openstack/tacker
Code Issues Proposed changes
Files
3d6d849faa2752a8248655d16badaf64b6024cd0
tacker/tacker/privileged/__init__.py
Yasufumi Ogawa 3d6d849faa Migrate rootwrap to privsep 
As a part of the community goal [1], we should replace rootwrap in
favor of privsep.

Although the latest codes don't have a dependency on rootwrap for now,
but it might be happened to introduce a task with root privilege after.
In addition, there are some complex mechanism embeded in Tacker such as
in setuptools or configs under `etc/`. It's hard to drop and restore
them again. So, keep the mechanism active.

In this update, two methods used for tests are implemented in
`tacker/privileged/linux_cmd.py`, but can be used for general purpose.
For the test, it's also including rootwrap for backward compatibility
which will be removed in a future update. It also updates required
libs as bellow for oslo.privsep 2.4.0.
  - eventlet>=0.30.1
  - msgpack>=0.6.0
  - oslo.service>=2.5.0

[1] https://governance.openstack.org/tc/goals/selected/migrate-to-privsep.html

Partially-Implements: bp privsep-migration
Signed-off-by: Yasufumi Ogawa <yasufum.o@gmail.com>
Change-Id: Id8de4c2bae91718d6ba45ed523edc103f0b21718
2022-03-09 00:36:10 +00:00

32 lines
1.1 KiB
Python
Raw Blame History

# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Setup privsep decorator."""
from oslo_privsep import capabilities as caps
from oslo_privsep import priv_context
default = priv_context.PrivContext(
__name__,
cfg_section='privsep',
pypath="f{__name__}.default",
capabilities=[caps.CAP_SYS_ADMIN,
caps.CAP_NET_ADMIN,
caps.CAP_DAC_OVERRIDE,
caps.CAP_DAC_READ_SEARCH,
caps.CAP_SYS_PTRACE],
)
View Git Blame Copy Permalink