[ARVADOS] updated: 397a21ef82d7d7a7f61b1b88250cc21702d3847b
git at public.curoverse.com
git at public.curoverse.com
Tue Jul 7 15:41:46 EDT 2015
Summary of changes:
{services/libpam => sdk/pam}/arvados_pam.py | 0
{services/libpam => sdk/pam}/debian/shellinabox | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename {services/libpam => sdk/pam}/arvados_pam.py (100%)
rename {services/libpam => sdk/pam}/debian/shellinabox (100%)
discards 61600bd3353859a609fd6416be65d2cfe1a8c46a (commit)
discards 76e74a7feb2142ff48a1189957626cc8f6deb360 (commit)
discards 0ebc3631838c34c0307fe73beb8e8037b0110bcf (commit)
discards 34ec4990bb0deaa6c7bef5b9793da3c6836b79e2 (commit)
via 397a21ef82d7d7a7f61b1b88250cc21702d3847b (commit)
via 25d4718345b22916d1b865c164437934a2a6cddd (commit)
via 9df4975aa288c0847d69c25474fe4711ba5b91f3 (commit)
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
* -- * -- B -- O -- O -- O (61600bd3353859a609fd6416be65d2cfe1a8c46a)
\
N -- N -- N (397a21ef82d7d7a7f61b1b88250cc21702d3847b)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 397a21ef82d7d7a7f61b1b88250cc21702d3847b
Author: Ward Vandewege <ward at curoverse.com>
Date: Mon Jul 6 08:28:36 2015 -0400
Add arvados_pam.py and shellinabox pam configuration file.
Refs #2256
diff --git a/sdk/pam/arvados_pam.py b/sdk/pam/arvados_pam.py
new file mode 100644
index 0000000..4ea1320
--- /dev/null
+++ b/sdk/pam/arvados_pam.py
@@ -0,0 +1,94 @@
+import syslog
+import sys
+sys.argv=['']
+import arvados
+import os
+
+def auth_log(msg):
+ """Send errors to default auth log"""
+ syslog.openlog(facility=syslog.LOG_AUTH)
+ #syslog.openlog()
+ syslog.syslog("libpam python Logged: " + msg)
+ syslog.closelog()
+
+
+def check_arvados_token(requested_username, token):
+ auth_log("%s %s" % (requested_username, token))
+ ARVADOS_API_HOST='4xphq.arvadosapi.com' ## FIXME replace with puppet
+ # BUG: hostname stored on the API is just "foo.shell", not "foo.shell.zzzzz.arvadosapi.com"!
+ my_hostname='shell' ## FIXME replace with puppet
+
+ try:
+ arv = arvados.api('v1',host=ARVADOS_API_HOST, token=token, cache=None)
+ except Exception as e:
+ auth_log(str(e))
+ return False
+
+ try:
+ matches = arv.virtual_machines().list(filters=[['hostname','=',my_hostname]]).execute()['items']
+ except Exception as e:
+ auth_log(str(e))
+ return False
+
+
+ if len(matches) != 1:
+ auth_log("libpam_arvados could not dertermine vm uuid for '%s'" % my_hostname)
+ return False
+
+ this_vm_uuid = matches[0]['uuid']
+ auth_log("this_vm_uuid: %s" % this_vm_uuid)
+ client_user_uuid = arv.users().current().execute()['uuid']
+
+ filters = [
+ ['link_class','=','permission'],
+ ['name','=','can_login'],
+ ['head_uuid','=',this_vm_uuid],
+ ['tail_uuid','=',client_user_uuid]]
+
+ for l in arv.links().list(filters=filters).execute()['items']:
+ if requested_username == l['properties']['username']:
+ return True
+ return False
+
+
+def pam_sm_authenticate(pamh, flags, argv):
+ try:
+ user = pamh.get_user()
+ except pamh.exception, e:
+ return e.pam_result
+
+ if not user:
+ return pamh.PAM_USER_UNKNOWN
+
+ try:
+ resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, ''))
+ except pamh.exception, e:
+ return e.pam_result
+
+ try:
+ check = check_arvados_token(user, resp.resp)
+ except Exception as e:
+ auth_log(str(e))
+ return False
+
+ if not check:
+ auth_log("Auth failed Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
+ return pamh.PAM_AUTH_ERR
+
+ auth_log("Success! Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
+ return pamh.PAM_SUCCESS
+
+def pam_sm_setcred(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_acct_mgmt(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_open_session(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_close_session(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_chauthtok(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
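Review bot: `return False` on the `except Exception` path of pam_sm_authenticate fails open: pam_python uses the returned value as the PAM status, and False == 0 == PAM_SUCCESS in Linux-PAM, so any unexpected error inside check_arvados_token (the unguarded `arv.users().current().execute()` call, or a link whose properties lack `username` raising KeyError) is logged and then the login is granted; it should be `return pamh.PAM_AUTH_ERR`. Separately, the submitted token is written to the auth log three times — `auth_log("%s %s" % (requested_username, token))` at the top of check_arvados_token and both `Remote Host` messages that interpolate `resp.resp` — which puts a reusable bearer credential into syslog; log only the username and host. The module also mixes Python 2 `except pamh.exception, e:` with `except Exception as e`, so it is Python 2 only; a module docstring saying so, and naming the two FIXME values that must come from configuration, would help the next reader.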
diff --git a/sdk/pam/debian/shellinabox b/sdk/pam/debian/shellinabox
new file mode 100644
index 0000000..d69fdd0
--- /dev/null
+++ b/sdk/pam/debian/shellinabox
@@ -0,0 +1,136 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+#auth optional pam_faildelay.so delay=3000000
+auth optional pam_faildelay.so delay=0
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_python.so /usr/local/bin/arvados_pam.py
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_ecryptfs.so unwrap
+# end of pam-auth-update config
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the message of the day upon succesful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+ at include common-account
+ at include common-session
+ at include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
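Review bot: `auth optional pam_faildelay.so delay=0` disables the failure delay that the commented-out line directly above keeps at 3 seconds, with no comment explaining why; for a browser-facing shellinabox login that validates a remote Arvados token, that delay is the only per-attempt throttle in this stack, so it deserves a line such as `# delay=0: the credential is an Arvados API token; rate-limiting is expected at the API — confirm`. The three lines `at include common-account` / `common-session` / `common-password` presumably read `@include` in the committed file and were munged by the mailing-list archive; worth verifying, since a literal `at include` would be an invalid PAM line. The stack is also copied from the Shadow `login` service, so tty-oriented entries such as `pam_securetty.so` and `pam_lastlog.so` may not apply to shellinabox; a short header comment stating which parts are intentional would save later readers the guesswork.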
commit 25d4718345b22916d1b865c164437934a2a6cddd
Author: Nico Cesar <nico at curoverse.com>
Date: Thu Jul 2 10:35:03 2015 -0400
5989: bug_1 added puppet repository patch
this is duplicated code from:
puppet/modules/arvados-git-server/templates/usr-local-arvados-update-gitolite.rb.erb
I just copied the code that was there
diff --git a/docker/api/update-gitolite.rb b/docker/api/update-gitolite.rb
index a1500e0..1f178cb 100755
--- a/docker/api/update-gitolite.rb
+++ b/docker/api/update-gitolite.rb
@@ -35,6 +35,7 @@ gitolite_arvados_git_user_key = cp_config['gitolite_arvados_git_user_key']
gitolite_tmpdir = File.join(File.absolute_path(File.dirname(__FILE__)),
cp_config['gitolite_tmp'])
gitolite_admin = File.join(gitolite_tmpdir, 'gitolite-admin')
+gitolite_admin_keydir = File.join(gitolite_admin, 'keydir')
gitolite_keydir = File.join(gitolite_admin, 'keydir', 'arvados')
ENV['ARVADOS_API_HOST'] = cp_config['arvados_api_host']
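Review bot: `gitolite_keydir` on the line after the new variable still spells out `File.join(gitolite_admin, 'keydir', 'arvados')` even though `gitolite_admin_keydir` is exactly its parent; writing it as `gitolite_keydir = File.join(gitolite_admin_keydir, 'arvados')` keeps the two paths from drifting apart if the keydir location ever changes. A one-line comment on the new variable, `# top-level keydir: gitolite expects the arvados_git_user key here`, would also explain its purpose without a trip to the install site.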
@@ -228,10 +229,12 @@ begin
permissions = arv.repository.get_all_permissions
ensure_directory(gitolite_keydir, 0700)
- user_ssh_keys = UserSSHKeys.new(permissions[:user_keys], gitolite_keydir)
- # Make sure the arvados_git_user key is installed
- user_ssh_keys.install('arvados_git_user.pub', gitolite_arvados_git_user_key)
+ admin_user_ssh_keys = UserSSHKeys.new(permissions[:user_keys], gitolite_admin_keydir)
+ # Make sure the arvados_git_user key is installed; put it in gitolite_admin_keydir
+ # because that is where gitolite will try to put it if we do not.
+ admin_user_ssh_keys.install('arvados_git_user.pub', gitolite_arvados_git_user_key)
+ user_ssh_keys = UserSSHKeys.new(permissions[:user_keys], gitolite_keydir)
permissions[:repositories].each do |repo_record|
repo = Repository.new(repo_record, user_ssh_keys)
repo.ensure_config(gitolite_admin)
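Review bot: Two `UserSSHKeys` objects are now built from the same `permissions[:user_keys]` list for two different directories; if `UserSSHKeys.new` does anything beyond storing its arguments (staging or pruning keys in its directory is not visible here), the whole user key set would also be processed against `gitolite_admin_keydir`, so that constructor should be checked before this lands. Nothing ensures `gitolite_admin_keydir` exists with a restricted mode before `admin_user_ssh_keys.install(...)`: `ensure_directory(gitolite_keydir, 0700)` two lines earlier creates only the `arvados` subdirectory (and its parent only implicitly, if ensure_directory recurses), so an explicit `ensure_directory(gitolite_admin_keydir, 0700)` before the install would make the intent clear. The begin block this hunk sits in starts outside the hunk.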
commit 9df4975aa288c0847d69c25474fe4711ba5b91f3
Author: Nico Cesar <nico at curoverse.com>
Date: Wed Jul 1 16:23:33 2015 -0400
5989: create directory structure for temp files
refs #5989 bug_1
diff --git a/docker/api/update-gitolite.rb b/docker/api/update-gitolite.rb
index 8247931..a1500e0 100755
--- a/docker/api/update-gitolite.rb
+++ b/docker/api/update-gitolite.rb
@@ -5,6 +5,7 @@ require 'pp'
require 'arvados'
require 'tempfile'
require 'yaml'
+require 'fileutils'
# This script does the actual gitolite config management on disk.
#
@@ -54,6 +55,7 @@ end
def replace_file(path, contents)
unlink_now = true
dirname, basename = File.split(path)
+ FileUtils.mkpath(dirname)
new_file = Tempfile.new([basename, ".tmp"], dirname)
begin
new_file.write(contents)
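Review bot: `FileUtils.mkpath(dirname)` creates any missing parent directories with the process umask's default mode, whereas the script otherwise creates key directories through `ensure_directory(path, 0700)`; if replace_file is ever called for a path under the keydir before that helper has run, the directory would be created world-readable by a permissive umask. Either reuse the existing helper here with an explicit mode, or add a comment such as `# mkpath applies the umask; callers needing a restricted directory must ensure_directory first` so the contract is stated. replace_file's begin/ensure body continues outside the hunk.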