This post is from the XebiaLabs blog and has not been updated since the original publish date.
I was working with a customer recently to prove some concepts, one of which involved sourcing a password from CyberArk Password Vault. To do this I used rules and performed an action in the planning stage.
First I added a new property to all containers called cyberarkId using a type modification within the synthetic.xml file (..../ext/synthetic.xml):

```xml
<type-modification type="udm.BaseContainer">
    <property name="cyberarkId" category="Cyber Ark" required="false"/>
</type-modification>
```
```xml
<rule name="CyberArkPasswordRegistration" scope="plan">
    <planning-script-path>cyberark/cyberark-password-rule.py</planning-script-path>
</rule>
```

And created a Python script that loops through the deltas, looks for containers with an assigned CyberArk variable and uses that to look up a password. In our demo case we are simply parsing a key=value text file, but this could easily be a REST call or some other wrapped API call to CyberArk. We might need to add some additional information to connect to CyberArk or to retrieve our credentials by specifying more information, but that's just gravy.
```python
def emptyOrNone(s):
    return s is None or len(s.strip()) == 0


def extract_cyberark_aware_containers(deltas):
    containers = {}
    # Get our deployed containers
    for delta in deltas.deltas:
        delta_op = str(delta.operation)
        # A DESTROY delta has no new deployed, so use the previous one
        deployed = delta.previous if delta_op == "DESTROY" else delta.deployed
        container = deployed.container
        if container.hasProperty("cyberarkId") and not emptyOrNone(container.cyberarkId):
            # Ensure we only add our container once
            if container.name in containers:
                continue
            containers[container.name] = container
    return list(containers.values())


def update_passwords_from_cyberark(containers, context):
    # Demo stand-in for the CyberArk call: password.txt is a simple
    # key=value file. A plaintext file under /tmp is for the demo only.
    with open('/tmp/password.txt') as f:
        id_pwds = f.readlines()
    for container in containers:
        cyber_ark_id = container.cyberarkId
        for id_pwd in id_pwds:
            line = id_pwd.rstrip('\r\n')  # readlines() keeps the newline
            if '=' not in line:
                continue  # skip blank or malformed lines
            # Split on the first '=' only: the password may contain '='
            entry_id, pwd = line.split('=', 1)
            if cyber_ark_id == entry_id:
                container.setProperty("password", pwd)


update_passwords_from_cyberark(extract_cyberark_aware_containers(deltas), context)
```

This is cool and definitely serves to demonstrate the simple flexibility of XL Deploy, but with respect to this particular use case I would add the following cautionary note: it might be fine for demonstrating the concept, but the idea of having every deployment to every container interact with a centralized tool (that may have been designed and optimized for occasional human access) adds quite an overhead to the deployment. I suspect as this is scaled out to hundreds of servers we would have to think of another approach (perhaps a bulk update of infrastructure CIs periodically, for example using our Command Line Interface).

That said, it is however a good start, and with approximately 6 lines of configuration (2 if you like XML on a single line) and a small Python script we have made a powerful but manageable change to our deployment.
I think the biggest win for me is to have something tangible that shows us extending the product in a straightforward way and of course meeting one of the requirements of our growing user base. Also, in my context it's a very quick way to get to talk about the problem of managing information such as credentials: the issues of making deployments dependent on another single point of failure, for example.
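One way to reduce the per-container vault traffic raised in the cautionary note, as an added example that is not part of the original post or of XL Deploy: look up each distinct cyberarkId once per planning run and stop planning when an id cannot be resolved. The names `resolve_passwords`, `parse_key_value`, `VaultLookupError`, `FakeContainer` and the `fetch` callable are assumptions standing in for the real CyberArk call and container CIs.

```python
class VaultLookupError(Exception):
    """Raised when a cyberarkId cannot be resolved, so planning stops."""


def parse_key_value(lines):
    """Parse id=password lines (the demo file format) into a dict."""
    secrets = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip() or "=" not in line:
            continue  # skip blank or malformed lines
        key, value = line.split("=", 1)  # passwords may contain '='
        secrets[key.strip()] = value
    return secrets


def resolve_passwords(containers, fetch):
    """Set each container's password, calling fetch(id) once per distinct id."""
    cache = {}
    for container in containers:
        cid = container.cyberarkId
        if cid not in cache:
            password = fetch(cid)
            if password is None:
                raise VaultLookupError("no password for cyberarkId %r" % cid)
            cache[cid] = password
        container.setProperty("password", cache[cid])
    return len(cache)  # number of vault lookups performed


class FakeContainer(object):
    """Constructed stand-in for an XL Deploy container CI."""
    def __init__(self, name, cyberark_id):
        self.name, self.cyberarkId, self.password = name, cyberark_id, None

    def setProperty(self, key, value):
        setattr(self, key, value)


def demo():
    # Constructed sample data: three hosts sharing two vault ids.
    store = parse_key_value(["app-svc=s3cr=t==\n", "\n", "db-svc=hunter2\n"])
    calls = []
    def fetch(cid):  # hypothetical stand-in for the CyberArk call
        calls.append(cid)
        return store.get(cid)
    hosts = [FakeContainer("web1", "app-svc"), FakeContainer("web2", "app-svc"),
             FakeContainer("db1", "db-svc")]
    lookups = resolve_passwords(hosts, fetch)
    return lookups, calls, [h.password for h in hosts]
```

In the planning script, the list returned by `extract_cyberark_aware_containers(deltas)` would take the place of the fake hosts.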