Add server-side confluentdbutil showattrib subcommand#223
Conversation
jjohnson42
left a comment
There was a problem hiding this comment.
At first glance, thinking it could go for some simplification. Auditlog and checking the user explicitly I think are superfluous since this utility is just run directly as the user without setuid or setgid or any daemon wrapping it.
|
Yeah makes sense. Removed these checks. |
|
Might as well show the crypted attributes, maybe of limited utility to most folks, but someone might have a use for it, like feeding it to hashcat to see how well it stands up. |
|
Added crypted values and some notes to nodeattrib man pages. |
|
We have no filter now so I'll just make this work for all the attributes so it can be used to get attributes if |
bcc5efe to
8b19e19
Compare
|
Ok I guess it's finished now and is basically an offline / server-side version of nodeattrib. I just tried to match nodeattribs output formatting but didn't implement all it's features. I think that's more than good enough for it's usecase. |
Adds `confluentdbutil showattrib <noderange> <attribute>...` to print the node attribute. In contrast to nodeattrib it shows secrets and crypted values, too. It's server-side only: reads the config store and master key directly, never over the API. It's read-only and works without confluentd running.
This PR adds
confluentdbutil showattrib <noderange> <attribute>..., which prints stored attribute values directly from the on-disk config store. Unlikenodeattrib, it revealssecret.*(decrypted plaintext, e.g. a node's BMC password) andcrypted.*(stored one-way hashes). Reading the store directly, it also works while confluent is stopped. Reuses the daemon'sget_node_attributes(..., decrypt=True)and formats values likenodeattrib.Why
No supported way existed to read a secret back out. The
nodeattrib/the API only report whether a secret is set (crypt attributes are masked viamsg.CryptedAttributesbefore any transport). Pretty much every confluent user asks me about this.Fixes: #200
Security implications
autogen=False).Note: This capability "already existed". Any root user on the server could get the same plaintext with a few lines of Python.
Resolved open question
Showing
crypted.*too: yes. They're one-way hashes, but exposing the stored hash is handy for automation and makes this a complete offline attribute reader. Now, all attributes are available via this subcommand.