#!/usr/bin/env python # vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright (c) 2011 OpenStack, LLC. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """Root wrapper for Cinder Filters which commands cinder is allowed to run as another user. To use this, you should set the following in cinder.conf: rootwrap_config=/etc/cinder/rootwrap.conf You also need to let the cinder user run cinder-rootwrap as root in sudoers: cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf * To make allowed commands node-specific, your packaging should only install volume.filters on volume nodes (i.e. cinder-api nodes should not have any of those files installed). """ import ConfigParser import os import signal import subprocess import sys RC_UNAUTHORIZED = 99 RC_NOCOMMAND = 98 RC_BADCONFIG = 97 def _subprocess_setup(): # Python installs a SIGPIPE handler by default. This is usually not what # non-Python subprocesses expect. signal.signal(signal.SIGPIPE, signal.SIG_DFL) if __name__ == '__main__': # Split arguments, require at least a command execname = sys.argv.pop(0) if len(sys.argv) < 2: print "%s: %s" % (execname, "No command specified") sys.exit(RC_NOCOMMAND) configfile = sys.argv.pop(0) userargs = sys.argv[:] # Load configuration config = ConfigParser.RawConfigParser() config.read(configfile) try: filters_path = config.get("DEFAULT", "filters_path").split(",") except ConfigParser.Error: print "%s: Incorrect configuration file: %s" % (execname, configfile) sys.exit(RC_BADCONFIG) # Add ../ to sys.path to allow running from branch possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname), os.pardir, os.pardir)) if os.path.exists(os.path.join(possible_topdir, "cinder", "__init__.py")): sys.path.insert(0, possible_topdir) from cinder.rootwrap import wrapper # Execute command if it matches any of the loaded filters filters = wrapper.load_filters(filters_path) filtermatch = wrapper.match_filter(filters, userargs) if filtermatch: obj = subprocess.Popen(filtermatch.get_command(userargs), stdin=sys.stdin, stdout=sys.stdout, stderr=sys.stderr, preexec_fn=_subprocess_setup, env=filtermatch.get_environment(userargs)) obj.wait() sys.exit(obj.returncode) print "Unauthorized command: %s" % ' '.join(userargs) sys.exit(RC_UNAUTHORIZED)