Merge pull request #825 from edx/jarv/user-refactor

Jarv/user refactor

playbooks/roles/analytics-server/defaults/main.yml

@@ -21,7 +21,11 @@ AS_LOG_LEVEL: 'INFO'
 AS_WORKERS: '4'
 # add public keys to enable the automator user
 # for running manage.py commands
+
+AS_AUTOMATOR_NAME: automator
 AS_AUTOMATOR_AUTHORIZED_KEYS: []
+AS_AUTOMATOR_SUDO_CMDS:
+- "ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*"
 
 DATABASES:
   default: &databases_default

playbooks/roles/analytics-server/meta/main.yml

@@ -2,9 +2,9 @@
 dependencies:
   - role: user
     user_info:
-    - name: automator
+    - name: "{{ AS_AUTOMATOR_NAME }}"
       type: restricted
-      sudoers_template: '99-automator-analytics.j2'
+      sudo_cmds: "{{ AS_AUTOMATOR_SUDO_CMDS }}"
       authorized_keys: "{{ AS_AUTOMATOR_AUTHORIZED_KEYS }}"
     user_rbash_links:
       - /usr/bin/sudo

playbooks/roles/edxapp/defaults/main.yml

@@ -125,7 +125,14 @@ EDXAPP_SANDBOX_ENFORCE: true
 
 # Supply authorized keys used for remote management via the user
 # role.
+EDXAPP_AUTOMATOR_NAME: automator
 EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
+EDXAPP_AUTOMATOR_SUDO_CMDS:
+- "ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *"
+- "ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *"
+- "ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *"
+- "ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *"
+
 
 EDXAPP_USE_GIT_IDENTITY: false
 # Example: "{{ secure_dir }}/files/git-identity"

playbooks/roles/edxapp/meta/main.yml

@@ -8,8 +8,8 @@ dependencies:
   - devpi
   - role: user
     user_info:
-      - name: automator
+      - name: "{{ EDXAPP_AUTOMATOR_NAME }}"
+        sudo_cmds: "{{ EDXAPP_AUTOMATOR_SUDO_CMDS }}"
         type: restricted
-        sudoers_template: '99-edxapp-manage-cmds.j2'
         authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
     when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length != 0

playbooks/roles/user/tasks/main.yml

@@ -154,11 +154,9 @@
 
 - name: create sudoers file from template
   template:
-    dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
-    src=etc/sudoers.d/{{ item.sudoers_template }} owner="root"
+    dest=/etc/sudoers.d/restricted.sudoers.conf
+    src=restricted.sudoers.conf.j2 owner="root"
     group="root" mode=0440 validate='visudo -cf %s'
-  when: item.type is defined and item.type == 'restricted' and item.sudoers_template is defined
-  with_items: user_info
 
   # Prevent restricted user from updating their PATH and
   # environment by ensuring root ownership

playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2

-{{ item.name }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*

playbooks/roles/user/templates/etc/sudoers.d/99-edxapp-manage-cmds.j2

-{{ item.name }}	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *
-{{ item.name }}	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *
-{{ item.name }} ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *
-{{ item.name }} ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *
-

playbooks/roles/user/templates/restricted.sudoers.conf.j2

+{% for user in user_info -%}
+{% if 'sudo_cmds' in user -%}
+{% for cmd in user['sudo_cmds'] -%}
+{{ user['name'] }} {{ cmd }}
+{% endfor %}
+{% endif %}
+{% endfor %}