Yuvipanda has uploaded a new change for review. https://gerrit.wikimedia.org/r/299133
Change subject: tools: Set homedir permissions properly in kube-maintainusers ...................................................................... tools: Set homedir permissions properly in kube-maintainusers Otherwise if it created homedirs it was setting them to be readable and writeable only by root Bug: T140460 Change-Id: I23e06ea5de8115904e606b1580aa3f7391157559 --- M modules/toollabs/files/maintain-kubeusers 1 file changed, 18 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/33/299133/1 diff --git a/modules/toollabs/files/maintain-kubeusers b/modules/toollabs/files/maintain-kubeusers index 6ba6a47..0ff9eca 100755 --- a/modules/toollabs/files/maintain-kubeusers +++ b/modules/toollabs/files/maintain-kubeusers @@ -22,6 +22,7 @@ import random import time import csv +import stat TOOL_ALLOWED_RESOURCES = [ 'pods', @@ -201,7 +202,9 @@ def write_kubeconfig(user, master): """ - Write an appropriate .kube/config for given user to access given master + Write an appropriate .kube/config for given user to access given master. + + This also creates the user's homedir if it doesn't exist See http://kubernetes.io/docs/user-guide/kubeconfig-file/ for format """ 
@@ -230,9 +233,21 @@ }], 'current-context': 'default' } - dirpath = os.path.join('/data', 'project', user.name, '.kube') + homepath = os.path.join('/data', 'project', user.name) + # If the home folder hasn't been created yet, we should create it here + # with the appropriate bits. This used to be done by this script called + # toolwatcher, but it was racing this so we decided to fold it into this. + # HACK: I am not entirely sure if this + try: + os.path.makedirs(homepath, mode=0o775, exists_ok=False) + os.chmod(homepath, 0o775 | stat.I_SGID) + os.chown(homepath, int(user.id), int(user.id)) + except OSError: + # It already exists, let it go! + pass + dirpath = os.path.join(homepath '.kube') path = os.path.join(dirpath, 'config') - os.makedirs(dirpath, exist_ok=True) + os.makedirs(dirpath, mode=0o775, exist_ok=True) f = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW) try: os.write(f, json.dumps(config, indent=4, sort_keys=True).encode('utf-8')) -- To view, visit https://gerrit.wikimedia.org/r/299133 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I23e06ea5de8115904e606b1580aa3f7391157559 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
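Review bot: the new homedir block in the `@@ -230,9 +233,21 @@` hunk cannot run as written: `os.path.makedirs` does not exist (the function is `os.makedirs`), the keyword argument is `exist_ok`, not `exists_ok`, the setgid constant is `stat.S_ISGID`, not `stat.I_SGID`, and `os.path.join(homepath '.kube')` is missing a comma, which is a syntax error. The AttributeError and TypeError raised by the first three are not subclasses of OSError, so the surrounding `except OSError:` would not mask them; the block should read `os.makedirs(homepath, mode=0o775, exist_ok=False)`, `os.chmod(homepath, 0o775 | stat.S_ISGID)` and `dirpath = os.path.join(homepath, '.kube')`. Separately, the bare `except OSError: pass` is too broad: it also swallows EPERM or similar failures from the `os.chmod` and `os.chown` calls, which would leave a freshly created directory root-owned with the wrong mode, exactly the condition Bug T140460 describes. Catch `FileExistsError` around the `os.makedirs` call only and let chmod/chown errors propagate. The `.kube` directory created by the changed `os.makedirs(dirpath, mode=0o775, exist_ok=True)` line is still left owned by whoever runs the script and its mode is subject to the umask, and the `os.open(path, ...)` call that writes the kubeconfig passes no mode, so that file's permissions also depend on the umask; since a kubeconfig holds the user's credentials, an explicit restrictive mode on the file and a chown of `dirpath` and `path` to the user would be safer. Finally, the comment `# HACK: I am not entirely sure if this` trails off mid-sentence and should be completed or dropped before merge.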
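Review bot: in the `@@ -201,7 +202,9 @@` docstring hunk, the added line `This also creates the user's homedir if it doesn't exist` lacks the trailing period that the rewritten sentence above it now has; make the two sentences consistent.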