authorSol Jerome <sol.jerome@gmail.com>2012-03-24 11:20:07 -0500
committerSol Jerome <sol.jerome@gmail.com>2012-03-24 11:20:07 -0500
commitdab1d03d81c538966d03fb9318a4588a9e803b44 (patch)
treef51e27fa55887e9fb961766805fe43f0da56c5b9 /src/lib/Bcfg2/Server/Plugins/Account.py
parent5cd6238df496a3cea178e4596ecd87967cce1ce6 (diff)
Allow to run directly from a git checkout (#1037)
Signed-off-by: Sol Jerome <sol.jerome@gmail.com>
Diffstat (limited to 'src/lib/Bcfg2/Server/Plugins/Account.py')
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Account.py101
1 files changed, 101 insertions, 0 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Account.py b/src/lib/Bcfg2/Server/Plugins/Account.py
new file mode 100644
index 000000000..f2703dccb
--- /dev/null
+++ b/src/lib/Bcfg2/Server/Plugins/Account.py
@@ -0,0 +1,101 @@
+"""This handles authentication setup."""
+
+import Bcfg2.Server.Plugin
+
+
+class Account(Bcfg2.Server.Plugin.Plugin,
+ Bcfg2.Server.Plugin.Generator):
+ """This module generates account config files,
+ based on an internal data repo:
+ static.(passwd|group|limits.conf) -> static entries
+ dyn.(passwd|group) -> dynamic entries (usually acquired from yp or somesuch)
+ useraccess -> users to be granted login access on some hosts
+ superusers -> users to be granted root privs on all hosts
+ rootlike -> users to be granted root privs on some hosts
+
+ """
+ name = 'Account'
+ __author__ = 'bcfg-dev@mcs.anl.gov'
+
+ def __init__(self, core, datastore):
+ Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore)
+ Bcfg2.Server.Plugin.Generator.__init__(self)
+ self.Entries = {'ConfigFile': {'/etc/passwd': self.from_yp_cb,
+ '/etc/group': self.from_yp_cb,
+ '/etc/security/limits.conf': self.gen_limits_cb,
+ '/root/.ssh/authorized_keys': self.gen_root_keys_cb,
+ '/etc/sudoers': self.gen_sudoers}}
+ try:
+ self.repository = Bcfg2.Server.Plugin.DirectoryBacked(self.data,
+ self.core.fam)
+ except:
+ self.logger.error("Failed to load repos: %s, %s" % \
+ (self.data, "%s/ssh" % (self.data)))
+ raise Bcfg2.Server.Plugin.PluginInitError
+
+ def from_yp_cb(self, entry, metadata):
+ """Build password file from cached yp data."""
+ fname = entry.attrib['name'].split('/')[-1]
+ entry.text = self.repository.entries["static.%s" % (fname)].data
+ entry.text += self.repository.entries["dyn.%s" % (fname)].data
+ perms = {'owner': 'root',
+ 'group': 'root',
+ 'perms': '0644'}
+ [entry.attrib.__setitem__(key, value) for (key, value) in \
+ list(perms.items())]
+
+ def gen_limits_cb(self, entry, metadata):
+ """Build limits entries based on current ACLs."""
+ entry.text = self.repository.entries["static.limits.conf"].data
+ superusers = self.repository.entries["superusers"].data.split()
+ useraccess = [line.split(':') for line in \
+ self.repository.entries["useraccess"].data.split()]
+ users = [user for (user, host) in \
+ useraccess if host == metadata.hostname.split('.')[0]]
+ perms = {'owner': 'root',
+ 'group': 'root',
+ 'perms': '0600'}
+ [entry.attrib.__setitem__(key, value) for (key, value) in \
+ list(perms.items())]
+ entry.text += "".join(["%s hard maxlogins 1024\n" % uname for uname in superusers + users])
+ if "*" not in users:
+ entry.text += "* hard maxlogins 0\n"
+
+ def gen_root_keys_cb(self, entry, metadata):
+ """Build root authorized keys file based on current ACLs."""
+ superusers = self.repository.entries['superusers'].data.split()
+ try:
+ rootlike = [line.split(':', 1) for line in \
+ self.repository.entries['rootlike'].data.split()]
+ superusers += [user for (user, host) in rootlike \
+ if host == metadata.hostname.split('.')[0]]
+ except:
+ pass
+ rdata = self.repository.entries
+ entry.text = "".join([rdata["%s.key" % user].data for user \
+ in superusers if \
+ ("%s.key" % user) in rdata])
+ perms = {'owner': 'root',
+ 'group': 'root',
+ 'perms': '0600'}
+ [entry.attrib.__setitem__(key, value) for (key, value) \
+ in list(perms.items())]
+
+ def gen_sudoers(self, entry, metadata):
+ """Build root authorized keys file based on current ACLs."""
+ superusers = self.repository.entries['superusers'].data.split()
+ try:
+ rootlike = [line.split(':', 1) for line in \
+ self.repository.entries['rootlike'].data.split()]
+ superusers += [user for (user, host) in rootlike \
+ if host == metadata.hostname.split('.')[0]]
+ except:
+ pass
+ entry.text = self.repository.entries['static.sudoers'].data
+ entry.text += "".join(["%s ALL=(ALL) ALL\n" % uname \
+ for uname in superusers])
+ perms = {'owner': 'root',
+ 'group': 'root',
+ 'perms': '0440'}
+ [entry.attrib.__setitem__(key, value) for (key, value) \
+ in list(perms.items())]
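Review bot: The bare `except: pass` around the `rootlike` parsing in gen_root_keys_cb, and the identical one in gen_sudoers, swallows more than a missing file: a `rootlike` line without a `:` makes the `(user, host)` unpacking raise ValueError, which is caught and silently drops every host-specific root grant, so an operator typo becomes an unreported change in who receives root SSH keys and sudo. The two methods also duplicate that block; I would extract it into one helper that catches only `KeyError` (assuming `repository.entries` is a plain dict, which the `in rdata` test at gen_root_keys_cb suggests) and logs malformed lines, as below, and call it from both with `superusers = self._root_users(metadata)`. Separately, the gen_sudoers docstring is copied from gen_root_keys_cb and should read `"""Build sudoers file based on current ACLs."""`, and the `[entry.attrib.__setitem__(...) for ...]` side-effect comprehensions in all four callbacks are clearer as `entry.attrib.update(perms)`. The host comparison in gen_limits_cb, gen_root_keys_cb and gen_sudoers uses only the short hostname, so machines that share a short name in different domains receive the same grants; worth a comment if that is intentional.
```python
    def _root_users(self, metadata):
        """Return superusers plus users granted root on this host via 'rootlike'.

        A missing 'rootlike' file adds nothing; a line without a ':' separator
        is logged and skipped instead of silently discarding the whole file.
        """
        users = self.repository.entries['superusers'].data.split()
        try:
            rootlike = self.repository.entries['rootlike'].data.split()
        except KeyError:
            return users
        shortname = metadata.hostname.split('.')[0]
        for line in rootlike:
            parts = line.split(':', 1)
            if len(parts) != 2:
                self.logger.error("Malformed rootlike entry: %s" % line)
                continue
            user, host = parts
            if host == shortname:
                users.append(user)
        return users

    def gen_root_keys_cb(self, entry, metadata):
        """Build root authorized keys file based on current ACLs."""
        superusers = self._root_users(metadata)
        # … unchanged: key concatenation and perms …

    def gen_sudoers(self, entry, metadata):
        """Build sudoers file based on current ACLs."""
        superusers = self._root_users(metadata)
        # … unchanged: static.sudoers concatenation and perms …
```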