[sysadmin-bin] Rewrite create-auth taking into account we do not handle restricted accesses via plain files anymore
- From: Andrea Veri <averi src gnome org>
- To: gnome-sysadmin gnome org,commits-list gnome org
- Subject: [sysadmin-bin] Rewrite create-auth taking into account we do not handle restricted accesses via plain files anymore
- Date: Wed, 8 Jul 2020 15:16:38 +0000 (UTC)
commit a9d1146d6ddcd7d81984e8280ccea1408d36f9e3
Author: Andrea Veri <averi redhat com>
Date: Wed Jul 8 17:16:28 2020 +0200
Rewrite create-auth taking into account we do not handle restricted accesses via plain files anymore
create-auth | 111 ++++++++++++-----------------------------------------
run-nagios-command | 30 ---------------
2 files changed, 24 insertions(+), 117 deletions(-)
---
diff --git a/create-auth b/create-auth
index 322c297..ab9a414 100755
--- a/create-auth
+++ b/create-auth
@@ -31,7 +31,6 @@ def get_md5sum_hash():
execfile('/home/admin/secret/freeipa_ro')
-## first you must open a connection to the server
try:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_PATH)
@@ -41,18 +40,7 @@ except ldap.LDAPError, e:
print >>sys.stderr, e
sys.exit(1)
-RESTRICTS = {
- 'gnomegit-i18n':
- 'command="/home/admin/bin/run-git-or-special-cmd",no-pty,no-port-forwarding,from="91.189.93.2" ',
- 'mango':
- 'command="/home/admin/bin/run-mango-special-cmd",no-pty,no-port-forwarding ',
- 'rrsync':
- 'command="/home/admin/bin/run-rrsync-or-special-cmd
/ftp/scratch",no-user-rc,no-pty,no-port-forwarding ',
- 'gnomegit':
- 'command="/home/admin/bin/run-git-or-special-cmd",no-pty,no-port-forwarding ',
- 'nagios':
- 'command="/home/admin/bin/run-nagios-command",no-pty,no-port-forwarding ',
-}
+RESTRICTS = {}
LDAP_GROUP_BASE='cn=groups,cn=accounts,dc=gnome,dc=org'
LDAP_USER_BASE='cn=users,cn=accounts,dc=gnome,dc=org'
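Review bot: `RESTRICTS = {}` is left behind with no remaining reader: its only consumer, the `file.write(RESTRICTS[restrict])` call in create_directory_structure, is removed further down in this same commit. Either delete the assignment or, if an empty table is deliberately kept as an extension point, say so on the line, e.g. `RESTRICTS = {}  # no longer populated: restricted access is not handled via plain files`. A silent empty dict invites someone to re-add entries that nothing will ever apply.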
@@ -285,15 +273,6 @@ def set_homedir_permissions(user_data, created_users):
for paths in splitter(delayed, 50):
subprocess.call(['/usr/bin/chattr', '+i', '--'] + paths)
-def get_uids_from_wheel():
- try:
- wheelinfo = grp.getgrnam ('wheel')
- except KeyError:
- wheelinfo = grp.getgrnam ('admin')
-
- people = wheelinfo[3]
- return set(filter (lambda x: x != 'root', people))
-
_cache_group = {}
def get_uids_from_group(group, force_ldap=False):
if group in _cache_group:
@@ -328,35 +307,15 @@ def build_user_hash(group_list, options):
gnomevcs_users = set()
# get a list of all the users. Keep them in a hashtable to avoid duplicates
- wheel = get_uids_from_wheel()
sysadmin = get_uids_from_group('sysadmin')
- print_user_list('Ex-sysadmins to be removed from wheel', wheel - sysadmin)
- users.update(wheel)
users.update(sysadmin)
for group in group_list:
users.update(get_uids_from_group(group, force_ldap=True))
- if options.restrict in ('gnomegit', 'mango'):
- gnomevcs_users = (get_uids_from_group('gnomecvs', force_ldap=True) | get_uids_from_group('gnomevcs',
force_ldap=True)) - users
- if options.translation_user:
- gnomevcs_users.update(['translations'])
- elif options.restrict == 'nagios':
- gnomevcs_users = get_uids_from_group('nagios', force_ldap=True) - users
- elif options.restrict == 'rrsync':
- gnomevcs_users = get_uids_from_group('ftpbasic', force_ldap=True) - users
# look up their keys (if we have them)
- user_data = lookup_user_info(users | gnomevcs_users)
-
- for uid in gnomevcs_users:
- if uid not in user_data:
- continue
-
- if options.restrict == 'gnomegit' and options.translation_user and uid == 'translations':
- user_data[uid]['restrict'] = 'gnomegit-i18n'
- else:
- user_data[uid]['restrict'] = options.restrict
+ user_data = lookup_user_info(users)
- for uid in wheel | sysadmin:
+ for uid in sysadmin:
if uid not in user_data:
continue
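Review bot: `gnomevcs_users = set()` at the top of this hunk is now dead: with the restrict branches removed nothing adds to it, and the new `user_data = lookup_user_info(users)` no longer includes it, so the initialisation should go as well. Dropping `get_uids_from_wheel()` also drops the "Ex-sysadmins to be removed from wheel" report, so an account that remains in the local wheel/admin group after leaving the LDAP sysadmin group no longer surfaces here; if that drift check is not performed elsewhere, it is worth keeping a comparison against the local group. With the restrict handling gone, `options` may no longer be read inside build_user_hash, but the function continues outside the hunk so that cannot be confirmed from here.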
@@ -364,46 +323,43 @@ def build_user_hash(group_list, options):
return user_data
-def create_directory_structure (user_data):
+def create_directory_structure(user_data):
base_directory_name = tempfile.mktemp ('-sshd')
sshd_directory_name = base_directory_name + "/sshd"
users_directory_name = sshd_directory_name + "/users"
- os.mkdir (base_directory_name, 0700)
+ os.mkdir(base_directory_name, 0700)
try:
- os.mkdir (sshd_directory_name, 0711)
- os.mkdir (users_directory_name, 0711)
+ os.mkdir(sshd_directory_name, 0711)
+ os.mkdir(users_directory_name, 0711)
# make a users dir
for uid, user in user_data.iteritems():
user_dir_name = users_directory_name + "/" + user['uid']
authorized_keys_file = user_dir_name + "/authorized_keys"
- os.mkdir (user_dir_name, 0700)
- os.chown (user_dir_name, int(user['uidNumber']), int (user['gidNumber']))
- file = open (authorized_keys_file, "w")
+ os.mkdir(user_dir_name, 0700)
+ os.chown(user_dir_name, int(user['uidNumber']), int (user['gidNumber']))
+ file = open(authorized_keys_file, "w")
for key in user['ipaSshPubKey']:
- restrict = user.get('restrict', None)
- if restrict:
- file.write(RESTRICTS[restrict])
- file.write (key)
- file.write ("\n")
+ file.write(key)
+ file.write("\n")
file.close()
- os.chmod (authorized_keys_file, 0700)
- os.chown (authorized_keys_file, int (user['uidNumber']), int (user['gidNumber']))
+ os.chmod(authorized_keys_file, 0700)
+ os.chown(authorized_keys_file, int (user['uidNumber']), int (user['gidNumber']))
# We special case root
- if os.path.isfile ("/root/.ssh/authorized_keys"):
+ if os.path.isfile("/root/.ssh/authorized_keys"):
user_dir_name = users_directory_name + "/root"
authorized_keys_file = user_dir_name + "/authorized_keys"
- os.mkdir (user_dir_name, 0700)
- os.chown (user_dir_name, 0, 0)
+ os.mkdir(user_dir_name, 0700)
+ os.chown(user_dir_name, 0, 0)
shutil.copy2('/root/.ssh/authorized_keys', authorized_keys_file)
if socket.gethostname() == 'gitlab.gnome.org':
user_dir_name = users_directory_name + "/git"
authorized_keys_file = user_dir_name + "/authorized_keys"
- os.mkdir (user_dir_name, 0700)
- os.chown (user_dir_name, 993, 990)
+ os.mkdir(user_dir_name, 0700)
+ os.chown(user_dir_name, 993, 990)
os.symlink('/var/opt/gitlab/.ssh/authorized_keys', authorized_keys_file)
except Exception, e:
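Review bot: The temporary tree is still created with `tempfile.mktemp ('-sshd')` followed by a separate `os.mkdir(base_directory_name, 0700)` (one of the rewritten lines), which leaves a window in which another local process can claim the predictable name first; `base_directory_name = tempfile.mkdtemp('-sshd')` creates the directory atomically with mode 0700 and lets the mkdir line go. The per-user `file = open(authorized_keys_file, "w")` shadows the builtin and is only closed on the success path, so an exception from a later write or chown leaks the handle; `with open(authorized_keys_file, "w") as keys_file:` around the write loop fixes both. Each key is written exactly as it comes from `user['ipaSshPubKey']`, so a value containing a newline would become additional authorized_keys entries; skipping or rejecting keys that contain `'\n'` before `file.write(key)` keeps one entry per key. The leftover `int (user['gidNumber'])` spacing on both chown lines is inconsistent with the call-spacing cleanup this commit does everywhere else. create_directory_structure continues past this hunk.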
@@ -413,7 +369,7 @@ def create_directory_structure (user_data):
return base_directory_name
-def print_user_list (description, user_list):
+def print_user_list(description, user_list):
if not user_list:
return
@@ -426,7 +382,7 @@ def print_user_list (description, user_list):
print "\t%s" % user
print
-def print_comparison (initial_user_hash, post_user_hash):
+def print_comparison(initial_user_hash, post_user_hash):
removed_users = []
new_users = []
changed_users = []
@@ -449,21 +405,6 @@ def print_comparison (initial_user_hash, post_user_hash):
if __name__ == '__main__':
from optparse import OptionParser
parser = OptionParser()
- parser.add_option("--restrict",
- action="store", dest="restrict", default=None,
- choices=['gnomegit', 'mango', 'rrsync', 'nagios'],
- help="What type of restricted access to setup")
-
- parser.add_option("--gnomegit",
- action="store_const", dest="restrict", const="gnomegit")
- parser.add_option("--rrsync",
- action="store_const", dest="restrict", const="rrsync")
- parser.add_option("--mango",
- action="store_const", dest="restrict", const="mango")
- parser.add_option("--nagios",
- action="store_const", dest="restrict", const="nagios")
- parser.add_option("--translation-user", action="store_true")
-
parser.add_option("--create-all-homedirs",
action="store_const", dest="homedirs", const="all")
parser.add_option("--create-homedirs",
@@ -479,10 +420,6 @@ if __name__ == '__main__':
if options.homedirs is not None:
import stat
- if options.translation_user and options.restrict != 'gnomegit':
- print >>sys.stderr, "ERROR: --translation-user only works for --gnome-git"
- sys.exit(1)
-
if options.homedirs == 'all':
user_list_homedirs = get_homedirs()
old_mask = os.umask(0077)
@@ -491,7 +428,7 @@ if __name__ == '__main__':
print_user_list('Created home directory for', created_users)
# set_homedir_permissions(user_list_homedirs, user_list_homedirs.keys())
- user_data = build_user_hash (group_list, options)
+ user_data = build_user_hash(group_list, options)
if not len(user_data):
print >>sys.stderr, "ERROR: No users to create! Likely empty LDAP directory!!"
sys.exit(1)
@@ -510,8 +447,8 @@ if __name__ == '__main__':
print >>sys.stderr, "Error in rsync of files:"
sys.exit (status)
- post_user_hash = get_md5sum_hash ()
+ post_user_hash = get_md5sum_hash()
finally:
shutil.rmtree(base_directory_name)
- print_comparison (initial_user_hash, post_user_hash)
+ print_comparison(initial_user_hash, post_user_hash)