Author: fapeeler
Date: Tue Jul 21 18:55:15 2009
New Revision: 796472

URL: http://svn.apache.org/viewvc?rev=796472&view=rev
Log:
VCL-187

Added check for image profile root access allowed

cleaned up delete_user routine; added step to remove user from sudoers

ran perltidy


Modified:
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm?rev=796472&r1=796471&r2=796472&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm 
(original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm Tue 
Jul 21 18:55:15 2009
@@ -198,6 +198,8 @@
                return 0;
        }
 
+       my $imagemeta_rootaccess = $self->data->get_imagemeta_rootaccess();
+
        # Use userdel to delete the user
        my $user_delete_command = "/usr/sbin/userdel $user_login_id";
        my @user_delete_results = run_ssh_command($computer_node_name, 
$IDENTITY_bladerhel, $user_delete_command, "root");
@@ -208,64 +210,30 @@
                }
        }
 
-       # User successfully deleted
-       # Remove user from sshd config
-       my $external_sshd_config_path      = 
"$computer_node_name:/etc/ssh/external_sshd_config";
-       my $external_sshd_config_temp_path = "/tmp/$computer_node_name.sshd";
-
-       # Retrieve the node's external_sshd_config file
-       if (run_scp_command($external_sshd_config_path, 
$external_sshd_config_temp_path, $IDENTITY_bladerhel)) {
-               notify($ERRORS{'DEBUG'}, 0, "retrieved 
$external_sshd_config_path");
+       #Clear user from external_sshd_config
+       my $clear_extsshd = "perl -pi -e 's/^AllowUsers .*\n//' 
/etc/ssh/external_sshd_config";
+       if (run_ssh_command($computer_node_name, $identity, $clear_extsshd, 
"root")) {
+               notify($ERRORS{'DEBUG'}, 0, "cleared AllowUsers directive from 
external_sshd_config");
        }
        else {
-               notify($ERRORS{'WARNING'}, 0, "sshd config not cleaned up, 
failed to retrieve $external_sshd_config_path");
-               return 0;
+               notify($ERRORS{'CRITICAL'}, 0, "failed to add AllowUsers $user 
to external_sshd_config");
        }
 
-       # Remove user from sshd config file
-       # Get the contents of the sshd config file
-       if (open(SSHD_CFG_TEMP, $external_sshd_config_temp_path)) {
-               my @external_sshd_config_lines = <SSHD_CFG_TEMP>;
-               close SSHD_CFG_TEMP;
-
-               # Loop through the lines, clear out AllowUsers lines
-               foreach my $external_sshd_config_line 
(@external_sshd_config_lines) {
-                       $external_sshd_config_line = "" if 
($external_sshd_config_line =~ /AllowUsers/);
-               }
+       #Clear user from sudoers
 
-               # Rewrite the temp sshd config file with the modified contents
-               if (open(SSHD_CFG_TEMP, ">$external_sshd_config_temp_path")) {
-                       print SSHD_CFG_TEMP @external_sshd_config_lines;
-                       close SSHD_CFG_TEMP;
+       if ($imagemeta_rootaccess) {
+               #clear user from sudoers file
+               my $clear_cmd = "perl -pi -e 's/^$user_name .*\n//' 
/etc/sudoers";
+               if (run_ssh_command($computer_node_name, $image_identity, 
$clear_cmd, "root")) {
+                       notify($ERRORS{'DEBUG'}, 0, "cleared $user_name from 
/etc/sudoers");
                }
-
-               # Copy the modified file back to the node
-               if (run_scp_command($external_sshd_config_temp_path, 
$external_sshd_config_path, $IDENTITY_bladerhel)) {
-                       notify($ERRORS{'DEBUG'}, 0, "modified file copied back 
to node: $external_sshd_config_path");
-
-                       # Delete the temp file
-                       unlink $external_sshd_config_temp_path;
-
-                       # Restart external sshd
-                       if (run_ssh_command($computer_node_name, 
$IDENTITY_bladerhel, "/etc/init.d/ext_sshd restart")) {
-                               notify($ERRORS{'DEBUG'}, 0, "restarted ext_sshd 
on $computer_node_name");
-                       }
-
-                       return 1;
-               } ## end if (run_scp_command($external_sshd_config_temp_path...
                else {
-                       notify($ERRORS{'WARNING'}, 0, "failed to copy modified 
file back to node: $external_sshd_config_path");
+                       notify($ERRORS{'CRITICAL'}, 0, "failed to clear 
$user_name from /etc/sudoers");
+               }
+       } ## end if ($imagemeta_rootaccess)
 
-                       # Delete the temp file
-                       unlink $external_sshd_config_temp_path;
+       return 1;
 
-                       return 0;
-               }
-       } ## end if (open(SSHD_CFG_TEMP, $external_sshd_config_temp_path...
-       else {
-               notify($ERRORS{'WARNING'}, 0, "failed to open temporary sshd 
config file: $external_sshd_config_temp_path");
-               return 0;
-       }
 } ## end sub delete_user
 
 #/////////////////////////////////////////////////////////////////////////////
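Review bot: The new sshd and sudoers steps in delete_user use `$identity`, `$user`, `$user_name` and `$image_identity`, while the lines of this function visible in the diff use `$user_login_id` and `$IDENTITY_bladerhel`; the top of delete_user is outside the hunk, but if those names are not declared there the module will not compile under `use strict`, or the sudoers pattern will be built from an empty name. Either declare them as reserve() does or reuse the existing variables, e.g. `run_ssh_command($computer_node_name, $IDENTITY_bladerhel, $clear_extsshd, "root")`. The failure branch of the AllowUsers cleanup logs "failed to add AllowUsers $user", which describes grant_access rather than this step; it should read `"failed to clear AllowUsers directive from external_sshd_config"`. The removed code restarted ext_sshd after editing the file and returned 0 on failure; the new code does neither, so a running ext_sshd presumably keeps the old AllowUsers list and callers see `return 1` even when a cleanup step logged CRITICAL.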
@@ -279,10 +247,11 @@
 
        notify($ERRORS{'DEBUG'}, 0, "Enterered reserve() in the Ubuntu OS 
module");
 
-       my $user_name = $self->data->get_user_login_id();
-       my $computer_node_name = $self->data->get_computer_node_name();
-       my $image_identity = $self->data->get_image_identity;
+       my $user_name            = $self->data->get_user_login_id();
+       my $computer_node_name   = $self->data->get_computer_node_name();
+       my $image_identity       = $self->data->get_image_identity;
        my $reservation_password = $self->data->get_reservation_password();
+       my $imagemeta_rootaccess = $self->data->get_imagemeta_rootaccess();
 
        my $useradd_string = "/usr/sbin/useradd -d /home/$user_name -m -g admin 
$user_name";
 
@@ -308,27 +277,29 @@
                notify($ERRORS{'DEBUG'}, 0, "Updated the user password .... L 
is $l");
        }
 
-       #FIXME: This needs to pull from imagemeta data rootaccess - if 
rootaccess==1 then set
-       # Add to sudoers file
-       #clear user from sudoers file
-       my $clear_cmd = "perl -pi -e 's/^$user_name .*\n//' /etc/sudoers";
-       if(run_ssh_command($computer_node_name, $image_identity, $clear_cmd, 
"root")) {
-               notify($ERRORS{'DEBUG'}, 0, "cleared $user_name from 
/etc/sudoers");
-       }
-       else {
-               notify($ERRORS{'CRITICAL'}, 0, "failed to clear $user_name from 
/etc/sudoers");
-       }
-       my $sudoers_cmd = "echo \"$user_name ALL= NOPASSWD: ALL\" >> 
/etc/sudoers";
-       if(run_ssh_command($computer_node_name, $image_identity, $sudoers_cmd, 
"root")) {
-               notify($ERRORS{'DEBUG'}, 0, "added $user_name to /etc/sudoers");
-       }
-       else {
-               notify($ERRORS{'CRITICAL'}, 0, "failed to add $user_name to 
/etc/sudoers");
-       }
+       #Check image profile for allowed root access
+       if ($imagemeta_rootaccess) {
+               # Add to sudoers file
+               #clear user from sudoers file
+               my $clear_cmd = "perl -pi -e 's/^$user_name .*\n//' 
/etc/sudoers";
+               if (run_ssh_command($computer_node_name, $image_identity, 
$clear_cmd, "root")) {
+                       notify($ERRORS{'DEBUG'}, 0, "cleared $user_name from 
/etc/sudoers");
+               }
+               else {
+                       notify($ERRORS{'CRITICAL'}, 0, "failed to clear 
$user_name from /etc/sudoers");
+               }
+               my $sudoers_cmd = "echo \"$user_name ALL= NOPASSWD: ALL\" >> 
/etc/sudoers";
+               if (run_ssh_command($computer_node_name, $image_identity, 
$sudoers_cmd, "root")) {
+                       notify($ERRORS{'DEBUG'}, 0, "added $user_name to 
/etc/sudoers");
+               }
+               else {
+                       notify($ERRORS{'CRITICAL'}, 0, "failed to add 
$user_name to /etc/sudoers");
+               }
+       } ## end if ($imagemeta_rootaccess)
 
 
        return 1;
-}
+} ## end sub reserve
 
 sub grant_access {
        my $self = shift;
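Review bot: The `$clear_cmd` step in reserve() now runs only inside `if ($imagemeta_rootaccess)`, so when the image profile does not allow root access any existing `$user_name ALL= NOPASSWD: ALL` line in /etc/sudoers is left in place (whether such a line can be carried over in an image is not shown here and should be confirmed). Run the clear unconditionally and keep only the `$sudoers_cmd` append inside the `if`; the same gating is used for the sudoers cleanup added to delete_user. `$user_name` is also interpolated unescaped into the remote pattern, so a login containing a regex metacharacter would not match only its own line; `s/^\Q$user_name\E .*\n//` avoids that. Separately, the unchanged `useradd ... -g admin` line in reserve() puts every user in group admin, which a stock Ubuntu sudoers file of this period may already grant sudo to, so the new flag may not restrict root access by itself.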
@@ -337,14 +308,14 @@
                return 0;
        }
 
-       my $user = $self->data->get_user_login_id();
+       my $user               = $self->data->get_user_login_id();
        my $computer_node_name = $self->data->get_computer_node_name();
-       my $identity = $self->data->get_image_identity;
+       my $identity           = $self->data->get_image_identity;
 
        notify($ERRORS{'OK'}, 0, "In grant_access routine 
$user,$computer_node_name");
        my @sshcmd;
        my $clear_extsshd = "perl -pi -e 's/^AllowUsers .*\n//' 
/etc/ssh/external_sshd_config";
-       if(run_ssh_command($computer_node_name, $identity, $clear_extsshd, 
"root")) {
+       if (run_ssh_command($computer_node_name, $identity, $clear_extsshd, 
"root")) {
                notify($ERRORS{'DEBUG'}, 0, "cleared AllowUsers directive from 
external_sshd_config");
        }
        else {
@@ -372,7 +343,7 @@
        }    #foreach
        notify($ERRORS{'OK'}, 0, "started ext_sshd on $computer_node_name");
        return 1;
-}
+} ## end sub grant_access
 
 #/////////////////////////////////////////////////////////////////////////////
 

