[US367408] Add support for user & ssh key mgmt
Change-Id: I0ef68dfd80194e6da289fbf86f5cd2ee5c7edad8
This commit is contained in:
parent
b4c7160aa6
commit
9e7028416e
8
Makefile
8
Makefile
|
@ -15,8 +15,9 @@
|
||||||
HELM := helm
|
HELM := helm
|
||||||
TASK := build
|
TASK := build
|
||||||
|
|
||||||
EXCLUDES := helm-toolkit doc tests tools logs
|
EXCLUDES := helm-toolkit docs tests tools logs
|
||||||
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
||||||
|
CHART := divingbell
|
||||||
|
|
||||||
all: $(CHARTS)
|
all: $(CHARTS)
|
||||||
|
|
||||||
|
@ -42,3 +43,8 @@ clean:
|
||||||
rm -rf */templates/_globals.tpl
|
rm -rf */templates/_globals.tpl
|
||||||
|
|
||||||
.PHONY: $(EXCLUDES) $(CHARTS)
|
.PHONY: $(EXCLUDES) $(CHARTS)
|
||||||
|
|
||||||
|
.PHONY: charts
|
||||||
|
charts: clean
|
||||||
|
$(HELM) dep up $(CHART)
|
||||||
|
$(HELM) package $(CHART)
|
||||||
|
|
|
@ -0,0 +1,181 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
cat <<'EOF' > {{ .Values.conf.chroot_mnt_path | quote }}/tmp/uamlite_host.sh
|
||||||
|
{{ include "divingbell.shcommon" . }}
|
||||||
|
|
||||||
|
keyword='divingbell'
|
||||||
|
builtin_acct='ubuntu'
|
||||||
|
|
||||||
|
add_user(){
|
||||||
|
die_if_null "${user_name}" ", 'user_name' env var not initialized"
|
||||||
|
: ${user_sudo:=false}
|
||||||
|
|
||||||
|
# Create user if user does not already exist
|
||||||
|
getent passwd ${user_name} && \
|
||||||
|
log.INFO "User '${user_name}' already exists" || \
|
||||||
|
(useradd --create-home --shell /bin/bash --comment ${keyword} ${user_name} && \
|
||||||
|
log.INFO "User '${user_name}' successfully created")
|
||||||
|
|
||||||
|
# Unexpire the user (if user had been previously expired)
|
||||||
|
if [ "$(chage -l ${user_name} | grep 'Account expires' | cut -d':' -f2 |
|
||||||
|
tr -d '[:space:]')" != "never" ]; then
|
||||||
|
usermod --expiredate "" ${user_name}
|
||||||
|
log.INFO "User '${user_name}' has been unexpired"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Add sudoers entry if requested for user
|
||||||
|
if [ "${user_sudo}" = 'true' ]; then
|
||||||
|
# Add sudoers entry if it does not already exist
|
||||||
|
user_sudo_file=/etc/sudoers.d/${keyword}-${user_name}-sudo
|
||||||
|
if [ -f "${user_sudo_file}" ] ; then
|
||||||
|
log.INFO "User '${user_name}' already added to sudoers: ${user_sudo_file}"
|
||||||
|
else
|
||||||
|
echo "${user_name} ALL=(ALL) NOPASSWD:ALL" > "${user_sudo_file}"
|
||||||
|
log.INFO "User '${user_name}' added to sudoers: ${user_sudo_file}"
|
||||||
|
fi
|
||||||
|
curr_sudoers="${curr_sudoers}${user_sudo_file}"$'\n'
|
||||||
|
else
|
||||||
|
log.INFO "User '${user_name}' was not requested sudo access"
|
||||||
|
fi
|
||||||
|
|
||||||
|
curr_userlist="${curr_userlist}${user_name}"$'\n'
|
||||||
|
}
|
||||||
|
|
||||||
|
add_sshkeys(){
|
||||||
|
die_if_null "${user_name}" ", 'user_name' env var not initialized"
|
||||||
|
user_sshkeys="$@"
|
||||||
|
|
||||||
|
sshkey_dir="/home/${user_name}/.ssh"
|
||||||
|
sshkey_file="${sshkey_dir}/authorized_keys"
|
||||||
|
if [ -z "${user_sshkeys}" ]; then
|
||||||
|
log.INFO "User '${user_name}' has no SSH keys defined"
|
||||||
|
if [ -f "${sshkey_file}" ]; then
|
||||||
|
rm "${sshkey_file}"
|
||||||
|
log.INFO "User '${user_name}' has had its authorized_keys file wiped"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
sshkey_file_contents='# NOTE: This file is managed by divingbell'$'\n'
|
||||||
|
for sshkey in "$@"; do
|
||||||
|
sshkey_file_contents="${sshkey_file_contents}${sshkey}"$'\n'
|
||||||
|
done
|
||||||
|
write_file=false
|
||||||
|
if [ -f "${sshkey_file}" ]; then
|
||||||
|
if [ "$(cat "${sshkey_file}")" = \
|
||||||
|
"$(echo "${sshkey_file_contents}" | head -n-1)" ]; then
|
||||||
|
log.INFO "User '${user_name}' has no new SSH keys"
|
||||||
|
else
|
||||||
|
write_file=true
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
write_file=true
|
||||||
|
fi
|
||||||
|
if [ "${write_file}" = "true" ]; then
|
||||||
|
mkdir -p "${sshkey_dir}"
|
||||||
|
chmod 700 "${sshkey_dir}"
|
||||||
|
echo -e "${sshkey_file_contents}" > "${sshkey_file}"
|
||||||
|
chown -R ${user_name}:${user_name} "${sshkey_dir}" || \
|
||||||
|
(rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
|
||||||
|
log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
|
||||||
|
fi
|
||||||
|
custom_sshkeys_present=true
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
{{- if hasKey .Values.conf "uamlite" }}
|
||||||
|
{{- if hasKey .Values.conf.uamlite "users" }}
|
||||||
|
{{- range $item := .Values.conf.uamlite.users }}
|
||||||
|
{{- range $key, $value := . }}
|
||||||
|
{{ $key }}={{ $value | quote }} \
|
||||||
|
{{- end }}
|
||||||
|
add_user
|
||||||
|
|
||||||
|
{{- range $key, $value := . }}
|
||||||
|
{{ $key }}={{ $value | quote }} \
|
||||||
|
{{- end }}
|
||||||
|
add_sshkeys {{ range $ssh_key := .user_sshkeys }}{{ $ssh_key | quote }} {{end}}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
# TODO: This should be done before applying new settings rather than after
|
||||||
|
# Expire any previously defined users that are no longer defined
|
||||||
|
users="$(getent passwd | grep ${keyword} | cut -d':' -f1)"
|
||||||
|
echo "$users" | sort > /tmp/prev_users
|
||||||
|
echo "$curr_userlist" | sort > /tmp/curr_users
|
||||||
|
revert_list="$(comm -23 /tmp/prev_users /tmp/curr_users)"
|
||||||
|
IFS=$'\n'
|
||||||
|
for user in ${revert_list}; do
|
||||||
|
# We expire rather than delete the user to maintain local UID FS consistency
|
||||||
|
usermod --expiredate 1 ${user}
|
||||||
|
log.INFO "User '${user}' has been disabled (expired)"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Delete any previous user sudo access that is no longer defined
|
||||||
|
sudoers="$(find /etc/sudoers.d | grep ${keyword})"
|
||||||
|
echo "$sudoers" | sort > /tmp/prev_sudoers
|
||||||
|
echo "$curr_sudoers" | sort > /tmp/curr_sudoers
|
||||||
|
revert_list="$(comm -23 /tmp/prev_sudoers /tmp/curr_sudoers)"
|
||||||
|
IFS=$'\n'
|
||||||
|
for sudo_file in ${revert_list}; do
|
||||||
|
rm "${sudo_file}"
|
||||||
|
log.INFO "Sudoers file '${sudo_file}' has been deleted"
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
|
||||||
|
# Disable built-in account as long as there was at least one account defined
|
||||||
|
# in this chart with a ssh key present
|
||||||
|
if [ "${custom_sshkeys_present}" = "true" ]; then
|
||||||
|
if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
|
||||||
|
tr -d '[:space:]')" = "never" ]; then
|
||||||
|
usermod --expiredate 1 ${builtin_acct}
|
||||||
|
fi
|
||||||
|
# Re-enable built-in account as a fallback in the event that are no other
|
||||||
|
# accounts defined in this chart with a ssh key present
|
||||||
|
else
|
||||||
|
if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
|
||||||
|
tr -d '[:space:]')" != "never" ]; then
|
||||||
|
usermod --expiredate "" ${builtin_acct}
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "${curr_userlist}" ]; then
|
||||||
|
log.INFO 'All uamlite data successfully validated on this node.'
|
||||||
|
else
|
||||||
|
log.WARN 'No uamlite overrides defined for this node.'
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod 755 {{ .Values.conf.chroot_mnt_path | quote }}/tmp/uamlite_host.sh
|
||||||
|
chroot {{ .Values.conf.chroot_mnt_path | quote }} /tmp/uamlite_host.sh
|
||||||
|
|
||||||
|
sleep 1
|
||||||
|
echo 'INFO Putting the daemon to sleep.'
|
||||||
|
|
||||||
|
while [ 1 ]; do
|
||||||
|
sleep 300
|
||||||
|
done
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
{{/*
|
||||||
|
Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "divingbell.configmap.uamlite" }}
|
||||||
|
{{- $configMapName := index . 0 }}
|
||||||
|
{{- $envAll := index . 1 }}
|
||||||
|
{{- with $envAll }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ $configMapName }}
|
||||||
|
data:
|
||||||
|
uamlite: |+
|
||||||
|
{{ tuple "bin/_uamlite.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,65 @@
|
||||||
|
{{/*
|
||||||
|
# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "divingbell.daemonset.uamlite" }}
|
||||||
|
{{- $daemonset := index . 0 }}
|
||||||
|
{{- $configMapName := index . 1 }}
|
||||||
|
{{- $envAll := index . 2 }}
|
||||||
|
{{- with $envAll }}
|
||||||
|
---
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
kind: DaemonSet
|
||||||
|
metadata:
|
||||||
|
name: {{ $daemonset }}
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
|
spec:
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
hostIPC: true
|
||||||
|
containers:
|
||||||
|
- name: {{ $daemonset }}
|
||||||
|
image: {{ .Values.images.divingbell }}
|
||||||
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
|
command:
|
||||||
|
- /tmp/{{ $daemonset }}.sh
|
||||||
|
volumeMounts:
|
||||||
|
- name: rootfs-{{ $daemonset }}
|
||||||
|
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||||
|
- name: {{ $configMapName }}
|
||||||
|
mountPath: /tmp/{{ $daemonset }}.sh
|
||||||
|
subPath: {{ $daemonset }}
|
||||||
|
readOnly: true
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
volumes:
|
||||||
|
- name: rootfs-{{ $daemonset }}
|
||||||
|
hostPath:
|
||||||
|
path: /
|
||||||
|
- name: {{ $configMapName }}
|
||||||
|
configMap:
|
||||||
|
name: {{ $configMapName }}
|
||||||
|
defaultMode: 0555
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $daemonset := "uamlite" }}
|
||||||
|
{{- $configMapName := "divingbell-uamlite" }}
|
||||||
|
{{- $daemonset_yaml := list $daemonset $configMapName . | include "divingbell.daemonset.uamlite" | toString | fromYaml }}
|
||||||
|
{{- $configmap_include := "divingbell.configmap.uamlite" }}
|
||||||
|
{{- list $daemonset $daemonset_yaml $configmap_include $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
|
|
@ -33,6 +33,18 @@ ETHTOOL_KEY4=tx-nocache-copy
|
||||||
ETHTOOL_VAL4_DEFAULT=off
|
ETHTOOL_VAL4_DEFAULT=off
|
||||||
ETHTOOL_KEY5=tx-checksum-ip-generic
|
ETHTOOL_KEY5=tx-checksum-ip-generic
|
||||||
ETHTOOL_VAL5_DEFAULT=on
|
ETHTOOL_VAL5_DEFAULT=on
|
||||||
|
USERNAME1=userone
|
||||||
|
USERNAME1_SUDO=true
|
||||||
|
USERNAME1_SSHKEY1="ssh-rsa abc123 comment"
|
||||||
|
USERNAME2=usertwo
|
||||||
|
USERNAME2_SUDO=false
|
||||||
|
USERNAME2_SSHKEY1="ssh-rsa xyz456 comment"
|
||||||
|
USERNAME2_SSHKEY2="ssh-rsa qwe789 comment"
|
||||||
|
USERNAME2_SSHKEY3="ssh-rsa rfv000 comment"
|
||||||
|
USERNAME3=userthree
|
||||||
|
USERNAME3_SUDO=true
|
||||||
|
USERNAME4=userfour
|
||||||
|
USERNAME4_SUDO=false
|
||||||
nic_info="$(lshw -class network)"
|
nic_info="$(lshw -class network)"
|
||||||
physical_nic=''
|
physical_nic=''
|
||||||
IFS=$'\n'
|
IFS=$'\n'
|
||||||
|
@ -96,6 +108,14 @@ _write_ethtool(){
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_reset_account(){
|
||||||
|
if [ -n "$1" ]; then
|
||||||
|
sudo deluser $1 >& /dev/null || true
|
||||||
|
sudo rm -r /home/$1 >& /dev/null || true
|
||||||
|
sudo rm /etc/sudoers.d/*$1* >& /dev/null || true
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
init_default_state(){
|
init_default_state(){
|
||||||
if [ "${1}" = 'make' ]; then
|
if [ "${1}" = 'make' ]; then
|
||||||
(cd ../../../; make)
|
(cd ../../../; make)
|
||||||
|
@ -112,6 +132,11 @@ init_default_state(){
|
||||||
_write_ethtool ${DEVICE} ${ETHTOOL_KEY3} ${ETHTOOL_VAL3_DEFAULT}
|
_write_ethtool ${DEVICE} ${ETHTOOL_KEY3} ${ETHTOOL_VAL3_DEFAULT}
|
||||||
_write_ethtool ${DEVICE} ${ETHTOOL_KEY4} ${ETHTOOL_VAL4_DEFAULT}
|
_write_ethtool ${DEVICE} ${ETHTOOL_KEY4} ${ETHTOOL_VAL4_DEFAULT}
|
||||||
_write_ethtool ${DEVICE} ${ETHTOOL_KEY5} ${ETHTOOL_VAL5_DEFAULT}
|
_write_ethtool ${DEVICE} ${ETHTOOL_KEY5} ${ETHTOOL_VAL5_DEFAULT}
|
||||||
|
# Remove any created accounts, SSH keys
|
||||||
|
_reset_account ${USERNAME1}
|
||||||
|
_reset_account ${USERNAME2}
|
||||||
|
_reset_account ${USERNAME3}
|
||||||
|
_reset_account ${USERNAME4}
|
||||||
}
|
}
|
||||||
|
|
||||||
install(){
|
install(){
|
||||||
|
@ -134,9 +159,9 @@ get_container_status(){
|
||||||
local log_connect_sleep_interval=2
|
local log_connect_sleep_interval=2
|
||||||
local wait_time=0
|
local wait_time=0
|
||||||
while : ; do
|
while : ; do
|
||||||
kubectl logs "${container}" --namespace="${NAME}" > /dev/null && break ||
|
kubectl logs "${container}" --namespace="${NAME}" > /dev/null && break || \
|
||||||
echo "Waiting for container logs..." &&
|
echo "Waiting for container logs..." && \
|
||||||
wait_time=$((${wait_time} + ${log_connect_sleep_interval})) &&
|
wait_time=$((${wait_time} + ${log_connect_sleep_interval})) && \
|
||||||
sleep ${log_connect_sleep_interval}
|
sleep ${log_connect_sleep_interval}
|
||||||
if [ ${wait_time} -ge ${log_connect_timeout} ]; then
|
if [ ${wait_time} -ge ${log_connect_timeout} ]; then
|
||||||
echo "Hit timeout while waiting for container logs to become available."
|
echo "Hit timeout while waiting for container logs to become available."
|
||||||
|
@ -149,7 +174,8 @@ get_container_status(){
|
||||||
while : ; do
|
while : ; do
|
||||||
CLOGS="$(kubectl logs --namespace="${NAME}" "${container}" 2>&1)"
|
CLOGS="$(kubectl logs --namespace="${NAME}" "${container}" 2>&1)"
|
||||||
local status="$(echo "${CLOGS}" | tail -1)"
|
local status="$(echo "${CLOGS}" | tail -1)"
|
||||||
if [[ ${status} = *ERROR* ]] || [[ ${status} = *TRACE* ]]; then
|
if [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *ERROR* ]] ||
|
||||||
|
[[ $(echo -e ${status} | tr -d '[:cntrl:]') = *TRACE* ]]; then
|
||||||
if [ "${2}" = 'expect_failure' ]; then
|
if [ "${2}" = 'expect_failure' ]; then
|
||||||
echo 'Pod exited as expected'
|
echo 'Pod exited as expected'
|
||||||
break
|
break
|
||||||
|
@ -159,8 +185,8 @@ get_container_status(){
|
||||||
echo "${CLOGS}"
|
echo "${CLOGS}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
elif [ "${status}" = 'INFO Putting the daemon to sleep.' ] ||
|
elif [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *'INFO Putting the daemon to sleep.'* ]] ||
|
||||||
[ "${status}" = 'DEBUG + exit 0' ]; then
|
[[ $(echo -e ${status} | tr -d '[:cntrl:]') = *'DEBUG + exit 0'* ]]; then
|
||||||
if [ "${2}" = 'expect_failure' ]; then
|
if [ "${2}" = 'expect_failure' ]; then
|
||||||
echo 'Expected pod to die with error, but pod completed successfully'
|
echo 'Expected pod to die with error, but pod completed successfully'
|
||||||
echo 'pod logs:'
|
echo 'pod logs:'
|
||||||
|
@ -475,6 +501,138 @@ test_ethtool(){
|
||||||
echo '[SUCCESS] ethtool test7 passed successfully' >> "${TEST_RESULTS}"
|
echo '[SUCCESS] ethtool test7 passed successfully' >> "${TEST_RESULTS}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_test_user_enabled(){
|
||||||
|
username=$1
|
||||||
|
user_enabled=$2
|
||||||
|
|
||||||
|
if [ "${user_enabled}" = "true" ]; then
|
||||||
|
# verify the user is there and not set to expire
|
||||||
|
getent passwd $username >& /dev/null
|
||||||
|
test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
|
||||||
|
tr -d '[:space:]')" = "never"
|
||||||
|
else
|
||||||
|
# If the user exists, verify it's not non-expiring
|
||||||
|
if [ -n "$(getent passwd $username)" ]; then
|
||||||
|
test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
|
||||||
|
tr -d '[:space:]')" != "never"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
_test_sudo_enabled(){
|
||||||
|
username=$1
|
||||||
|
sudo_enable=$2
|
||||||
|
sudoers_file=/etc/sudoers.d/*$username*
|
||||||
|
|
||||||
|
if [ "${sudo_enable}" = "true" ]; then
|
||||||
|
test -f $sudoers_file
|
||||||
|
else
|
||||||
|
test ! -f $sudoers_file
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
_test_ssh_keys(){
|
||||||
|
username=$1
|
||||||
|
sshkey=$2
|
||||||
|
ssh_file=/home/$username/.ssh/authorized_keys
|
||||||
|
|
||||||
|
if [ "$sshkey" = "false" ]; then
|
||||||
|
test ! -f "${ssh_file}"
|
||||||
|
else
|
||||||
|
grep "$sshkey" "${ssh_file}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
test_uamlite(){
|
||||||
|
# Test the first set of values
|
||||||
|
local overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set1.yaml
|
||||||
|
echo "conf:
|
||||||
|
uamlite:
|
||||||
|
users:
|
||||||
|
- user_name: ${USERNAME1}
|
||||||
|
user_sudo: ${USERNAME1_SUDO}
|
||||||
|
user_sshkeys:
|
||||||
|
- ${USERNAME1_SSHKEY1}
|
||||||
|
- user_name: ${USERNAME2}
|
||||||
|
user_sudo: ${USERNAME2_SUDO}
|
||||||
|
user_sshkeys:
|
||||||
|
- ${USERNAME2_SSHKEY1}
|
||||||
|
- ${USERNAME2_SSHKEY2}
|
||||||
|
- ${USERNAME2_SSHKEY3}
|
||||||
|
- user_name: ${USERNAME3}
|
||||||
|
user_sudo: ${USERNAME3_SUDO}
|
||||||
|
- user_name: ${USERNAME4}" > "${overrides_yaml}"
|
||||||
|
install_base "--values=${overrides_yaml}"
|
||||||
|
get_container_status uamlite
|
||||||
|
_test_user_enabled ${USERNAME1} true
|
||||||
|
_test_sudo_enabled ${USERNAME1} ${USERNAME1_SUDO}
|
||||||
|
_test_ssh_keys ${USERNAME1} "${USERNAME1_SSHKEY1}"
|
||||||
|
_test_user_enabled ${USERNAME2} true
|
||||||
|
_test_sudo_enabled ${USERNAME2} ${USERNAME2_SUDO}
|
||||||
|
_test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY1}"
|
||||||
|
_test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY2}"
|
||||||
|
_test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY3}"
|
||||||
|
_test_user_enabled ${USERNAME3} true
|
||||||
|
_test_sudo_enabled ${USERNAME3} ${USERNAME3_SUDO}
|
||||||
|
_test_ssh_keys ${USERNAME3} false
|
||||||
|
_test_user_enabled ${USERNAME4} true
|
||||||
|
_test_sudo_enabled ${USERNAME4} ${USERNAME4_SUDO}
|
||||||
|
_test_ssh_keys ${USERNAME4} false
|
||||||
|
echo '[SUCCESS] uamlite test1 passed successfully' >> "${TEST_RESULTS}"
|
||||||
|
|
||||||
|
# Test an updated set of values
|
||||||
|
overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set2.yaml
|
||||||
|
uname1_sudo=false
|
||||||
|
uname2_sudo=true
|
||||||
|
uname3_sudo=false
|
||||||
|
echo "conf:
|
||||||
|
uamlite:
|
||||||
|
users:
|
||||||
|
- user_name: ${USERNAME1}
|
||||||
|
user_sudo: ${uname1_sudo}
|
||||||
|
- user_name: ${USERNAME2}
|
||||||
|
user_sudo: ${uname2_sudo}
|
||||||
|
user_sshkeys:
|
||||||
|
- ${USERNAME2_SSHKEY1}
|
||||||
|
- ${USERNAME2_SSHKEY2}
|
||||||
|
- user_name: ${USERNAME3}
|
||||||
|
user_sudo: ${uname3_sudo}
|
||||||
|
user_sshkeys:
|
||||||
|
- ${USERNAME1_SSHKEY1}
|
||||||
|
- ${USERNAME2_SSHKEY3}
|
||||||
|
- user_name: ${USERNAME4}" > "${overrides_yaml}"
|
||||||
|
install_base "--values=${overrides_yaml}"
|
||||||
|
get_container_status uamlite
|
||||||
|
_test_user_enabled ${USERNAME1} true
|
||||||
|
_test_sudo_enabled ${USERNAME1} ${uname1_sudo}
|
||||||
|
_test_ssh_keys ${USERNAME1} false
|
||||||
|
_test_user_enabled ${USERNAME2} true
|
||||||
|
_test_sudo_enabled ${USERNAME2} ${uname2_sudo}
|
||||||
|
_test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY1}"
|
||||||
|
_test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY2}"
|
||||||
|
_test_user_enabled ${USERNAME3} true
|
||||||
|
_test_sudo_enabled ${USERNAME3} ${uname3_sudo}
|
||||||
|
_test_ssh_keys ${USERNAME3} "${USERNAME1_SSHKEY1}"
|
||||||
|
_test_ssh_keys ${USERNAME3} "${USERNAME2_SSHKEY3}"
|
||||||
|
_test_user_enabled ${USERNAME4} true
|
||||||
|
_test_sudo_enabled ${USERNAME4} ${USERNAME4_SUDO}
|
||||||
|
_test_ssh_keys ${USERNAME4} false
|
||||||
|
echo '[SUCCESS] uamlite test2 passed successfully' >> "${TEST_RESULTS}"
|
||||||
|
|
||||||
|
# Test revert/rollback functionality
|
||||||
|
install_base
|
||||||
|
get_container_status uamlite
|
||||||
|
_test_user_enabled ${USERNAME1} false
|
||||||
|
_test_sudo_enabled ${USERNAME1} false
|
||||||
|
_test_user_enabled ${USERNAME2} false
|
||||||
|
_test_sudo_enabled ${USERNAME2} false
|
||||||
|
_test_user_enabled ${USERNAME3} false
|
||||||
|
_test_sudo_enabled ${USERNAME3} false
|
||||||
|
_test_user_enabled ${USERNAME4} false
|
||||||
|
_test_sudo_enabled ${USERNAME4} false
|
||||||
|
echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
|
||||||
|
}
|
||||||
|
|
||||||
# test daemonset value overrides for hosts and labels
|
# test daemonset value overrides for hosts and labels
|
||||||
test_overrides(){
|
test_overrides(){
|
||||||
overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-dryrun.yaml
|
overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-dryrun.yaml
|
||||||
|
@ -752,6 +910,7 @@ install_base
|
||||||
test_sysctl
|
test_sysctl
|
||||||
test_mounts
|
test_mounts
|
||||||
test_ethtool
|
test_ethtool
|
||||||
|
test_uamlite
|
||||||
purge_containers
|
purge_containers
|
||||||
test_overrides
|
test_overrides
|
||||||
|
|
||||||
|
|
|
@ -112,10 +112,20 @@ packages
|
||||||
|
|
||||||
Not implemented
|
Not implemented
|
||||||
|
|
||||||
users
|
uamlite
|
||||||
^^^^^
|
^^^^^^^
|
||||||
|
|
||||||
Not implemented
|
Used to manage host level local user accounts, their SSH keys, and their sudo
|
||||||
|
access. Ex::
|
||||||
|
|
||||||
|
conf:
|
||||||
|
uamlite:
|
||||||
|
users:
|
||||||
|
- user_name: testuser
|
||||||
|
user_sudo: True
|
||||||
|
user_sshkeys:
|
||||||
|
- ssh-rsa AAAAB3N... key1-comment
|
||||||
|
- ssh-rsa AAAAVY6... key2-comment
|
||||||
|
|
||||||
Node specific configurations
|
Node specific configurations
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
Loading…
Reference in New Issue