From 526021d88fdcc9364d1917aa35e8ea8c90ec2947 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Thu, 8 Sep 2016 18:07:15 +0100
Subject: [PATCH] Update paste, policy and rootwrap configurations 2016-09-08
Change-Id: I16de572c606db0aa7f9957175218a4cf35052161
---
 defaults/main.yml | 1 +
 files/rootwrap.d/sahara.filters | 4 ++++
 tasks/sahara_post_install.yml | 16 ++++++++++++++++
 tasks/sahara_pre_install.yml | 10 ++++++++++
 templates/policy.json.j2 | 1 +
 templates/rootwrap.conf.j2 | 34 +++++++++++++++++++++++++++++++++
 templates/sudoers.j2 | 6 ++++++
 7 files changed, 72 insertions(+)
 create mode 100644 files/rootwrap.d/sahara.filters
 create mode 100644 templates/rootwrap.conf.j2
 create mode 100644 templates/sudoers.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index da66b51..0ec3a05 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -181,4 +181,5 @@ sahara_role_project_group: sahara_all
 ## Tunable overrides
 sahara_api_paste_ini_overrides: {}
 sahara_conf_overrides: {}
+sahara_rootwrap_conf_overrides: {}
 sahara_policy_overrides: {}
diff --git a/files/rootwrap.d/sahara.filters b/files/rootwrap.d/sahara.filters
new file mode 100644
index 0000000..207b153
--- /dev/null
+++ b/files/rootwrap.d/sahara.filters
@@ -0,0 +1,4 @@
+[Filters]
+ip: IpNetnsExecFilter, ip, root
+nc: CommandFilter, nc, root
+kill: CommandFilter, kill, root
diff --git a/tasks/sahara_post_install.yml b/tasks/sahara_post_install.yml
index 39d1c35..752ce6b 100644
--- a/tasks/sahara_post_install.yml
+++ b/tasks/sahara_post_install.yml
@@ -29,6 +29,12 @@
 dest: "/etc/sahara/sahara.conf"
 config_overrides: "{{ sahara_conf_overrides }}"
 config_type: "ini"
+ - src: "rootwrap.conf.j2"
+ dest: "/etc/sahara/rootwrap.conf"
+ owner: "root"
+ group: "root"
+ config_overrides: "{{ sahara_rootwrap_conf_overrides }}"
+ config_type: "ini"
 - src: "policy.json.j2"
 dest: "/etc/sahara/policy.json"
 config_overrides: "{{ sahara_policy_overrides }}"
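Review bot: `kill: CommandFilter, kill, root` on the last line of the new filters file lets the service account send any signal to any process as root, because CommandFilter only matches the executable name; oslo.rootwrap provides `KillFilter` precisely to pin the permitted signals and the executable of the target process, e.g. `kill: KillFilter, root, <target executable - confirm>, -9, -HUP`. The same applies to `nc: CommandFilter, nc, root`, which accepts any host and port argument as root; if its only intended use is through the `IpNetnsExecFilter` entry above it, a comment stating that, and the upstream sahara filter file this was taken from (if it was), would let the next reviewer judge the scope. Note that the rootwrap.conf template in this same commit requires this directory to be writable only by root, so the filter file's installed mode matters as much as its contents.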
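Review bot: The new `/etc/sahara/rootwrap.conf` list entry sets `owner` and `group` to root but no `mode`, so the installed permission depends on the module default and the target's umask, although the template's own header says the file must be writable only by root; pin it with `mode: "0644"`. The `Drop rootwrap filter(s)` copy task in the next hunk has the same gap for `/etc/sahara/rootwrap.d/sahara.filters`, while the `Drop sudoers file` task in tasks/sahara_pre_install.yml already pins `mode: "0440"` and is the pattern to follow. The config_template task this list belongs to starts outside the hunk.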
@@ -36,3 +42,13 @@
 notify:
 - Restart sahara api
 - Restart sahara engine
+
+- name: Drop rootwrap filter(s)
+ copy:
+ src: "rootwrap.d/sahara.filters"
+ dest: "/etc/sahara/rootwrap.d/sahara.filters"
+ owner: "root"
+ group: "root"
+ notify:
+ - Restart sahara api
+ - Restart sahara engine
diff --git a/tasks/sahara_pre_install.yml b/tasks/sahara_pre_install.yml
index 179003a..6a68f72 100644
--- a/tasks/sahara_pre_install.yml
+++ b/tasks/sahara_pre_install.yml
@@ -37,6 +37,8 @@
 with_items:
 - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
 - { path: "/etc/sahara" }
+ - { path: "/etc/sahara/rootwrap.d", owner: "root", group: "root" }
+ - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
 - { path: "/var/cache/sahara" }
 - { path: "{{ sahara_system_user_home }}" }
@@ -60,3 +62,11 @@
 group: "{{ sahara_system_group_name }}"
 mode: "0755"
 when: log_dir.rc != 0
+
+- name: Drop sudoers file
+ template:
+ src: "sudoers.j2"
+ dest: "/etc/sudoers.d/{{ sahara_system_user_name }}_sudoers"
+ mode: "0440"
+ owner: "root"
+ group: "root"
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index e3d2d30..789dafc 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -25,6 +25,7 @@
 "data-processing:plugins:get": "",
 "data-processing:plugins:get_version": "",
 "data-processing:plugins:convert_config": "",
+ "data-processing:plugins:patch": "role:admin",
 "data-processing:images:get_all": "",
 "data-processing:images:get": "",
diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2
new file mode 100644
index 0000000..d808912
--- /dev/null
+++ b/templates/rootwrap.conf.j2
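Review bot: The new `/etc/sahara/rootwrap.d` entry sets root ownership but no `mode`, unlike the `/openstack` and `/etc/sudoers.d` entries beside it, so the directory's permission is whatever the loop's file task (which starts outside this hunk) defaults to; rootwrap only trusts filter directories that are writable solely by root, so make that explicit with `- { path: "/etc/sahara/rootwrap.d", mode: "0755", owner: "root", group: "root" }`. Whether the default mode is already safe cannot be confirmed from the hunk.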
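Review bot: The `Drop sudoers file` task installs a rendered template straight into /etc/sudoers.d without a syntax check, so a bad expansion (an empty `sahara_system_user_name`, a stray quote in `sahara_bin`) is written as-is and can leave sudo refusing every rule on the host. Add `validate: "/usr/sbin/visudo -cf %s"` to the task so the file is parsed before it is moved into place; the `mode: "0440"` and root ownership already match what sudo expects.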
@@ -0,0 +1,34 @@
+# Configuration for sahara-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/sahara/rootwrap.d,/usr/share/sahara/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ sahara_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
+
+[xenapi]
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
+xenapi_connection_url=
+xenapi_connection_username=root
+xenapi_connection_password=
diff --git a/templates/sudoers.j2 b/templates/sudoers.j2
new file mode 100644
index 0000000..a1a914c
--- /dev/null
+++ b/templates/sudoers.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+Defaults:{{ sahara_system_user_name }} !requiretty
+Defaults:{{ sahara_system_user_name }} secure_path="{{ sahara_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+{{ sahara_system_user_name }} ALL = (root) NOPASSWD: {{ sahara_bin }}/{{ sahara_service_name }}-rootwrap
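Review bot: `use_syslog=False` means rejected rootwrap invocations leave no central record, even though `syslog_log_level=ERROR` is already tuned to log only denials; consider `use_syslog=True` (or exposing it through `sahara_rootwrap_conf_overrides` in the role defaults) so that a filter denial is visible to operators. `exec_dirs={{ sahara_bin }},...` puts the rendered bin directory first in the root-trusted search path that the comment above says MUST be writable only by root, so add a comment next to it such as `# sahara_bin is trusted by rootwrap: it must be owned by and writable only by root` and confirm the install tasks guarantee that. The `[xenapi]` section and its "L2 agent" comment appear to be carried over from a neutron rootwrap.conf; if sahara does not read them, drop the section or reword the comment so it does not describe a component this role does not deploy.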
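Review bot: The NOPASSWD rule on the last line names the rootwrap executable but leaves its arguments unconstrained, so the configuration file rootwrap reads (its first argument) is chosen by the caller instead of being fixed to the root-owned /etc/sahara/rootwrap.conf whose filters_path and exec_dirs this commit locks down. Pin the argument as OpenStack's packaged sudoers entries do: `{{ sahara_system_user_name }} ALL = (root) NOPASSWD: {{ sahara_bin }}/{{ sahara_service_name }}-rootwrap /etc/sahara/rootwrap.conf *`. This presumes sahara.conf's rootwrap command is set to invoke exactly that path; that setting is outside this patch and should be checked alongside it.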