From: Brett Smith Date: Thu, 22 Jun 2023 14:43:36 +0000 (-0400) Subject: 20663: Make arvados-login-sync actions configurable X-Git-Tag: 2.7.0~70^2~6 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/354335e323305190b957c59c4be26c1231c2d115 20663: Make arvados-login-sync actions configurable Arvados-DCO-1.1-Signed-off-by: Brett Smith --- diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync index df68a4030c..1a825c90f9 100755 --- a/services/login-sync/bin/arvados-login-sync +++ b/services/login-sync/bin/arvados-login-sync @@ -46,6 +46,15 @@ exclusive_banner = "############################################################ start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n" end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n" +actions = { + # These names correspond to the names in the cluster Users configuration. + # Managing everything was the original behavior. + SyncUserAccounts: true, + SyncUserGroups: true, + SyncUserSSHKeys: true, + SyncUserAPITokens: true, +} + keys = '' begin @@ -58,6 +67,9 @@ begin logincluster_name = arv.cluster_config['Login']['LoginCluster'] or '' # Requiring the fuse group was previous hardcoded behavior minimum_groups = arv.cluster_config['Login']['SyncRequiredGroups'] || ['fuse'] + actions.each_pair do |key, default| + actions[key] = arv.cluster_config['Login'].fetch(key.to_s, default) + end if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID'] logincluster_host = arv.cluster_config['RemoteClusters'][logincluster_name]['Host'] @@ -143,6 +155,10 @@ begin username = l[:username] unless pwnam[l[:username]] + unless actions[:SyncUserAccounts] + STDERR.puts "User #{username} does not exist and SyncUserAccounts=false. Skipping." + next + end STDERR.puts "Creating account #{l[:username]}" # Create new user out, st = Open3.capture2e("useradd", "-m", @@ -168,105 +184,111 @@ begin next end - have_groups = current_user_groups[username] - want_groups = l[:groups] || [] - want_groups |= minimum_groups - want_groups &= all_groups - - (want_groups - have_groups).each do |addgroup| - # User should be in group, but isn't, so add them. - STDERR.puts "Add user #{username} to #{addgroup} group" - out, st = Open3.capture2e("usermod", "-aG", addgroup, username) - if st.exitstatus != 0 - STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}" + if actions[:SyncUserGroups] + have_groups = current_user_groups[username] + want_groups = l[:groups] || [] + want_groups |= minimum_groups + want_groups &= all_groups + + (want_groups - have_groups).each do |addgroup| + # User should be in group, but isn't, so add them. + STDERR.puts "Add user #{username} to #{addgroup} group" + out, st = Open3.capture2e("usermod", "-aG", addgroup, username) + if st.exitstatus != 0 + STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}" + end end - end - (have_groups - want_groups).each do |removegroup| - # User is in a group, but shouldn't be, so remove them. - STDERR.puts "Remove user #{username} from #{removegroup} group" - out, st = Open3.capture2e("gpasswd", "-d", username, removegroup) - if st.exitstatus != 0 - STDERR.puts "Failed to remove user #{username} from #{removegroup} group:\n#{out}" + (have_groups - want_groups).each do |removegroup| + # User is in a group, but shouldn't be, so remove them. + STDERR.puts "Remove user #{username} from #{removegroup} group" + out, st = Open3.capture2e("gpasswd", "-d", username, removegroup) + if st.exitstatus != 0 + STDERR.puts "Failed to remove user #{username} from #{removegroup} group:\n#{out}" + end end end - userdotssh = File.join(homedir, ".ssh") - ensure_dir(userdotssh, 0700, username, user_gid) + if actions[:SyncUserSSHKeys] + userdotssh = File.join(homedir, ".ssh") + ensure_dir(userdotssh, 0700, username, user_gid) - newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n" + newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n" - keysfile = File.join(userdotssh, "authorized_keys") - begin - oldkeys = File.read(keysfile) - rescue Errno::ENOENT - oldkeys = "" - end + keysfile = File.join(userdotssh, "authorized_keys") + begin + oldkeys = File.read(keysfile) + rescue Errno::ENOENT + oldkeys = "" + end - if options[:exclusive] - newkeys = exclusive_banner + newkeys - elsif oldkeys.start_with?(exclusive_banner) - newkeys = start_banner + newkeys + end_banner - elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys)) - newkeys = m[1] + start_banner + newkeys + end_banner + m[3] - else - newkeys = start_banner + newkeys + end_banner + oldkeys - end + if options[:exclusive] + newkeys = exclusive_banner + newkeys + elsif oldkeys.start_with?(exclusive_banner) + newkeys = start_banner + newkeys + end_banner + elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys)) + newkeys = m[1] + start_banner + newkeys + end_banner + m[3] + else + newkeys = start_banner + newkeys + end_banner + oldkeys + end - if oldkeys != newkeys then - File.open(keysfile, 'w', 0600) do |f| - f.write(newkeys) + if oldkeys != newkeys then + File.open(keysfile, 'w', 0600) do |f| + f.write(newkeys) + end + FileUtils.chown(username, user_gid, keysfile) end - FileUtils.chown(username, user_gid, keysfile) end - userdotconfig = File.join(homedir, ".config") - ensure_dir(userdotconfig, 0755, username, user_gid) - configarvados = File.join(userdotconfig, "arvados") - ensure_dir(configarvados, 0700, username, user_gid) - - tokenfile = File.join(configarvados, "settings.conf") - - begin - STDERR.puts "Processing #{tokenfile} ..." if debug - newToken = false - if File.exist?(tokenfile) - # check if the token is still valid - myToken = ENV["ARVADOS_API_TOKEN"] - userEnv = File.read(tokenfile) - if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv)) - begin - tmp_arv = Arvados.new({ :api_host => logincluster_host, - :api_token => (m[1]), - :suppress_ssl_warnings => false }) - tmp_arv.user.current - rescue Arvados::TransactionFailedError => e - if e.to_s =~ /401 Unauthorized/ - STDERR.puts "Account #{l[:username]} token not valid, creating new token." - newToken = true - else - raise + if actions[:SyncUserAPITokens] + userdotconfig = File.join(homedir, ".config") + ensure_dir(userdotconfig, 0755, username, user_gid) + configarvados = File.join(userdotconfig, "arvados") + ensure_dir(configarvados, 0700, username, user_gid) + + tokenfile = File.join(configarvados, "settings.conf") + + begin + STDERR.puts "Processing #{tokenfile} ..." if debug + newToken = false + if File.exist?(tokenfile) + # check if the token is still valid + myToken = ENV["ARVADOS_API_TOKEN"] + userEnv = File.read(tokenfile) + if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv)) + begin + tmp_arv = Arvados.new({ :api_host => logincluster_host, + :api_token => (m[1]), + :suppress_ssl_warnings => false }) + tmp_arv.user.current + rescue Arvados::TransactionFailedError => e + if e.to_s =~ /401 Unauthorized/ + STDERR.puts "Account #{l[:username]} token not valid, creating new token." + newToken = true + else + raise + end end end + elsif !File.exist?(tokenfile) || options[:"rotate-tokens"] + STDERR.puts "Account #{l[:username]} token file not found, creating new token." + newToken = true end - elsif !File.exist?(tokenfile) || options[:"rotate-tokens"] - STDERR.puts "Account #{l[:username]} token file not found, creating new token." - newToken = true - end - if newToken - aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0} - if options[:"token-lifetime"] && options[:"token-lifetime"] > 0 - aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"])) - end - user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params) - File.open(tokenfile, 'w', 0600) do |f| - f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n") - f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n") + if newToken + aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0} + if options[:"token-lifetime"] && options[:"token-lifetime"] > 0 + aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"])) + end + user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params) + File.open(tokenfile, 'w', 0600) do |f| + f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n") + f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n") + end + FileUtils.chown(username, user_gid, tokenfile) end - FileUtils.chown(username, user_gid, tokenfile) + rescue => e + STDERR.puts "Error setting token for #{l[:username]}: #{e}" end - rescue => e - STDERR.puts "Error setting token for #{l[:username]}: #{e}" end end