Introduction
- A Credential Store can be used to store sensitive information that is used by the YADE file transfer job (and command line utility).
- YADE allows use of a Credentials Store as explained in the YADE Credential Store article.
Desired Behavior
- Users would like to store sensitive information that should be used by job and order parameters in a Credential Store similar to YADE.
- This includes
  - to specify the Credential Store location (file path) and access method (password, key file) globally.
  - parameter values to reference credentials with a special syntax such as cs://<path>@<value>
    - Example:
      <job>
          <params>
              <param name="db_password" value="cs://databases/mysql_localhost@password"/>
          </params>
          ...
      </job>
  - to apply parameter values from a Credential Store to job, order and node parameters.
  - substituted parameter values to be excluded from logging.
Current Status
- Job/order parameters are not substituted.
- The SOSKeePassDatabase class can be called in a shell (master/agent), javascript (master/agent) or powershell (agent) job.
  - Successful run:
    - Exit status = 0, output to stdout
  - Failed run:
    - Exit status = 99, exception output to stderr
Syntax
Query parameters introduced:
- file - required
  - the path to a Credential Store database file.
  - this path can be specified either relatively or absolutely. For example:
    - Relative values for a Master are relative to the SCHEDULER_DATA directory.
    - Relative values for an Agent are relative to the SCHEDULER_HOME (install) directory.
- password - optional
  - the password for the Credential Store database file.
- key_file - optional
  - If this parameter is set:
    - this path can be specified either relatively or absolutely. See the file example.
  - If this parameter is not set:
    - the directory of the file database is searched for a <file_without_extension>.key file (e.g. mystore.kdbx -> mystore.key).
      - .key file found - it is used
      - .key file not found - if the query parameter password is also not set, an exception is thrown
- ignore_expired - optional, default: 0
  - ignore_expired=0 - an exception is thrown if the entry has expired (Expires)
  - ignore_expired=1 - Expires is not evaluated
- attachment - optional, default: 0
  - attachment=0 - a string field is read
  - attachment=1 - a file attachment field is read and returned as new String(bytes).
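The query parameter rules above, as an added JavaScript (Node.js) example; it is not part of the original page and not the SOSKeePassDatabase implementation. The names parseCsUri, redactCsUri, baseDir and exists are hypothetical, and values are taken literally because the page does not specify any URL encoding.

```javascript
// Added example: cs:// URI handling per the rules documented above.
// Not SOS code; `exists` is a caller-supplied file check (assumption).
const isAbsolute = (p) => /^([A-Za-z]:)?[\\/]/.test(p);
const join = (dir, p) => dir.replace(/[\\/]+$/, "") + "/" + p;

function parseCsUri(uri, baseDir, exists) {
  const m = /^cs:\/\/([^@?]+)@([^?]+)\?(.+)$/.exec(uri);
  if (!m) throw new Error("expected cs://<path>@<value>?<query>");
  const q = { ignore_expired: "0", attachment: "0" }; // documented defaults
  for (const pair of m[3].split("&")) {
    const i = pair.indexOf("=");
    // Never echo the pair itself: it may be the password.
    if (i < 1) throw new Error("malformed query parameter");
    q[pair.slice(0, i)] = pair.slice(i + 1);
  }
  if (!q.file) throw new Error("query parameter 'file' is required");
  // Relative paths: SCHEDULER_DATA (Master) or SCHEDULER_HOME (Agent).
  const abs = (p) => (isAbsolute(p) ? p : join(baseDir, p));
  const file = abs(q.file);
  let keyFile = q.key_file ? abs(q.key_file) : null;
  if (!keyFile) {
    // Fallback: <file_without_extension>.key next to the database.
    const candidate = file.replace(/\.[^./\\]+$/, "") + ".key";
    if (exists(candidate)) keyFile = candidate;
    else if (!q.password) {
      throw new Error("no password and no key file for " + file);
    }
  }
  return {
    entry: m[1], property: m[2], file, keyFile,
    hasPassword: Boolean(q.password),
    ignoreExpired: q.ignore_expired === "1",
    attachment: q.attachment === "1",
  };
}

// Mask the password before a URI reaches a log line or error message.
function redactCsUri(uri) {
  return uri.replace(/([?&]password=)[^&]*/g, "$1***");
}

// Constructed sample, modelled on the URIs used in the job examples.
const SAMPLE = "cs://server/SFTP/homer.sos@user?file=config/live/cs.kdbx&password=test";
console.log(redactCsUri(SAMPLE));
```

A password given in the URI is stored in the job source and, when the java main method is called, appears on the process command line; the key_file lookup keeps it out of both.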
JavaScript Job (master/agent) Example
2 methods can be used:
- com.sos.keepass.SOSKeePassDatabase.getProperty(uri)
- com.sos.keepass.SOSKeePassDatabase.getBinaryProperty(uri)
<job order="no" stop_on_error="no">
    <script language="java:javascript"><![CDATA[
// Reads a string property (or, with attachment=1, an attachment as a string).
function getCredentialStoreProperty(uri){
    try{
        return Packages.com.sos.keepass.SOSKeePassDatabase.getProperty(uri);
    }
    catch (e) {
        throw new Error("can't get property: "+e.message);
    }
}

// Reads an attachment as a byte array and writes it to targetFile.
function exportCredentialStoreAttachment2File(uri, targetFile){
    var fos = null;
    try{
        var data = Packages.com.sos.keepass.SOSKeePassDatabase.getBinaryProperty(uri);
        fos = new Packages.java.io.FileOutputStream(targetFile);
        fos.write(data);
    }
    catch (e) {
        throw new Error("["+targetFile+"]can't write attachment to file: "+e.message);
    }
    finally{
        if(fos !== null){
            fos.close();
        }
    }
}

function spooler_process(){
    var file = "config/live/JITL-473-cs/kdbx-p.kdbx";

    spooler_log.info("--- get string property ---");
    var property = "server/SFTP/homer.sos@user";
    var uri = "cs://"+property+"?file="+file+"&password=test";
    var val = getCredentialStoreProperty(uri);
    // Demonstration only: this writes the retrieved value to the job log.
    spooler_log.info("["+property+"]=" + val);

    spooler_log.info("--- get binary property as string ---");
    property = "server/SFTP/homer.sos@homer.privat.dsa";
    uri = "cs://"+property+"?file="+file+"&password=test&attachment=1";
    val = getCredentialStoreProperty(uri);
    spooler_log.info("["+property+"]=" + val);

    spooler_log.info("--- get binary property as byte array and write to file ---");
    property = "server/SFTP/homer.sos@homer.privat.dsa";
    uri = "cs://"+property+"?file="+file+"&password=test";
    var targetFile = "D:/my_homer.privat.dsa";
    exportCredentialStoreAttachment2File(uri,targetFile);
    spooler_log.info("["+property+"] written to " + targetFile);

    return false;
}
    ]]></script>
    <run_time />
</job>
Powershell Job (agent) Example
Only the com.sos.keepass.SOSKeePassDatabase main method can be used:
<job order="no" stop_on_error="no" process_class="/Agent">
    <script language="powershell"><![CDATA[
# Runs the SOSKeePassDatabase main method in a child java process and
# returns its stdout; throws with stderr if the exit code is not 0.
function Get-CredentialStoreProperty([string] $uri)
{
    $command = "java"
    if (![string]::IsNullOrEmpty(${env:JAVA_HOME})){
        $command = "${env:JAVA_HOME}\bin\$command"
    }
    $arguments = @("com.sos.keepass.SOSKeePassDatabase", $uri)

    $startInfo = New-Object System.Diagnostics.ProcessStartInfo
    $startInfo.FileName = $command
    $startInfo.RedirectStandardError = $true
    $startInfo.RedirectStandardOutput = $true
    $startInfo.UseShellExecute = $false
    $startInfo.WindowStyle = 'Hidden'
    $startInfo.CreateNoWindow = $true
    $startInfo.Arguments = $arguments

    try{
        $process = New-Object System.Diagnostics.Process
        $process.StartInfo = $startInfo
        $process.Start() | Out-Null
        $stdout = $process.StandardOutput.ReadToEnd()
        $stderr = $process.StandardError.ReadToEnd()
        $process.WaitForExit()
    }
    catch{
        throw "Failed $($startInfo.FileName): $error"
    }

    if ($process.exitCode -ne 0) {
        throw "Failed with exit code $($process.exitCode): $stderr"
    }
    $stdout
}

$file = "D:/jobscheduler.1.x/jobscheduler/data/1.12.x.x64-snapshot/config/live/JITL-473-cs/kdbx-p.kdbx";

$spooler_log.info("--- get string property with exception handling ---");
$property = "server/SFTP/homer.sos@user";
$uri = "cs://"+$property+"?file="+$file+"&password=test";
$val = Get-CredentialStoreProperty($uri);
# Demonstration only: this writes the retrieved value to the job log.
$spooler_log.info("["+$property+"]=" + $val);

$spooler_log.info("--- get string property without exception handling ---");
$val = java com.sos.keepass.SOSKeePassDatabase $uri
$spooler_log.info("["+$property+"]=" + $val);

$spooler_log.info("--- get binary property as string with exception handling and formatted output ---");
$property = "server/SFTP/homer.sos@homer.privat.dsa";
$uri = "cs://"+$property+"?file="+$file+"&password=test&attachment=1";
$val = Get-CredentialStoreProperty($uri);
$spooler_log.info("["+$property+"]=" + $val);

$spooler_log.info("--- get binary property as string without exception handling ---");
$val = java com.sos.keepass.SOSKeePassDatabase $uri
$spooler_log.info("["+$property+"]=" + $val);
    ]]></script>
    <run_time />
</job>
Only the com.sos.keepass.SOSKeePassDatabase main method can be used:
Examples for Unix/Windows to follow...