a06b316cb4
When running commands that require root privileges, the linuxbridge, openvswitch, and ryu agent now prepend the commands with the value of the root_helper config variable. This is set to "sudo" in the plugins' .ini files, allowing the agent to run as a non-root user with appropriate sudo privilidges. If root_helper is changed to "sudo quantum-rootwrap", then the command being run will be filtered against lists of each agent's valid commands in quantum/rootwrap. See http://wiki.openstack.org/Packager/Rootwrap for details. Fixes bug 948467. Change-Id: I549515068a4ce8ae480905ec5eaab6257445d0c3 Signed-off-by: Bob Kukura <rkukura@redhat.com>
74 lines
2.6 KiB
Python
Executable File
74 lines
2.6 KiB
Python
Executable File
#!/usr/bin/env python
|
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright (c) 2012 Openstack, LLC.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Root wrapper for Quantum
|
|
|
|
Uses modules in quantum.rootwrap containing filters for commands
|
|
that quantum agents are allowed to run as another user.
|
|
|
|
To switch to using this, you should:
|
|
* Set "--root_helper=sudo quantum-rootwrap" in the agents config file.
|
|
* Allow quantum to run quantum-rootwrap as root in quantum_sudoers:
|
|
quantum ALL = (root) NOPASSWD: /usr/bin/quantum-rootwrap
|
|
(all other commands can be removed from this file)
|
|
|
|
To make allowed commands node-specific, your packaging should only
|
|
install quantum/rootwrap/quantum-*-agent.py on compute nodes where
|
|
agents that need root privileges are run.
|
|
"""
|
|
|
|
import os
|
|
import subprocess
|
|
import sys
|
|
|
|
|
|
RC_UNAUTHORIZED = 99
|
|
RC_NOCOMMAND = 98
|
|
|
|
if __name__ == '__main__':
|
|
# Split arguments, require at least a command
|
|
execname = sys.argv.pop(0)
|
|
if len(sys.argv) == 0:
|
|
print "%s: %s" % (execname, "No command specified")
|
|
sys.exit(RC_NOCOMMAND)
|
|
|
|
userargs = sys.argv[:]
|
|
|
|
# Add ../ to sys.path to allow running from branch
|
|
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname),
|
|
os.pardir, os.pardir))
|
|
if os.path.exists(os.path.join(possible_topdir, "quantum", "__init__.py")):
|
|
sys.path.insert(0, possible_topdir)
|
|
|
|
from quantum.rootwrap import wrapper
|
|
|
|
# Execute command if it matches any of the loaded filters
|
|
filters = wrapper.load_filters()
|
|
filtermatch = wrapper.match_filter(filters, userargs)
|
|
if filtermatch:
|
|
obj = subprocess.Popen(filtermatch.get_command(userargs),
|
|
stdin=sys.stdin,
|
|
stdout=sys.stdout,
|
|
stderr=sys.stderr,
|
|
env=filtermatch.get_environment(userargs))
|
|
obj.wait()
|
|
sys.exit(obj.returncode)
|
|
|
|
print "Unauthorized command: %s" % ' '.join(userargs)
|
|
sys.exit(RC_UNAUTHORIZED)
|