forked from ISTI-ansible-roles/ansible-roles
d4science-ghn-cluster: dataminer and rstudio: new sudoers allowed commands.
library/roles/smartgears/r_connector: Install the RProfile file, more tight permissions on the users home directories.
This commit is contained in:
Andrea Dell'Amico
parent
a6dc7a6d2a
commit
facb92becf
|
|
@ -10,6 +10,10 @@ r_connector_usershome: /home/
|
|||
r_connector_userconfig: userconfig.csv
|
||||
r_connector_adduserscript: /usr/local/bin/rusersadd
|
||||
r_connector_rstudio_cookie_key: /var/lib/rstudio-server/secure-cookie-key
|
||||
r_connector_rprofile_svn_url: 'http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/data-analysis/RConfiguration/RStudioConfiguration'
|
||||
r_connector_rprofile_filename: '.Rprofile'
|
||||
r_connector_rprofile_base_dir: '/srv/d4science'
|
||||
r_connector_rprofile_path: '{{ r_connector_rprofile_base_dir }}/RStudioConfiguration'
|
||||
r_connector_deb_pkgs:
|
||||
- ldap-utils
|
||||
- nslcd
|
||||
|
|
|
|||
|
|
@ -1,21 +1,20 @@
|
|||
---
|
||||
- block:
|
||||
|
||||
- name: Remove the installed R connector before upgrading
|
||||
file: dest={{ item }} state=absent
|
||||
with_items:
|
||||
- '{{ smartgears_instance_path }}/webapps/r-connector'
|
||||
- '{{ smartgears_instance_path }}/webapps/r-connector.war'
|
||||
when: smartgears_upgrade or not r_connector_install
|
||||
when: smartgears_upgrade
|
||||
|
||||
- name: Get the R connector war file
|
||||
get_url: url={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/{{ r_connector_war_file }}
|
||||
|
||||
- name: Unpack the R connector war file
|
||||
shell: mkdir {{ smartgears_instance_path }}/webapps/r-connector ; cd {{ smartgears_instance_path }}/webapps/r-connector ; jar xf {{ smartgears_instance_path }}/webapps/{{ r_connector_war_file }}
|
||||
- name: Create the R connector webapp directory
|
||||
file: dest={{ smartgears_instance_path }}/webapps/r-connector state=directory
|
||||
|
||||
- name: Get and unpack the R connector war file
|
||||
unarchive: copy=no src={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/r-connector
|
||||
args:
|
||||
creates: '{{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml'
|
||||
|
||||
|
||||
- name: Obtain the permission to read the Rstudio secure cookie key
|
||||
become: False
|
||||
file: dest={{ r_connector_rstudio_cookie_key }} mode=640 group={{ smartgears_user }}
|
||||
|
|
@ -24,15 +23,55 @@
|
|||
template: src=r-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml mode=0440
|
||||
notify: Restart smartgears
|
||||
|
||||
- name: Install the R add users script
|
||||
become: False
|
||||
template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
|
||||
|
||||
- name: Install the packages required to enable the LDAP PAM authentication
|
||||
apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
|
||||
with_items: '{{ r_connector_deb_pkgs }}'
|
||||
|
||||
- name: Install the R add users script
|
||||
become: False
|
||||
template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
|
||||
tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
|
||||
|
||||
- name: Crete the directory that will host the RConfiguration stuff
|
||||
become: False
|
||||
file: dest={{ r_connector_rprofile_base_dir }} owner={{ d4science_user }} group={{ d4science_user }} state=directory
|
||||
tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
|
||||
|
||||
- name: Get the svn repository that provides the .Rprofile
|
||||
subversion: repo={{ r_connector_rprofile_svn_url }} dest={{ r_connector_rprofile_path }}
|
||||
tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
|
||||
|
||||
- name: Install the cron job that regulary updates the Rprofile
|
||||
cron: name="Update the RStudioConfiguration repo" special_time=daily job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1"
|
||||
tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
|
||||
|
||||
become: True
|
||||
become_user: '{{ smartgears_user }}'
|
||||
when: r_connector_install
|
||||
tags: [ 'smartgears', 'r_connector', 'tomcat' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the installed R connector before upgrading
|
||||
file: dest={{ item }} state=absent
|
||||
with_items:
|
||||
- '{{ smartgears_instance_path }}/webapps/r-connector'
|
||||
- '{{ smartgears_instance_path }}/webapps/r-connector.war'
|
||||
|
||||
- name: Remove the packages required to enable the LDAP PAM authentication
|
||||
apt: pkg={{ item }} state=absent
|
||||
with_items: '{{ r_connector_deb_pkgs }}'
|
||||
|
||||
- name: Remove the connector raddusers script
|
||||
become: False
|
||||
file: dest={{ r_connector_adduserscript }} state=absent
|
||||
|
||||
- name: Remove the RConfiguration repo
|
||||
file: dest={{ r_connector_rprofile_path }} state=absent
|
||||
|
||||
- name: Remove the cron job that regulary updates the Rprofile
|
||||
cron: name="Update the RStudioConfiguration repo" job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1" state=absent
|
||||
|
||||
become: True
|
||||
become_user: '{{ smartgears_user }}'
|
||||
when: not r_connector_install
|
||||
tags: [ 'smartgears', 'r_connector', 'tomcat' ]
|
||||
|
|
|
|||
|
|
@ -2,31 +2,44 @@
|
|||
|
||||
USER="$1"
|
||||
HDIR="{{ r_connector_usershome }}$USER"
|
||||
logfile={{ smartgears_user_home }}/tomcat/logs/runuseradd.log
|
||||
exec >> $logfile 2>&1
|
||||
|
||||
# We use logger to log directly to syslog
|
||||
LOG_PREFIX="r-connector rusersadd:"
|
||||
# 0: allowed
|
||||
# 1: not allowed
|
||||
ALLOW_LOCAL_USERS=1
|
||||
RPROFILE_FILE='{{ r_connector_rprofile_path }}/{{ r_connector_rprofile_filename }}'
|
||||
|
||||
if [ -d $HDIR ] ; then
|
||||
echo "user $HDIR dir exists"
|
||||
logger "$LOG_PREFIX user $HDIR directory exists"
|
||||
exit 0
|
||||
else
|
||||
if id -u $USER >/dev/null 2>&1
|
||||
then
|
||||
echo "ldap user $USER first login"
|
||||
logger "$LOG_PREFIX ldap user $USER first login"
|
||||
sudo /bin/mkdir -p $HDIR
|
||||
sudo /bin/chown -R $USER $HDIR
|
||||
sudo /bin/chmod g+ws $HDIR
|
||||
sudo /bin/chmod g-wr,o-rwx $HDIR
|
||||
sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
|
||||
#sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
|
||||
sudo /bin/chgrp {{ smartgears_user }} $HDIR
|
||||
sudo /bin/chown {{ smartgears_user }}:{{ smartgears_user }} $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/ln -s $RPROFILE_FILE $HDIR/{{ r_connector_rprofile_filename }}
|
||||
exit 0
|
||||
else
|
||||
echo "user $USER does not exist and is not into ldap"
|
||||
sudo /usr/sbin/useradd -m -s /bin/false -g {{ smartgears_user }} $USER
|
||||
sudo /bin/chmod g+ws $HDIR
|
||||
sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
|
||||
exit 0
|
||||
logger "$LOG_PREFIX user $USER does not exist locally and is not an ldap user"
|
||||
if [ $ALLOW_LOCAL_USERS -eq 1 ] ; then
|
||||
logger "$LOG_PREFIX non ldap users not allowed, refusing to create the user."
|
||||
exit 1
|
||||
else
|
||||
logger "$LOG_PREFIX non ldap users allowed, adding the user $USER locally"
|
||||
sudo /usr/sbin/useradd -m -s /bin/false -g {{ smartgears_user }} $USER
|
||||
sudo /bin/chmod g+ws $HDIR
|
||||
sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
|
||||
sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
|
||||
sudo /bin/ln -s $RPROFILE_FILE $HDIR/{{ r_connector_rprofile_filename }}
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
Loading…
Reference in New Issue