d4science-ghn-cluster: dataminer and rstudio: new sudoers allowed commands.

library/roles/smartgears/r_connector: Install the RProfile file, more tight permissions on the users home directories.

smartgears/r_connector/defaults/main.yml

@@ -10,6 +10,10 @@ r_connector_usershome: /home/
 r_connector_userconfig: userconfig.csv
 r_connector_adduserscript: /usr/local/bin/rusersadd
 r_connector_rstudio_cookie_key: /var/lib/rstudio-server/secure-cookie-key
+r_connector_rprofile_svn_url: 'http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/data-analysis/RConfiguration/RStudioConfiguration'
+r_connector_rprofile_filename: '.Rprofile'
+r_connector_rprofile_base_dir: '/srv/d4science'
+r_connector_rprofile_path: '{{ r_connector_rprofile_base_dir }}/RStudioConfiguration'
 r_connector_deb_pkgs:
   - ldap-utils
   - nslcd

smartgears/r_connector/tasks/main.yml

@@ -1,21 +1,20 @@
 ---
 - block:
-
     - name: Remove the installed R connector before upgrading
       file: dest={{ item }} state=absent
       with_items:
         - '{{ smartgears_instance_path }}/webapps/r-connector'
         - '{{ smartgears_instance_path }}/webapps/r-connector.war'
-      when: smartgears_upgrade or not r_connector_install
+      when: smartgears_upgrade
 
-    - name: Get the R connector war file
+    - name: Create the R connector webapp directory
-      get_url: url={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/{{ r_connector_war_file }}
+      file: dest={{ smartgears_instance_path }}/webapps/r-connector state=directory
-      
+
-    - name: Unpack the R connector war file
+    - name: Get and unpack the R connector war file
-      shell: mkdir {{ smartgears_instance_path }}/webapps/r-connector ; cd {{ smartgears_instance_path }}/webapps/r-connector ; jar xf {{ smartgears_instance_path }}/webapps/{{ r_connector_war_file }}
+      unarchive: copy=no src={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/r-connector
       args:
         creates: '{{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml'
-
+      
     - name: Obtain the permission to read the Rstudio secure cookie key
       become: False
       file: dest={{ r_connector_rstudio_cookie_key }} mode=640 group={{ smartgears_user }}
@@ -24,15 +23,55 @@
       template: src=r-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml mode=0440
       notify: Restart smartgears 
 
-    - name: Install the R add users script
-      become: False
-      template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
-
     - name: Install the packages required to enable the LDAP PAM authentication
       apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
       with_items: '{{ r_connector_deb_pkgs }}'
 
+    - name: Install the R add users script
+      become: False
+      template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
+      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
+    - name: Crete the directory that will host the RConfiguration stuff
+      become: False
+      file: dest={{ r_connector_rprofile_base_dir }} owner={{ d4science_user }} group={{ d4science_user }} state=directory
+      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
+    - name: Get the svn repository that provides the .Rprofile
+      subversion: repo={{ r_connector_rprofile_svn_url }} dest={{ r_connector_rprofile_path }}
+      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
+    - name: Install the cron job that regulary updates the Rprofile
+      cron: name="Update the RStudioConfiguration repo" special_time=daily job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1"
+      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
   become: True
   become_user: '{{ smartgears_user }}'
   when: r_connector_install
   tags: [ 'smartgears', 'r_connector', 'tomcat' ]
+
+- block:
+    - name: Remove the installed R connector before upgrading
+      file: dest={{ item }} state=absent
+      with_items:
+        - '{{ smartgears_instance_path }}/webapps/r-connector'
+        - '{{ smartgears_instance_path }}/webapps/r-connector.war'
+
+    - name: Remove the packages required to enable the LDAP PAM authentication
+      apt: pkg={{ item }} state=absent
+      with_items: '{{ r_connector_deb_pkgs }}'
+
+    - name: Remove the connector raddusers script
+      become: False
+      file: dest={{ r_connector_adduserscript }} state=absent
+
+    - name: Remove the RConfiguration repo
+      file: dest={{ r_connector_rprofile_path }} state=absent
+
+    - name: Remove the cron job that regulary updates the Rprofile
+      cron: name="Update the RStudioConfiguration repo" job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1" state=absent
+
+  become: True
+  become_user: '{{ smartgears_user }}'
+  when: not r_connector_install
+  tags: [ 'smartgears', 'r_connector', 'tomcat' ]

smartgears/r_connector/templates/rusersadd.j2

@@ -2,31 +2,44 @@
 
 USER="$1"
 HDIR="{{ r_connector_usershome }}$USER" 
-logfile={{ smartgears_user_home }}/tomcat/logs/runuseradd.log
+# We use logger to log directly to syslog
-exec >> $logfile 2>&1
+LOG_PREFIX="r-connector rusersadd:"
-
+# 0: allowed
+# 1: not allowed
+ALLOW_LOCAL_USERS=1
+RPROFILE_FILE='{{ r_connector_rprofile_path }}/{{ r_connector_rprofile_filename }}'
 
 if [ -d $HDIR ] ; then
-    echo "user $HDIR dir exists"
+    logger "$LOG_PREFIX user $HDIR directory exists"
     exit 0
 else 
     if id -u $USER >/dev/null 2>&1
     then
-        echo "ldap user $USER first login"
+        logger "$LOG_PREFIX ldap user $USER first login"
         sudo /bin/mkdir -p $HDIR
         sudo /bin/chown -R $USER $HDIR
-        sudo /bin/chmod g+ws $HDIR
+        sudo /bin/chmod g-wr,o-rwx $HDIR
         sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
         sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
-        sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+        #sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+        sudo /bin/chgrp {{ smartgears_user }} $HDIR
+        sudo /bin/chown {{ smartgears_user }}:{{ smartgears_user }} $HDIR/{{ r_connector_userconfig }}
+        sudo /bin/ln -s $RPROFILE_FILE $HDIR/{{ r_connector_rprofile_filename }}
         exit 0
     else
-        echo "user $USER does not exist and is not into ldap"
+        logger "$LOG_PREFIX user $USER does not exist locally and is not an ldap user"
-        sudo /usr/sbin/useradd -m -s /bin/false -g {{ smartgears_user }} $USER
+        if [ $ALLOW_LOCAL_USERS -eq 1 ] ; then
-        sudo /bin/chmod g+ws $HDIR
+            logger "$LOG_PREFIX non ldap users not allowed, refusing to create the user."
-        sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
+            exit 1
-        sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
+        else
-        sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+            logger "$LOG_PREFIX non ldap users allowed, adding the user $USER locally"
-        exit 0
+            sudo /usr/sbin/useradd -m -s /bin/false -g {{ smartgears_user }} $USER
+            sudo /bin/chmod g+ws $HDIR
+            sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
+            sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
+            sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+            sudo /bin/ln -s $RPROFILE_FILE $HDIR/{{ r_connector_rprofile_filename }}
+            exit 0
+        fi
     fi
 fi