From 47af8693606c783f714eb43206b07c8e9cf11ee2 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 16 Mar 2023 15:15:46 -0400
Subject: [PATCH] Allow ansible plays to be private

Since the node need not have access, the ansible plays may be made private instead. This enables potentially sensitive plays to be protected.
---
 confluent_server/confluent/selfservice.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index 29b7fa01..52cff7ab 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -469,18 +469,19 @@ def handle_request(env, start_response):
 yield ''
 elif env['PATH_INFO'].startswith('/self/remoteconfig/') and 'POST' == operation:
 scriptcat = env['PATH_INFO'].replace('/self/remoteconfig/', '')
- slist, profile = get_scriptlist(
- scriptcat, cfg, nodename,
- '/var/lib/confluent/public/os/{0}/ansible/{1}')
 playlist = []
- dirname = '/var/lib/confluent/public/os/{0}/ansible/{1}/'.format(
- profile, scriptcat)
- if not os.path.isdir(dirname):
- dirname = '/var/lib/confluent/public/os/{0}/ansible/{1}.d/'.format(
- profile, scriptcat)
- for filename in slist:
- if filename.endswith('.yaml') or filename.endswith('.yml'):
- playlist.append(os.path.join(dirname, filename))
+ for privacy in ('public', 'private'):
+ slist, profile = get_scriptlist(
+ scriptcat, cfg, nodename,
+ '/var/lib/confluent/{0}/os/{{0}}/ansible/{{1}}'.format(privacy))
+ dirname = '/var/lib/confluent/{2}/os/{0}/ansible/{1}/'.format(
+ profile, scriptcat, privacy)
+ if not os.path.isdir(dirname):
+ dirname = '/var/lib/confluent/{2}/os/{0}/ansible/{1}.d/'.format(
+ profile, scriptcat, privacy)
+ for filename in slist:
+ if filename.endswith('.yaml') or filename.endswith('.yml'):
+ playlist.append(os.path.join(dirname, filename))
 if playlist:
 runansible.run_playbooks(playlist, [nodename])
 start_response('202 Queued', ())
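Review bot: `scriptcat` is taken from `PATH_INFO` and formatted straight into `dirname`, and with the new `for privacy in ('public', 'private')` loop that request-derived value now also selects directories under `/var/lib/confluent/private/`, the tree this change introduces to keep sensitive plays protected. Nothing visible in the hunk rejects path separators or `..` in it (`get_scriptlist` is not shown and may already do so), so a category that resolves outside `os/<profile>/ansible/` could make the server queue plays the node's own profile was never meant to run. If categories are always a single path component, a guard directly after the `scriptcat = ...` line such as `if os.path.basename(scriptcat) != scriptcat or scriptcat in ('', '.', '..'):` followed by the handler's usual 4xx response would close that off. A short comment above the loop, e.g. `# plays run server-side via runansible, so the node never needs to read the private tree`, would also record why serving from `private` is safe. `handle_request` starts and ends outside the hunk, so an equivalent check may already exist earlier in the function.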