# HG changeset patch
# User Dejan Muhamedagic
# Date 1313760016 -7200
# Node ID 3a81b7eae66672dd9873fe6b53ee3c0da6fc87d7
# Parent e8ea8fb95f310997995576ee831693b0d3b2736a
Medium: Shell: support for LRM secrets in resource level
diff --git a/doc/crm.8.txt b/doc/crm.8.txt
--- a/doc/crm.8.txt
+++ b/doc/crm.8.txt
@@ -869,6 +869,34 @@ Example:
 param ip_0 show ip
 ...............
+[[cmdhelp_resource_secret,manage sensitive parameters]]
+==== `secret`
+
+Sensitive parameters can be kept in local files rather than CIB
+in order to prevent accidental data exposure. Use the `secret`
+command to manage such parameters. `stash` and `unstash` move the
+value from the CIB and back to the CIB respectively. The `set`
+subcommand sets the parameter to the provided value. `delete`
+removes the parameter completely. `show` displays the value of
+the parameter from the local file. Use `check` to verify if the
+local file content is valid.
+
+Usage:
+...............
+ secret set
+ secret stash
+ secret unstash
+ secret delete
+ secret show
+ secret check
+...............
+Example:
+...............
+ secret fence_1 show password
+ secret fence_1 stash password
+ secret fence_1 set password secret_value
+...............
+
 [[cmdhelp_resource_meta,manage a meta attribute]]
 ==== `meta`
diff --git a/shell/modules/ui.py.in b/shell/modules/ui.py.in
--- a/shell/modules/ui.py.in
+++ b/shell/modules/ui.py.in
@@ -661,7 +661,8 @@ def manage_attr(cmd,attr_ext_commands,*a
 else:
 bad_usage(cmd,' '.join(args))
 return False
- elif args[1] in ('delete','show'):
+ elif args[1] in ('delete','show') or \
+ (cmd == "secret" and args[1] in ('stash','unstash','check')):
 if len(args) == 3:
 if not is_name_sane(args[0]) \
 or not is_name_sane(args[2]):
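Review bot: The added condition `cmd == "secret" and args[1] in ('stash','unstash','check')` hard-codes one command's name and subcommands into the shared `manage_attr` helper, so this tuple and the keys of `rsc_secret` have to be kept in step by hand. Presumably `attr_ext_commands` already carries the valid subcommands, in which case `elif args[1] != 'set' and args[1] in attr_ext_commands:` would accept them without naming `secret`; confirm against the rest of the function, which starts and ends outside this hunk. The `is_name_sane` checks on `args[0]` and `args[2]` in this branch do cover the new subcommands.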
@@ -770,6 +771,14 @@ program.
 'delete': "crm_resource -z -r '%s' -d '%s'",
 'show': "crm_resource -z -r '%s' -g '%s'",
 }
+ rsc_secret = {
+ 'set': "cibsecret set '%s' '%s' '%s'",
+ 'stash': "cibsecret stash '%s' '%s'",
+ 'unstash': "cibsecret unstash '%s' '%s'",
+ 'delete': "cibsecret delete '%s' '%s'",
+ 'show': "cibsecret get '%s' '%s'",
+ 'check': "cibsecret check '%s' '%s'",
+ }
 rsc_refresh = "crm_resource -R"
 rsc_refresh_node = "crm_resource -R -H '%s'"
 rsc_reprobe = "crm_resource -P"
@@ -787,6 +796,7 @@ program.
 self.cmd_table["migrate"] = (self.migrate,(1,4),0,1)
 self.cmd_table["unmigrate"] = (self.unmigrate,(1,1),0,1)
 self.cmd_table["param"] = (self.param,(3,4),1,1)
+ self.cmd_table["secret"] = (self.secret,(3,4),1,1)
 self.cmd_table["meta"] = (self.meta,(3,4),1,1)
 self.cmd_table["utilization"] = (self.utilization,(3,4),1,1)
 self.cmd_table["failcount"] = (self.failcount,(3,4),0,0)
@@ -924,6 +934,16 @@ program.
 param show """
 d = lambda: manage_attr(cmd,self.rsc_param,*args)
 return d()
+ def secret(self,cmd,*args):
+ """usage:
+ secret set
+ secret stash
+ secret unstash
+ secret delete
+ secret show
+ secret check """
+ d = lambda: manage_attr(cmd,self.rsc_secret,*args)
+ return d()
 def meta(self,cmd,*args):
 """usage:
 meta set
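Review bot: The `'set'` entry of the new `rsc_secret` table, `"cibsecret set '%s' '%s' '%s'"`, places the secret value in a command string, so it appears on the `cibsecret` command line and may be readable by other local users in the process list while the command runs. Quoting also matters more here than for `rsc_param`: a password containing a single quote would end the quoted argument, and the `set` branch of `manage_attr` that would have to reject or escape it lies outside these hunks. Consider passing the value through stdin or an argument list without a shell, if `cibsecret` and the shell's command runner allow it, and until then add a comment such as `# NOTE: value is passed on the command line and is visible in process listings`. The documented example `secret fence_1 set password secret_value` carries the same exposure in any command history the shell keeps.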