forked from aws/aws-parallelcluster-cookbook
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 19 changed files with 326 additions and 11 deletions.
57 changes: 57 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/resources/sudo_access/partial/_sudo_access_common.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
# frozen_string_literal: true | ||
# | ||
# Copyright:: 2013-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"). | ||
# You may not use this file except in compliance with the License. | ||
# A copy of the License is located at | ||
# | ||
# http://aws.amazon.com/apache2.0/ | ||
# | ||
# or in the "LICENSE.txt" file accompanying this file. | ||
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
|
||
unified_mode true | ||
default_action :setup | ||
|
||
property :user_name, String, default: node['cluster']['cluster_user'] | ||
|
||
action :setup do | ||
node['cluster']['disable_sudo_access_for_default_user'] == 'true' ? action_disable : action_enable | ||
end | ||
|
||
action :enable do | ||
Chef::Log.info("Enabling Sudo Access for #{new_resource.user_name}") | ||
# Enable sudo access for default user | ||
template '/etc/sudoers.d/99-parallelcluster-revoke-sudo-access' do | ||
only_if { ::File.exist? "/etc/sudoers.d/99-parallelcluster-revoke-sudo-access" } | ||
source 'sudo_access/99-parallelcluster-revoke-sudo.erb' | ||
cookbook 'aws-parallelcluster-platform' | ||
action :delete | ||
end | ||
end | ||
|
||
action :disable do | ||
Chef::Log.info("Disabling Sudo Access for #{new_resource.user_name}") | ||
replace_or_add "Disable Sudo Access for #{new_resource.user_name}" do | ||
path "/etc/sudoers" | ||
pattern "^#{new_resource.user_name}*" | ||
line "" | ||
remove_duplicates true | ||
replace_only true | ||
end | ||
|
||
# Disable sudo access for default user | ||
template '/etc/sudoers.d/99-parallelcluster-revoke-sudo-access' do | ||
source 'sudo_access/99-parallelcluster-revoke-sudo.erb' | ||
cookbook 'aws-parallelcluster-platform' | ||
owner 'root' | ||
group 'root' | ||
mode '0600' | ||
variables( | ||
user_name: new_resource.user_name | ||
) | ||
action :create | ||
end | ||
end |
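Review bot: In action :disable, the replace_or_add pattern "^#{new_resource.user_name}*" is over-broad: the trailing * quantifies only the last character of the name, and the name is interpolated without escaping, so the expression matches every /etc/sudoers line that merely begins with the same prefix (a second account whose name extends this one, or an alias starting with those characters), and line "" blanks it. Anchor on the whole token instead, for example "^#{Regexp.escape(new_resource.user_name)}\s", and consider setting the template resource's verify property to a visudo -cf check on %{path} so an invalid render never lands in /etc/sudoers.d. Also, :enable only deletes the drop-in and does not put back the lines that :disable blanked in /etc/sudoers, so the two actions are not symmetric; if that is intended it deserves a comment in the resource.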
17 changes: 17 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_amazon2.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# frozen_string_literal: true | ||
|
||
# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"). | ||
# You may not use this file except in compliance with the License. | ||
# A copy of the License is located at | ||
# | ||
# http://aws.amazon.com/apache2.0/ | ||
# | ||
# or in the "LICENSE.txt" file accompanying this file. | ||
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
|
||
provides :sudo_access, platform: 'amazon', platform_version: '2' | ||
|
||
use 'partial/_sudo_access_common.rb' |
19 changes: 19 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_centos7.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# frozen_string_literal: true | ||
|
||
# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"). | ||
# You may not use this file except in compliance with the License. | ||
# A copy of the License is located at | ||
# | ||
# http://aws.amazon.com/apache2.0/ | ||
# | ||
# or in the "LICENSE.txt" file accompanying this file. | ||
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
|
||
provides :sudo_access, platform: 'centos' do |node| | ||
node['platform_version'].to_i == 7 | ||
end | ||
|
||
use 'partial/_sudo_access_common.rb' |
19 changes: 19 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_redhat8.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# frozen_string_literal: true | ||
|
||
# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"). | ||
# You may not use this file except in compliance with the License. | ||
# A copy of the License is located at | ||
# | ||
# http://aws.amazon.com/apache2.0/ | ||
# | ||
# or in the "LICENSE.txt" file accompanying this file. | ||
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
|
||
provides :sudo_access, platform: 'redhat' do |node| | ||
node['platform_version'].to_i == 8 | ||
end | ||
|
||
use 'partial/_sudo_access_common.rb' |
19 changes: 19 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_rocky8.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# frozen_string_literal: true | ||
|
||
# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"). | ||
# You may not use this file except in compliance with the License. | ||
# A copy of the License is located at | ||
# | ||
# http://aws.amazon.com/apache2.0/ | ||
# | ||
# or in the "LICENSE.txt" file accompanying this file. | ||
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
|
||
provides :sudo_access, platform: 'rocky' do |node| | ||
node['platform_version'].to_i == 8 | ||
end | ||
|
||
use 'partial/_sudo_access_common.rb' |
19 changes: 19 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_ubuntu20+.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# frozen_string_literal: true | ||
|
||
# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"). | ||
# You may not use this file except in compliance with the License. | ||
# A copy of the License is located at | ||
# | ||
# http://aws.amazon.com/apache2.0/ | ||
# | ||
# or in the "LICENSE.txt" file accompanying this file. | ||
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
|
||
provides :sudo_access, platform: 'ubuntu' do |node| | ||
node['platform_version'].to_i >= 20 | ||
end | ||
|
||
use 'partial/_sudo_access_common.rb' |
81 changes: 81 additions & 0 deletions
cookbooks/aws-parallelcluster-platform/spec/unit/resources/sudo_access_spec.rb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
require 'spec_helper' | ||
|
||
class ConvergeDisableSudoAccess | ||
def self.setup(chef_run) | ||
chef_run.converge_dsl('aws-parallelcluster-platform') do | ||
sudo_access 'setup' do | ||
action :setup | ||
end | ||
end | ||
end | ||
end | ||
|
||
describe 'sudo_access:setup' do | ||
for_all_oses do |platform, version| | ||
context "on #{platform}#{version}" do | ||
cached(:default_user) { 'ubuntu' } | ||
let(:chef_run) do | ||
runner(platform: platform, version: version, step_into: ['sudo_access']) do |node| | ||
node.override['cluster']['cluster_user'] = default_user | ||
end | ||
end | ||
|
||
context "when disable_sudo_access_for_default_user is true" do | ||
before do | ||
chef_run.node.override['cluster']['disable_sudo_access_for_default_user'] = 'true' | ||
ConvergeDisableSudoAccess.setup(chef_run) | ||
end | ||
|
||
it('it disables sudo access for default user') do | ||
is_expected.to edit_replace_or_add("Disable Sudo Access for #{default_user}").with( | ||
path: '/etc/sudoers', | ||
pattern: "^#{default_user}*", | ||
line: "", | ||
remove_duplicates: true, | ||
replace_only: true | ||
) | ||
is_expected.to create_template("/etc/sudoers.d/99-parallelcluster-revoke-sudo-access").with( | ||
source: 'sudo_access/99-parallelcluster-revoke-sudo.erb', | ||
cookbook: 'aws-parallelcluster-platform', | ||
user: 'root', | ||
group: 'root', | ||
mode: '0600', | ||
variables: { | ||
user_name: default_user, | ||
} | ||
) | ||
end | ||
end | ||
|
||
context "when disable_sudo_access_for_default_user is false" do | ||
before do | ||
chef_run.node.override['cluster']['disable_sudo_access_for_default_user'] = 'false' | ||
end | ||
|
||
context 'and 99-parallelcluster-revoke-sudo-access file doesnt exist' do | ||
before do | ||
mock_file_exists("/etc/sudoers.d/99-parallelcluster-revoke-sudo-access", false) | ||
ConvergeDisableSudoAccess.setup(chef_run) | ||
end | ||
it('it enables sudo access for default user') do | ||
is_expected.not_to delete_template('/etc/sudoers.d/99-parallelcluster-revoke-sudo-access').with( | ||
source: "sudo_access/99-parallelcluster-revoke-sudo.erb" | ||
) | ||
end | ||
end | ||
|
||
context 'and 99-parallelcluster-revoke-sudo-access file exists' do | ||
before do | ||
mock_file_exists("/etc/sudoers.d/99-parallelcluster-revoke-sudo-access", true) | ||
ConvergeDisableSudoAccess.setup(chef_run) | ||
end | ||
it('it enables sudo access for default user') do | ||
is_expected.to delete_template('/etc/sudoers.d/99-parallelcluster-revoke-sudo-access').with( | ||
source: "sudo_access/99-parallelcluster-revoke-sudo.erb" | ||
) | ||
end | ||
end | ||
end | ||
end | ||
end | ||
end |
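Review bot: The expectation pattern: "^#{default_user}*" in the disable case copies the resource's regular expression verbatim, so this spec locks in the over-broad match rather than catching it; assert the intended match instead (the whole user name followed by whitespace) once the resource is tightened. There is no render_file check on the content of /etc/sudoers.d/99-parallelcluster-revoke-sudo-access, and no case for disable_sudo_access_for_default_user being unset, which the == 'true' comparison in :setup routes to :enable. The two examples titled 'it enables sudo access for default user' share a title although the first asserts that nothing is deleted, and it('it ...') doubles the word in the test output.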
1 change: 1 addition & 0 deletions
...oks/aws-parallelcluster-platform/templates/sudo_access/99-parallelcluster-revoke-sudo.erb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
<%= @user_name %> ALL=(ALL) !ALL |
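Review bot: The deny rule ALL=(ALL) !ALL only holds while it is the last sudoers entry matching the user, because sudo applies the last match. The 99- prefix orders this file late in /etc/sudoers.d, but a drop-in that sorts after it, or an entry placed after the include directive in /etc/sudoers, would override it. State that ordering assumption in a comment in the template or the resource, and validate @user_name before interpolation, since a value containing whitespace or sudoers metacharacters changes the meaning of the line.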
11 changes: 8 additions & 3 deletions
...s/aws-parallelcluster-platform/templates/supervisord/parallelcluster_supervisord.conf.erb