[MediaWiki-commits] [Gerrit] wikimedia...process-control[master]: Only run jobs as the service user

Mon, 03 Apr 2017 14:33:06 -0700 

Awight has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/346202 )

Change subject: Only run jobs as the service user
......................................................................

Only run jobs as the service user

Change-Id: Ia12f06f07a1b4d77b6fa3f69fc121ab1c1b10419
---
M process-control.example.yaml
M processcontrol/job_wrapper.py
M tests/data/global_config/global_defaults.yaml
M tests/override_config.py
4 files changed, 13 insertions(+), 6 deletions(-)


  git pull 
ssh://gerrit.wikimedia.org:29418/wikimedia/fundraising/process-control 
refs/changes/02/346202/1

diff --git a/process-control.example.yaml b/process-control.example.yaml
index 2891458..0cbe639 100644
--- a/process-control.example.yaml
+++ b/process-control.example.yaml
@@ -6,8 +6,8 @@
 # Absolute path to the job harness.
 runner_path: /usr/bin/run-job
 
-# Cron will setuid to this user before running the command.  Only use service
-# accounts, never privileged ones.
+# Enforce that jobs are run as this service user.
+# FIXME: new service user for this package.
 user: jenkins
 
 # Default values used when the job description doesn't have these keys.  See
diff --git a/processcontrol/job_wrapper.py b/processcontrol/job_wrapper.py
index 5d83afb..3ec58bf 100644
--- a/processcontrol/job_wrapper.py
+++ b/processcontrol/job_wrapper.py
@@ -1,6 +1,7 @@
 import datetime
 import glob
 import os
+import pwd
 import shlex
 import subprocess
 import threading
@@ -61,6 +62,14 @@
             self.environment = {}
 
     def run(self):
+        # Check that we are the service user.
+        service_user = str(self.global_config.get("user"))
+        if service_user.isdigit():
+            passwd_entry = pwd.getpwuid(int(service_user))
+        else:
+            passwd_entry = pwd.getpwnam(service_user)
+        assert passwd_entry.pw_uid == os.getuid()
+
         lock.begin(job_tag=self.slug)
 
         config.log.info("Running job {name} ({slug})".format(name=self.name, 
slug=self.slug))
diff --git a/tests/data/global_config/global_defaults.yaml 
b/tests/data/global_config/global_defaults.yaml
index e2ac795..daca679 100644
--- a/tests/data/global_config/global_defaults.yaml
+++ b/tests/data/global_config/global_defaults.yaml
@@ -6,10 +6,6 @@
 # Absolute path to the job harness.
 runner_path: /usr/bin/run-job
 
-# Cron will setuid to this user before running the command.  Only use service
-# accounts, never privileged ones.
-user: jenkins
-
 # Default values used when the job description doesn't have these keys.  See
 # the README for a discussion of how to configure jobs.
 default_job_config:
diff --git a/tests/override_config.py b/tests/override_config.py
index 973813e..b1ef2ed 100644
--- a/tests/override_config.py
+++ b/tests/override_config.py
@@ -21,6 +21,8 @@
     elif "job_directory" not in extra:
         extra["job_directory"] = data_dir
 
+    extra["user"] = os.getuid()
+
     OverrideConfiguration.extra = extra
 
     global patcher

-- 
To view, visit https://gerrit.wikimedia.org/r/346202
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia12f06f07a1b4d77b6fa3f69fc121ab1c1b10419
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/fundraising/process-control
Gerrit-Branch: master
Gerrit-Owner: Awight <awi...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to