Set owner of drive-audit recon cache to swift user
Fixies this problem:
* swift-drive-audit needs to be run by root, because only root have
"umount" permission
* swift-object servers typically runs as user swift
* if swift-drive-audit is run by root, /var/cache/swift/drive.recon is
owned by root, with 0o600
* recon middleware (inside swift-object-server) can't read this cache
file: swift-object: Error reading recon cache file
This patch adds "user" option to drive-audit config file. Recon cache
is chowned to this user.
(cherry picked from commit 9847796)
Change-Id: Ibf20543ee690b7c5a37fabd1540fd5c0c7b638c9
This commit is contained in:
Ondřej Nový
parent
7c786381c8
commit
0dc3fd6d0b
|
|
@ -208,7 +208,8 @@ if __name__ == '__main__':
|
|||
total_errors += count
|
||||
recon_file = recon_cache_path + "/drive.recon"
|
||||
dump_recon_cache(recon_errors, recon_file, logger)
|
||||
dump_recon_cache({'drive_audit_errors': total_errors}, recon_file, logger)
|
||||
dump_recon_cache({'drive_audit_errors': total_errors}, recon_file, logger,
|
||||
set_owner=conf.get("user", "swift"))
|
||||
|
||||
if unmounts == 0:
|
||||
logger.info("No drives were unmounted")
|
||||
|
|
|
|||
|
|
@ -264,6 +264,8 @@ settings:
|
|||
================== ============== ===========================================
|
||||
Option Default Description
|
||||
------------------ -------------- -------------------------------------------
|
||||
user swift Drop privileges to this user for non-root
|
||||
tasks
|
||||
log_facility LOG_LOCAL0 Syslog log facility
|
||||
log_level INFO Log level
|
||||
device_dir /srv/node Directory devices are mounted under
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
[drive-audit]
|
||||
# user = swift
|
||||
# device_dir = /srv/node
|
||||
#
|
||||
# You can specify default log routing here if you want:
|
||||
|
|
|
|||
|
|
@ -3037,13 +3037,15 @@ def put_recon_cache_entry(cache_entry, key, item):
|
|||
cache_entry[key] = item
|
||||
|
||||
|
||||
def dump_recon_cache(cache_dict, cache_file, logger, lock_timeout=2):
|
||||
def dump_recon_cache(cache_dict, cache_file, logger, lock_timeout=2,
|
||||
set_owner=None):
|
||||
"""Update recon cache values
|
||||
|
||||
:param cache_dict: Dictionary of cache key/value pairs to write out
|
||||
:param cache_file: cache file to update
|
||||
:param logger: the logger to use to log an encountered error
|
||||
:param lock_timeout: timeout (in seconds)
|
||||
:param set_owner: Set owner of recon cache file
|
||||
"""
|
||||
try:
|
||||
with lock_file(cache_file, lock_timeout, unlink=False) as cf:
|
||||
|
|
@ -3062,6 +3064,8 @@ def dump_recon_cache(cache_dict, cache_file, logger, lock_timeout=2):
|
|||
with NamedTemporaryFile(dir=os.path.dirname(cache_file),
|
||||
delete=False) as tf:
|
||||
tf.write(json.dumps(cache_entry) + '\n')
|
||||
if set_owner:
|
||||
os.chown(tf.name, pwd.getpwnam(set_owner).pw_uid, -1)
|
||||
renamer(tf.name, cache_file, fsync=False)
|
||||
finally:
|
||||
if tf is not None:
|
||||
|
|
|
|||
|
|
@ -1377,6 +1377,28 @@ class TestUtils(unittest.TestCase):
|
|||
finally:
|
||||
rmtree(testdir_base)
|
||||
|
||||
def test_dump_recon_cache_set_owner(self):
|
||||
testdir_base = mkdtemp()
|
||||
testcache_file = os.path.join(testdir_base, 'cache.recon')
|
||||
logger = utils.get_logger(None, 'server', log_route='server')
|
||||
try:
|
||||
submit_dict = {'key1': {'value1': 1, 'value2': 2}}
|
||||
|
||||
_ret = lambda: None
|
||||
_ret.pw_uid = 100
|
||||
_mock_getpwnam = MagicMock(return_value=_ret)
|
||||
_mock_chown = mock.Mock()
|
||||
|
||||
with patch('os.chown', _mock_chown), \
|
||||
patch('pwd.getpwnam', _mock_getpwnam):
|
||||
utils.dump_recon_cache(submit_dict, testcache_file,
|
||||
logger, set_owner="swift")
|
||||
|
||||
_mock_getpwnam.assert_called_once_with("swift")
|
||||
self.assertEqual(_mock_chown.call_args[0][1], 100)
|
||||
finally:
|
||||
rmtree(testdir_base)
|
||||
|
||||
def test_dump_recon_cache_permission_denied(self):
|
||||
testdir_base = mkdtemp()
|
||||
testcache_file = os.path.join(testdir_base, 'cache.recon')
|
||||
|
|
|
|||
Loading…
Reference in New Issue