Add parameter to openrc and change permissions

This commit changes the file "/etc/platform/openrc" to allow its usage by other users. The parameter "--no_credentials" was added for this purpose. Also, the permissions of this openrc file was changed to 0644 to allow its usage by users with no privileges. The typical use case is an LDAP user with or without privileges sources this openrc file and then sets the variables OS_USERNAME, OS_PASSWORD and PS1 (that uses OS_USERNAME). Also, the test to check if the controller is the active one, changed: previously, it was tested just if the password gotten was empty, but as the reason now to get an empty password may be a user with insufficient privileges, the test changed to check whether the executable file "keyring_file" exists (it exists only in the active controller and that is the reason why a standby controller gets an empty password). Test Plan: PASS: Successfully deploy an AIO-DX containing this change. Check that the permissions of "/etc/platform/openrc" are 644, owner root, group sys_protected. PASS: In the deployed AIO-DX, create 2 users: user1 is not part of groups sys_protected and root, user2 is part only of group sys_protected. PASS: In the active controller of AIO-DX, using users user1 and user2, execute the following commands: for "source /etc/platform/openrc --no_credentials" command, the result for all users is that the file is sourced without errors; for "source /etc/platform/openrc; system host-list", user1 gets a message saying it doesn't have privileges to read keyring password and an error message for system command, while user2 gets the commands executed without errors. PASS: Repeat the test above for standby controller: for "source /etc/platform/openrc --no_credentials" command, all users get a message saying it should only be loaded from active controller; for "source /etc/platform/openrc; system host-list", also a message is printed saying it should only be loaded from active controller and an error message appears for system command. Partial-Bug: 2024627 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> Change-Id: I6ef2ca16a272d1fc7c4a24b9f5b48a9cb860450f
2023-06-21 18:08:20 -03:00 · 2023-06-21 18:08:20 -03:00 · 9a3f92eed9
commit 9a3f92eed9
parent 6e4f3df557
2 changed files with 32 additions and 7 deletions
--- a/puppet-manifests/src/modules/platform/manifests/client.pp
+++ b/puppet-manifests/src/modules/platform/manifests/client.pp
@ -18,7 +18,7 @@ class platform::client

  file {'/etc/platform/openrc':
    ensure  => 'present',
-    mode    => '0640',
+    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => template('platform/openrc.admin.erb'),
--- a/puppet-manifests/src/modules/platform/templates/openrc.admin.erb
+++ b/puppet-manifests/src/modules/platform/templates/openrc.admin.erb
@ -1,10 +1,21 @@
+# Usage: source this file with parameter "--no_credentials" to avoid exporting
+# user and password. Also, PS1 variable is not set.
+
+if [[ $1 == "--no_credentials" ]]; then
+    no_credentials=true
+else
+    no_credentials=false
+fi
+
 unset OS_SERVICE_TOKEN

 export OS_ENDPOINT_TYPE=internalURL
 export CINDER_ENDPOINT_TYPE=internalURL

-export OS_USERNAME=<%= @admin_username %>
-export OS_PASSWORD=`TERM=linux <%= @keyring_file %> 2>/dev/null`
+if [[ "$no_credentials" == false ]]; then
+    export OS_USERNAME=<%= @admin_username %>
+    export OS_PASSWORD=`TERM=linux <%= @keyring_file %> 2>/dev/null`
+fi
 export OS_AUTH_TYPE=password
 export OS_AUTH_URL=<%= @identity_auth_url %>

@ -15,9 +26,23 @@ export OS_IDENTITY_API_VERSION=<%= @identity_api_version %>
 export OS_REGION_NAME=<%= @identity_region %>
 export OS_INTERFACE=internal

-if [ ! -z "${OS_PASSWORD}" ]; then
-    export PS1='[\u@\h \W(keystone_$OS_USERNAME)]\$ '
+if [[ "$no_credentials" == false ]]; then
+    if [ ! -z "${OS_PASSWORD}" ]; then
+        export PS1='[\u@\h \W(keystone_$OS_USERNAME)]\$ '
+    else
+        if [ ! -e <%= @keyring_file %> ]; then
+            echo 'Openstack Admin credentials can only be loaded from the active controller.'
+        else
+            echo 'Not enough privileges to read keyring password.'
+        fi
+        export PS1='\h:\w\$ '
+        return 1
+    fi
 else
-    echo 'Openstack Admin credentials can only be loaded from the active controller.'
-    export PS1='\h:\w\$ '
+    if [ ! -e <%= @keyring_file %> ]; then
+        echo 'This file should only be loaded from the active controller.'
+        return 1
+    fi
 fi
+
+return 0