arvados-login-sync 2.0.4 → 2.1.4
- checksums.yaml +4 -4
- data/bin/arvados-login-sync +97 -28
- metadata +6 -12
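--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1649de19adca3150f2b8a12cebb2526e091e6a7bcee92950c5f928def0f7251e
+data.tar.gz: eae88fada46a855bb0e97106416bbe404f2cc45ac3a0e52e726fabb1559a2949
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 88ee48dee0be319e3048e33eb7da27d52f4d05105a2318ca732eb0e9bb9831139063caeedcdb45f2fcbb8f3de373e335de041aadf63d44f06ddcfbd917c72112
+data.tar.gz: 66104002ae2b2fff08c9563f117c3bcec6c2c606544887ada281661f7bbc69e47d7c448d64bc0ba7cb77a082a0f87cb9b86427e72b9ffda9e9fa92c7b83c6535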
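--- a/data/bin/arvados-login-sync
+++ b/data/bin/arvados-login-sync
@@ -9,6 +9,7 @@ require 'arvados'
 require 'etc'
 require 'fileutils'
 require 'yaml'
+require 'optparse'
 
 req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID)
 req_envs.each do |k|
@@ -17,26 +18,33 @@ req_envs.each do |k|
 end
 end
 
-
+options = {}
+OptionParser.new do |parser|
+parser.on('--exclusive', 'Manage SSH keys file exclusively.')
+parser.on('--rotate-tokens', 'Always create new user tokens. Usually needed with --token-lifetime.')
+parser.on('--skip-missing-users', "Don't try to create any local accounts.")
+parser.on('--token-lifetime SECONDS', 'Create user tokens that expire after SECONDS.', Integer)
+end.parse!(into: options)
+
 exclusive_banner = "#######################################################################################
 # THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN #
 #######################################################################################\n\n"
 start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
 end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
 
-# Don't try to create any local accounts
-skip_missing_users = ARGV.index("--skip-missing-users")
-
 keys = ''
 
 begin
 arv = Arvados.new({ :suppress_ssl_warnings => false })
+logincluster_arv = Arvados.new({ :api_host => (ENV['LOGINCLUSTER_ARVADOS_API_HOST'] || ENV['ARVADOS_API_HOST']),
+:api_token => (ENV['LOGINCLUSTER_ARVADOS_API_TOKEN'] || ENV['ARVADOS_API_TOKEN']),
+:suppress_ssl_warnings => false })
 
 vm_uuid = ENV['ARVADOS_VIRTUAL_MACHINE_UUID']
 
 logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
 logins = [] if logins.nil?
-logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:
+logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:virtual_machine_uuid] != vm_uuid }
 
 # No system users
 uid_min = 1000
@@ -61,7 +69,7 @@ begin
 begin
 pwnam[l[:username]] = Etc.getpwnam(l[:username])
 rescue
-if
+if options[:"skip-missing-users"]
 STDERR.puts "Account #{l[:username]} not found. Skipping"
 true
 end
@@ -79,48 +87,77 @@ begin
 logins.each do |l|
 keys[l[:username]] = Array.new() if not keys.has_key?(l[:username])
 key = l[:public_key]
-
-
-
-
-
-
-
+if !key.nil?
+# Handle putty-style ssh public keys
+key.sub!(/^(Comment: "r[^\n]*\n)(.*)$/m,'ssh-rsa \2 \1')
+key.sub!(/^(Comment: "d[^\n]*\n)(.*)$/m,'ssh-dss \2 \1')
+key.gsub!(/\n/,'')
+key.strip
+
+keys[l[:username]].push(key) if not keys[l[:username]].include?(key)
+end
 end
 
 seen = Hash.new()
-
+
+current_user_groups = Hash.new
+while (ent = Etc.getgrent()) do
+ent.mem.each do |member|
+current_user_groups[member] ||= Array.new
+current_user_groups[member].push ent.name
+end
+end
+Etc.endgrent()
 
 logins.each do |l|
 next if seen[l[:username]]
 seen[l[:username]] = true
 
+username = l[:username]
+
 unless pwnam[l[:username]]
 STDERR.puts "Creating account #{l[:username]}"
-groups = l[:groups] || []
-# Adding users to the FUSE group has long been hardcoded behavior.
-groups << "fuse"
-groups.select! { |g| Etc.getgrnam(g) rescue false }
 # Create new user
 unless system("useradd", "-m",
-"-c",
+"-c", username,
 "-s", "/bin/bash",
-
-l[:username],
-out: devnull)
+username)
 STDERR.puts "Account creation failed for #{l[:username]}: #{$?}"
 next
 end
 begin
-pwnam[
+pwnam[username] = Etc.getpwnam(username)
 rescue => e
 STDERR.puts "Created account but then getpwnam() failed for #{l[:username]}: #{e}"
 raise
 end
 end
 
-
-
+existing_groups = current_user_groups[username] || []
+groups = l[:groups] || []
+# Adding users to the FUSE group has long been hardcoded behavior.
+groups << "fuse"
+groups << username
+groups.select! { |g| Etc.getgrnam(g) rescue false }
+
+groups.each do |addgroup|
+if existing_groups.index(addgroup).nil?
+# User should be in group, but isn't, so add them.
+STDERR.puts "Add user #{username} to #{addgroup} group"
+system("adduser", username, addgroup)
+end
+end
+
+existing_groups.each do |removegroup|
+if groups.index(removegroup).nil?
+# User is in a group, but shouldn't be, so remove them.
+STDERR.puts "Remove user #{username} from #{removegroup} group"
+system("deluser", username, removegroup)
+end
+end
+
+homedir = pwnam[l[:username]].dir
+userdotssh = File.join(homedir, ".ssh")
 Dir.mkdir(userdotssh) if !File.exist?(userdotssh)
 
 newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
@@ -133,7 +170,7 @@ begin
 oldkeys = ""
 end
 
-if
+if options[:exclusive]
 newkeys = exclusive_banner + newkeys
 elsif oldkeys.start_with?(exclusive_banner)
 newkeys = start_banner + newkeys + end_banner
@@ -148,13 +185,45 @@ begin
 f.write(newkeys)
 f.close()
 end
+
+userdotconfig = File.join(homedir, ".config")
+if !File.exist?(userdotconfig)
+Dir.mkdir(userdotconfig)
+end
+
+configarvados = File.join(userdotconfig, "arvados")
+Dir.mkdir(configarvados) if !File.exist?(configarvados)
+
+tokenfile = File.join(configarvados, "settings.conf")
+
+begin
+if !File.exist?(tokenfile) || options[:"rotate-tokens"]
+aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
+if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
+aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+end
+user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
+f = File.new(tokenfile, 'w')
+f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
+f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
+f.close()
+end
+rescue => e
+STDERR.puts "Error setting token for #{l[:username]}: #{e}"
+end
+
 FileUtils.chown_R(l[:username], nil, userdotssh)
+FileUtils.chown_R(l[:username], nil, userdotconfig)
 File.chmod(0700, userdotssh)
-File.chmod(
+File.chmod(0700, userdotconfig)
+File.chmod(0700, configarvados)
+File.chmod(0750, homedir)
 File.chmod(0600, keysfile)
+if File.exist?(tokenfile)
+File.chmod(0600, tokenfile)
+end
 end
 
-devnull.close
 rescue Exception => bang
 puts "Error: " + bang.to_s
 puts bang.backtrace.join("\n")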
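--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: arvados-login-sync
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.1.4
 platform: ruby
 authors:
 - Arvados Authors
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: arvados
@@ -16,20 +16,14 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.3.
-- - "~>"
-- !ruby/object:Gem::Version
-version: 1.3.0
+version: 1.3.3.20190320201707
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.3.
-- - "~>"
-- !ruby/object:Gem::Version
-version: 1.3.0
+version: 1.3.3.20190320201707
 - !ruby/object:Gem::Dependency
 name: launchy
 requirement: !ruby/object:Gem::Requirement
@@ -73,8 +67,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0.12'
 description: Creates and updates local login accounts for Arvados users. Built from
-git commit
-email:
+git commit 24b0875964b3eff98c12d1c135d8797efcfabfb2
+email: packaging@arvados.org
 executables:
 - arvados-login-sync
 extensions: []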