Amend deployment initialize for consistent ownership

Depending on the options selected/not selected, the /var/lib/confluent directory may have been initialized incorrectly. Have all the potential paths begin with ensuring /var/lib/confluent is correct, and then use seteuid consistently to take care of the rest.
2024-11-25 19:10:10 +00:00 · 2022-01-14 15:08:19 -05:00 · 2022-01-14 15:08:19 -05:00 · 2d13921d54
commit 2d13921d54
parent 8b95e8f507
3 changed files with 26 additions and 5 deletions
--- a/confluent_server/bin/osdeploy
+++ b/confluent_server/bin/osdeploy
@ -258,6 +258,14 @@ def initialize(cmdset):
            sys.exit(1)
        init_confluent_myname()
        sshutil.initialize_root_key(False)
+    if cmdset.t or cmdset.s or cmdset.a or cmdset.u:
+        neededuid = os.stat('/etc/confluent').st_uid
+        try:
+            os.makedirs('/var/lib/confluent')
+            os.chown('/var/lib/confluent', neededuid, -1)
+        except OSError as e:
+            if e.errno != 17:
+                raise
    if cmdset.t:
        didsomething = True
        init_confluent_myname()
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@ -15,6 +15,15 @@ def get_openssl_conf_location():
    else:
        raise Exception("Cannot find openssl config file")

+def normalize_uid():
+    curruid = os.geteuid()
+    neededuid = os.stat('/etc/confluent').st_uid
+    if curruid != neededuid:
+        os.seteuid(neededuid)
+    if os.geteuid() != neededuid:
+        raise Exception('Need to run as root or owner of /etc/confluent')
+    return curruid
+
 def get_ip_addresses():
    lines, _ = util.run(['ip', 'addr'])
    if not isinstance(lines, str):
@ -96,11 +105,14 @@ def assure_tls_ca():
            os.remove(tmpconfig)
    fname = '/var/lib/confluent/public/site/tls/{0}.pem'.format(
        collective.get_myname())
+    ouid = normalize_uid()
    try:
        os.makedirs(os.path.dirname(fname))
    except OSError as e:
        if e.errno != 17:
            raise
+    finally:
+        os.seteuid(ouid)
    shutil.copy2('/etc/confluent/tls/cacert.pem', fname)
    hv, _ = util.run(
        ['openssl', 'x509', '-in', '/etc/confluent/tls/cacert.pem', '-hash', '-noout'])
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@ -89,11 +89,14 @@ def initialize_ca():
        ['ssh-keygen', '-C', comment, '-t', 'ed25519', '-f',
         '/etc/confluent/ssh/ca', '-N', get_passphrase()],
         preexec_fn=normalize_uid)
+    ouid = normalize_uid()
    try:
        os.makedirs('/var/lib/confluent/public/site/ssh/', mode=0o755)
    except OSError as e:
        if e.errno != 17:
            raise
+    finally:
+        os.seteuid(ouid)
    cafilename = '/var/lib/confluent/public/site/ssh/{0}.ca'.format(myname)
    shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)
    #    newent = '@cert-authority * ' + capub.read()
@ -167,16 +170,14 @@ def initialize_root_key(generate, automation=False):
            '-C', 'Confluent Automation by {}'.format(myname)],
            preexec_fn=normalize_uid)
        authorized = ['/etc/confluent/ssh/automation.pub']
+    ouid = normalize_uid()
    try:
        os.makedirs('/var/lib/confluent/public/site/ssh', mode=0o755)
-        neededuid = os.stat('/etc/confluent').st_uid
-        os.chown('/var/lib/confluent', neededuid, -1)
-        os.chown('/var/lib/confluent/public', neededuid, -1)
-        os.chown('/var/lib/confluent/public/site', neededuid, -1)
-        os.chown('/var/lib/confluent/public/site/ssh', neededuid, -1)
    except OSError as e:
        if e.errno != 17:
            raise
+    finally:
+        os.seteuid(ouid)
    neededuid = os.stat('/etc/confluent').st_uid
    if automation:
        suffix = 'automationpubkey'