Merge pull request #1662 from edx/e0d/s3-log-perms

E0d/s3 log perms

Merge pull request #1662 from edx/e0d/s3-log-perms
E0d/s3 log perms
ff4bcb08 · e0d · 98c310ba · 638782cb · ff4bcb08 · ff4bcb08
Commit ff4bcb08 authored Oct 28, 2014 by e0d
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 29 deletions

playbooks/roles/aws/defaults/main.yml
+20 -5

playbooks/roles/aws/tasks/main.yml
+12 -24

playbooks/roles/aws/templates/send-logs-to-s3.j2
+9 -0

No files found.
--- a/playbooks/roles/aws/defaults/main.yml
+++ b/playbooks/roles/aws/defaults/main.yml
@@ -28,11 +28,26 @@ AWS_S3_LOGS_FROM_EMAIL: dummy@example.com
 # vars are namespace with the module name.
 #
 aws_role_name: aws
-aws_data_dir: "{{ COMMON_DATA_DIR }}/aws"
-aws_app_dir: "{{ COMMON_APP_DIR }}/aws"
+aws_dirs:
-aws_s3_sync_script: "{{ aws_app_dir }}/send-logs-to-s3"
+  home:
-aws_s3_logfile: "{{ aws_log_dir }}/s3-log-sync.log"
+    path: "{{ COMMON_APP_DIR }}/{{ aws_role_name }}"
-aws_log_dir: "{{ COMMON_LOG_DIR }}/aws"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  logs:
+    path: "{{ COMMON_LOG_DIR }}/{{ aws_role_name }}"
+    owner: "syslog"
+    group: "syslog"
+    mode: "0700"
+  data:
+    path: "{{ COMMON_DATA_DIR }}/{{ aws_role_name }}"
+    owner: "root"
+    group: "root"
+    mode: "0700"
+aws_s3_sync_script: "{{ aws_dirs.home.path }}/send-logs-to-s3"
+aws_s3_logfile: "{{ aws_dirs.logs.path }}/s3-log-sync.log"
 aws_region: "us-east-1"
 # default path to the aws binary
 aws_s3cmd: "{{ COMMON_BIN_DIR }}/s3cmd"

--- a/playbooks/roles/aws/tasks/main.yml
+++ b/playbooks/roles/aws/tasks/main.yml
@@ -21,26 +21,14 @@
 #
 #
- name: create data directories
+- name: create all service directories
  file: >
-    path={{ item }}
+    path="{{ item.value.path }}"
-    state=directory
+    state="directory"
-    owner=root
+    owner="{{ item.value.owner }}"
-    group=root
+    group="{{ item.value.group }}"
-    mode=0700
+    mode="{{ item.value.mode }}"
-  with_items:
+  with_dict: aws_dirs
-    - "{{ aws_data_dir }}"
-    - "{{ aws_log_dir }}"
- name: create app directory
-  file: >
-    path={{ item }}
-    state=directory
-    owner=root
-    group=root
-    mode=0755
-  with_items:
-    - "{{ aws_app_dir }}"
 - name: install system packages
  apt: >
@@ -57,17 +45,17 @@
 - name: get s3cmd
  get_url: >
    url={{ aws_s3cmd_url }}
-    dest={{ aws_data_dir }}/
+    dest={{ aws_dirs.data.path }}/
 - name: untar s3cmd
  shell: >
-    tar xf {{ aws_data_dir }}/{{ aws_s3cmd_version }}.tar.gz
+    tar xf {{ aws_dirs.data.path }}/{{ aws_s3cmd_version }}.tar.gz
-    creates={{ aws_app_dir }}/{{ aws_s3cmd_version }}/s3cmd
+    creates={{ aws_dirs.data.path }}/{{ aws_s3cmd_version }}/s3cmd
-    chdir={{ aws_app_dir }}
+    chdir={{ aws_dirs.home.path }}
 - name: create symlink for s3cmd
  file: >
-    src={{ aws_app_dir }}/{{ aws_s3cmd_version }}/s3cmd
+    src={{ aws_dirs.home.path }}/{{ aws_s3cmd_version }}/s3cmd
    dest={{ aws_s3cmd }}
    state=link

--- a/playbooks/roles/aws/templates/send-logs-to-s3.j2
+++ b/playbooks/roles/aws/templates/send-logs-to-s3.j2
@@ -11,6 +11,15 @@ if (( $EUID != 0 )); then
    exit 1
 fi
+#
+# Ensure the log processors can read without
+# running as root
+if [ ! -f "{{ aws_s3_logfile }}" ]; then
+  sudo -u syslog touch "{{ aws_s3_logfile }}"
+else
+  chown syslog.syslog "{{ aws_s3_logfile }}"
+fi
 exec > >(tee -a "{{ aws_s3_logfile }}")
 exec 2>&1