Andrew Bogott has uploaded a new change for review.
https://gerrit.wikimedia.org/r/56523
Change subject: WIP: Sudo policy for service groups
......................................................................
WIP: Sudo policy for service groups
Change-Id: I0cda7c4f32709c8c7bf6ac38eadd0d1d39b19767
---
M nova/OpenStackNovaServiceGroup.php
M special/SpecialNovaSudoer.php
2 files changed, 32 insertions(+), 1 deletion(-)
git pull
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OpenStackManager
refs/changes/23/56523/1
diff --git a/nova/OpenStackNovaServiceGroup.php
b/nova/OpenStackNovaServiceGroup.php
index f2a462a..dc3c49d 100644
--- a/nova/OpenStackNovaServiceGroup.php
+++ b/nova/OpenStackNovaServiceGroup.php
@@ -259,6 +259,20 @@
return null;
}
+ # Create Sudo policy so that members of this group can chmod
files
+ if ( OpenStackNovaSudoer::createSudoer( $groupName . '-chmod',
+ $project->projectname,
+ array( $groupName ),
+ array( 'ALL' ),
+ array( 'chown -R ' . $groupName . ':' .
$groupName . ' /data/project/' . $groupName ),
+ array( '!authenticate' ) ) ) {
+ $wgAuth->printDebug( "Successfully created chmod sudo
policy for $groupName",
+ NONSENSITIVE );
+ } else {
+ $wgAuth->printDebug( "Failed to creat chmod sudo
policy for $groupName",
+ NONSENSITIVE );
+ }
+
return $newGroup;
}
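Review bot: The command passed to `createSudoer` is `'chown -R ...'` with no absolute path, and sudoers command specs are normally matched against a fully qualified path, so this rule may not match as intended; something like `'/bin/chown -R ' . $groupName . ':' . $groupName . ' /data/project/' . $groupName` would pin the binary (confirm the path on the target hosts). The policy also grants a recursive chown as root with `!authenticate` on `ALL` hosts over a tree the group members can write to, so it changes ownership of whatever they have placed or linked there; consider narrowing the hosts and confirming the filesystem's link protections before this becomes the default. The policy name, the comment and both debug messages say chmod while the command is chown, and "creat" in the failure message is a typo. A failed `createSudoer` is only debug-logged and `$newGroup` is still returned, so the caller cannot tell the policy is missing; the enclosing function starts outside the hunk.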
diff --git a/special/SpecialNovaSudoer.php b/special/SpecialNovaSudoer.php
index 28dbaad..b67148d 100644
--- a/special/SpecialNovaSudoer.php
+++ b/special/SpecialNovaSudoer.php
@@ -272,6 +272,7 @@
$projectmembers = $project->getMembers();
array_unshift( $projectmembers, $this->msg(
'openstackmanager-allmembers' )->text() );
+
$sudomembers = array();
if ( $sudoer ) {
$sudomembers = $sudoer->getSudoerUsers();
@@ -398,6 +399,12 @@
$userNames = array();
$projectmembers = $project->getMembers();
$sudoUsers = $sudoer->getSudoerUsers();
+ # Add service users. These aren't editable.
+ foreach ( $project->serviceGroups as $servicegroup ) {
+ if ( in_array( $servicegroup->groupName,
$sudoUsers ) ) {
+ $userNames[] = $servicegroup->groupName;
+ }
+ }
foreach ( $projectmembers as $member ) {
$user = new OpenStackNovaUser( $member );
if ( in_array( $user->getUid(), $sudoUsers ) ) {
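Review bot: The new membership test `in_array( $servicegroup->groupName, $sudoUsers )` uses loose comparison, which for names that look numeric can report a match that is not an exact string match; since the result decides who is shown as covered by a sudo policy, pass the strict flag: `in_array( $servicegroup->groupName, $sudoUsers, true )`. The same call in the hunk at -551 decides which names are written back into the policy and should get the same change. The comment `# Add service users. These aren't editable.` would be clearer if it said where the non-editability is enforced, since nothing in this hunk enforces it. The enclosing function starts and ends outside the hunk.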
@@ -551,7 +558,17 @@
} else {
$options[] = '!authenticate';
}
- $success = $sudoer->modifySudoer(
$this->removeALLFromUserKeys($formData['users']), $formData['hosts'],
$commands, $options );
+
+ # Make sure we aren't pulling service users out of the
list.
+ $users =
$this->removeALLFromUserKeys($formData['users']);
+ $project = OpenStackNovaProject::getProjectByName(
$formData['project'] );
+ foreach ( $this->project->serviceGroups as
$servicegroup ) {
+ if ( in_array( $servicegroup->groupName,
$sudoer->getSudoerUsers() ) ) {
+ $users[] = $servicegroup->groupName;
+ }
+ }
+
+ $success = $sudoer->modifySudoer( $users,
$formData['hosts'], $commands, $options );
if ( ! $success ) {
$this->getOutput()->addWikiMsg(
'openstackmanager-modifysudoerfailed' );
return true;
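Review bot: The loop iterates `$this->project->serviceGroups`, but the line above assigns the looked-up project to the local `$project`, which is then never used. Unless `$this->project` is populated elsewhere in this handler (not visible here), the service groups are not re-added and the modified policy silently drops them, which is the outcome the comment says this code prevents. Use `foreach ( $project->serviceGroups as $servicegroup )`, and bail out with the existing failure message if `getProjectByName` can return nothing for `$formData['project']`. `$sudoer->getSudoerUsers()` is also re-read on every iteration; read it once before the loop so the check and the write use the same snapshot. The enclosing function starts and ends outside the hunk.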
--
To view, visit https://gerrit.wikimedia.org/r/56523
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0cda7c4f32709c8c7bf6ac38eadd0d1d39b19767
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OpenStackManager
Gerrit-Branch: master
Gerrit-Owner: Andrew Bogott <[email protected]>