launchpad-reviewers team mailing list archive
-
launchpad-reviewers team
-
Mailing list archive
-
Message #29868
[Merge] ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master
Colin Watson has proposed merging ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master.
Commit message:
charm: Update DB permissions when configuring launchpad-admin
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/440257
This replaces code currently run by our deployment machinery at the end of its `build` phase.
I also fixed a typo in a reactive flag name that caused hooks to do unnecessary work, since we were never considering the service to be configured.
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master.
diff --git a/charm/launchpad-admin/reactive/launchpad-admin.py b/charm/launchpad-admin/reactive/launchpad-admin.py
index 4d65102..ff76afc 100644
--- a/charm/launchpad-admin/reactive/launchpad-admin.py
+++ b/charm/launchpad-admin/reactive/launchpad-admin.py
@@ -2,6 +2,7 @@
# GNU Affero General Public License version 3 (see the file LICENSE).
import os.path
+import subprocess
from charmhelpers.core import hookenv, host, templating
from charms.launchpad.base import (
@@ -28,13 +29,55 @@ def strip_password(dsn):
return make_dsn(**parsed_dsn)
+def database_is_initialized() -> bool:
+ """Has the database been initialized?
+
+ The launchpad-admin charm is itself used to initialize the database, so
+ we can't assume that that's been done yet at the time our `configure`
+ handler runs. The `LaunchpadDatabaseRevision` table is used to track
+ schema migrations, so its presence is a good indicator of whether we
+ have a useful database.
+ """
+ return (
+ subprocess.run(
+ [
+ "sudo",
+ "-H",
+ "-u",
+ base.user(),
+ os.path.join(home_dir(), "bin", "db"),
+ "-c",
+ r"\d LaunchpadDatabaseRevision",
+ ],
+ stdout=subprocess.DEVNULL,
+ stderr=subprocess.DEVNULL,
+ ).returncode
+ == 0
+ )
+
+
+def update_database_permissions():
+ subprocess.run(
+ [
+ "sudo",
+ "-H",
+ "-u",
+ base.user(),
+ "LPCONFIG=launchpad-admin",
+ os.path.join(base.code_dir(), "database", "schema", "security.py"),
+ "--no-revoke",
+ ],
+ check=True,
+ )
+
+
@when(
"launchpad.base.configured",
"db.master.available",
"db-admin.master.available",
"session-db.master.available",
)
-@when_not("service_configured")
+@when_not("service.configured")
def configure():
db = endpoint_from_flag("db.master.available")
db_admin = endpoint_from_flag("db-admin.master.available")
@@ -82,5 +125,11 @@ def configure():
perms=0o755,
)
+ if database_is_initialized():
+ hookenv.log("Updating database permissions.")
+ update_database_permissions()
+ else:
+ hookenv.log("Database has not been initialized yet.")
+
set_state("service.configured")
hookenv.status_set("active", "Ready")
diff --git a/charm/launchpad-admin/templates/db-admin.j2 b/charm/launchpad-admin/templates/db-admin.j2
index aa0f73d..4749ab3 100644
--- a/charm/launchpad-admin/templates/db-admin.j2
+++ b/charm/launchpad-admin/templates/db-admin.j2
@@ -6,5 +6,5 @@
set -e
-psql '{{ db_admin_primary }}'
+psql '{{ db_admin_primary }}' "$@"
diff --git a/charm/launchpad-admin/templates/db-session.j2 b/charm/launchpad-admin/templates/db-session.j2
index 4d776ae..76a47e1 100755
--- a/charm/launchpad-admin/templates/db-session.j2
+++ b/charm/launchpad-admin/templates/db-session.j2
@@ -6,5 +6,5 @@
set -e
-psql '{{ db_session_primary }}'
+psql '{{ db_session_primary }}' "$@"
diff --git a/charm/launchpad-admin/templates/db.j2 b/charm/launchpad-admin/templates/db.j2
index f07f7e8..7976492 100644
--- a/charm/launchpad-admin/templates/db.j2
+++ b/charm/launchpad-admin/templates/db.j2
@@ -6,5 +6,5 @@
set -e
-psql '{{ db_primary }}'
+psql '{{ db_primary }}' "$@"