include userInGroup check in Lua modules when installation is group-restricted #2274
Conversation
|
As commented in our last telco (https://github.com/easybuilders/easybuild/wiki/Conference-call-notes-20170719), we could extend the Thoughts? |
…work into robust_group_check
|
@boegel currently we can't check properly that the module is correctly generated, since for it we need to have the proper OS setup (user running the tests has to belong the a group used for these tests, and that obviously changes with every computer). What would you suggest? |
…les + more complete test
boegel
changed the title
clean up implementation for including user-in-group check in Lua modules + more complete test
correctly fix broken test_toy_group_check
easybuild/framework/easyblock.py
Outdated
| if len(group_spec) == 2: | ||
| group_spec = group_spec[0] | ||
| else: | ||
| raise EasyBuildError("Found group spec in tuple format that is not a 2-tuple: %s", ec_group) |
There was a problem hiding this comment.
this is not correct:
- uses non-existing variable
ec_group - string templating with a tuple value (
group_spec) doesn't work for a single%s, should bestr(group_spec)
fixed in damianam#11, which includes an enhanced test
fix error for invalid group spec & enhance test to catch it
|
Going in, thanks @damianam! |
|
Can we make this optional through a config item ? That PR caused a bug in our installed recipes. |
|
@mboisson Sure we can. Any particular reason you don't like to have this enabled by default? And are you up for looking into the PR to make this optional yourself? ;) |
|
We use other means of managing user group checks, and the code added by this PR is broken on our system. |
|
Specifically, we do want easybuild to set the correct group-owner for the files, but we do not want to have the check in the module. |
|
I'll work on a PR. The idea could be that |
|
@bartoldeman Thanks, but, your idea is not going to work out well, since if A configuration option like |
Broken how exactly? We definitely don't want to have broken code anywhere, if it breaks in your system I guess it is a bug on the current implementation.
Can I ask why? I have no problem with adding options to remove this check (even though I can't spend time on it until November the earliest), but I wonder what is the rationale behind. Understanding the issue might help to have a better solution. |
|
Broken how: For some reason, on our system, the "userInGroup" function from Lmod fails to resolve the group name, and barfs on numeric IDs. We have a "localUserInGroup" function which works. It does not In comparison, Lmod's userInGroup does: We also tend to centralize any such check in the SitePackage.lua, through a hook. This prevents having one version of a software which has the check, and a second version which does not. |
|
Not a PR yet but at least I solved the mystery on why this happened:
A problem with our Nix setup is that we rely on LD_LIBRARY_PATH to find libnss_sss.so.2 to authenticate successfully. Since the LD_LIBRARY_PATH was not set when Lmod was configured, the capture command did not get the group names. I have now fixed our Lmod to avoid this, but in any case Maxime's comments still hold (the message overrides our logic in SitePackage.lua which is as follows): if the module errors out on its own, |
|
How about (rather than the above suggestion of "None") can do what we want ? |
This enables the use of
userInGroupfunction in lua modules (see #2127).The test is missing because it is not straight forward to implement. We need to create a module with an associated group, but when loading it it needs to fail (so the user can't belong to the group). If the user can't belong to the group, he/she can't install it using that group. Moreover, the group has to exist. This makes it very difficult to implement a reliable test.
Any idea to implement a meaningful test? Should this feature be optional (which would require adding yet another option to enable/disable it)?