As a replacement for shadow attributes, we introduced the Rocks secure attributes infrastructure. The change was driven by an internal problem: shadow attributes were still readable by the apache user, whereas secure attributes are not accessible to anyone but the root user.
Secure attributes are not synced along with the regular attributes. They are pushed between hosts completely out of band over standard SSH.
The secure attributes infrastructure consists of two parts:
The secure attribute itself, which is stored in the database.
Plugins, in the form of python code, which define how to act on the secure attribute. These plugins reside in /opt/rocks/var/plugins/sec_attr/ and have a very simple API.
The Rocks secure attribute plugin class inherits a single class called
This example is a very simple fictitious use-case. A service called fake_service runs on all compute nodes and stores a SHA-hashed password in its configuration file, /etc/fake_service.conf. These are the contents of the config file:
# cat /etc/fake_service.conf
password=150b95f90c06f127a040a40f98582231369b6fda
This password can be stored in the database as a secure attribute. To store the password as a secure attribute for the compute appliance under the name fake_svc_pw, run
# rocks set host sec_attr compute attr=fake_svc_pw enc=sha
Enter fake_svc_pw:
Confirm fake_svc_pw:
Enter the password string and confirm it (the same way you would when changing the root password). The value is never passed on the command line, so it does not end up in the shell history or in the process list.
Secure attribute plugins are located in the /opt/rocks/var/plugins/sec_attr directory. These plugins are written in python and expose a very simple API. Two functions must be part of every plugin.
function returns the name of the secure attribute as stored in the database. In the example, this would return fake_svc_pw. This name must match the attribute name in the database exactly. If multiple plugins return the same value from this function, the last match wins.
filter: This function is the workhorse of the plugin. It takes in a single value (the secure attribute's value) and performs the desired manipulation, filtering, and storage on it.
The plugin for the above example is
The name of the file is irrelevant. The sync command iterates over all available plugins and uses the last match on the return value of
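As an added example, and not code from the Rocks project, this is what a plugin for the fake_service case could look like. The page does not show the base class a Rocks plugin inherits or the name of the function that returns the attribute name, so the flat module layout, the name get_attr, and the helpers render_config, write_password and self_check are all assumptions made here. The plugin rewrites /etc/fake_service.conf with an atomic rename and mode 0600, so the value never sits in a readable temp file and a crash cannot leave a truncated config, and it rejects values containing a newline so a single attribute cannot inject extra config keys:

```python
# Added example of a secure-attribute plugin in the shape this page describes.
# Not Rocks code: the base class and the attribute-name function are not shown
# on the page, so get_attr and the helper layout below are assumptions.
import os
import re
import shutil
import stat
import tempfile

CONF_PATH = "/etc/fake_service.conf"   # target file from the page's example
ATTR_NAME = "fake_svc_pw"              # must match `rocks set host sec_attr ... attr=`
PASSWORD_LINE = re.compile(r"^password=.*$", re.MULTILINE)


def get_attr():
    """Assumed name for the function returning the attribute this plugin handles.

    The last plugin whose return value matches the database attribute wins,
    so the string must be exact."""
    return ATTR_NAME


def render_config(existing, value):
    """Return the config text with the password= line replaced (or appended).

    Every other line is kept, so an unrelated setting is never lost."""
    if not value or "\n" in value or "\r" in value:
        # A value carrying a newline could smuggle extra keys into the config.
        raise ValueError("secure attribute value must be a single non-empty line")
    new_line = "password=" + value
    if PASSWORD_LINE.search(existing):
        # A callable replacement keeps backslashes in the value literal;
        # a plain re.sub string would interpret them as backreferences.
        return PASSWORD_LINE.sub(lambda _m: new_line, existing, count=1)
    sep = "" if (not existing or existing.endswith("\n")) else "\n"
    return existing + sep + new_line + "\n"


def write_password(path, value):
    """Rewrite `path` with the new password line: temp file in the same
    directory, fsync, chmod 0600, then an atomic rename over the old file."""
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    text = render_config(existing, value)
    fd, tmp = tempfile.mkstemp(prefix=".fake_service.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)  # 0600 regardless of umask
        os.replace(tmp, path)                        # atomic: old or new, never half
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return text


def filter(value):
    """Plugin workhorse, named as on the page: receives the single attribute
    value from the sync and stores it in the service config."""
    return write_password(CONF_PATH, value)


def self_check():
    """Exercise write_password on a scratch copy of the config (constructed
    sample content); returns the resulting text and file mode."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "fake_service.conf")
        with open(path, "w") as f:
            f.write("# constructed sample config\nport=8080\npassword=OLD\n")
        write_password(path, "150b95f90c06f127a040a40f98582231369b6fda")
        with open(path) as f:
            text = f.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        shutil.rmtree(workdir)
    return text, mode


if __name__ == "__main__":
    print(self_check())
```

Running the module directly only touches a scratch directory; when deployed under /opt/rocks/var/plugins/sec_attr/ the sync would call filter(), which writes the real /etc/fake_service.conf. The self_check helper exists so the rewrite logic can be exercised without root and without touching the live file.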
Once the plugin has been created and the attribute has been assigned in the database, push the attribute to the hosts with the sync command and verify the result on the compute nodes:
# rocks sync host sec_attr
# rocks run host compute command="cat /etc/fake_service.conf" collate=yes
compute-0-1: password=150b95f90c06f127a040a40f98582231369b6fda
compute-0-0: password=150b95f90c06f127a040a40f98582231369b6fda