> - cmd_failures = []
> - for command in fixed_ua_commands:
> - shell = isinstance(command, str)
> - try:
> - util.subp(command, shell=shell, status_cb=sys.stderr.write)
> - except util.ProcessExecutionError as e:
> - cmd_failures.append(str(e))
> - if cmd_failures:
> - msg = (
> - 'Failures running ubuntu-advantage commands:\n'
> - '{cmd_failures}'.format(
> - cmd_failures=cmd_failures))
> +def configure_ua(token=None, sso_email=None, sso_password=None,
> + sso_twofactor=None, entitlements=None):
> + """Call ua commandline client to attach or enable entitlements."""
> + sso_auth = any([sso_email, sso_password, sso_twofactor])
> + error = None
> + if not any([token, sso_auth]):
> + error = ('ubuntu_advantage: either token or sso_email and sso_password'
> + ' must be provided')
> + elif token and sso_auth:
> + error = ('ubuntu_advantage: token and sso credentials cannot both be'
> + ' provided')
> + elif sso_auth and not all([sso_email, sso_password]):
> + error = ('ubuntu_advantage: both sso_email and sso_password are'
> + ' required')
> + if error:
> + LOG.error(error)
> + raise RuntimeError(error)
> + attach_cmd = ['ua', 'attach']
> + if token:
> + attach_cmd.append(token)
> + else:
> + attach_cmd.extend(['--email', sso_email, '--password', sso_password])
> + if sso_twofactor:
> + attach_cmd.extend(['--otp', sso_twofactor])
> +
> + entitlement_cmds = []
> + if entitlements is not None: # Entitlements explicitly enabled
> + attach_cmd.append('--no-auto-enable')
> + entitlement_cmds.extend(
> + [['ua', 'enable', name] for name in entitlements])
> +
> + msg = 'Attaching to Ubuntu Advantage. %s' % ' '.join(attach_cmd)
> + if sso_password:
> + msg = msg.replace(sso_password, '<REDACTED>')
> + LOG.debug(msg)
> + try:
> + util.subp(attach_cmd)
> + except util.ProcessExecutionError as e:
> + error = str(e)
> + if sso_password:
> + error = error.replace(sso_password, '<REDACTED>')
> + msg = 'Failure attaching ubuntu advantage:\n{error}'.format(
> + error=error)
> util.logexc(LOG, msg)
> raise RuntimeError(msg)
> + for cmd in entitlement_cmds:
> + try:
> + util.subp(cmd, capture=True)
> + except util.ProcessExecutionError as e:
> + msg = 'Failure enabling ubuntu advantage:\n{error}'.format(
> + error=str(e))
> + util.logexc(LOG, msg)
> + raise RuntimeError(msg)
>
>
> def maybe_install_ua_tools(cloud):
--
https://code.launchpad.net/~chad.smith/cloud-init/+git/cloud-init/+merge/362161
Your team cloud-init commiters is requested to review the proposed merge of ~chad.smith/cloud-init:feature/cc-uaclient into cloud-init:master.
References
