Merge lp:~cjwatson/charms/trusty/turnip/separate-code-owner into lp:~canonical-launchpad-branches/charms/trusty/turnip/devel

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 32
Merged at revision: 32
Proposed branch: lp:~cjwatson/charms/trusty/turnip/separate-code-owner
Merge into: lp:~canonical-launchpad-branches/charms/trusty/turnip/devel
Diff against target: 109 lines (+31/-8)
3 files modified
config.yaml (+8/-0)
hooks/actions.py (+15/-4)
hooks/services.py (+8/-4)
To merge this branch: bzr merge lp:~cjwatson/charms/trusty/turnip/separate-code-owner
Reviewer Review Type Date Requested Status
Kit Randel (community) code Approve
Review via email: mp+251451@code.launchpad.net

Commit message

Make the code be owned by a different user and group than runs the service.

Description of the change

Make the code be owned by a different user and group from the ones that run the service.

This is required by Canonical IS policies for prodstack (https://wiki.canonical.com/InformationInfrastructure/IS/Policies/Prodstack#Separate_Users_for_Code_Owner_and_Code_Runner), and is a good idea anyway.

Revision history for this message
Kit Randel (blr) wrote :

Well spotted, Colin, thanks; that is a sensible policy.

review: Approve (code)


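--- a/config.yaml
+++ b/config.yaml
@@ -57,6 +57,14 @@
 type: string
 default: '/srv/turnip'
 description: Root checkout/srv directory.
+ code_user:
+ type: string
+ default: webops_deploy
+ description: The service's code will be owned by this user.
+ code_group:
+ type: string
+ default: webops_deploy
+ description: The service's code will be owned by this group.
 user:
 type: string
 default: turnip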
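Review bot: The descriptions of the new `code_user` and `code_group` options do not say that they are meant to differ from `user` and `group`; with the defaults (`webops_deploy` versus `turnip`) the separation holds, but an operator who sets them equal silently loses it, and nothing in this diff appears to check for that. Suggest `description: The service's code will be owned by this user; it should differ from 'user' so that the running service cannot modify its own code.` and the matching wording for `code_group`.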
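--- a/hooks/actions.py
+++ b/hooks/actions.py
@@ -1,4 +1,6 @@
+import grp
 import os
+import pwd
 import subprocess
 
 from charmhelpers import fetch
@@ -15,6 +17,8 @@
 REQUIRED_PACKAGES = ['python-virtualenv', 'python-dev', 'python-pygit2']
 APP = config['app_name']
 SRV_DIR = config['srv_dir']
+CODE_USER = config['code_user']
+CODE_GROUP = config['code_group']
 USER = config['user']
 GROUP = config['group']
 
@@ -31,13 +35,17 @@
 log_dir = config['log_dir']
 deploymgr_dir = os.path.join(os.sep, 'srv', 'deploymgr')
 
- dirs = [data_dir, deploymgr_dir, log_dir, SRV_DIR]
- for dir in dirs:
+ for dir in (deploymgr_dir, SRV_DIR):
+ host.mkdir(dir, owner=CODE_USER, group=CODE_GROUP, perms=0o775)
+ for dir in (data_dir, log_dir):
 host.mkdir(dir, owner=USER, group=GROUP, perms=0o775)
 
 
 def create_users(service_name):
- hookenv.log('Creating user and group for %s.' % service_name)
+ hookenv.log('Creating users and groups for %s.' % service_name)
+ code_password = host.pwgen()
+ host.adduser(CODE_USER, code_password)
+ host.add_user_to_group(CODE_USER, CODE_GROUP)
 password = host.pwgen()
 host.adduser(USER, password)
 host.add_user_to_group(USER, GROUP)
@@ -56,7 +64,10 @@
 
 # Unpack source
 archive.extract_tarfile(archive_path, os.path.join(SRV_DIR))
- host.chownr(os.path.dirname(SRV_DIR), USER, GROUP)
+ os.chown(
+ SRV_DIR,
+ pwd.getpwnam(CODE_USER).pw_uid, grp.getgrnam(CODE_GROUP).gr_gid)
+ host.lchownr(SRV_DIR, CODE_USER, CODE_GROUP)
 
 
 def install_packages(service_name):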
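Review bot: In the hunk at `@@ -56,7 +64,10 @@` the extracted tree under SRV_DIR is now owned by CODE_USER/CODE_GROUP while the runtime USER is only ever added to GROUP (hunk `@@ -31,13 +35,17 @@`), so the service's ability to read its own code depends entirely on the group/other mode bits carried in the tarball, which this commit does not set; before the change the files belonged to USER, so a restrictive mode in the archive was harmless, now it would break the service at start. Consider normalising modes after `host.lchownr(...)` (directories at least `0o755`, files at least `0o644`; USER is not meant to write the code anyway) or at least stating in a comment that the archive is expected to ship world-readable modes. The switch from `chownr` to `lchownr` looks right, since it presumably avoids following symlinks that may be present in the archive, and the preceding explicit `os.chown(SRV_DIR, ...)` deserves a one-line comment if, as it appears, `lchownr` only walks the contents and not the top directory itself. The enclosing function starts outside the hunk.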
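--- a/hooks/services.py
+++ b/hooks/services.py
@@ -10,7 +10,8 @@
 return helpers.render_template(
 source='envs/{}.j2'.format(name),
 target='{}/{}'.format(config['env_dir'], name),
- owner=config['user'])
+ owner=config['code_user'],
+ group=config['code_group'])
 
 
 def manage():
@@ -29,17 +30,20 @@
 helpers.render_template(
 source='turnip.conf.j2',
 target='/etc/init/turnip.conf',
- owner=config['user'],
+ owner=config['code_user'],
+ group=config['code_group'],
 perms=0o644),
 helpers.render_template(
 source='turnip-api.conf.j2',
 target='/etc/init/turnip-api.conf',
- owner=config['user'],
+ owner=config['code_user'],
+ group=config['code_group'],
 perms=0o644),
 helpers.render_template(
 source='turnip-app.j2',
 target='/srv/deploymgr/turnip-app',
- owner=config['user'],
+ owner=config['code_user'],
+ group=config['code_group'],
 perms=0o755),
 render_env_template(config, 'REPO_STORE'),
 render_env_template(config, 'TURNIP_LOG_DIR'),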
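Review bot: In the hunk at `@@ -10,7 +10,8 @@`, `render_env_template` now hands the env files under `config['env_dir']` to `code_user`/`code_group` but still passes no `perms`, so the mode the runtime user reads them with is whatever `helpers.render_template` defaults to, which the diff does not show; the three calls in the second hunk all pass an explicit `perms=`, and this one should match, e.g. `perms=0o644)` appended to the call, picking a mode that leaves the files readable by the service user but not writable by it. Since these files carry the service's environment, it is worth confirming with the caller whether they hold anything that should not be world-readable before settling on the mode. The function's signature lies above the hunk.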
