Move rootwrap filters definition to config files
Move rootwrap filters definition from being defined within Nova
code to being defined in configuration files to facilitate pluging-in
new rootwrap commands.
Transition notes:
* nova-rootwrap now requires an additional (first) parameter pointing
to the root-owned rootwrap.conf file, sudoers needs to be updated
to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *")
* Packagers should ship {compute,network,volume}.filters inside a
directory listed in rootwrap.conf rather than shipping
nova/rootwrap/{compute,network,volume}.py
* Filter definitions now only support strings. The KillFilter (which was
using arrays as parameters) was modified and the tests updated.
Implements bp nova-rootwrap-pluggable-filters
Corresponding devstack change needs to land first, so that tests pass:
https://review.openstack.org/8842
Change-Id: I2350154cd8057bd57926ed542de035626f7de37d
This commit is contained in:
Thierry Carrez
@@ -18,21 +18,21 @@
|
||||
|
||||
"""Root wrapper for Nova
|
||||
|
||||
Uses modules in nova.rootwrap containing filters for commands
|
||||
that nova is allowed to run as another user.
|
||||
Filters which commands nova is allowed to run as another user.
|
||||
|
||||
To switch to using this, you should:
|
||||
* Set "--root_helper=sudo nova-rootwrap" in nova.conf
|
||||
* Allow nova to run nova-rootwrap as root in nova_sudoers:
|
||||
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap
|
||||
(all other commands can be removed from this file)
|
||||
To use this, you should set the following in nova.conf:
|
||||
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
|
||||
|
||||
You also need to let the nova user run nova-rootwrap as root in sudoers:
|
||||
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
|
||||
|
||||
To make allowed commands node-specific, your packaging should only
|
||||
install nova/rootwrap/{compute,network,volume}.py respectively on
|
||||
compute, network and volume nodes (i.e. nova-api nodes should not
|
||||
have any of those files installed).
|
||||
install {compute,network,volume}.filters respectively on compute, network
|
||||
and volume nodes (i.e. nova-api nodes should not have any of those files
|
||||
installed).
|
||||
"""
|
||||
|
||||
import ConfigParser
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
@@ -40,16 +40,27 @@ import sys
|
||||
|
||||
RC_UNAUTHORIZED = 99
|
||||
RC_NOCOMMAND = 98
|
||||
RC_BADCONFIG = 97
|
||||
|
||||
if __name__ == '__main__':
|
||||
# Split arguments, require at least a command
|
||||
execname = sys.argv.pop(0)
|
||||
if len(sys.argv) == 0:
|
||||
if len(sys.argv) < 2:
|
||||
print "%s: %s" % (execname, "No command specified")
|
||||
sys.exit(RC_NOCOMMAND)
|
||||
|
||||
configfile = sys.argv.pop(0)
|
||||
userargs = sys.argv[:]
|
||||
|
||||
# Load configuration
|
||||
config = ConfigParser.RawConfigParser()
|
||||
config.read(configfile)
|
||||
try:
|
||||
filters_path = config.get("DEFAULT", "filters_path").split(",")
|
||||
except ConfigParser.Error:
|
||||
print "%s: Incorrect configuration file: %s" % (execname, configfile)
|
||||
sys.exit(RC_BADCONFIG)
|
||||
|
||||
# Add ../ to sys.path to allow running from branch
|
||||
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname),
|
||||
os.pardir, os.pardir))
|
||||
@@ -59,7 +70,7 @@ if __name__ == '__main__':
|
||||
from nova.rootwrap import wrapper
|
||||
|
||||
# Execute command if it matches any of the loaded filters
|
||||
filters = wrapper.load_filters()
|
||||
filters = wrapper.load_filters(filters_path)
|
||||
filtermatch = wrapper.match_filter(filters, userargs)
|
||||
if filtermatch:
|
||||
obj = subprocess.Popen(filtermatch.get_command(userargs),
|
||||
|
||||
Reference in New Issue
Block a user