add extraSshPublicKeys options to jclouds allows extra public keys to be supplied to authorized_keys on provisioned vm's
Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/50395595 Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/50395595 Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/50395595 Branch: refs/heads/master Commit: 50395595f9a808af254a715516adce6b1ae5d93c Parents: c3828fb Author: Alex Heneveld <[email protected]> Authored: Thu Jan 22 20:42:08 2015 +0000 Committer: Alex Heneveld <[email protected]> Committed: Thu Jan 22 20:56:04 2015 +0000 ---------------------------------------------------------------------- .../location/jclouds/JcloudsLocation.java | 24 +++++++++++++++----- .../location/jclouds/JcloudsLocationConfig.java | 6 ++++- 2 files changed, 23 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/50395595/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocation.java ----------------------------------------------------------------------
diff --git a/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocation.java b/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocation.java
index ec76330..0916b21 100644
--- a/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocation.java
+++ b/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocation.java
@@ -111,7 +111,9 @@ import brooklyn.location.jclouds.templates.PortableTemplateBuilder;
 import brooklyn.location.jclouds.zone.AwsAvailabilityZoneExtension;
 import brooklyn.management.AccessController;
 import brooklyn.util.ResourceUtils;
+import brooklyn.util.collections.MutableList;
 import brooklyn.util.collections.MutableMap;
+import brooklyn.util.collections.MutableSet;
 import brooklyn.util.config.ConfigBag;
 import brooklyn.util.crypto.SecureKeys;
 import brooklyn.util.exceptions.CompoundRuntimeException;
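Review bot: `import brooklyn.util.collections.MutableSet;` is added next to MutableList, but nothing in this commit's hunks references MutableSet; unless it is used elsewhere in the file outside the shown hunks, it is an unused import and should be dropped. MutableList is the one the new authorized-keys block in the @@ -760 hunk actually needs.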
@@ -180,8 +182,6 @@ public class JcloudsLocation extends AbstractCloudMachineProvisioningLocation im // TODO test (and fix) ability to set config keys from flags - // TODO need a way to define imageId (and others?) with a specific location - // TODO we say config is inherited, but it isn't the case for many "deep" / jclouds properties // e.g. when we pass getRawLocalConfigBag() in and decorate it with additional flags // (inheritance only works when we call getConfig in this class)
@@ -760,6 +760,17 @@ public class JcloudsLocation extends AbstractCloudMachineProvisioningLocation im
 List<String> cmds = ImmutableList.of(IptablesCommands.iptablesServiceStop(), IptablesCommands.iptablesServiceStatus());
 sshMachineLocation.execCommands("Stopping iptables", cmds);
 }
+
+ List<String> extraKeyUrlsToAuth = setup.get(EXTRA_PUBLIC_KEYS_TO_AUTH);
+ if (extraKeyUrlsToAuth!=null && !extraKeyUrlsToAuth.isEmpty()) {
+ List<String> extraKeyDataToAuth = MutableList.of();
+ for (String keyUrl: extraKeyUrlsToAuth) {
+ extraKeyDataToAuth.add(ResourceUtils.create().getResourceAsString(keyUrl));
+ }
+ sshMachineLocation.execCommands("Authorizing ssh keys",
+ MutableList.of(new AuthorizeRSAPublicKeys(extraKeyDataToAuth).render(org.jclouds.scriptbuilder.domain.OsFamily.UNIX)));
+ }
+
 } else {
 // Otherwise we have deliberately not waited to be ssh'able, so don't try now to
 // ssh to exec these commands!
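Review bot: In the @@ -760 hunk each `extraSshPublicKeys` entry is fetched with `ResourceUtils.create().getResourceAsString(keyUrl)` and passed straight to `AuthorizeRSAPublicKeys` with no check that it is public-key material, so an HTML error page from a misconfigured URL, an empty file, or a private key referenced by mistake would be appended verbatim to authorized_keys on every VM this location provisions (the last case also copies secret material onto the machine). I would validate each fetched string before adding it and fail provisioning with a message naming the offending resource, as sketched below; the project's SecureKeys helpers may offer a stricter parse than the format check shown. Since the config key accepts URLs, its documentation should also steer users to file or TLS-served sources so the key cannot be substituted in transit. The new block only runs in the "waited to be ssh'able" branch, so when the else branch runs the keys are silently not installed — a `LOG.warn` there would stop operators assuming access was granted. The enclosing method begins and ends outside the hunk.
```java
for (String keyUrl: extraKeyUrlsToAuth) {
    String keyData = ResourceUtils.create().getResourceAsString(keyUrl);
    if (keyData == null || keyData.trim().isEmpty()) {
        throw new IllegalStateException("Resource '"+keyUrl+"' for extraSshPublicKeys is empty");
    }
    // Only accept OpenSSH public-key lines; anything else (error page, PEM private key)
    // would otherwise be appended to authorized_keys as-is. Extend the type list if needed.
    for (String line : keyData.split("\\r?\\n")) {
        if (!line.trim().isEmpty() && !line.trim().matches("(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\\S+) \\S+.*")) {
            // deliberately not echoing the line: it may be private-key material
            throw new IllegalStateException("Resource '"+keyUrl+"' does not look like an SSH public key");
        }
    }
    extraKeyDataToAuth.add(keyData);
}
// … unchanged: execCommands("Authorizing ssh keys", …) …
```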
@@ -775,8 +786,8 @@ public class JcloudsLocation extends AbstractCloudMachineProvisioningLocation im
 LOG.info("Finished VM "+setup.getDescription()+" creation:"
 + " "+sshMachineLocation.getUser()+"@"+sshMachineLocation.getAddress()+":"+sshMachineLocation.getPort()
 + (Boolean.TRUE.equals(setup.get(LOG_CREDENTIALS))
- ? "password=" + (userCredentials.getOptionalPassword().isPresent() ? userCredentials.getOptionalPassword() : "<absent>")
- + " && key=" + (userCredentials.getOptionalPrivateKey().isPresent() ? userCredentials.getOptionalPrivateKey() : "<absent>")
+ ? "password=" + userCredentials.getOptionalPassword().or("<absent>")
+ + " && key=" + userCredentials.getOptionalPrivateKey().or("<absent>")
 : "")
 + " ready after "+Duration.of(provisioningStopwatch).toStringRounded()
 + " ("+template+" template built in "+Duration.of(templateTimestamp).toStringRounded()+";"
@@ -1435,8 +1446,9 @@ public class JcloudsLocation extends AbstractCloudMachineProvisioningLocation im
 // (we build the creds below)
 adminBuilder.installAdminPrivateKey(false).adminPrivateKey(Identifiers.makeRandomId(12)+"-ignored");
- // lock SSH (key only) iff there is a public key and no password supplied
- adminBuilder.lockSsh(useKey && !config.get(JcloudsLocationConfig.DISABLE_ROOT_AND_PASSWORD_SSH));
+ // lock SSH means no root login and no passwordless login
+ // if we're using a password or we don't have sudo, then don't do this!
+ adminBuilder.lockSsh(useKey && grantUserSudo && !config.get(JcloudsLocationConfig.DISABLE_ROOT_AND_PASSWORD_SSH));
 statements.add(adminBuilder.build());
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/50395595/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocationConfig.java
----------------------------------------------------------------------
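Review bot: In the @@ -1435 hunk the new `grantUserSudo` conjunct means a user created without sudo now gets a machine whose root login and password authentication stay however the image shipped them, whereas the old condition locked SSH whenever a key was in use; the comment hints this is because lockSsh needs sudo to rewrite sshd_config, but the weakening happens silently. I would make it visible next to the lockSsh call, e.g. `if (useKey && !grantUserSudo) LOG.warn("Not locking SSH: user has no sudo, so root/password login remain as configured by the image");`, and have the comment name all three conditions: `// lockSsh disables root login and password auth; requires a key to log in with, sudo to edit sshd_config, and DISABLE_ROOT_AND_PASSWORD_SSH unset`. In the @@ -775 hunk the message still prints the password and private key at INFO whenever LOG_CREDENTIALS is set — pre-existing and opt-in, but a `// debugging aid only: emits secrets to the log` comment on that branch would make the intent explicit. `useKey` and `grantUserSudo` are defined outside the hunk, and the enclosing method starts and ends outside it.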
diff --git a/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocationConfig.java b/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocationConfig.java
index 91a47dd..4e57fa2 100644
--- a/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocationConfig.java
+++ b/locations/jclouds/src/main/java/brooklyn/location/jclouds/JcloudsLocationConfig.java
@@ -19,6 +19,7 @@ package brooklyn.location.jclouds;
 import java.util.Collection;
+import java.util.List;
 import java.util.concurrent.Semaphore;
 import org.jclouds.Constants;
@@ -71,7 +72,10 @@ public interface JcloudsLocationConfig extends CloudLocationConfig {
 public static final ConfigKey<String> LOGIN_USER_PRIVATE_KEY_FILE = ConfigKeys.newStringConfigKey("loginUser.privateKeyFile", "Custom private key for the user who logs in initially", null);
 public static final ConfigKey<String> EXTRA_PUBLIC_KEY_DATA_TO_AUTH = ConfigKeys.newStringConfigKey("extraSshPublicKeyData",
- "Additional public key data to add to authorized_keys", null);
+ "Additional public key data to add to authorized_keys", null);
+ @SuppressWarnings("serial")
+ public static final ConfigKey<List<String>> EXTRA_PUBLIC_KEYS_TO_AUTH = ConfigKeys.newConfigKey(new TypeToken<List<String>>() {},
+ "extraSshPublicKeys", "Additional public keys (files or URLs) to add to authorized_keys", null);
 public static final ConfigKey<Boolean> DONT_CREATE_USER = ConfigKeys.newBooleanConfigKey("dontCreateUser",
 "Whether to skip creation of 'user' when provisioning machines (default false)", false);
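Review bot: The description of `EXTRA_PUBLIC_KEYS_TO_AUTH` in the @@ -71 hunk says "files or URLs" but not what is done with them: per the JcloudsLocation change in this commit each entry is read by the Brooklyn process at provisioning time and its contents appended as-is to the login user's authorized_keys, which is exactly what a user deciding whether to point it at a URL needs to know. I would expand it to `"Additional public keys (files or URLs) to add to authorized_keys; each resource is read when the machine is provisioned and its contents appended as-is, so reference only trusted sources"`. It should also say how this key relates to `extraSshPublicKeyData` one line above, since the names differ by a single word and a reader cannot tell whether one supersedes the other. The only change to EXTRA_PUBLIC_KEY_DATA_TO_AUTH is re-indenting its continuation line, which is whitespace noise in an otherwise functional commit.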
