4 # Copyright (C) 2011 Google Inc.
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21 """Script to ensure permissions on files/dirs are accurate.
31 from ganeti import constants
32 from ganeti import errors
33 from ganeti import runtime
34 from ganeti import ssconf
35 from ganeti import utils
36 from ganeti import cli
41 QUEUE_DIR) = range(1, 4)
43 ALL_TYPES = frozenset([
50 def RecursiveEnsure(path, uid, gid, dir_perm, file_perm):
51 """Ensures permissions recursively down a directory.
53 This functions walks the path and sets permissions accordingly.
55 @param path: The absolute path to walk
56 @param uid: The uid used as owner
57 @param gid: The gid used as group
58 @param dir_perm: The permission bits set for directories
59 @param file_perm: The permission bits set for files
62 assert os.path.isabs(path), "Path %s is not absolute" % path
63 assert os.path.isdir(path), "Path %s is not a dir" % path
65 logging.debug("Recursively processing %s", path)
67 for root, dirs, files in os.walk(path):
69 utils.EnforcePermission(os.path.join(root, subdir), dir_perm, uid=uid,
72 for filename in files:
73 utils.EnforcePermission(os.path.join(root, filename), file_perm, uid=uid,
77 def EnsureQueueDir(path, mode, uid, gid):
78 """Sets the correct permissions on all job files in the queue.
80 @param path: Directory path
81 @param mode: Wanted file mode
82 @param uid: Wanted user ID
83 @param gid: Wanted group ID
86 for filename in utils.ListVisibleFiles(path):
87 if constants.JOB_FILE_RE.match(filename):
88 utils.EnforcePermission(utils.PathJoin(path, filename), mode, uid=uid,
92 def ProcessPath(path):
93 """Processes a path component.
95 @param path: A tuple of the path component to process
98 (pathname, pathtype, mode, uid, gid) = path[0:5]
100 assert pathtype in ALL_TYPES
102 if pathtype in (DIR, QUEUE_DIR):
103 # No additional parameters
104 assert len(path[5:]) == 0
106 utils.MakeDirWithPerm(pathname, mode, uid, gid)
107 elif pathtype == QUEUE_DIR:
108 EnsureQueueDir(pathname, mode, uid, gid)
109 elif pathtype == FILE:
110 (must_exist, ) = path[5:]
111 utils.EnforcePermission(pathname, mode, uid=uid, gid=gid,
112 must_exist=must_exist)
116 """Returns a tuple of path objects to process.
119 getent = runtime.GetEnts()
120 masterd_log = constants.DAEMONS_LOGFILES[constants.MASTERD]
121 noded_log = constants.DAEMONS_LOGFILES[constants.NODED]
122 confd_log = constants.DAEMONS_LOGFILES[constants.CONFD]
123 rapi_log = constants.DAEMONS_LOGFILES[constants.RAPI]
125 rapi_dir = os.path.join(constants.DATA_DIR, "rapi")
128 (constants.DATA_DIR, DIR, 0755, getent.masterd_uid,
130 (constants.CLUSTER_DOMAIN_SECRET_FILE, FILE, 0640,
131 getent.masterd_uid, getent.masterd_gid, False),
132 (constants.CLUSTER_CONF_FILE, FILE, 0640, getent.masterd_uid,
133 getent.confd_gid, False),
134 (constants.CONFD_HMAC_KEY, FILE, 0440, getent.confd_uid,
135 getent.masterd_gid, False),
136 (constants.SSH_KNOWN_HOSTS_FILE, FILE, 0644, getent.masterd_uid,
137 getent.masterd_gid, False),
138 (constants.RAPI_CERT_FILE, FILE, 0440, getent.rapi_uid,
139 getent.masterd_gid, False),
140 (constants.SPICE_CERT_FILE, FILE, 0440, getent.noded_uid,
141 getent.masterd_gid, False),
142 (constants.SPICE_CACERT_FILE, FILE, 0440, getent.noded_uid,
143 getent.masterd_gid, False),
144 (constants.NODED_CERT_FILE, FILE, 0440, getent.masterd_uid,
145 getent.masterd_gid, False),
148 ss = ssconf.SimpleStore()
149 for ss_path in ss.GetFileList():
150 paths.append((ss_path, FILE, constants.SS_FILE_PERMS,
151 getent.noded_uid, 0, False))
154 (constants.QUEUE_DIR, DIR, 0700, getent.masterd_uid,
156 (constants.QUEUE_DIR, QUEUE_DIR, 0600, getent.masterd_uid,
158 (constants.JOB_QUEUE_LOCK_FILE, FILE, 0600,
159 getent.masterd_uid, getent.masterd_gid, False),
160 (constants.JOB_QUEUE_SERIAL_FILE, FILE, 0600,
161 getent.masterd_uid, getent.masterd_gid, False),
162 (constants.JOB_QUEUE_VERSION_FILE, FILE, 0600,
163 getent.masterd_uid, getent.masterd_gid, False),
164 (constants.JOB_QUEUE_ARCHIVE_DIR, DIR, 0700,
165 getent.masterd_uid, getent.masterd_gid),
166 (rapi_dir, DIR, 0750, getent.rapi_uid, getent.masterd_gid),
167 (constants.RAPI_USERS_FILE, FILE, 0640, getent.rapi_uid,
168 getent.masterd_gid, False),
169 (constants.RUN_GANETI_DIR, DIR, 0775, getent.masterd_uid,
171 (constants.SOCKET_DIR, DIR, 0750, getent.masterd_uid,
173 (constants.MASTER_SOCKET, FILE, 0770, getent.masterd_uid,
174 getent.daemons_gid, False),
175 (constants.BDEV_CACHE_DIR, DIR, 0755, getent.noded_uid,
177 (constants.UIDPOOL_LOCKDIR, DIR, 0750, getent.noded_uid,
179 (constants.DISK_LINKS_DIR, DIR, 0755, getent.noded_uid,
181 (constants.CRYPTO_KEYS_DIR, DIR, 0700, getent.noded_uid,
183 (constants.IMPORT_EXPORT_DIR, DIR, 0755, getent.noded_uid,
185 (constants.LOG_DIR, DIR, 0770, getent.masterd_uid,
187 (masterd_log, FILE, 0600, getent.masterd_uid, getent.masterd_gid,
189 (confd_log, FILE, 0600, getent.confd_uid, getent.masterd_gid, False),
190 (noded_log, FILE, 0600, getent.noded_uid, getent.masterd_gid, False),
191 (rapi_log, FILE, 0600, getent.rapi_uid, getent.masterd_gid, False),
192 (constants.LOG_OS_DIR, DIR, 0750, getent.masterd_uid,
199 def SetupLogging(opts):
200 """Configures the logging module.
203 formatter = logging.Formatter("%(asctime)s: %(message)s")
205 stderr_handler = logging.StreamHandler()
206 stderr_handler.setFormatter(formatter)
208 stderr_handler.setLevel(logging.NOTSET)
210 stderr_handler.setLevel(logging.INFO)
212 stderr_handler.setLevel(logging.WARNING)
214 root_logger = logging.getLogger("")
215 root_logger.setLevel(logging.NOTSET)
216 root_logger.addHandler(stderr_handler)
220 """Parses the options passed to the program.
222 @return: Options and arguments
225 program = os.path.basename(sys.argv[0])
227 parser = optparse.OptionParser(usage="%%prog [--full-run]",
229 parser.add_option(cli.DEBUG_OPT)
230 parser.add_option(cli.VERBOSE_OPT)
231 parser.add_option("--full-run", "-f", dest="full_run", action="store_true",
232 default=False, help=("Make a full run and set permissions"
233 " on archived jobs (time consuming)"))
235 return parser.parse_args()
242 (opts, _) = ParseOptions()
247 logging.info("Running in full mode")
249 getent = runtime.GetEnts()
252 for path in GetPaths():
256 RecursiveEnsure(constants.JOB_QUEUE_ARCHIVE_DIR, getent.masterd_uid,
257 getent.masterd_gid, 0700, 0600)
258 except errors.GenericError, err:
259 logging.error("An error occurred while setting permissions: %s", err)
260 return constants.EXIT_FAILURE
262 return constants.EXIT_SUCCESS