Merge pull request #3322 from edx/e0d/extending-automated

Adding automated to edxapp and discovery plays

Merge pull request #3322 from edx/e0d/extending-automated
Adding automated to edxapp and discovery plays
86fec7d5 · Edward Zarecor · GitHub · 38c9838e · 3ff6ee7b · 86fec7d5
Commit 86fec7d5 authored Aug 19, 2016 by Edward Zarecor Committed by GitHub Aug 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 48 additions and 33 deletions

playbooks/edx-east/discovery.yml
+2 -0

playbooks/edx-east/edxapp.yml
+21 -19

playbooks/roles/discovery/defaults/main.yml
+13 -0

playbooks/roles/edxapp/defaults/main.yml
+12 -14

No files found.
--- a/playbooks/edx-east/discovery.yml
+++ b/playbooks/edx-east/discovery.yml
@@ -9,6 +9,8 @@
    CLUSTER_NAME: 'discovery'
  roles:
    - aws
+    - role: automated
+      AUTOMATED_USERS: "{{ DISCOVERY_AUTOMATED_USERS | default({}) }}"
    - role: nginx
      nginx_default_sites:
        - discovery

--- a/playbooks/edx-east/edxapp.yml
+++ b/playbooks/edx-east/edxapp.yml
@@ -7,22 +7,24 @@
    CLUSTER_NAME: 'edxapp'
  serial: "{{ serial_count }}"
  roles:
-    - aws
-    - role: nginx
-      nginx_sites:
-      - lms
-      - cms
-      nginx_default_sites:
-      - lms
-      nginx_extra_sites: "{{ NGINX_EDXAPP_EXTRA_SITES }}"
-      nginx_extra_configs: "{{ NGINX_EDXAPP_EXTRA_CONFIGS }}"
-      nginx_redirects: "{{ NGINX_EDXAPP_CUSTOM_REDIRECTS }}"
-    - edxapp
-    - role: datadog
-      when: COMMON_ENABLE_DATADOG
-    - role: splunkforwarder
-      when: COMMON_ENABLE_SPLUNKFORWARDER
-    - role: newrelic
-      when: COMMON_ENABLE_NEWRELIC
-    - role: minos
-      when: COMMON_ENABLE_MINOS
+   - aws
+   - role: automated
+     AUTOMATED_USERS: "{{ EDXAPP_AUTOMATED_USERS | default({}) }}"
+   - role: nginx
+     nginx_sites:
+     - lms
+     - cms
+     nginx_default_sites:
+     - lms
+     nginx_extra_sites: "{{ NGINX_EDXAPP_EXTRA_SITES }}"
+     nginx_extra_configs: "{{ NGINX_EDXAPP_EXTRA_CONFIGS }}"
+     nginx_redirects: "{{ NGINX_EDXAPP_CUSTOM_REDIRECTS }}"
+   - edxapp
+   - role: datadog
+     when: COMMON_ENABLE_DATADOG
+   - role: splunkforwarder
+     when: COMMON_ENABLE_SPLUNKFORWARDER
+   - role: newrelic
+     when: COMMON_ENABLE_NEWRELIC
+   - role: minos
+     when: COMMON_ENABLE_MINOS
--- a/playbooks/roles/discovery/defaults/main.yml
+++ b/playbooks/roles/discovery/defaults/main.yml
@@ -166,6 +166,19 @@ DISCOVERY_HOSTNAME: '~^((stage|prod)-)?discovery.*'
 nginx_discovery_gunicorn_hosts:
  - 127.0.0.1

+# Vars that are used when the automated role is "mixed-in" via the deploying play
+# This data structure specifies all the users with access to run command remotely
+# over SSH and the fully qualified command that they can run via sudo to the
+# application user
+
+DISCOVERY_AUTOMATED_USERS:
+  automated_user:
+    sudo_commands:
+      - command: "{{ discovery_venv_dir }}/python {{ discovery_home }}/{{ discovery_service_name }}/manage.py migrate --list"
+        sudo_user: "discovery"
+    authorized_keys:
+      - "SSH authorized key"
+
 #
 # vars are namespace with the module name.
 #

--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -351,20 +351,18 @@ EDXAPP_PYTHON_SANDBOX: true
 # it puts the sandbox in 'complain' mode, for reporting but not enforcement
 EDXAPP_SANDBOX_ENFORCE: true

-# Supply authorized keys used for remote management via the user
-# role.
-EDXAPP_AUTOMATOR_NAME: automator
-EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
-# These are the commands allowed by the automator role.
-# The --settings parameter must be set at the end so that
-# is caught by the glob.
-# Example: sudo -u www-data /edx/bin/python.edxapp /edx/bin/manage.edxapp lms migrate --settings=aws
-EDXAPP_AUTOMATOR_SUDO_CMDS:
- "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms migrate *"
- "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp cms migrate *"
- "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms seed_permissions_roles *"
- "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms set_staff *"
- "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms transfer_students *"
+# Vars that are used when the automated role is "mixed-in" via the deploying play
+# This data structure specifies all the users with access to run command remotely
+# over SSH and the fully qualified command that they can run via sudo to the
+# application user
+
+EDXAPP_AUTOMATED_USERS:
+  automated_user:
+    sudo_commands:
+      - command: "{{ edxapp_venv_bin }}/python {{ edxapp_code_dir }}/manage.py lms migrate --list --settings=aws"
+        sudo_user: "edxapp"
+    authorized_keys:
+      - "SSH authorized key"

 EDXAPP_USE_GIT_IDENTITY: false
 # Paste the contents of the git identity