authorRiku Voipio <riku.voipio@linaro.org>2018-08-14 15:44:48 +0300
committerRiku Voipio <riku.voipio@linaro.org>2018-08-23 09:55:40 +0000
commit22d3dfdc4d8ee71649957a5cd6be5e6443b524f7 (patch)
tree1b67c1c9adeaf3b3b2b72256fea1345e739dcb14
parentd6a93fab4e5f3b3254e3dd702ecd75573ffb5ce7 (diff)
linaro-git-tools/ssh-ldap: move to /srv/linaro-git-tools/ldap.conf
Use a separate conf file for git tools. For SYS-158. depends on: https://review.linaro.org/#/c/infrastructure/linaro-git-tools/+/27931 This makes ssh-ldap role depend on linaro-git-tools. This reduces duplication as there is now only one place there repo is cloned and configured from. git-deps role is now no longer a dependency for linaro-git-tools since it brings apache and other stuff. List it expicitly in gerrit playbook instead. Change-Id: I128ebbcfef3729bc4dd5907c8f31e4eb8f688c9b Reviewed-on: https://review.linaro.org/27941 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
-rw-r--r--gerrit.yml1
-rw-r--r--group_vars/all1
-rw-r--r--group_vars/gerrit1
-rw-r--r--group_vars/git1
-rw-r--r--roles/linaro-git-tools/defaults/main.yml5
-rw-r--r--roles/linaro-git-tools/meta/main.yml3
-rw-r--r--roles/linaro-git-tools/tasks/main.yml7
-rw-r--r--roles/linaro-git-tools/templates/ldap.conf (renamed from roles/ssh-ldap/templates/ldap.conf)0
-rw-r--r--roles/ssh-ldap/defaults/main.yml3
-rw-r--r--roles/ssh-ldap/files/linaro_ldap.py88
-rwxr-xr-xroles/ssh-ldap/files/ssh_keys.py65
-rw-r--r--roles/ssh-ldap/handlers/main.yml2
-rw-r--r--roles/ssh-ldap/meta/main.yml3
-rw-r--r--roles/ssh-ldap/tasks/main.yml31
-rw-r--r--roles/ssh-ldap/templates/cron.d2
-rw-r--r--roles/ssh-ldap/templates/sshd_config2
16 files changed, 32 insertions, 183 deletions
diff --git a/gerrit.yml b/gerrit.yml
index ec96e5d7..49aecf23 100644
--- a/gerrit.yml
+++ b/gerrit.yml
@@ -7,6 +7,7 @@
roles:
- {role: apache-site, src: "apache/{{gerrit_host}}.conf", config: "{{gerrit_host}}", tags: [apache, website-conf] }
- {role: apache-auth, host_name: "{{gerrit_host}}", when: server_access == "private", tags: [apache-auth, website-conf]}
+ - {role: git-deps}
- {role: linaro-git-tools, tags: [linaro-git-tools]}
- {role: postgres, tags: [gerrit]}
- {role: dovecot-imapd, tags: [imapd]}
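Review bot: The new `git-deps` entry is the only role in this list without tags, so a run restricted with `--tags linaro-git-tools` (the tag the very next role carries) will skip the dependency the commit message says linaro-git-tools needs. Give it the same tag, `- {role: git-deps, tags: [linaro-git-tools]}`, so the two are always applied together.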
diff --git a/group_vars/all b/group_vars/all
index a7045876..caa73418 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -14,3 +14,4 @@ login_groups:
MANAGED_HEADER: Managed by Ansible - do not change!
apache_root: /var/www
linaro_git_server: git.linaro.org
+git_user: git
diff --git a/group_vars/gerrit b/group_vars/gerrit
index c7f2b9ee..01cced27 100644
--- a/group_vars/gerrit
+++ b/group_vars/gerrit
@@ -16,7 +16,6 @@ gerrit_included_plugins:
- singleusergroup
tools_checkout_dir: /srv
-git_user: git
db_name: reviewdb
www_host: "{{inventory_hostname}}"
repo_root: /srv/repositories
diff --git a/group_vars/git b/group_vars/git
index 5fc46a1d..7f3c439c 100644
--- a/group_vars/git
+++ b/group_vars/git
@@ -5,7 +5,6 @@ has_gerrit: true
repo_root: "{{install_base}}/repositories"
git_host: git.linaro.org
-git_user: git
gerrit_root: /srv/gerrit
diff --git a/roles/linaro-git-tools/defaults/main.yml b/roles/linaro-git-tools/defaults/main.yml
new file mode 100644
index 00000000..17ee9980
--- /dev/null
+++ b/roles/linaro-git-tools/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+ssh_ldap_uri: ldaps://login.linaro.org
+ssh_ldap_base: dc=linaro,dc=org
+ssh_ldap_cache_url: ""
+ssh_ldap_binddn: cn=systems-bind,ou=binders,dc=linaro,dc=org
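Review bot: `ssh_ldap_bindpw` is deliberately absent from these defaults and gates the ldap.conf template in tasks/main.yml, but nothing in this file says so; a reader who copies these four keys into another inventory gets a silently skipped task. Add a comment such as `# ssh_ldap_bindpw is supplied from the vault; the ldap.conf template is skipped when it is undefined` (do not add an empty-string default, since `is defined` would then be true and an empty password would be rendered). Whether the `ldaps://` URI actually verifies the server certificate depends on the rendered ldap.conf template, which is only renamed here and not shown, so I have not checked that.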
diff --git a/roles/linaro-git-tools/meta/main.yml b/roles/linaro-git-tools/meta/main.yml
deleted file mode 100644
index efc3fc38..00000000
--- a/roles/linaro-git-tools/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - {role: git-deps}
diff --git a/roles/linaro-git-tools/tasks/main.yml b/roles/linaro-git-tools/tasks/main.yml
index a1c1a25a..bb537434 100644
--- a/roles/linaro-git-tools/tasks/main.yml
+++ b/roles/linaro-git-tools/tasks/main.yml
@@ -14,6 +14,13 @@
dest={{tools_checkout_dir}}/linaro-git-tools
version="HEAD"
+- name: Configure ldap.conf
+ when: ssh_ldap_bindpw is defined
+ template: src=ldap.conf dest={{tools_checkout_dir}}/linaro-git-tools/linaro_ldap.conf
+ owner={{git_user}}
+ group=root
+ mode=0440
+
- name: Set up linaro_gerrit.conf with credentials
when: gerrit_http_password is defined
template: src=linaro_gerrit.conf dest={{tools_checkout_dir}}/linaro-git-tools/linaro_gerrit.conf
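Review bot: The LDAP bind password is now rendered to `{{tools_checkout_dir}}/linaro-git-tools/linaro_ldap.conf`, inside the working tree that the preceding `git:` task keeps at `HEAD`; unless the tools repo ignores that name, a `git clean` or a stray `git add` in that directory can delete or commit the secret. Consider writing it next to the checkout rather than inside it, or confirm that the repo's .gitignore covers `linaro_ldap.conf` (the companion change 27931 is not visible here). Separately, `owner={{git_user}} group=root mode=0440` is tighter than the old world-readable `/etc/ldap.conf`, which is welcome, but the ssh-ldap role symlinks `/etc/pam_ldap.conf` and `/etc/libnss-ldap.conf` to this file, so any PAM/NSS consumer not running as git or root can no longer read its LDAP config; worth verifying that the nss_updatedb cache covers those lookups before rolling this out.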
diff --git a/roles/ssh-ldap/templates/ldap.conf b/roles/linaro-git-tools/templates/ldap.conf
index be9b2045..be9b2045 100644
--- a/roles/ssh-ldap/templates/ldap.conf
+++ b/roles/linaro-git-tools/templates/ldap.conf
diff --git a/roles/ssh-ldap/defaults/main.yml b/roles/ssh-ldap/defaults/main.yml
index 17ee9980..7d506d45 100644
--- a/roles/ssh-ldap/defaults/main.yml
+++ b/roles/ssh-ldap/defaults/main.yml
@@ -1,5 +1,2 @@
---
-ssh_ldap_uri: ldaps://login.linaro.org
-ssh_ldap_base: dc=linaro,dc=org
ssh_ldap_cache_url: ""
-ssh_ldap_binddn: cn=systems-bind,ou=binders,dc=linaro,dc=org
diff --git a/roles/ssh-ldap/files/linaro_ldap.py b/roles/ssh-ldap/files/linaro_ldap.py
deleted file mode 100644
index 4a5be6e7..00000000
--- a/roles/ssh-ldap/files/linaro_ldap.py
+++ /dev/null
@@ -1,88 +0,0 @@
-import contextlib
-import os
-import subprocess
-import tempfile
-import ldap
-
-
-# To provide alternative ldap bind credentials, override the LDAP_CONF
-# environment variable when calling your script that makes use of the this
-# library
-LDAP_CONF = os.environ.get('LDAP_CONF', '/etc/ldap.conf')
-
-
-@contextlib.contextmanager
-def ldap_client(config):
- client = ldap.initialize(config["uri"], trace_level=0)
- client.set_option(ldap.OPT_REFERRALS, 0)
- client.simple_bind(config["binddn"], config["bindpw"])
- try:
- yield client
- finally:
- client.unbind()
-
-
-def build_config():
- config = {}
- with open(LDAP_CONF) as f:
- for line in f:
- if line.startswith('binddn'):
- if "binddn" not in config:
- config["binddn"] = line.split(' ', 1)[1].strip()
- elif line.startswith('bindpw'):
- if "bindpw" not in config:
- config["bindpw"] = line.split(' ', 1)[1].strip()
- elif line.startswith('base'):
- if "basedn" not in config:
- config["basedn"] = line.split(' ', 1)[1].strip()
- elif line.startswith('uri'):
- if "uri" not in config:
- config["uri"] = line.split(' ', 1)[1].strip()
- return config
-
-
-def validate_key(pubkey):
- with tempfile.NamedTemporaryFile(delete=True) as f:
- f.write(pubkey)
- f.flush()
- try:
- args = ['ssh-keygen', '-l', '-f', f.name]
- subprocess.check_output(args, stderr=subprocess.PIPE)
- except:
- return False
- return True
-
-
-def do_query(search_attr='uid', search_pat='*', attrlist=[]):
- config = build_config()
- with ldap_client(config) as client:
- result = client.search_s(
- config["basedn"],
- ldap.SCOPE_SUBTREE,
- '(%s=%s)' % (search_attr, search_pat),
- attrlist)
- return result
-
-
-def get_users_and_keys(only_validated=False):
- """Gets all the users and their associated SSH key.
- :return A list of tuples (uid, ssh_key), only if the user has an SSH
- key.
- """
- result = do_query(attrlist=['uid', 'sshPublicKey'])
- all_users = {}
- for row in result:
- try:
- # Just pick the first UID, it does not really matter how the
- # user is called, it will access the git repository via the
- # 'git' user.
- uid = row[1]['uid'][0]
- ssh_keys = row[1]['sshPublicKey']
- for index, ssh_key in enumerate(ssh_keys):
- if not only_validated or validate_key(ssh_key):
- key_name = '{0}@key_{1}.pub'.format(uid, index)
- all_users.setdefault(uid, []).append((key_name, ssh_key))
- except KeyError:
- # If there are no SSH keys, skip this user.
- pass
- return all_users
diff --git a/roles/ssh-ldap/files/ssh_keys.py b/roles/ssh-ldap/files/ssh_keys.py
deleted file mode 100755
index 07f09954..00000000
--- a/roles/ssh-ldap/files/ssh_keys.py
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/python2
-import json
-import os
-import subprocess
-import sys
-import tarfile
-import urllib2
-import pwd
-
-import linaro_ldap
-
-
-def web_sync(url):
- if not os.path.exists('./tmp'):
- os.mkdir('./tmp')
- tf = urllib2.urlopen(url)
- with tarfile.open(fileobj=tf, mode="r|gz") as tf:
- tf.extractall(path='./tmp')
-
- for p in os.listdir('./tmp'):
- os.rename('./tmp/' + p, p)
-
-
-def ldap_sync():
- fname = 'ssh_keys.json'
- with open(fname + '.tmp', 'w') as f:
- json.dump(linaro_ldap.get_users_and_keys(), f)
- os.rename(f.name, fname)
- subprocess.check_output(['/usr/sbin/nss_updatedb', 'ldap'])
- with tarfile.open('ldap-files.tgz.tmp', 'w:gz') as tf:
- tf.add('group.db')
- tf.add('passwd.db')
- tf.add('ssh_keys.json')
- os.rename('ldap-files.tgz.tmp', 'ldap-files.tgz')
-
-
-def keys(user):
- u = pwd.getpwnam(user)
- if u.pw_uid < 10000: # local user
- with open(os.path.join(u.pw_dir, '.ssh/authorized_keys')) as f:
- try:
- print f.read().strip('\n')
- except:
- return
-
- with open('ssh_keys.json') as f:
- data = json.load(f)
- keys = data.get(user)
- if keys:
- for key in keys:
- print(key[1])
-
-
-if __name__ == '__main__':
- if len(sys.argv) not in (2, 3):
- sys.exit('Usage: %s --sync [URL]|<user>' % sys.argv[0])
-
- os.chdir('/var/lib/misc')
- if sys.argv[1] == '--sync':
- if len(sys.argv) == 3:
- web_sync(sys.argv[2])
- else:
- ldap_sync()
- else:
- keys(sys.argv[1])
diff --git a/roles/ssh-ldap/handlers/main.yml b/roles/ssh-ldap/handlers/main.yml
index 0f6983a3..52820471 100644
--- a/roles/ssh-ldap/handlers/main.yml
+++ b/roles/ssh-ldap/handlers/main.yml
@@ -3,7 +3,7 @@
import_tasks: update_pam.yml
- name: update-ssh-keys
- command: /etc/ssh/ssh_keys.py --sync {{ssh_ldap_cache_url}}
+ command: /srv/linaro-git-tools/ssh_keys.py --sync {{ssh_ldap_cache_url}}
- name: restart-sshd
service: name=ssh state=restarted
diff --git a/roles/ssh-ldap/meta/main.yml b/roles/ssh-ldap/meta/main.yml
new file mode 100644
index 00000000..ddc3faaf
--- /dev/null
+++ b/roles/ssh-ldap/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: linaro-git-tools}
diff --git a/roles/ssh-ldap/tasks/main.yml b/roles/ssh-ldap/tasks/main.yml
index 02d0575a..a4268cbc 100644
--- a/roles/ssh-ldap/tasks/main.yml
+++ b/roles/ssh-ldap/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Install packages
- apt: pkg={{item}}
+ apt: pkg={{item}} update_cache=yes
with_items:
- libnss-db
- libpam-ccreds
@@ -18,32 +18,25 @@
apt:
pkg: libnss-ldap
-- name: Install linaro-git-tools to provide linaro_ldap.py
- git: repo=https://{{linaro_git_server}}/infrastructure/linaro-git-tools.git/
- dest=/srv/linaro-git-tools update=yes version=HEAD
-
-- name: Put linaro_ldap.py into the PYTHONPATH
- file: src=/srv/linaro-git-tools/linaro_ldap.py
- dest=/usr/lib/python2.7/dist-packages/linaro_ldap.py
- state=link force=yes
-
-- name: Copy ssh_keys.py script
- copy: src=ssh_keys.py dest=/etc/ssh/ssh_keys.py mode=0555 owner=root
- notify:
- - update-ssh-keys
-
-- name: Configure ldap.conf
- template: src=ldap.conf dest=/etc/
-
# Debian uses 1 ldap conf file per service (ie a ldap.conf, pam_ldap.conf, etc)
# which is a *real* pain to deal with. We just symlink them all to one source
# to make it easy to manage in one place
- name: LDAP symlinks for Debian systems
when: ansible_distribution == 'Debian'
- file: src=/etc/ldap.conf dest=/etc/{{item}} state=link force=yes
+ file: src=/srv/linaro-git-tools/linaro_ldap.conf dest=/etc/{{item}} state=link force=yes mode=0400 owner=root
with_items:
- pam_ldap.conf
- libnss-ldap.conf
+ notify:
+ - update-ssh-keys
+
+- name: LDAP symlinks for Ubuntu systems
+ when: ansible_distribution == 'Ubuntu'
+ file: src=/srv/linaro-git-tools/linaro_ldap.conf dest=/etc/{{item}} state=link force=yes mode=0400 owner=root
+ with_items:
+ - ldap.conf
+ notify:
+ - update-ssh-keys
# Debian has nscd enabled and running by default. We need this off to work.
- name: Disable nscd for Debian < 9
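Review bot: Both link tasks pass `mode=0400 owner=root` to `file: state=link`; the `file` module follows links for these attributes by default, so this rewrites the target `/srv/linaro-git-tools/linaro_ldap.conf` from the `{{git_user}}:root 0440` that the linaro-git-tools role just set to `root 0400`, the two roles will report a change on every run, and the git user loses read access to the bind credentials. A symlink's own mode is not meaningful, so drop `mode=0400 owner=root` from both tasks and let the task that writes the file own its permissions. Also, the template this points at is skipped when `ssh_ldap_bindpw` is undefined while these links are created unconditionally, leaving `/etc/pam_ldap.conf`, `/etc/libnss-ldap.conf` or `/etc/ldap.conf` dangling; gate both link tasks with the same `when: ssh_ldap_bindpw is defined` (or `fail:` early), and use `src={{tools_checkout_dir}}/linaro-git-tools/linaro_ldap.conf` instead of the hardcoded `/srv` so the link cannot diverge from where the file is written.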
diff --git a/roles/ssh-ldap/templates/cron.d b/roles/ssh-ldap/templates/cron.d
index f10d2b02..4a60c174 100644
--- a/roles/ssh-ldap/templates/cron.d
+++ b/roles/ssh-ldap/templates/cron.d
@@ -1,2 +1,2 @@
# !!MANAGED BY ANSIBLE!!
-0,30 * * * * root /etc/ssh/ssh_keys.py --sync {{ssh_ldap_cache_url}}
+0,30 * * * * root /srv/linaro-git-tools/ssh_keys.py --sync {{ssh_ldap_cache_url}}
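Review bot: Root now executes `/srv/linaro-git-tools/ssh_keys.py` every 30 minutes (and sshd runs the same path as `AuthorizedKeysCommandUser root`) from a git working tree instead of the root-owned 0555 copy that used to be installed under `/etc/ssh`. Ownership of that checkout is not visible in this change; if it, or any path component under `/srv`, is writable by the git user, or the checkout is pulled at `HEAD` from the network, then whoever can write there or push to the repo can run code as root on every git host. Keep the checkout root-owned and not group/world-writable, and consider pinning `version` to a tag or commit instead of `HEAD` in the linaro-git-tools role.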
diff --git a/roles/ssh-ldap/templates/sshd_config b/roles/ssh-ldap/templates/sshd_config
index dd380a6c..a6bfa67a 100644
--- a/roles/ssh-ldap/templates/sshd_config
+++ b/roles/ssh-ldap/templates/sshd_config
@@ -91,7 +91,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthorizedKeysCommandUser root
-AuthorizedKeysCommand /etc/ssh/ssh_keys.py
+AuthorizedKeysCommand /srv/linaro-git-tools/ssh_keys.py
AllowGroups {%for group in login_groups%}{{group}} {%endfor%}
{%if inventory_hostname == '188.40.49.144'%} #x86_64-08