make encryption default while running cloud-setup-database

2025-11-03 04:12:31 +01:00 · 2011-11-28 13:26:14 -08:00 · 2011-11-28 13:26:14 -08:00 · c50250ca43
commit c50250ca43
parent 623a048d13
1 changed files with 15 additions and 9 deletions
--- a/setup/bindir/cloud-setup-databases.in
+++ b/setup/bindir/cloud-setup-databases.in
@ -406,6 +406,10 @@ for example:
            cmd = ['java','-classpath',self.encryptionJarPath,'org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI', 'encrypt.sh', 'input=%s'%input, 'password=%s'%self.mgmtsecretkey,'verbose=false']
            return runCmd(cmd).strip('\n')
        
+        def saveMgmtServerSecretKey():
+            if self.encryptiontype == 'file':
+                file(self.encryptionKeyFile, 'w').write(self.mgmtsecretkey)
+                
        def formatEncryptResult(value):
            return 'ENC(%s)'%value
        
@ -422,8 +426,8 @@ for example:
            self.putDbProperty('db.usage.password', formatEncryptResult(encrypt(usagePassword)))
        
        self.info("Processing encryption ...", None)
-        file(self.encryptionKeyFile, 'w').write(self.encryptiontype)
        self.putDbProperty("db.cloud.encryption.type", self.encryptiontype)
+        saveMgmtServerSecretKey()
        encryptDBSecretKey()
        encryptDBPassword()
        self.info(None, True)
@ -504,7 +508,7 @@ for example:
            self.info("Mysql server port:%s"%self.port, True)
            
    #---------------------- option parsing and command line checks ------------------------
-        usage = """%prog user:[password]@mysqlhost:[port] [--deploy-as=rootuser:[rootpassword]] [--auto=/path/to/server-setup.xml]
+        usage = """%prog user:[password]@mysqlhost:[port] [--deploy-as=rootuser:[rootpassword]] [--auto=/path/to/server-setup.xml] [-e ENCRYPTIONTYPE] [-m MGMTSECRETKEY] [-k DBSECRETKEY] [--debug]
    
    This command sets up the CloudStack Management Server and CloudStack Usage Server database configuration (connection credentials and host information) based on the first argument.
    
@ -528,6 +532,11 @@ for example:
        sets alex up as the MySQL user, then connects as the root user
        with password 'nonsense', and recreates the databases, creating
        the user alex with password 'founder' as necessary
+
+    %prog alex:founder@1.2.3.4 --deploy-as=root:nonsense -e file -m password -k dbpassword
+        In addition actions performing in above example, using 'password' as management server encryption key
+        and 'dbpassword' as database encryption key, saving management server encryption key to a file as the
+        encryption type specified by -e is file.
    
    %prog alena:tests@5.6.7.8 --deploy-as=root:nonsense --auto=/root/server-setup.xml
        sets alena up as the MySQL user, then connects as the root user
@ -543,13 +552,11 @@ for example:
        self.parser.add_option("-a", "--auto", action="store", type="string", dest="serversetup", default="",
                          help="Path to an XML file describing an automated unattended cloud setup")
        self.parser.add_option("-e", "--encrypt-type", action="store", type="string", dest="encryptiontype", default="file",
-                          help="Encryption method used for db password encryption, could be file. Default is file")
+                          help="Encryption method used for db password encryption. Valid values are file, web. Default is file.")
        self.parser.add_option("-m", "--managementserver-secretkey", action="store", type="string", dest="mgmtsecretkey", default="password",
-                          help="Secret key used for encrypt. A string, default is password")
+                          help="Secret key used to encrypt confidential parameters in db.properties. A string, default is password")
        self.parser.add_option("-k", "--database-secretkey", action="store", type="string", dest="dbsecretkey", default="password",
-                          help="Secret key used for encrypt. A string, default is password")
-        self.parser.add_option("-t", "--test-encryption", action="store_true", dest="testencryption", default=False,
-                          help="If enabled, will process encryption")
+                          help="Secret key used to encrypt sensitive database values. A string, default is password")
        
        (self.options, self.args) = self.parser.parse_args()
        parseCasualCredit()
@ -563,8 +570,7 @@ for example:
            self.grabSystemInfo()
            self.prepareDBFiles()
            self.setupDBSchema()
-            if self.options.testencryption:
-                self.processEncryptionStuff()
+            self.processEncryptionStuff()
            self.finalize()
        finally:
            self.postRun()