X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/38104975556f7a0a59c1a21a97aa37cd0e178d69..e6276d3b309b3710a92adb308f879eff7db44488:/services/login-sync/bin/arvados-login-sync diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync index d8836f19b3..9bcb5bfa9d 100755 --- a/services/login-sync/bin/arvados-login-sync +++ b/services/login-sync/bin/arvados-login-sync @@ -10,6 +10,7 @@ require 'etc' require 'fileutils' require 'yaml' require 'optparse' +require 'open3' req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID) req_envs.each do |k| @@ -21,9 +22,10 @@ end options = {} OptionParser.new do |parser| parser.on('--exclusive', 'Manage SSH keys file exclusively.') - parser.on('--rotate-tokens', 'Always create new user tokens. Usually needed with --token-lifetime.') + parser.on('--rotate-tokens', 'Force a rotation of all user tokens.') parser.on('--skip-missing-users', "Don't try to create any local accounts.") parser.on('--token-lifetime SECONDS', 'Create user tokens that expire after SECONDS.', Integer) + parser.on('--debug', 'Enable debug output') end.parse!(into: options) exclusive_banner = "####################################################################################### @@ -35,10 +37,19 @@ end_banner = "### END Arvados-managed keys -- changes between markers will be ov keys = '' begin + debug = false + if options[:"debug"] + debug = true + end arv = Arvados.new({ :suppress_ssl_warnings => false }) - logincluster_arv = Arvados.new({ :api_host => (ENV['LOGINCLUSTER_ARVADOS_API_HOST'] || ENV['ARVADOS_API_HOST']), - :api_token => (ENV['LOGINCLUSTER_ARVADOS_API_TOKEN'] || ENV['ARVADOS_API_TOKEN']), - :suppress_ssl_warnings => false }) + logincluster_host = ENV['ARVADOS_API_HOST'] + logincluster_name = arv.cluster_config['Login']['LoginCluster'] or '' + + if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID'] + logincluster_host = arv.cluster_config['RemoteClusters'][logincluster_name]['Host'] + end + logincluster_arv = Arvados.new({ :api_host => logincluster_host, + :suppress_ssl_warnings => false }) vm_uuid = ENV['ARVADOS_VIRTUAL_MACHINE_UUID'] @@ -75,7 +86,7 @@ begin end else if pwnam[l[:username]].uid < uid_min - STDERR.puts "Account #{l[:username]} uid #{pwnam[l[:username]].uid} < uid_min #{uid_min}. Skipping" + STDERR.puts "Account #{l[:username]} uid #{pwnam[l[:username]].uid} < uid_min #{uid_min}. Skipping" if debug true end end @@ -85,6 +96,7 @@ begin # Collect all keys logins.each do |l| + STDERR.puts("Considering #{l[:username]} ...") if debug keys[l[:username]] = Array.new() if not keys.has_key?(l[:username]) key = l[:public_key] if !key.nil? @@ -118,11 +130,12 @@ begin unless pwnam[l[:username]] STDERR.puts "Creating account #{l[:username]}" # Create new user - unless system("useradd", "-m", + out, st = Open3.capture2e("useradd", "-m", "-c", username, "-s", "/bin/bash", username) - STDERR.puts "Account creation failed for #{l[:username]}: #{$?}" + if st.exitstatus != 0 + STDERR.puts "Account creation failed for #{l[:username]}:\n#{out}" next end begin @@ -133,6 +146,12 @@ begin end end + homedir = pwnam[l[:username]].dir + if !File.exist?(homedir) + STDERR.puts "Cannot set up user #{username} because their home directory #{homedir} does not exist. Skipping." + next + end + existing_groups = current_user_groups[username] || [] groups = l[:groups] || [] # Adding users to the FUSE group has long been hardcoded behavior. @@ -144,7 +163,10 @@ begin if existing_groups.index(addgroup).nil? # User should be in group, but isn't, so add them. STDERR.puts "Add user #{username} to #{addgroup} group" - system("adduser", username, addgroup) + out, st = Open3.capture2e("usermod", "-aG", addgroup, username) + if st.exitstatus != 0 + STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}" + end end end @@ -152,11 +174,13 @@ begin if groups.index(removegroup).nil? # User is in a group, but shouldn't be, so remove them. STDERR.puts "Remove user #{username} from #{removegroup} group" - system("deluser", username, removegroup) + out, st = Open3.capture2e("gpasswd", "-d", username, removegroup) + if st.exitstatus != 0 + STDERR.puts "Failed to remove user #{username} from #{removegroup} group:\n#{out}" + end end end - homedir = pwnam[l[:username]].dir userdotssh = File.join(homedir, ".ssh") Dir.mkdir(userdotssh) if !File.exist?(userdotssh) @@ -197,7 +221,32 @@ begin tokenfile = File.join(configarvados, "settings.conf") begin - if !File.exist?(tokenfile) || options[:"rotate-tokens"] + STDERR.puts "Processing #{tokenfile} ..." if debug + newToken = false + if File.exist?(tokenfile) + # check if the token is still valid + myToken = ENV["ARVADOS_API_TOKEN"] + userEnv = IO::read(tokenfile) + if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv)) + begin + tmp_arv = Arvados.new({ :api_host => logincluster_host, + :api_token => (m[1]), + :suppress_ssl_warnings => false }) + tmp_arv.user.current + rescue Arvados::TransactionFailedError => e + if e.to_s =~ /401 Unauthorized/ + STDERR.puts "Account #{l[:username]} token not valid, creating new token." + newToken = true + else + raise + end + end + end + elsif !File.exist?(tokenfile) || options[:"rotate-tokens"] + STDERR.puts "Account #{l[:username]} token file not found, creating new token." + newToken = true + end + if newToken aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0} if options[:"token-lifetime"] && options[:"token-lifetime"] > 0 aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))