I am writing a python script to automate deletion of svmi netapp snapshots using PySphere library.
to create a connection instance i do :
vc_server = pysphere.VIServer()
vc_server.connect("vc.example.com", "example.com\dd432", "password")
Everything works the expected way, the only question I have is there a way for me to hide the password in the script, maybe some hashing mechanism, to have that password argument do not specify the password in clear text in the script?
Thanks.
For now i found only way to put password under file system into .cf file and restrict permissions for read on that file. Sure there should be some better way.
#classmethod
def setUpClass(cls):
config_path = os.path.join(os.path.dirname(__file__), "config_conn.cf")
cls.config = ConfigParser.ConfigParser()
cls.config.read(config_path)
host = cls.config.get("READ_ONLY_ENV", "host")
user = cls.config.get("READ_ONLY_ENV", "user")
pswd = cls.config.get("READ_ONLY_ENV", "password")
cls.server = VIServer()
cls.server.connect(host, user, pswd)
Related
My system is connected to Active Directory and I can query it by binding using a username and password.
I noticed that I am also able to query it without explicitly providing a username and password, when using ADO or ADSDSOObject Provider (tried in Java/Python/VBA).
I would like to understand how the authentication is done in this case.
Example of first case where username and password is explicitly needed:
import ldap3
from ldap3.extend.microsoft.addMembersToGroups import ad_add_members_to_groups as addUsersInGroups
server = Server('172.16.10.50', port=636, use_ssl=True)
conn = Connection(server, 'CN=ldap_bind_account,OU=1_Service_Accounts,OU=0_Users,DC=TG,DC=LOCAL','Passw0rds123!',auto_bind=True)
print(conn)
Example of second case where no username and password is explicitly needed:
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT Name FROM 'LDAP://DC=mydomain,DC=com' WHERE objectClass = 'Computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
I tried to look at the source code of the libraries but was not able to understand what is being done.
In the second case, it's using the credentials of the account running the program, or it could even be using the computer account (every computer joined to the domain has an account on the domain, with a password that no person ever sees).
Python's ldap3 package doesn't automatically do that, however, it appears there may be way to make it work without specifying credentials, using Kerberos authentication. For example, from this issue:
I know that, for GSSAPI and GSS-SPNEGO, if you specify "authentication=SASL, sasl_mechanism=GSSAPI" (or spnego as needed) in your connection, then you don't need to specify user/password at all.
And there's also this StackOverflow question on the same topic: Passwordless Python LDAP3 authentication from Windows client
Hi I'm creating Cloudera environment, and want to share this to other teams. This script should be querying our Active directory server. But unfortunately I don't want to put my password / username inside the script.
from ldap3 import Server, Connection, ALL, NTLM, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, AUTO_BIND_NO_TLS, SUBTREE
serverName = 'internal.imsglobal.com'
server = Server(serverName)
conn = Connection(server, read_only=True, user='',password='', auto_bind=True)
person='somebody'
conn.search('dc=internal,dc=mydomain,dc=com', '(&(givenName=*)(sAMAccountName=*{person}*))'.format(person=person), attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES])
no_entries = len(conn.entries)
What can be done to avoid hardcoding credentials ?
Unfortunately Cloudera doesn't allow to use input function or anything interactive.
You can use dotenv
pip install python-dotenv
Create a .env file that consists of key/values like this:
USERNAME=foo
PASSWORD=bar
Then load the .env file and access the values.
dotenv_path = join(dirname(__file__), $location_of_.env_file)
load_dotenv(dotenv_path)
username = os.getenv("USERNAME")
password = os.getenv("PASSWORD")
I'm using the Python requests library to make a call to an API that requires Windows Authentication. In C# I have always used the Directory Services, which has allowed me to avoid putting passwords in any of my code or configurations. From what I have found online, it seems that my only option in Python is to have a password somewhere. I have a service account that I will use, but I need to store the password securely. What is the best way to securely store and retrieve a service account password in Python without hard coding plain text?
The code that I am currently using is below. I have the username and password stored in plain text in my configuration:
auth = HttpNtlmAuth(
config.ServiceAccount["Username"],
config.ServiceAccount["Password"]
)
content = requests.post(call_string, json=parameters, auth=auth)
Edit: I should mention that this will not be a user-facing application. It will run as a batch job. So there will not be any way for a user to enter the username/password while running the application.
You could just not store the password at all and require the user to provide the password at runtime
import getpass
user = getpass.getuser()
password = getpass.getpass()
Otherwise, you could do something similar to git and just have the user store their password in plaintext in a config file in their home directory that you then read at runtime.
I know I asked this question a while ago, but I found a better solution to the NTLM/Windows authentication. I used the requests_negotiate_sspi library to avoid any passwords:
from requests_negotiate_sspi import HttpNegotiateAuth
auth = HttpNegotiateAuth()
content = requests.post(call_string, json=parameters, auth=auth)
I want to access HDFS jceks (password alias is created) in python script for secure login. Can anyone help with with python code /steps to do so.
Thank you
You may use the hadoop configuration to access the password from python code.
Only thing you would need is to instanciate a hadoop configuration and use the property hadoop.security.credential.provider.path to set and retrieve the password using getPassword
You could use Spark also to read the jecks password from inside your code:
Python:
spark1 = SparkSession.builder.appName("xyz").master("yarn").enableHiveSupport().config("hive.exec.dynamic.partition", "true").config("hive.exec.dynamic.partition.mode", "nonstrict").getOrCreate()
x = spark1.sparkContext._jsc.hadoopConfiguration()
x.set("hadoop.security.credential.provider.path", "jceks://file///localpathtopassword")
a = x.getPassword("<password alias>")
passw = ""
for i in range(a.__len__()):
passw = passw + str(a.__getitem__(i))
In the above code you shall get the password string in passw
I am using Python 2.7.3 and successfully passing my login credentials to an SMTP server to send me a text or email when an event trigger takes place. However, now I would like to store the SMTP server login and password in a separate file so that multiple scripts could use that information or so that I can share my script without having to remove my credentials each time.
I am using the great tutorial from Alex Le on sending an SMS via Python. But now I want to take the following segment and put it into another file that can be called by multiple scripts. This could be either just the username/password pair or the whole section.
server = smtplib.SMTP( "smtp.gmail.com", 587 )
server.starttls()
server.login( '<gmail_address>', '<gmail_password>' )
I would consider myself a pretty basic Python programmer. I don't mind doing some research, but I think I need help on what terms I should be looking for.
Get all the critical variables from .yml file:
import yaml
conf = yaml.load(open('conf/application.yml'))
email = conf['user']['email']
pwd = conf['user']['password']
server = smtplib.SMTP( "smtp.gmail.com", 587 ) # add these 2 to .yml as well
server.starttls()
server.login(email, pwd)
The application.yml will look similar to this:
user:
email: example#mail.com
password: yourpassword
This way, you will never see the actual credentials in the script.
In production environments what we usually do is make a seperate file and save it somewhere outside the project. Now do chmod 600, i.e. allow only root to access the file. Now in your code run read the file by running in the the superuser mode. Or you could also create a different user which can access the file and run the code using that user.
OR You could use environment variables in your system. You can set one by doing the following in bash shell
export KEY=some_value
And then in your Python code
os.environ.get('KEY')
Use a separate configuration file settings.py containing:
EMAIL = 'gmail address'
PASSWORD = 'gmail password'
As the configuration file is a Python file, you can import it from your actual code:
from . import settings
server = smtplib.SMTP( "smtp.gmail.com", 587 )
server.starttls()
server.login(settings.EMAIL, settings.PASSWORD)
This is similar to what projects such as Django use, which you can see here.
You would need to keep the settings.py file secret, so you would not add it to your revision control software and wouldn't make it publicly readable.