geofront.masterkey
— Master key management¶
Master key renewal process:
- Create a new master key without updating the master key store.
- Update every
authorized_keys
to authorize both the previous and the new master keys. - Store the new master key to the master key store, and remove the previous master key.
- Update very
authorized_keys
to authorize only the new master key.
For more details, see also TwoPhaseRenewal
.
Changed in version 0.2.0: CloudMasterKeyStore
is moved from this module to
geofront.backends.cloud
.
See CloudMasterKeyStore
.
-
exception
geofront.masterkey.
EmptyStoreError
¶ Exception that rises when there’s no master key yet in the store.
-
class
geofront.masterkey.
FileSystemMasterKeyStore
(path: str)¶ Store the master key into the file system. Although not that secure, but it might help you to evaluate Geofront.
Parameters: path ( str
) – the path to save file. it has to end with the filenameRaises OSError: when the path
is not writable
-
class
geofront.masterkey.
MasterKeyStore
¶ The master key store backend interface. It can have only one master key at the most.
-
load
() → paramiko.pkey.PKey¶ Load the stored master key.
Returns: the stored master key Return type: paramiko.pkey.PKey
Raises geofront.masterkey.EmptyStoreError: when there’s no master key yet in the store
-
save
(master_key: paramiko.pkey.PKey)¶ Remove the stored master key, and then save the new master key. The operation should be atomic.
Parameters: master_key ( paramiko.pkey.PKey
) – the new master key to replace the existing master key
-
-
class
geofront.masterkey.
PeriodicalRenewal
(servers: collections.abc.Set, key_store: geofront.masterkey.MasterKeyStore, interval: datetime.timedelta, bits: int=2048, start: bool=True)¶ Periodically renew the master key in the separated background thread.
Parameters: - servers (
collections.abc.Set
) – servers to renew the master key. every element has to be an instance ofRemote
- key_store (
MasterKeyStore
) – the master key store to update - interval (
datetime.timedelta
) – the interval to renew - bits (
int
) – the number of bits the generated key should be. it has to be 1024 at least, and a multiple of 256. 2048 by default - start (
bool
) – whether to start the background thread immediately.True
by default
New in version 0.2.0: The
bits
optional parameter.-
terminate
()¶ Graceful termination.
- servers (
-
class
geofront.masterkey.
TwoPhaseRenewal
(servers: collections.abc.Set, old_key: paramiko.pkey.PKey, new_key: paramiko.pkey.PKey)¶ Renew the master key for the given
servers
. It’s a context manager forwith
statement.# State: servers allow only old_key; # old_key is in the master_key_store with TwoPhaseRenewal(servers, old_key, new_key): # State: *servers allow both old_key and new_key;* # old_key is in the master_key_store master_key_store.save(new_key) # State: servers allow both old_key and new_key; # *new_key is in the master_key_store.* # State: *servers allow only new_key;* # new_key is in the master_key_store
Parameters: - servers (
collections.abc.Set
) – the set ofRemote
servers to renew their master key - old_key (
paramiko.pkey.PKey
) – the previous master key to expire - new_key (
paramiko.pkey.PKey
) – the new master key to replaceold_key
- servers (
-
geofront.masterkey.
read_private_key_file
(file_: io.IOBase) → paramiko.pkey.PKey¶ Read a private key file. Similar to
PKey.from_private_key()
except it guess the key type.Parameters: file ( io.IOBase
) – a stream of the private key to readReturns: the read private key Return type: paramiko.pkey.PKery
Raises paramiko.ssh_exception.SSHException: when something goes wrong
-
geofront.masterkey.
renew_master_key
(servers: collections.abc.Set, key_store: geofront.masterkey.MasterKeyStore, bits: int=2048) → paramiko.pkey.PKey¶ Renew the master key. It creates a new master key, makes
servers
to authorize the new key, replaces the existing master key with the new key in thekey_store
, and then makesservers
to deauthorize the old key. All these operations are done in a two-phase renewal transaction.Parameters: - servers (
collections.abc.Set
) – servers to renew the master key. every element has to be an instance ofRemote
- key_store (
MasterKeyStore
) – the master key store to update - bits (
int
) – the number of bits the generated key should be. it has to be 1024 at least, and a multiple of 256. 2048 by default
Returns: the created new master key
Return type: New in version 0.2.0: The
bits
optional parameter.- servers (