Update paste, policy and rootwrap configurations 2016-09-08

Change-Id: I16de572c606db0aa7f9957175218a4cf35052161

defaults/main.yml

@@ -181,4 +181,5 @@ sahara_role_project_group: sahara_all
 ## Tunable overrides
 sahara_api_paste_ini_overrides: {}
 sahara_conf_overrides: {}
+sahara_rootwrap_conf_overrides: {}
 sahara_policy_overrides: {}

files/rootwrap.d/sahara.filters

@@ -0,0 +1,4 @@
+[Filters]
+ip: IpNetnsExecFilter, ip, root
+nc: CommandFilter, nc, root
+kill: CommandFilter, kill, root

tasks/sahara_post_install.yml

@@ -29,6 +29,12 @@
       dest: "/etc/sahara/sahara.conf"
       config_overrides: "{{ sahara_conf_overrides }}"
       config_type: "ini"
+    - src: "rootwrap.conf.j2"
+      dest: "/etc/sahara/rootwrap.conf"
+      owner: "root"
+      group: "root"
+      config_overrides: "{{ sahara_rootwrap_conf_overrides }}"
+      config_type: "ini"
     - src: "policy.json.j2"
       dest: "/etc/sahara/policy.json"
       config_overrides: "{{ sahara_policy_overrides }}"
@@ -36,3 +42,13 @@
   notify:
     - Restart sahara api
     - Restart sahara engine
+
+- name: Drop rootwrap filter(s)
+  copy:
+    src: "rootwrap.d/sahara.filters"
+    dest: "/etc/sahara/rootwrap.d/sahara.filters"
+    owner: "root"
+    group: "root"
+  notify:
+    - Restart sahara api
+    - Restart sahara engine

tasks/sahara_pre_install.yml

@@ -37,6 +37,8 @@
   with_items:
     - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
     - { path: "/etc/sahara" }
+    - { path: "/etc/sahara/rootwrap.d", owner: "root", group: "root" }
+    - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
     - { path: "/var/cache/sahara" }
     - { path: "{{ sahara_system_user_home }}" }
 
@@ -60,3 +62,11 @@
     group: "{{ sahara_system_group_name }}"
     mode: "0755"
   when: log_dir.rc != 0
+
+- name: Drop sudoers file
+  template:
+    src: "sudoers.j2"
+    dest: "/etc/sudoers.d/{{ sahara_system_user_name }}_sudoers"
+    mode: "0440"
+    owner: "root"
+    group: "root"

templates/policy.json.j2

@@ -25,6 +25,7 @@
     "data-processing:plugins:get": "",
     "data-processing:plugins:get_version": "",
     "data-processing:plugins:convert_config": "",
+    "data-processing:plugins:patch": "role:admin",
 
     "data-processing:images:get_all": "",
     "data-processing:images:get": "",

templates/rootwrap.conf.j2

@@ -0,0 +1,34 @@
+# Configuration for sahara-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/sahara/rootwrap.d,/usr/share/sahara/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ sahara_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
+
+[xenapi]
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
+xenapi_connection_url=<None>
+xenapi_connection_username=root
+xenapi_connection_password=<None>

templates/sudoers.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+Defaults:{{ sahara_system_user_name }} !requiretty
+Defaults:{{ sahara_system_user_name }} secure_path="{{ sahara_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+{{ sahara_system_user_name }} ALL = (root) NOPASSWD: {{ sahara_bin }}/{{ sahara_service_name }}-rootwrap