Madhuvishy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/384574 )
Change subject: ssh-key-ldap-lookup: Modify script to run additional checks before ssh login ...................................................................... ssh-key-ldap-lookup: Modify script to run additional checks before ssh login Bug: T171508 Change-Id: I24d22a168e9f1fa1c30154ec3231200d9f40d624 --- M modules/ldap/files/scripts/ssh-key-ldap-lookup M modules/ldap/manifests/client/utils.pp 2 files changed, 30 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/74/384574/1
diff --git a/modules/ldap/files/scripts/ssh-key-ldap-lookup b/modules/ldap/files/scripts/ssh-key-ldap-lookup
index 239fbdc..13c893d 100755
--- a/modules/ldap/files/scripts/ssh-key-ldap-lookup
+++ b/modules/ldap/files/scripts/ssh-key-ldap-lookup
@@ -23,6 +23,8 @@
 import argparse
 import ldap
 import yaml
+import shlex
+import subrocess
 import sys
@@ -76,6 +78,21 @@
 return robust_connect(servers, user, password, position)
+def verify_nfs_mounted():
+ # While the initial instance boot process is in progress, all the NFS mounts
+ # may not be mounted yet. If this is the case, we throw an error
+ test_cmd = "/usr/bin/test -e /root/firstboot_done"
+ firstboot_in_progress = subprocess.call(shlex.split(test_cmd))
+ if firstboot_in_progress:
+ mount_command = "/usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a"
+ subprocess.check_call(shlex.split(mount_command))
+
+
+def run_auxillary_checks():
+ # Run any additional checks before successful user login here
+ verify_nfs_mounted()
+
+
 def main():
 parser = argparse.ArgumentParser()
 parser.add_argument('username', help='Username to list ssh keys for')
@@ -112,6 +129,8 @@
 for key in keys:
 # Some keys have an accidental newline at the end, see T77902
 print key.strip()
+ run_auxillary_checks()
+
 if __name__ == '__main__':
 main()
diff --git a/modules/ldap/manifests/client/utils.pp b/modules/ldap/manifests/client/utils.pp
index 09f050f..6c8fc27 100644
--- a/modules/ldap/manifests/client/utils.pp
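Review bot: `+import subrocess` misspells the module, so the script fails with ImportError at import time on every invocation — and as this looks like the command sshd runs to fetch a user's keys, that would block all LDAP ssh logins, not just the new check. Change it to `+import subprocess`. Minor: `shlex` and `subprocess` are stdlib and would conventionally sit with `argparse` and `sys` rather than after the third-party `ldap` and `yaml` imports.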
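Review bot: `verify_nfs_mounted` invokes `/usr/bin/timeout ... /bin/mount -a` directly, while the utils.pp hunk in this change grants the ssh-key-ldap-lookup user sudo for exactly that command string, which implies the script runs as that unprivileged account; without `sudo` the mount cannot succeed as a non-root user, `check_call` raises CalledProcessError and the lookup fails on every first-boot login. I would run it as `subprocess.check_call(['/usr/bin/sudo'] + shlex.split(mount_command))` and keep `mount_command` byte-identical to the sudoers entry, since sudo matches the full argument list. The comment `If this is the case, we throw an error` no longer describes the code, which attempts the mount and only raises if that fails; `# If so, (re)run mount -a via sudo; a failed mount aborts the lookup` would. Confirm that `/root/firstboot_done` is stat-able by the lookup user — if `/root` is not traversable for it, `test -e` exits non-zero for a permission reason and every lookup takes the mount path. If this script is sshd's AuthorizedKeysCommand it executes for each public-key attempt before the client is authenticated, so this side effect runs for unauthenticated connections as well; the 20s timeout bounds it, but that is worth a sentence in the comment.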
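Review bot: `run_auxillary_checks()` runs after the key loop has already written the user's keys to stdout, so a failing check (a CalledProcessError out of verify_nfs_mounted) leaves the keys emitted with only the exit status to flag the failure; calling `run_auxillary_checks()` before `for key in keys:` makes a failed check produce no keys regardless of how the caller treats the exit status. Whether the new call sits inside the `for` body or at main()'s level is not recoverable from the collapsed whitespace here; it should be at the latter. The function name is misspelled — `run_auxiliary_checks`, here and at its definition in the previous hunk. main() begins outside this hunk.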
+++ b/modules/ldap/manifests/client/utils.pp
@@ -45,6 +45,17 @@
 home => '/nonexistent', # Since things seem to check for $HOME/.whatever unconditionally...
 shell => '/bin/false',
 }
+
+ # The ssh-key-ldap-lookup scripts does some additional checks before authenticating
+ # users via ssh, like ensuring that NFS is mounted. This grants the required sudo permissions
+ # for these commands
+ sudo::user { 'ssh-key-ldap-lookup_sudo':
+ user => 'ssh-key-ldap-lookup',
+ privileges => [
+ 'ALL = NOPASSWD: /usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a',
+ ],
+ require => User['ssh-key-ldap-lookup'],
+ }
 }
 file { '/usr/local/lib/python2.7/dist-packages/ldapsupportlib.py':
-- To view, visit https://gerrit.wikimedia.org/r/384574 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I24d22a168e9f1fa1c30154ec3231200d9f40d624 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Madhuvishy <mviswanat...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
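Review bot: The comment above the new `sudo::user` resource says `scripts does` (`script does`) and should state the coupling this entry creates: sudo matches the privilege against the exact argument list, so `/usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a` here and the `mount_command` string in the script have to stay byte-identical, e.g. `# Keep in sync with mount_command in files/scripts/ssh-key-ldap-lookup; sudo matches the arguments exactly`. Pinning the full argument list (rather than `/bin/mount` alone) is the right scope, as `mount -a` with no further options is all the script needs. The enclosing block, and the `file { ... }` resource that follows the closing brace, continue outside the hunk.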