added perun_sync

martin-kuba · martin-kuba · commit b59025599ca8 · 2024-03-20T18:34:39.000+01:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -706,6 +706,15 @@ perun_msmtp_config: |
   user test
   password test
 
+# Perun-to-Perun synchronization
+perun_sync_enabled: no
+perun_sync_users:
+  - user: perunsync
+    group: perunsync
+    comment: Perun-to-Perun synchronization
+    src_host: idm.ics.muni.cz
+    ssh_key_file: files/idm.ics.muni.cz/id_rsa.pub
+
 ######################
 # You do not need to modify values below
 ######################
diff --git a/files/perun_sync.py b/files/perun_sync.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+import grp
+import os
+import pwd
+import sys
+import json
+
+DIR = os.getenv('HOME')
+RESOURCE_ATTR_NAME = "urn:perun:resource:attribute-def:def:authorizationResourceId"
+
+def update_json(data):
+    for user_uuid, user_data in data["users"].items():
+        allowed_resources_uuids = list(user_data.get("allowed_resources", {}).keys())
+        for resource_uuid in allowed_resources_uuids:
+            if resource_uuid in data["resources"]:
+                data["resources"].setdefault(resource_uuid, {}).setdefault("members", {})
+                data["resources"][resource_uuid]["members"][user_uuid] = user_data["attributes"]
+        data["users"][user_uuid].pop("allowed_resources", None)
+    return data
+
+
+def remove_unmatched_files(data):
+    all_resources_names = []
+    for resource_uuid, resource_data in data["resources"].items():
+        all_resources_names.append(resource_data["attributes"][RESOURCE_ATTR_NAME])
+
+    for filename in os.listdir(DIR):
+        if filename.endswith(".json") and filename.split(".json")[0] not in all_resources_names:
+            filepath = os.path.join(DIR, filename)
+            os.remove(filepath)
+
+
+def replace_files(data):
+    for resource_uuid, resource_data in data["resources"].items():
+        resource_name = resource_data["attributes"][RESOURCE_ATTR_NAME]
+        filepath = os.path.join(DIR, resource_name)
+        with open(f"{filepath}.tmp", "w") as tmp_file:
+            json.dump(resource_data, tmp_file, indent=4)
+            tmp_file.flush()
+            os.fsync(tmp_file.fileno())
+        # uid = pwd.getpwnam("perunrpc").pw_uid
+        # gid = grp.getgrnam("perunrpc").gr_gid
+        # os.chown(f"{filepath}.tmp", uid, gid)
+        os.replace(f"{filepath}.tmp", f"{filepath}.json")
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: python script.py <file_path>")
+        sys.exit(1)
+
+    # Load JSON from file
+    file_path = sys.argv[1]
+
+    with open(file_path, "r") as f:
+        data = json.load(f)
+
+    data = update_json(data)
+    remove_unmatched_files(data)
+    replace_files(data)
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -3,16 +3,24 @@
   assert:
     that:
       - ansible_version is defined
-      - ansible_version.full is version_compare('2.14.3', '>=')
-    msg: "Required version is 2.14.3, this is {{ ansible_version.full }}"
+      - ansible_version.full is version_compare('2.16.4', '>=')
+    msg: "Required version is 2.16.4, this is {{ ansible_version.full }}"
     quiet: true
   tags: always
 
 - name: "Collection community.general version check ({{ lookup('community.general.collection_version', 'community.general') }})"
   assert:
     that:
-      - lookup('community.general.collection_version', 'community.general') is version('6.4.0','>=')
-    msg: "Required version is 6.4.0, this is {{lookup('community.general.collection_version', 'community.general') }}"
+      - lookup('community.general.collection_version', 'community.general') is version('8.4.0','>=')
+    msg: "Required version is 8.4.0, this is {{lookup('community.general.collection_version', 'community.general') }}"
+    quiet: true
+  tags: always
+
+- name: "Collection community.docker version check ({{ lookup('community.general.collection_version', 'community.docker') }})"
+  assert:
+    that:
+      - lookup('community.general.collection_version', 'community.docker') is version('3.8.0','>=')
+    msg: "Required version is 3.8.0, this is {{lookup('community.general.collection_version', 'community.docker') }}"
     quiet: true
   tags: always
 
@@ -187,6 +195,16 @@
     - site_specific
     - site_specific_before
 
+- name: "setup of Perun-to-Perun synchronization"
+  when: perun_sync_enabled
+  include_tasks:
+    file: perun_sync.yml
+    apply:
+      tags:
+        - perun_sync
+  tags:
+    - perun_sync
+
 - name: "perun rpc setup"
   import_tasks: perun_rpc.yml
   tags:
diff --git a/tasks/perun_apache.yml b/tasks/perun_apache.yml
@@ -423,7 +423,9 @@
       - name: perun_net
     network_mode: perun_net
     etc_hosts: "{{ perun_containers_etc_hosts | combine( { 'perun-host': perun_net_info.network.IPAM.Config[0].Gateway }) }}"
-    container_default_behavior: no_defaults
+    image_name_mismatch: recreate
+    comparisons:
+      '*': strict
     ports:
       - 80:80
       - 443:443
diff --git a/tasks/perun_auditlogger.yml b/tasks/perun_auditlogger.yml
@@ -125,7 +125,9 @@
       - name: perun_net
     network_mode: perun_net
     etc_hosts: "{{ perun_containers_etc_hosts | combine( { 'perun-host': perun_net_info.network.IPAM.Config[0].Gateway }) }}"
-    container_default_behavior: no_defaults
+    image_name_mismatch: recreate
+    comparisons:
+      '*': strict
     state: "{{ 'started' if perun_auditlogger_enabled else 'absent' }}"
   register: perun_auditlogger_container
 
diff --git a/tasks/perun_engine.yml b/tasks/perun_engine.yml
@@ -329,7 +329,9 @@
       - name: perun_net
     network_mode: perun_net
     etc_hosts: "{{ perun_containers_etc_hosts | combine( { 'perun-host': perun_net_info.network.IPAM.Config[0].Gateway }) }}"
-    container_default_behavior: no_defaults
+    image_name_mismatch: recreate
+    comparisons:
+      '*': strict
     state: "{{ 'started' if perun_engine_enabled else 'absent' }}"
   register: perun_engine_container
 
diff --git a/tasks/perun_ldapc.yml b/tasks/perun_ldapc.yml
@@ -122,7 +122,9 @@
       - name: perun_net
     network_mode: perun_net
     etc_hosts: "{{ perun_containers_etc_hosts | combine( { 'perun-host': perun_net_info.network.IPAM.Config[0].Gateway }) }}"
-    container_default_behavior: no_defaults
+    image_name_mismatch: recreate
+    comparisons:
+      '*': strict
     state: "{{ 'started' if perun_ldapc_enabled else 'absent' }}"
   register: perun_ldapc_container
 
diff --git a/tasks/perun_rpc.yml b/tasks/perun_rpc.yml
@@ -237,6 +237,14 @@
   set_fact:
     rpc_mounts: "{{ rpc_mounts + perun_rpc_mounts_additional }}"
 
+- name: "add sync dirs to perun_rpc mounts"
+  when: perun_sync_enabled
+  loop: "{{ perun_sync_users }}"
+  loop_control:
+    label: "/home/{{ item.user }}"
+  set_fact:
+    rpc_mounts: "{{ rpc_mounts  + [ { 'type': 'bind', 'source': '/home/' + item.user, 'target': '/home/' + item.user } ] }}"
+
 - name: "get perun_net info"
   docker_network_info:
     name: perun_net
@@ -262,7 +270,9 @@
     memory: "{{ (ansible_memtotal_mb * 0.6)|int }}M"
     #memory_swap: "{{ (ansible_memtotal_mb * 0.6)|int }}M"
     #memory_swappiness: 0
-    container_default_behavior: no_defaults
+    image_name_mismatch: recreate
+    comparisons:
+      '*': strict
   register: perun_rpc_container
 
 - name: "remove old hostname"
diff --git a/tasks/perun_sync.yml b/tasks/perun_sync.yml
@@ -0,0 +1,69 @@
+- name: "install perun slave scripts for receiving from Peruns"
+  apt:
+    name:
+      - perun-slave-base
+      - perun-slave-process-generic-json-gen
+    state: present
+
+- name: "allow propagation to {{ perun_instance_hostname }}"
+  copy:
+    dest: /etc/perunv3.conf
+    content: |
+      DNS_ALIAS_WHITELIST=( {{ perun_instance_hostname }} )
+
+- name: "create /etc/perun/generic_json_gen.d/pre_10_set_script"
+  copy:
+    dest: /etc/perun/generic_json_gen.d/pre_10_set_script
+    content: |
+      #!/bin/bash
+      export DST_SCRIPT="/opt/perun/perun_sync.py"
+
+- name: "create /opt/perun/perun_sync.py"
+  copy:
+    dest: /opt/perun/perun_sync.py
+    src: perun_sync.py
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: "create groups for each source Perun"
+  loop: "{{ perun_sync_users }}"
+  group:
+    name: "{{ item.group }}"
+
+- name: "create users for each source Perun"
+  loop: "{{ perun_sync_users }}"
+  user:
+    name: "{{ item.user }}"
+    group: "{{ item.group }}"
+    comment: "{{ item.comment }}"
+    shell: /bin/bash
+    create_home: true
+
+- name: "add source Perun's engine ssh keys"
+  loop: "{{ perun_sync_users }}"
+  authorized_key:
+    exclusive: true
+    user: "{{ item.user }}"
+    key_options: 'from="{{ item.src_host }}",command="/opt/perun/bin/perun"'
+    key: "{{ lookup('ansible.builtin.file', item.ssh_key_file ) }}"
+
+- name: "allow UseDNS for sshd"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: 'UseDNS'
+    line: 'UseDNS yes'
+  register: sshd_config
+
+- name: "restart sshd"
+  when: sshd_config.changed
+  systemd:
+    name: sshd
+    state: reloaded
+
+- name: "add perunrpc to groups for sync"
+  loop: "{{ perun_sync_users }}"
+  user:
+    name: perunrpc
+    groups: "{{ item.group }}"
+    append: true
