Madhuvishy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/384574 )

Change subject: ssh-key-ldap-lookup: Modify script to run additional checks before ssh login
......................................................................

ssh-key-ldap-lookup: Modify script to run additional checks before ssh login

Bug: T171508
Change-Id: I24d22a168e9f1fa1c30154ec3231200d9f40d624
---
M modules/ldap/files/scripts/ssh-key-ldap-lookup
M modules/ldap/manifests/client/utils.pp
2 files changed, 30 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/74/384574/1

diff --git a/modules/ldap/files/scripts/ssh-key-ldap-lookup 
b/modules/ldap/files/scripts/ssh-key-ldap-lookup
index 239fbdc..13c893d 100755
--- a/modules/ldap/files/scripts/ssh-key-ldap-lookup
+++ b/modules/ldap/files/scripts/ssh-key-ldap-lookup
@@ -23,6 +23,8 @@
 import argparse
 import ldap
 import yaml
+import shlex
+import subrocess
 import sys
 
 
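Review bot: `import subrocess` on the second added line is a misspelling of `subprocess`; there is no such module, so the script raises ImportError at startup, before any key is printed, and every key lookup on a host that receives this version fails. Fix the spelling (and, as a style point, keep the import block alphabetical: `argparse`, `ldap`, `shlex`, `subprocess`, `sys`, `yaml`).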
@@ -76,6 +78,21 @@
         return robust_connect(servers, user, password, position)
 
 
+def verify_nfs_mounted():
+    # While the initial instance boot process is in progress, all the NFS 
mounts
+    # may not be mounted yet. If this is the case, we throw an error
+    test_cmd = "/usr/bin/test -e /root/firstboot_done"
+    firstboot_in_progress = subprocess.call(shlex.split(test_cmd))
+    if firstboot_in_progress:
+        mount_command = "/usr/bin/timeout --preserve-status -k 10s 20s 
/bin/mount -a"
+        subprocess.check_call(shlex.split(mount_command))
+
+
+def run_auxillary_checks():
+    # Run any additional checks before successful user login here
+    verify_nfs_mounted()
+
+
 def main():
     parser = argparse.ArgumentParser()
     parser.add_argument('username', help='Username to list ssh keys for')
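Review bot: `verify_nfs_mounted()` runs `/usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a` directly, but the sudo rule added in utils.pp exists precisely because the `ssh-key-ldap-lookup` user cannot run `mount` itself; as written the call fails with a permission error, `check_call` raises `CalledProcessError`, and the uncaught exception ends the script with a non-zero exit. Prefix the command with `/usr/bin/sudo` so that it matches the sudoers entry argument for argument. Two related points: the `test -e /root/firstboot_done` check is executed by that same unprivileged user, and if `/root` is not traversable for it the test returns non-zero whether or not the file exists, so the mount would be attempted on every login; and neither the function name nor the comment ("we throw an error") describes what the code does, which is to attempt the mount rather than verify it, so rename or reword to match. Also `auxillary` should be `auxiliary`.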
@@ -112,6 +129,8 @@
     for key in keys:
         # Some keys have an accidental newline at the end, see T77902
         print key.strip()
+    run_auxillary_checks()
+
 
 if __name__ == '__main__':
     main()
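Review bot: `run_auxillary_checks()` is called after the keys have already been printed, and any exception it raises propagates out of `main()` as a traceback and a non-zero exit; sshd discards the output of an AuthorizedKeysCommand that does not exit cleanly, so a transient mount failure or a hit `timeout` denies the login outright instead of just being logged. If fail-closed is the intent, make it explicit by catching `subprocess.CalledProcessError`, writing a clear message to stderr and calling `sys.exit(1)`; if it is not, catch and log and let the keys stand. Either way, running the check before the key loop avoids printing keys that sshd then throws away.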
diff --git a/modules/ldap/manifests/client/utils.pp 
b/modules/ldap/manifests/client/utils.pp
index 09f050f..6c8fc27 100644
--- a/modules/ldap/manifests/client/utils.pp
+++ b/modules/ldap/manifests/client/utils.pp
@@ -45,6 +45,17 @@
             home   => '/nonexistent', # Since things seem to check for 
$HOME/.whatever unconditionally...
             shell  => '/bin/false',
         }
+
+        # The ssh-key-ldap-lookup scripts does some additional checks before 
authenticating
+        # users via ssh, like ensuring that NFS is mounted. This grants the 
required sudo permissions
+        # for these commands
+        sudo::user { 'ssh-key-ldap-lookup_sudo':
+            user       => 'ssh-key-ldap-lookup',
+            privileges => [
+                'ALL = NOPASSWD: /usr/bin/timeout --preserve-status -k 10s 20s 
/bin/mount -a',
+            ],
+            require    => User['ssh-key-ldap-lookup'],
+        }
     }
 
     file { '/usr/local/lib/python2.7/dist-packages/ldapsupportlib.py':
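Review bot: the sudoers entry permits exactly `/usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a`, yet the Python change in this patch never invokes `sudo`, so the rule is dead until the script is fixed to call `/usr/bin/sudo /usr/bin/timeout ...` with the identical argument list; sudoers matches arguments literally, so any later drift between the two files silently breaks the check, and a comment in each file pointing at the other would help. Scoping the grant to a fixed `mount -a` rather than a bare `/bin/mount` is the right call. Minor: in the comment, `scripts does` should be `script does`.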

-- 
To view, visit https://gerrit.wikimedia.org/r/384574
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I24d22a168e9f1fa1c30154ec3231200d9f40d624
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Madhuvishy <mviswanat...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
