projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch '21666-provision-test-improvement'
[arvados.git] / services / login-sync / bin / arvados-login-sync
diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync
index 8e5c6deb5dc8ca47a08dd169157116141aeb0518..cbe8520a002620e0a1520a1fde08552e6a183a3e 100755 (executable)
--- a/services/login-sync/bin/arvados-login-sync
+++ b/services/login-sync/bin/arvados-login-sync
@@ -10,6 +10,19 @@ require 'etc'
 require 'fileutils'
 require 'yaml'
 require 'optparse'
+require 'open3'
+
+def ensure_dir(path, mode, owner, group)
+  begin
+    Dir.mkdir(path, mode)
+  rescue Errno::EEXIST
+    # No change needed
+    false
+  else
+    FileUtils.chown(owner, group, path)
+    true
+  end
+end
 
 req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID)
 req_envs.each do |k|
@@ -21,9 +34,10 @@ end
 options = {}
 OptionParser.new do |parser|
   parser.on('--exclusive', 'Manage SSH keys file exclusively.')
-  parser.on('--rotate-tokens', 'Always create new user tokens. Usually needed with --token-lifetime.')
+  parser.on('--rotate-tokens', 'Force a rotation of all user tokens.')
   parser.on('--skip-missing-users', "Don't try to create any local accounts.")
   parser.on('--token-lifetime SECONDS', 'Create user tokens that expire after SECONDS.', Integer)
+  parser.on('--debug', 'Enable debug output')
 end.parse!(into: options)
 
 exclusive_banner = "#######################################################################################
@@ -32,13 +46,42 @@ exclusive_banner = "############################################################
 start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
 end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
 
+actions = {
+  # These names correspond to the names in the cluster Users configuration.
+  # Managing everything was the original behavior.
+  SyncUserAccounts: true,
+  SyncUserGroups: true,
+  SyncUserSSHKeys: true,
+  SyncUserAPITokens: true,
+}
+
 keys = ''
 
 begin
+  debug = false
+  if options[:"debug"]
+    debug = true
+  end
   arv = Arvados.new({ :suppress_ssl_warnings => false })
-  logincluster_arv = Arvados.new({ :api_host => (ENV['LOGINCLUSTER_ARVADOS_API_HOST'] || ENV['ARVADOS_API_HOST']),
-                                   :api_token => (ENV['LOGINCLUSTER_ARVADOS_API_TOKEN'] || ENV['ARVADOS_API_TOKEN']),
-                      :suppress_ssl_warnings => false })
+  logincluster_host = ENV['ARVADOS_API_HOST']
+  logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
+
+  # Requiring the fuse group was previous hardcoded behavior
+  minimum_groups = arv.cluster_config['Users']['SyncRequiredGroups'] || ['fuse']
+  ignored_groups = arv.cluster_config['Users']['SyncIgnoredGroups'] || []
+  (minimum_groups & ignored_groups).each do |group_name|
+    STDERR.puts "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. It will be ignored."
+  end
+
+  actions.each_pair do |key, default|
+    actions[key] = arv.cluster_config['Users'].fetch(key.to_s, default)
+  end
+
+  if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID']
+    logincluster_host = arv.cluster_config['RemoteClusters'][logincluster_name]['Host']
+  end
+  logincluster_arv = Arvados.new({ :api_host => logincluster_host,
+                                   :suppress_ssl_warnings => false })
 
   vm_uuid = ENV['ARVADOS_VIRTUAL_MACHINE_UUID']
 
@@ -75,7 +118,7 @@ begin
         end
       else
         if pwnam[l[:username]].uid < uid_min
-          STDERR.puts "Account #{l[:username]} uid #{pwnam[l[:username]].uid} < uid_min #{uid_min}. Skipping"
+          STDERR.puts "Account #{l[:username]} uid #{pwnam[l[:username]].uid} < uid_min #{uid_min}. Skipping" if debug
           true
         end
       end
@@ -85,6 +128,7 @@ begin
 
   # Collect all keys
   logins.each do |l|
+    STDERR.puts("Considering #{l[:username]} ...") if debug
     keys[l[:username]] = Array.new() if not keys.has_key?(l[:username])
     key = l[:public_key]
     if !key.nil?
@@ -100,11 +144,12 @@ begin
 
   seen = Hash.new()
 
-  current_user_groups = Hash.new
+  all_groups = []
+  current_user_groups = Hash.new { |hash, key| hash[key] = [] }
   while (ent = Etc.getgrent()) do
+    all_groups << ent.name
     ent.mem.each do |member|
-      current_user_groups[member] ||= Array.new
-      current_user_groups[member].push ent.name
+      current_user_groups[member] << ent.name
     end
   end
   Etc.endgrent()
@@ -116,13 +161,18 @@ begin
     username = l[:username]
 
     unless pwnam[l[:username]]
+      unless actions[:SyncUserAccounts]
+        STDERR.puts "User #{username} does not exist and SyncUserAccounts=false. Skipping."
+        next
+      end
       STDERR.puts "Creating account #{l[:username]}"
       # Create new user
-      unless system("useradd", "-m",
+      out, st = Open3.capture2e("useradd", "-m",
                 "-c", username,
                 "-s", "/bin/bash",
                 username)
-        STDERR.puts "Account creation failed for #{l[:username]}: #{$?}"
+      if st.exitstatus != 0
+        STDERR.puts "Account creation failed for #{l[:username]}:\n#{out}"
         next
       end
       begin
@@ -133,94 +183,119 @@ begin
       end
     end
 
-    existing_groups = current_user_groups[username] || []
-    groups = l[:groups] || []
-    # Adding users to the FUSE group has long been hardcoded behavior.
-    groups << "fuse"
-    groups << username
-    groups.select! { |g| Etc.getgrnam(g) rescue false }
+    user_gid = pwnam[username].gid
+    homedir = pwnam[l[:username]].dir
+    if !File.exist?(homedir)
+      STDERR.puts "Cannot set up user #{username} because their home directory #{homedir} does not exist. Skipping."
+      next
+    end
+
+    if actions[:SyncUserGroups]
+      have_groups = current_user_groups[username] - ignored_groups
+      want_groups = l[:groups] || []
+      want_groups |= minimum_groups
+      want_groups -= ignored_groups
+      want_groups &= all_groups
 
-    groups.each do |addgroup|
-      if existing_groups.index(addgroup).nil?
+      (want_groups - have_groups).each do |addgroup|
         # User should be in group, but isn't, so add them.
         STDERR.puts "Add user #{username} to #{addgroup} group"
-        system("usermod", "-aG", addgroup, username)
+        out, st = Open3.capture2e("usermod", "-aG", addgroup, username)
+        if st.exitstatus != 0
+          STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}"
+        end
       end
-    end
 
-    existing_groups.each do |removegroup|
-      if groups.index(removegroup).nil?
+      (have_groups - want_groups).each do |removegroup|
         # User is in a group, but shouldn't be, so remove them.
         STDERR.puts "Remove user #{username} from #{removegroup} group"
-        system("gpasswd", "-d", username, removegroup)
+        out, st = Open3.capture2e("gpasswd", "-d", username, removegroup)
+        if st.exitstatus != 0
+          STDERR.puts "Failed to remove user #{username} from #{removegroup} group:\n#{out}"
+        end
       end
     end
 
-    homedir = pwnam[l[:username]].dir
-    userdotssh = File.join(homedir, ".ssh")
-    Dir.mkdir(userdotssh) if !File.exist?(userdotssh)
-
-    newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
+    if actions[:SyncUserSSHKeys]
+      userdotssh = File.join(homedir, ".ssh")
+      ensure_dir(userdotssh, 0700, username, user_gid)
 
-    keysfile = File.join(userdotssh, "authorized_keys")
+      newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
 
-    if File.exist?(keysfile)
-      oldkeys = IO::read(keysfile)
-    else
-      oldkeys = ""
-    end
-
-    if options[:exclusive]
-      newkeys = exclusive_banner + newkeys
-    elsif oldkeys.start_with?(exclusive_banner)
-      newkeys = start_banner + newkeys + end_banner
-    elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
-      newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
-    else
-      newkeys = start_banner + newkeys + end_banner + oldkeys
-    end
+      keysfile = File.join(userdotssh, "authorized_keys")
+      begin
+        oldkeys = File.read(keysfile)
+      rescue Errno::ENOENT
+        oldkeys = ""
+      end
 
-    if oldkeys != newkeys then
-      f = File.new(keysfile, 'w')
-      f.write(newkeys)
-      f.close()
-    end
+      if options[:exclusive]
+        newkeys = exclusive_banner + newkeys
+      elsif oldkeys.start_with?(exclusive_banner)
+        newkeys = start_banner + newkeys + end_banner
+      elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
+        newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
+      else
+        newkeys = start_banner + newkeys + end_banner + oldkeys
+      end
 
-    userdotconfig = File.join(homedir, ".config")
-    if !File.exist?(userdotconfig)
-      Dir.mkdir(userdotconfig)
+      if oldkeys != newkeys then
+        File.open(keysfile, 'w', 0600) do |f|
+          f.write(newkeys)
+        end
+        FileUtils.chown(username, user_gid, keysfile)
+      end
     end
 
-    configarvados = File.join(userdotconfig, "arvados")
-    Dir.mkdir(configarvados) if !File.exist?(configarvados)
+    if actions[:SyncUserAPITokens]
+      userdotconfig = File.join(homedir, ".config")
+      ensure_dir(userdotconfig, 0755, username, user_gid)
+      configarvados = File.join(userdotconfig, "arvados")
+      ensure_dir(configarvados, 0700, username, user_gid)
 
-    tokenfile = File.join(configarvados, "settings.conf")
+      tokenfile = File.join(configarvados, "settings.conf")
 
-    begin
-      if !File.exist?(tokenfile) || options[:"rotate-tokens"]
-        aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
-        if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
-          aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+      begin
+        STDERR.puts "Processing #{tokenfile} ..." if debug
+        newToken = false
+        if File.exist?(tokenfile)
+          # check if the token is still valid
+          myToken = ENV["ARVADOS_API_TOKEN"]
+          userEnv = File.read(tokenfile)
+          if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv))
+            begin
+              tmp_arv = Arvados.new({ :api_host => logincluster_host,
+                                      :api_token => (m[1]),
+                                      :suppress_ssl_warnings => false })
+              tmp_arv.user.current
+            rescue Arvados::TransactionFailedError => e
+              if e.to_s =~ /401 Unauthorized/
+                STDERR.puts "Account #{l[:username]} token not valid, creating new token."
+                newToken = true
+              else
+                raise
+              end
+            end
+          end
+        elsif !File.exist?(tokenfile) || options[:"rotate-tokens"]
+          STDERR.puts "Account #{l[:username]} token file not found, creating new token."
+          newToken = true
         end
-        user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
-        f = File.new(tokenfile, 'w')
-        f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
-        f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
-        f.close()
+        if newToken
+          aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
+          if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
+            aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+          end
+          user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
+          File.open(tokenfile, 'w', 0600) do |f|
+            f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
+            f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
+          end
+          FileUtils.chown(username, user_gid, tokenfile)
+        end
+      rescue => e
+        STDERR.puts "Error setting token for #{l[:username]}: #{e}"
       end
-    rescue => e
-      STDERR.puts "Error setting token for #{l[:username]}: #{e}"
-    end
-
-    FileUtils.chown_R(l[:username], nil, userdotssh)
-    FileUtils.chown_R(l[:username], nil, userdotconfig)
-    File.chmod(0700, userdotssh)
-    File.chmod(0700, userdotconfig)
-    File.chmod(0700, configarvados)
-    File.chmod(0750, homedir)
-    File.chmod(0600, keysfile)
-    if File.exist?(tokenfile)
-      File.chmod(0600, tokenfile)
     end
   end