- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter

and AWS Policy based authentication type

  Resolves: RHEL-16248
Oyvind Albrigtsen 2023-11-17 16:20:33 +01:00
parent 78cdd8146e
commit f772802d72
2 changed files with 47 additions and 26 deletions


@ -1,18 +1,18 @@
From a1177407608887970cafbfe7ad9bf97570c739dd Mon Sep 17 00:00:00 2001 From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com> From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Mon, 6 Nov 2023 15:49:44 +0100 Date: Mon, 6 Nov 2023 15:49:44 +0100
Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
parameter and AWS Policy based authentication type parameter and AWS Policy based authentication type
--- ---
heartbeat/aws-vpc-move-ip | 40 ++++++++++++++++++---- heartbeat/aws-vpc-move-ip | 43 +++++++++++++++++++----
heartbeat/aws-vpc-route53.in | 44 +++++++++++++++++++----- heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
heartbeat/awseip | 65 +++++++++++++++++++++++++++--------- heartbeat/awseip | 68 +++++++++++++++++++++++++++---------
heartbeat/awsvip | 59 +++++++++++++++++++++++++------- heartbeat/awsvip | 60 ++++++++++++++++++++++++-------
4 files changed, 166 insertions(+), 42 deletions(-) 4 files changed, 173 insertions(+), 45 deletions(-)
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index dee040300f..3fa93cd4af 100755 index dee040300f..54806f6eaa 100755
--- a/heartbeat/aws-vpc-move-ip --- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip +++ b/heartbeat/aws-vpc-move-ip
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
@ -76,7 +76,12 @@ index dee040300f..3fa93cd4af 100755
export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')" export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')" export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')" export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
@@ -224,7 +237,7 @@ ec2ip_validate() { @@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
}
ec2ip_validate() {
- for cmd in $OCF_RESKEY_awscli ip curl; do
+ for cmd in "$OCF_RESKEY_awscli" ip curl; do
check_binary "$cmd" check_binary "$cmd"
done done
@ -103,12 +108,13 @@ index dee040300f..3fa93cd4af 100755
ocf_log debug "executing command: $cmd" ocf_log debug "executing command: $cmd"
$cmd $cmd
else else
@@ -475,6 +488,21 @@ if ! ocf_is_root; then @@ -475,6 +488,22 @@ if ! ocf_is_root; then
exit $OCF_ERR_PERM exit $OCF_ERR_PERM
fi fi
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}" + AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then + if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication" + ocf_exit_reason "region needs to be set when using role-based authentication"
@ -126,7 +132,7 @@ index dee040300f..3fa93cd4af 100755
ec2ip_validate ec2ip_validate
diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
index 22cbb35833..911f15f59f 100644 index 22cbb35833..18ab157e8a 100644
--- a/heartbeat/aws-vpc-route53.in --- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in +++ b/heartbeat/aws-vpc-route53.in
@@ -46,24 +46,22 @@ @@ -46,24 +46,22 @@
@ -174,6 +180,15 @@ index 22cbb35833..911f15f59f 100644
<parameter name="profile"> <parameter name="profile">
<longdesc lang="en"> <longdesc lang="en">
The name of the AWS CLI profile of the root account. This The name of the AWS CLI profile of the root account. This
@@ -196,7 +203,7 @@ r53_validate() {
# Check for required binaries
ocf_log debug "Checking for required binaries"
- for command in curl dig; do
+ for command in "${OCF_RESKEY_awscli}" curl dig; do
check_binary "$command"
done
@@ -216,7 +223,10 @@ r53_validate() { @@ -216,7 +223,10 @@ r53_validate() {
esac esac
@ -194,14 +209,15 @@ index 22cbb35833..911f15f59f 100644
case $__OCF_ACTION in case $__OCF_ACTION in
usage|help) usage|help)
usage usage
@@ -427,6 +436,25 @@ case $__OCF_ACTION in @@ -427,6 +436,26 @@ case $__OCF_ACTION in
metadata metadata
exit $OCF_SUCCESS exit $OCF_SUCCESS
;; ;;
+esac +esac
+ +
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}" + AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then + if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication" + ocf_exit_reason "region needs to be set when using role-based authentication"
@ -221,7 +237,7 @@ index 22cbb35833..911f15f59f 100644
r53_validate || exit $? r53_validate || exit $?
r53_start r53_start
diff --git a/heartbeat/awseip b/heartbeat/awseip diff --git a/heartbeat/awseip b/heartbeat/awseip
index dc48460c85..f93b5a3434 100755 index dc48460c85..49b0ca6155 100755
--- a/heartbeat/awseip --- a/heartbeat/awseip
+++ b/heartbeat/awseip +++ b/heartbeat/awseip
@@ -23,7 +23,8 @@ @@ -23,7 +23,8 @@
@ -335,16 +351,19 @@ index dc48460c85..f93b5a3434 100755
RET=$? RET=$?
if [ $RET -ne 0 ]; then if [ $RET -ne 0 ]; then
@@ -220,7 +240,7 @@ awseip_monitor() { @@ -218,9 +238,9 @@ awseip_monitor() {
}
awseip_validate() { awseip_validate() {
check_binary ${AWSCLI} - check_binary ${AWSCLI}
+ check_binary "${OCF_RESKEY_awscli}"
- if [ -z "$OCF_RESKEY_profile" ]; then - if [ -z "$OCF_RESKEY_profile" ]; then
+ if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then + if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
ocf_exit_reason "profile parameter not set" ocf_exit_reason "profile parameter not set"
return $OCF_ERR_CONFIGURED return $OCF_ERR_CONFIGURED
fi fi
@@ -238,9 +258,26 @@ case $__OCF_ACTION in @@ -238,9 +258,27 @@ case $__OCF_ACTION in
meta_data meta_data
exit $OCF_SUCCESS exit $OCF_SUCCESS
;; ;;
@ -356,8 +375,9 @@ index dc48460c85..f93b5a3434 100755
+esac +esac
-AWSCLI="${OCF_RESKEY_awscli}" -AWSCLI="${OCF_RESKEY_awscli}"
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}" + AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then + if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication" + ocf_exit_reason "region needs to be set when using role-based authentication"
@ -373,7 +393,7 @@ index dc48460c85..f93b5a3434 100755
ELASTIC_IP="${OCF_RESKEY_elastic_ip}" ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
ALLOCATION_ID="${OCF_RESKEY_allocation_id}" ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}" PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
@@ -272,10 +309,6 @@ case $__OCF_ACTION in @@ -272,10 +310,6 @@ case $__OCF_ACTION in
validate|validate-all) validate|validate-all)
awseip_validate awseip_validate
;; ;;
@ -385,7 +405,7 @@ index dc48460c85..f93b5a3434 100755
awseip_usage awseip_usage
exit $OCF_ERR_UNIMPLEMENTED exit $OCF_ERR_UNIMPLEMENTED
diff --git a/heartbeat/awsvip b/heartbeat/awsvip diff --git a/heartbeat/awsvip b/heartbeat/awsvip
index 037278e296..7e6cc23d64 100755 index 037278e296..bdb4d68dd0 100755
--- a/heartbeat/awsvip --- a/heartbeat/awsvip
+++ b/heartbeat/awsvip +++ b/heartbeat/awsvip
@@ -23,7 +23,8 @@ @@ -23,7 +23,8 @@
@ -486,14 +506,14 @@ index 037278e296..7e6cc23d64 100755
awsvip_validate() { awsvip_validate() {
- check_binary ${AWSCLI} - check_binary ${AWSCLI}
+ check_binary ${OCF_RESKEY_awscli} + check_binary "${OCF_RESKEY_awscli}"
- if [ -z "$OCF_RESKEY_profile" ]; then - if [ -z "$OCF_RESKEY_profile" ]; then
+ if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then + if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
ocf_exit_reason "profile parameter not set" ocf_exit_reason "profile parameter not set"
return $OCF_ERR_CONFIGURED return $OCF_ERR_CONFIGURED
fi fi
@@ -202,9 +224,26 @@ case $__OCF_ACTION in @@ -202,9 +224,27 @@ case $__OCF_ACTION in
meta_data meta_data
exit $OCF_SUCCESS exit $OCF_SUCCESS
;; ;;
@ -504,8 +524,9 @@ index 037278e296..7e6cc23d64 100755
esac esac
-AWSCLI="${OCF_RESKEY_awscli}" -AWSCLI="${OCF_RESKEY_awscli}"
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}" + AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then + if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication" + ocf_exit_reason "region needs to be set when using role-based authentication"
@ -521,7 +542,7 @@ index 037278e296..7e6cc23d64 100755
SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}" SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN") INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
@@ -236,10 +275,6 @@ case $__OCF_ACTION in @@ -236,10 +276,6 @@ case $__OCF_ACTION in
validate|validate-all) validate|validate-all)
awsvip_validate awsvip_validate
;; ;;
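Review bot: An `auth_type` value other than `key` or `role` falls through the `if`/`elif` chain in aws-vpc-move-ip with `AWSCLI_CMD` already set to the bare `${OCF_RESKEY_awscli}`, so unless an `else` in the elided part of the hunk rejects it, a mistyped parameter would make the agent run the AWS CLI with whatever ambient credentials and region the node has instead of failing as misconfigured. The same block is repeated in aws-vpc-route53.in, awseip and awsvip. I would close each chain with `else ocf_exit_reason "unsupported auth_type: ${OCF_RESKEY_auth_type}"; exit $OCF_ERR_CONFIGURED`, or perform the check in each validate function next to the existing `profile` test. Separately, `AWSCLI_CMD` is a flat string that embeds `${OCF_RESKEY_profile}`; its use sites are not visible here, but if it is expanded unquoted, a profile value containing whitespace would be split into extra CLI arguments, so the profile name deserves validation as well.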


@ -69,7 +69,7 @@
Name: resource-agents Name: resource-agents
Summary: Open Source HA Reusable Cluster Resource Scripts Summary: Open Source HA Reusable Cluster Resource Scripts
Version: 4.9.0 Version: 4.9.0
Release: 50%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} Release: 51%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/resource-agents URL: https://github.com/ClusterLabs/resource-agents
%if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -972,7 +972,7 @@ ccs_update_schema > /dev/null 2>&1 ||:
%{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
%changelog %changelog
* Tue Nov 14 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-50 * Fri Nov 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-51
- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter - aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
and AWS Policy based authentication type and AWS Policy based authentication type