Colin Watson has proposed merging ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master.
Commit message: charm: Update DB permissions when configuring launchpad-admin Requested reviews: Launchpad code reviewers (launchpad-reviewers) For more details, see: https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/440257 This replaces code currently run by our deployment machinery at the end of its `build` phase. I also fixed a typo in a reactive flag name that caused hooks to do unnecessary work, since we were never considering the service to be configured. -- Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master.
diff --git a/charm/launchpad-admin/reactive/launchpad-admin.py b/charm/launchpad-admin/reactive/launchpad-admin.py
index 4d65102..ff76afc 100644
--- a/charm/launchpad-admin/reactive/launchpad-admin.py
+++ b/charm/launchpad-admin/reactive/launchpad-admin.py
@@ -2,6 +2,7 @@
 # GNU Affero General Public License version 3 (see the file LICENSE).
 import os.path
+import subprocess
 from charmhelpers.core import hookenv, host, templating
 from charms.launchpad.base import (
@@ -28,13 +29,55 @@ def strip_password(dsn):
 return make_dsn(**parsed_dsn)
+def database_is_initialized() -> bool:
+ """Has the database been initialized?
+
+ The launchpad-admin charm is itself used to initialize the database, so
+ we can't assume that that's been done yet at the time our `configure`
+ handler runs. The `LaunchpadDatabaseRevision` table is used to track
+ schema migrations, so its presence is a good indicator of whether we
+ have a useful database.
+ """
+ return (
+ subprocess.run(
+ [
+ "sudo",
+ "-H",
+ "-u",
+ base.user(),
+ os.path.join(home_dir(), "bin", "db"),
+ "-c",
+ r"\d LaunchpadDatabaseRevision",
+ ],
+ stdout=subprocess.DEVNULL,
+ stderr=subprocess.DEVNULL,
+ ).returncode
+ == 0
+ )
+
+
+def update_database_permissions():
+ subprocess.run(
+ [
+ "sudo",
+ "-H",
+ "-u",
+ base.user(),
+ "LPCONFIG=launchpad-admin",
+ os.path.join(base.code_dir(), "database", "schema", "security.py"),
+ "--no-revoke",
+ ],
+ check=True,
+ )
+
+
 @when(
 "launchpad.base.configured",
 "db.master.available",
 "db-admin.master.available",
 "session-db.master.available",
 )
-@when_not("service_configured")
+@when_not("service.configured")
 def configure():
 db = endpoint_from_flag("db.master.available")
 db_admin = endpoint_from_flag("db-admin.master.available")
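Review bot: `database_is_initialized` sends both output streams to `subprocess.DEVNULL` and reads any non-zero exit as "not initialized", so a failed connection, a rejected credential, a sudo error or a missing `bin/db` wrapper is indistinguishable from an empty database. Because the caller then skips `security.py`, such a failure would leave the permission update unapplied with nothing in the hook log to explain why. Consider keeping the error text (`stderr=subprocess.PIPE, text=True`) and passing it to `hookenv.log` when the return code is non-zero. `update_database_permissions` has no docstring; one line stating that it runs `security.py` as `base.user()` and why `--no-revoke` is passed would help, since the flag's effect is not visible in this diff.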
@@ -82,5 +125,11 @@ def configure():
 perms=0o755,
 )
+ if database_is_initialized():
+ hookenv.log("Updating database permissions.")
+ update_database_permissions()
+ else:
+ hookenv.log("Database has not been initialized yet.")
+
 set_state("service.configured")
 hookenv.status_set("active", "Ready")
diff --git a/charm/launchpad-admin/templates/db-admin.j2 b/charm/launchpad-admin/templates/db-admin.j2
index aa0f73d..4749ab3 100644
--- a/charm/launchpad-admin/templates/db-admin.j2
+++ b/charm/launchpad-admin/templates/db-admin.j2
@@ -6,5 +6,5 @@
 set -e
-psql '{{ db_admin_primary }}'
+psql '{{ db_admin_primary }}' "$@"
diff --git a/charm/launchpad-admin/templates/db-session.j2 b/charm/launchpad-admin/templates/db-session.j2
index 4d776ae..76a47e1 100755
--- a/charm/launchpad-admin/templates/db-session.j2
+++ b/charm/launchpad-admin/templates/db-session.j2
@@ -6,5 +6,5 @@
 set -e
-psql '{{ db_session_primary }}'
+psql '{{ db_session_primary }}' "$@"
diff --git a/charm/launchpad-admin/templates/db.j2 b/charm/launchpad-admin/templates/db.j2
index f07f7e8..7976492 100644
--- a/charm/launchpad-admin/templates/db.j2
+++ b/charm/launchpad-admin/templates/db.j2
@@ -6,5 +6,5 @@
 set -e
-psql '{{ db_primary }}' "$@"
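Review bot: In the `configure()` hunk, `set_state("service.configured")` runs after both branches, so the flag is set even when `database_is_initialized()` is false. With the corrected `@when_not("service.configured")`, the handler would then presumably not run again once the database has been initialized. Unless something outside this diff clears the flag or runs `security.py` after initialization, a fresh deployment never gets the permission update from this charm. A comment on the `else` branch naming the step expected to apply permissions later, e.g. `# permissions are applied by <step that initializes the database>`, would make that assumption explicit. Logging that branch at `level=hookenv.WARNING` would make the skip easier to spot. The body of `configure()` starts above this hunk.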