Is there a way not to hardcode the password in the python script while using python-gerrit-api module ?
from gerrit import GerritClient
gerrit = GerritClient(base_url="https://yourgerrit", username='******', password='xxxxx')
There are a few possible solutions for this:
Solution 1:
Use the python argparse module to take the password as input from the CLI using the command-line arguments. Set the $GERRIT_PASSWORD environment variable, and use that in the password argument.
./script.py --username=$GERRIT_USERNAME --password=$GERRIT_PASSWORD
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--username', help='Username')
parser.add_argument('--password', help='Password')
args = parser.parse_args()
username = args.username
password = args.password
from gerrit import GerritClient
gerrit = GerritClient(base_url="https://yourgerrit", username=username, password=password)
Note: You can achieve a similar state by directly getting the value of the environment in your code, using os.environ, instead of using the argparse module. However, the recommended way would be to give the input using arguments.
Solution 2:
Use the python getpass module, to take the password as input from the user interactively:
import getpass
username = input("Username: ")
password = getpass.getpass(prompt="Password: ")
from gerrit import GerritClient
gerrit = GerritClient(base_url="https://yourgerrit", username=username, password=password)
Both the solutions mentioned above are derived from the fact that accessing Gerrit over HTTPS either requires the password to be input in the CLI command or requires the user to enter it interactively.
(i)
git clone "https://$USERNAME:$PASSWORD#$GERRIT_HOST/$PROJECT"
(ii)
git clone "https://$USERNAME#$GERRIT_HOST/$PROJECT"
Password for 'https://$USERNAME#$PROJECT': <Enter the password>
Related
How can I pass a password to my python script when it prompts for a password. I do not want the user to enter the password when it prompts. It should be passed directly from the script.
subprocess.run(['ansible-vault', 'decrypt', 'main.yml', 'linux.yml','--ask-vault-pass'])
While running the script it prompts for the password. I want the password to be passed from script only not by the user or passing a password file.
Is there a way to pass the password here? I have other ansible vault option like vault-password etc but that doesn't serve my purpose.
Instead of using the cmdline ansible-vault, you can use the Python package - ansible-vault which will allow you to hardcode the password inside the script itself:
from ansible_vault import Vault
vault = Vault('password')
main_data = vault.load(open('main.yml').read())
linux_data = vault.load(open('linux.yaml').read())
As you are hardcoding the password inside the code, ensure you don't commit this code anywhere or send it to anyone, it's a serious security risk.
I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.
I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:
import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)
Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.
When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?
Edit: I can't pipe the password as the command I use doesn't read its password from standard input
I'm using the Python requests library to make a call to an API that requires Windows Authentication. In C# I have always used the Directory Services, which has allowed me to avoid putting passwords in any of my code or configurations. From what I have found online, it seems that my only option in Python is to have a password somewhere. I have a service account that I will use, but I need to store the password securely. What is the best way to securely store and retrieve a service account password in Python without hard coding plain text?
The code that I am currently using is below. I have the username and password stored in plain text in my configuration:
auth = HttpNtlmAuth(
config.ServiceAccount["Username"],
config.ServiceAccount["Password"]
)
content = requests.post(call_string, json=parameters, auth=auth)
Edit: I should mention that this will not be a user-facing application. It will run as a batch job. So there will not be any way for a user to enter the username/password while running the application.
You could just not store the password at all and require the user to provide the password at runtime
import getpass
user = getpass.getuser()
password = getpass.getpass()
Otherwise, you could do something similar to git and just have the user store their password in plaintext in a config file in their home directory that you then read at runtime.
I know I asked this question a while ago, but I found a better solution to the NTLM/Windows authentication. I used the requests_negotiate_sspi library to avoid any passwords:
from requests_negotiate_sspi import HttpNegotiateAuth
auth = HttpNegotiateAuth()
content = requests.post(call_string, json=parameters, auth=auth)
I want to access HDFS jceks (password alias is created) in python script for secure login. Can anyone help with with python code /steps to do so.
Thank you
You may use the hadoop configuration to access the password from python code.
Only thing you would need is to instanciate a hadoop configuration and use the property hadoop.security.credential.provider.path to set and retrieve the password using getPassword
You could use Spark also to read the jecks password from inside your code:
Python:
spark1 = SparkSession.builder.appName("xyz").master("yarn").enableHiveSupport().config("hive.exec.dynamic.partition", "true").config("hive.exec.dynamic.partition.mode", "nonstrict").getOrCreate()
x = spark1.sparkContext._jsc.hadoopConfiguration()
x.set("hadoop.security.credential.provider.path", "jceks://file///localpathtopassword")
a = x.getPassword("<password alias>")
passw = ""
for i in range(a.__len__()):
passw = passw + str(a.__getitem__(i))
In the above code you shall get the password string in passw
I would like to restrict ability to run my Python 3 script to certain host and users on Linux. Is there any Python 3.x build in function or library which would allow me to do this relatively easy please?
Not exactly a Python answer, but a Linux one - you may add all users who can run a script to some group:
groupadd allowed-users
usermod -a -G allowed-users some-user
Then change group of the script and restrict read access to it only for group (if user can't read a script it can't run it).
chown allowed-users script.py
chmod 640 script.py
I'm sure there is a better way of doing that but below is my first attempt.
#!/usr/bin/python3
import getpass
import socket
hostname = socket.gethostname()
username = getpass.getuser()
allowedusers = 'user1'
allowedhosts = 'host1'
if hostname in allowedhosts:
print('hostname allowed')
if username in allowedusers:
print('user allowed')
else:
print('username not allowed')
exit()
else:
print('hostname not allowed')
exit()
print('script will continue to run as hostname and user are allowed')