geofront.masterkey — Master key management¶
Master key renewal process:
- Create a new master key without updating the master key store.
- Update every authorized_keys to authorize both the previous and the new master keys.
- Store the new master key to the master key store, and remove the previous master key.
- Update very authorized_keys to authorize only the new master key.
For more details, see also TwoPhaseRenewal.
- class geofront.masterkey.CloudMasterKeyStore(driver: libcloud.storage.base.StorageDriver, container: libcloud.storage.base.Container, object_name: str)¶
Store the master key into the cloud object storage e.g. AWS S3. It supports more than 20 cloud providers through the efforts of Libcloud.
from geofront.masterkey import CloudMasterKeyStore from libcloud.storage.types import Provider from libcloud.storage.providers import get_driver driver_cls = get_driver(Provider.S3) driver = driver_cls('api key', 'api secret key') container = driver.get_container(container_name='my-master-key-bucket') MASTER_KEY_STORE = CloudMasterKeyStore(container)
Parameters: - driver (libcloud.storage.base.StorageDriver) – the libcloud storage driver
- container (libcloud.storage.base.Container) – the block storage container
- object_name (str) – the object name to use
See also
- Object Storage — Libcloud
- Storage API allows you to manage cloud object storage and services such as Amazon S3, Rackspace CloudFiles, Google Storage and others.
- exception geofront.masterkey.EmptyStoreError¶
Exception that rises when there’s no master key yet in the store.
- class geofront.masterkey.FileSystemMasterKeyStore(path: str)¶
Store the master key into the file system. Although not that secure, but it might help you to try out Geofront.
Parameters: path (str) – the path to save file. it has to end with the filename Raises OSError: when the path is not writable
- class geofront.masterkey.MasterKeyStore¶
The master key store backend interface. It can have only one master key at the most.
- load() → paramiko.pkey.PKey¶
Load the stored master key.
Returns: the stored master key Return type: paramiko.pkey.PKey Raises geofront.masterkey.EmptyStoreError: when there’s no master key yet in the store
- save(master_key: paramiko.pkey.PKey)¶
Remove the stored master key, and then save the new master key. The operation should be atomic.
Parameters: master_key (paramiko.pkey.PKey) – the new master key to replace the existing master key
- class geofront.masterkey.PeriodicalRenewal(servers: collections.abc.Set, key_store: geofront.masterkey.MasterKeyStore, interval: datetime.timedelta, start: bool=True)¶
Periodically renew the master key in the separated background thread.
Parameters: - servers (collections.abc.Set) – servers to renew the master key. every element has to be an instance of Remote
- key_store (MasterKeyStore) – the master key store to update
- interval (datetime.timedelta) – the interval to renew
- start (bool) – whether to start the background thread immediately. True by default
- terminate()¶
Graceful termination.
- class geofront.masterkey.TwoPhaseRenewal(servers: collections.abc.Set, old_key: paramiko.pkey.PKey, new_key: paramiko.pkey.PKey)¶
Renew the master key for the given servers. It’s a context manager for with statement.
# State: servers allow only old_key; # old_key is in the master_key_store with TwoPhaseRenewal(servers, old_key, new_key): # State: *servers allow both old_key and new_key;* # old_key is in the master_key_store master_key_store.save(new_key) # State: servers allow both old_key and new_key; # *new_key is in the master_key_store.* # State: *servers allow only new_key;* # new_key is in the master_key_store
Parameters: - servers (collections.abc.Set) – the set of Remote servers to renew their master key
- old_key (paramiko.pkey.PKey) – the previous master key to expire
- new_key (paramiko.pkey.PKey) – the new master key to replace old_key
- geofront.masterkey.read_private_key_file(file_: io.IOBase) → paramiko.pkey.PKey¶
Read a private key file. Similar to PKey.from_private_key() except it guess the key type.
Parameters: file (io.IOBase) – a stream of the private key to read Returns: the read private key Return type: paramiko.pkey.PKery Raises paramiko.ssh_exception.SSHException: when something goes wrong
- geofront.masterkey.renew_master_key(servers: collections.abc.Set, key_store: geofront.masterkey.MasterKeyStore) → paramiko.pkey.PKey¶
Renew the master key. It creates a new master key, makes servers to authorize the new key, replaces the existing master key with the new key in the key_store, and then makes servers to deauthorize the old key. All these operations are done in a two-phase renewal transaction.
Parameters: - servers (collections.abc.Set) – servers to renew the master key. every element has to be an instance of Remote
- key_store (MasterKeyStore) – the master key store to update
Returns: the created new master key
Return type: