updating the meta files for as and edxapp

1a7b4b63 · John Jarvis · d4f78ef6 · 1a7b4b63 · 1a7b4b63 · 1a7b4b63
Commit 1a7b4b63 authored Feb 26, 2014 by John Jarvis
8 changed files
--- a/playbooks/roles/analytics-server/defaults/main.yml
+++ b/playbooks/roles/analytics-server/defaults/main.yml
@@ -19,6 +19,9 @@ AS_SERVER_PORT: '9000'
 AS_ENV_LANG: 'en_US.UTF-8'
 AS_LOG_LEVEL: 'INFO'
 AS_WORKERS: '4'
+# add public keys to enable the automator user
+# for running manage.py commands
+AS_AUTOMATOR_AUTHORIZED_KEYS: []
 DATABASES:
  default: &databases_default
@@ -43,7 +46,7 @@ analytics_auth_config:
    MONGO_STORED_QUERIES_COLLECTION: $AS_DB_RESULTS_COLLECTION
 as_role_name: "analytics-server"
-as_user: "analytics-server" 
+as_user: "analytics-server"
 as_home: "/opt/wwc/analytics-server"
 as_venv_dir: "{{ as_home }}/virtualenvs/analytics-server"
 as_source_repo: "git@github.com:edx/analytics-server.git"

--- a/playbooks/roles/analytics-server/meta/main.yml
+++ b/playbooks/roles/analytics-server/meta/main.yml
 ---
 dependencies:
-  - {
+  - role: user
-  role: automated,
+    name: automator
-  automated_rbash_links: $as_automated_rbash_links,
+    sudoers_template: '99-automator-analytics.j2'
-  autmoated_sudoers_dest: '99-automator-analytics-server',
+    user_authorized_keys: "{{ AS_AUTOMATOR_AUTHORIZED_KEYS }}"
-  automated_sudoers_template: 'roles/analytics-server/templates/etc/sudoers.d/99-automator-analytics-server.j2'
+    rbash_links: "{{ as_automated_rbash_links }}"
-  }
+    when: AS_AUTOMATOR_AUTHORIZED_KEYS|length != 0
--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -123,12 +123,8 @@ EDXAPP_PYTHON_SANDBOX: false
 # it puts the sandbox in 'complain' mode, for reporting but not enforcement
 EDXAPP_SANDBOX_ENFORCE: true
-# Supply authorized keys used for remote management via the automated
+# Supply authorized keys used for remote management via the user
-# role, see meta/main.yml.  Ensure you know what this does before
+# role.
-# enabling.  The boolean flag determines whether the role is included.
-# This is done to make it possible to disable remote access easily by
-# setting the flag to true and providing an empty array.
-EDXAPP_INCLUDE_AUTOMATOR_ROLE: false
 EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
 EDXAPP_USE_GIT_IDENTITY: false

--- a/playbooks/roles/edxapp/meta/main.yml
+++ b/playbooks/roles/edxapp/meta/main.yml
@@ -6,8 +6,8 @@ dependencies:
    rbenv_dir: "{{ edxapp_app_dir }}"
    rbenv_ruby_version: "{{ edxapp_ruby_version }}"
  - devpi
-  - role: automated
+  - role: user
-    user_rbash_links: "{{ edxapp_automated_rbash_links }}"
+    name: automator
-    user_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
+    sudoers_template: '99-edxapp-manage-cmds.j2'
    user_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
-    when: EDXAPP_INCLUDE_AUTOMATOR_ROLE
+    when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length != 0
--- a/playbooks/roles/user/tasks/main.yml
+++ b/playbooks/roles/user/tasks/main.yml
@@ -144,9 +144,9 @@
  with_items: user_info
 - name: create sudoers file from template
-  copy:
+  template:
    dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
-    src={{ item.sudoers_template }} owner="root"
+    src=etc/sudoers.d/{{ item.sudoers_template }} owner="root"
    group="root" mode=0440 validate='visudo -cf %s'
  when: item.restricted is defined and item.sudoers_template is defined
  with_items: user_info
@@ -168,9 +168,10 @@
 - name: create allowed command links
  file:
-    src={{ item[1] }} dest=/home/{{ item[0] }}/bin/{{ item.[1]|basename }}
+    src: "{{ item[1] }}"
-    state=link
+    dest: "/home/{{ item[0].name }}/bin/{{ item[1]|basename }}"
-  when: when item[0].restricted is defined
+    state: link
+  when: item[0].restricted is defined
  with_nested:
    - user_info
    - user_rbash_links
--- a/playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2
+++ b/playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2
+{{ item.user }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*
--- a/playbooks/roles/user/templates/etc/sudoers.d/99-edxapp-manage-cmds.j2
+++ b/playbooks/roles/user/templates/etc/sudoers.d/99-edxapp-manage-cmds.j2
+{{ item.name }}	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *
+{{ item.name }}	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *
+{{ item.name }} ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *
+{{ item.name }} ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *
--- a/playbooks/roles/user/templates/restricted.bashrc.j2
+++ b/playbooks/roles/user/templates/restricted.bashrc.j2
+PATH=${HOME}/bin