Merge pull request #724 from edx/e0d/automating-edxapp

E0d/automating edxapp

Merge pull request #724 from edx/e0d/automating-edxapp
E0d/automating edxapp
757fbcb1 · e0d · 1065e035 · 904cdf80 · 1065e035 · 757fbcb1
Commit 757fbcb1 authored Jan 29, 2014 by e0d
5 changed files
--- a/playbooks/roles/automated/files/home/automator/.ssh/authorized_keys
+++ b/playbooks/roles/automated/files/home/automator/.ssh/authorized_keys
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6noLNy7YVFNK6OSOFgPbnGGovgZqLsvJxjhs82jT7tZIsYOjVVCAMk0kkSnBt0etDjGSJlJ664r1aBhubZrujzxns0oOzA7J+tWQ3CiaOBLtOSffeh8a3dTWWNPCAGg9KflPaufXdd31Bf96g9ACGZR7uLYgWUP/J0jOPMCPE1RBfRNFeZ7cHlh3t/pI+JzTcyZTka4AAEsCejBKHngYxVoOk+gfxe+Qo703st0MFuoxVAMymeBGi/1lCwKsV6r9BijzuvIFyQCl2vThjoF32yHmmP8by//hmgpo5UNqG7jbmSrCJhkdh+My3SgEebn5c2QLJepOrUfrZFwz1BQ1l task@edx.org
\ No newline at end of file
--- a/playbooks/roles/automated/tasks/main.yml
+++ b/playbooks/roles/automated/tasks/main.yml
@@ -61,10 +61,6 @@
  user: 
    name={{ automated_user }} state=present shell=/bin/rbash 
    home={{ automated_home }} createhome=yes
-  tags:
-  - automated
-  - install
-  - update

 - name: create sudoers file from file
  copy:
@@ -72,10 +68,6 @@
    src={{ automated_sudoers_file }} owner="root"
    group="root" mode=0440 validate='visudo -cf %s'
  when: automated_sudoers_file
-  tags:
-  - automated
-  - install
-  - update

 - name: create sudoers file from template
  template:
@@ -83,10 +75,6 @@
    src={{ automated_sudoers_template }} owner="root"
    group="root" mode=0440 validate='visudo -cf %s'
  when: automated_sudoers_template
-  tags:
-  - automated
-  - install
-  - update

  #
  # Prevent user from updating their PATH and
@@ -96,10 +84,6 @@
  file:
    path={{ automated_home }}/{{ item }} mode=0640
    state=file owner="root" group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
  with_items:
    - .bashrc
    - .profile
@@ -109,10 +93,6 @@
  file: 
    path={{ automated_home }} mode=0750 state=directory 
    owner="root" group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update

  #
  # This ensures that the links are updated with each run
@@ -123,19 +103,11 @@
  file: 
    path={{ automated_home }}/bin state=absent
  ignore_errors: yes
-  tags:
-  - automated
-  - install
-  - update
  
 - name: create ~automated/bin directory
  file: 
    path={{ automated_home }}/bin state=directory mode=0750 
    owner="root" group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
  
 - name: re-write .profile
  copy:
@@ -144,10 +116,6 @@
    owner="root" 
    group={{ automated_user }}
    mode="0744"
-  tags:
-  - automated
-  - install
-  - update
  
 - name: re-write .bashrc
  copy:
@@ -156,36 +124,20 @@
    owner="root" 
    group={{ automated_user }}
    mode="0744"
-  tags:
-  - automated
-  - install
-  - update
  
 - name: create .ssh directory
  file: 
    path={{ automated_home }}/.ssh state=directory mode=0700 
    owner={{ automated_user }} group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
-  
- name: copy key to .ssh/authorized_keys
-  copy: 
-    src=home/automator/.ssh/authorized_keys
+
+- name: build authorized_keys file
+  template:
+    src=home/automator/.ssh/authorized_keys.j2
    dest={{ automated_home }}/.ssh/authorized_keys mode=0600 
    owner={{ automated_user }} group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
-
+  
 - name: create allowed command links
  file:
    src={{ item }} dest={{ automated_home }}/bin/{{ item.split('/').pop() }}
    state=link
-  with_items: automated_rbash_links
-  tags:
-  - automated
-  - install
-  - update  
+  with_items: automated_rbash_links
\ No newline at end of file
--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -123,6 +123,13 @@ EDXAPP_PYTHON_SANDBOX: false
 # it puts the sandbox in 'complain' mode, for reporting but not enforcement
 EDXAPP_SANDBOX_ENFORCE: true

+# Supply authorized keys used for remote management via the automated
+# role, see meta/main.yml.  Ensure you know what this does before
+# enabling.  The boolean flag determines whether the role is included.
+# This is done to make it possible to disable remote access easily by
+# setting the flag to true and providing an empty array.
+EDXAPP_INCLUDE_AUTOMATOR_ROLE: false
+EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []

 #-------- Everything below this line is internal to the role ------------

@@ -497,3 +504,9 @@ edxapp_cms_variant: cms
 # Worker Settings
 worker_django_settings_module: 'aws'

+# This array is used by the automator role to provide
+# access to a limited set of commands via rbash.  The
+# commands listed here will be symlinked to ~/bin/ for
+# the automator user.
+edxapp_automated_rbash_links:
+  - /usr/bin/sudo
\ No newline at end of file
--- a/playbooks/roles/edxapp/meta/main.yml
+++ b/playbooks/roles/edxapp/meta/main.yml
@@ -6,3 +6,9 @@ dependencies:
    rbenv_dir: "{{ edxapp_app_dir }}"
    rbenv_ruby_version: "{{ edxapp_ruby_version }}"
  - devpi
+  - role: automated
+    automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
+    automated_sudoers_dest: '99-automator-edxapp-server'
+    automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
+    automated_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
+    when: EDXAPP_INCLUDE_AUTOMATOR_ROLE
--- a/playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2
+++ b/playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *
+