from __future__ import print_function, division, absolute_import try: import ssl except ImportError: ssl = None import dask _roles = ['client', 'scheduler', 'worker'] _tls_per_role_fields = ['key', 'cert'] _tls_fields = ['ca_file', 'ciphers'] _misc_fields = ['require_encryption'] _fields = set(_misc_fields + ['tls_%s' % field for field in _tls_fields] + ['tls_%s_%s' % (role, field) for role in _roles for field in _tls_per_role_fields] ) def _field_to_config_key(field): return field.replace('_', '-') class Security(object): """ An object to gather and pass around security configuration. Default values are gathered from the global ``config`` object and can be overriden by constructor args. Supported fields: - require_encryption - tls_ca_file - tls_ciphers - tls_client_key - tls_client_cert - tls_scheduler_key - tls_scheduler_cert - tls_worker_key - tls_worker_cert """ __slots__ = tuple(_fields) def __init__(self, **kwargs): self._init_from_dict(dask.config.config) for k, v in kwargs.items(): if v is not None: setattr(self, k, v) for k in _fields: if not hasattr(self, k): setattr(self, k, None) def _init_from_dict(self, d): """ Initialize Security from nested dict. """ self._init_fields_from_dict(d, '', _misc_fields, {}) self._init_fields_from_dict(d, 'tls', _tls_fields, _tls_per_role_fields) def _init_fields_from_dict(self, d, category, fields, per_role_fields): if category: d = d.get(category, {}) category_prefix = category + '_' else: category_prefix = '' for field in fields: k = _field_to_config_key(field) if k in d: setattr(self, '%s%s' % (category_prefix, field), d[k]) for role in _roles: dd = d.get(role, {}) for field in per_role_fields: k = _field_to_config_key(field) if k in dd: setattr(self, '%s%s_%s' % (category_prefix, role, field), dd[k]) def __repr__(self): items = sorted((k, getattr(self, k)) for k in _fields) return ("Security(" + ", ".join("%s=%r" % (k, v) for k, v in items if v is not None) + ")") def get_tls_config_for_role(self, role): """ Return the TLS configuration for the given role, as a flat dict. """ return self._get_config_for_role('tls', role, _tls_fields, _tls_per_role_fields) def _get_config_for_role(self, category, role, fields, per_role_fields): if role not in _roles: raise ValueError("unknown role %r" % (role,)) d = {} for field in fields: k = '%s_%s' % (category, field) d[field] = getattr(self, k) for field in per_role_fields: k = '%s_%s_%s' % (category, role, field) d[field] = getattr(self, k) return d def _get_tls_context(self, tls, purpose): if tls.get('ca_file') and tls.get('cert'): try: ctx = ssl.create_default_context(purpose=purpose, cafile=tls['ca_file']) except AttributeError: raise RuntimeError("TLS functionality requires Python 2.7.9+") ctx.verify_mode = ssl.CERT_REQUIRED # We expect a dedicated CA for the cluster and people using # IP addresses rather than hostnames ctx.check_hostname = False ctx.load_cert_chain(tls['cert'], tls.get('key')) if tls.get('ciphers'): ctx.set_ciphers(tls.get('ciphers')) return ctx def get_connection_args(self, role): """ Get the *connection_args* argument for a connect() call with the given *role*. """ d = {} tls = self.get_tls_config_for_role(role) # Ensure backwards compatibility (ssl.Purpose is Python 2.7.9+ only) purpose = ssl.Purpose.SERVER_AUTH if hasattr(ssl, "Purpose") else None d['ssl_context'] = self._get_tls_context(tls, purpose) d['require_encryption'] = self.require_encryption return d def get_listen_args(self, role): """ Get the *connection_args* argument for a listen() call with the given *role*. """ d = {} tls = self.get_tls_config_for_role(role) # Ensure backwards compatibility (ssl.Purpose is Python 2.7.9+ only) purpose = ssl.Purpose.CLIENT_AUTH if hasattr(ssl, "Purpose") else None d['ssl_context'] = self._get_tls_context(tls, purpose) d['require_encryption'] = self.require_encryption return d