

[Merge] lp:~cjwatson/charms/trusty/turnip/separate-code-owner into lp:~canonical-launchpad-branches/charms/trusty/turnip/devel

 

Colin Watson has proposed merging lp:~cjwatson/charms/trusty/turnip/separate-code-owner into lp:~canonical-launchpad-branches/charms/trusty/turnip/devel.

Commit message:
Make the code be owned by a different user and group than runs the service.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/charms/trusty/turnip/separate-code-owner/+merge/251451

Make the code be owned by a different user and group from the ones that run the service.

This is required by Canonical IS policies for prodstack (https://wiki.canonical.com/InformationInfrastructure/IS/Policies/Prodstack#Separate_Users_for_Code_Owner_and_Code_Runner), and is a good idea anyway.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/charms/trusty/turnip/separate-code-owner into lp:~canonical-launchpad-branches/charms/trusty/turnip/devel.
=== modified file 'config.yaml'
--- config.yaml	2015-02-27 18:13:29 +0000
+++ config.yaml	2015-03-02 14:22:57 +0000
@@ -57,6 +57,14 @@
     type: string
     default: '/srv/turnip'
     description: Root checkout/srv directory.
+  code_user:
+    type: string
+    default: webops_deploy
+    description: The service's code will be owned by this user.
+  code_group:
+    type: string
+    default: webops_deploy
+    description: The service's code will be owned by this group.
   user:
     type: string
     default: turnip
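Review bot: The new code_user/code_group options only achieve the separation the commit message describes when they differ from `user`/`group`, but the descriptions do not say so; a reader setting both to the same account would silently lose the protection. Consider `description: The service's code will be owned by this user; it should differ from "user" so the running service cannot modify its own code.` and the equivalent wording for code_group.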

=== modified file 'hooks/actions.py'
--- hooks/actions.py	2015-02-27 18:13:29 +0000
+++ hooks/actions.py	2015-03-02 14:22:57 +0000
@@ -1,4 +1,6 @@
+import grp
 import os
+import pwd
 import subprocess
 
 from charmhelpers import fetch
@@ -15,6 +17,8 @@
 REQUIRED_PACKAGES = ['python-virtualenv', 'python-dev', 'python-pygit2']
 APP = config['app_name']
 SRV_DIR = config['srv_dir']
+CODE_USER = config['code_user']
+CODE_GROUP = config['code_group']
 USER = config['user']
 GROUP = config['group']
 
@@ -31,13 +35,17 @@
     log_dir = config['log_dir']
     deploymgr_dir = os.path.join(os.sep, 'srv', 'deploymgr')
 
-    dirs = [data_dir, deploymgr_dir, log_dir, SRV_DIR]
-    for dir in dirs:
+    for dir in (deploymgr_dir, SRV_DIR):
+        host.mkdir(dir, owner=CODE_USER, group=CODE_GROUP, perms=0o775)
+    for dir in (data_dir, log_dir):
         host.mkdir(dir, owner=USER, group=GROUP, perms=0o775)
 
 
 def create_users(service_name):
-    hookenv.log('Creating user and group for %s.' % service_name)
+    hookenv.log('Creating users and groups for %s.' % service_name)
+    code_password = host.pwgen()
+    host.adduser(CODE_USER, code_password)
+    host.add_user_to_group(CODE_USER, CODE_GROUP)
     password = host.pwgen()
     host.adduser(USER, password)
     host.add_user_to_group(USER, GROUP)
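Review bot: The code directories (deploymgr_dir and SRV_DIR) are created with `perms=0o775`, which keeps them group-writable even though they now belong to the code owner rather than the runner; the separation therefore relies on the service user never being a member of code_group. Since hooks run with enough privilege to populate these directories without the group-write bit, `host.mkdir(dir, owner=CODE_USER, group=CODE_GROUP, perms=0o755)` would make the read-only intent explicit, unless something else in code_group is expected to write there. In create_users, `host.add_user_to_group(CODE_USER, CODE_GROUP)` mirrors the existing USER/GROUP call and presumably depends on the group already existing when code_group is not the user's own group; if that assumption is wrong it fails at deploy time, so a comment stating it would help. create_users may continue past the end of this hunk.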
@@ -56,7 +64,10 @@
 
     # Unpack source
     archive.extract_tarfile(archive_path, os.path.join(SRV_DIR))
-    host.chownr(os.path.dirname(SRV_DIR), USER, GROUP)
+    os.chown(
+        SRV_DIR,
+        pwd.getpwnam(CODE_USER).pw_uid, grp.getgrnam(CODE_GROUP).gr_gid)
+    host.lchownr(SRV_DIR, CODE_USER, CODE_GROUP)
 
 
 def install_packages(service_name):
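Review bot: The explicit `os.chown(SRV_DIR, ...)` followed by `host.lchownr(SRV_DIR, CODE_USER, CODE_GROUP)` looks deliberate but reads as redundant without a note; presumably lchownr only walks the entries below the given path and leaves the top-level directory itself untouched, which is why the root is chowned separately. A comment such as `# lchownr handles the tree beneath SRV_DIR only; fix up the directory itself first.` would save the next reader from "simplifying" it away. The switch from chownr to lchownr also means symlinks inside the extracted tarball are no longer followed when changing ownership, so nothing outside SRV_DIR is touched through a link; that is worth stating in the same comment. The enclosing function's signature is outside this hunk.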

=== modified file 'hooks/services.py'
--- hooks/services.py	2015-03-02 11:45:31 +0000
+++ hooks/services.py	2015-03-02 14:22:57 +0000
@@ -10,7 +10,8 @@
     return helpers.render_template(
         source='envs/{}.j2'.format(name),
         target='{}/{}'.format(config['env_dir'], name),
-        owner=config['user'])
+        owner=config['code_user'],
+        group=config['code_group'])
 
 
 def manage():
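Review bot: render_env_template now writes the env files as code_user/code_group but still passes no `perms`, so whether the service (running as `user`, a different account after this change) can read them depends entirely on render_template's default mode, which is not visible here. Pinning it, e.g. `perms=0o644,` after the group argument, makes the intended cross-user readability explicit and robust to a change in the helper's default. The function's signature is outside this hunk.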
@@ -29,17 +30,20 @@
                 helpers.render_template(
                     source='turnip.conf.j2',
                     target='/etc/init/turnip.conf',
-                    owner=config['user'],
+                    owner=config['code_user'],
+                    group=config['code_group'],
                     perms=0o644),
                 helpers.render_template(
                     source='turnip-api.conf.j2',
                     target='/etc/init/turnip-api.conf',
-                    owner=config['user'],
+                    owner=config['code_user'],
+                    group=config['code_group'],
                     perms=0o644),
                 helpers.render_template(
                     source='turnip-app.j2',
                     target='/srv/deploymgr/turnip-app',
-                    owner=config['user'],
+                    owner=config['code_user'],
+                    group=config['code_group'],
                     perms=0o755),
                 render_env_template(config, 'REPO_STORE'),
                 render_env_template(config, 'TURNIP_LOG_DIR'),
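Review bot: The two `/etc/init/*.conf` job files are rendered as `owner=config['code_user'], group=config['code_group']`, but upstart jobs are executed by the init system, so whichever account can write a job file decides what it runs; that makes the deploy account's ownership of them a privilege boundary that the code-owner policy was not meant to cover. System job definitions are conventionally root-owned, so for the turnip.conf and turnip-api.conf renders consider `owner='root', group='root'` (or the hook's default owner) while keeping `perms=0o644` so they stay readable. This is already an improvement over the old `owner=config['user']`, which let the service account own its own init job, so the remark is about tightening further rather than a regression. The `/srv/deploymgr/turnip-app` render is application code and correctly follows the new code owner. manage() starts and ends outside this hunk.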