Let ganeti-rapi run under a different user/group

Signed-off-by: René Nussbaumer <rn@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>

Makefile.am

@@ -514,6 +514,9 @@ lib/_autoconf.py: Makefile stamp-directories
 	  echo "PKGLIBDIR = '$(pkglibdir)'"; \
 	  echo "DRBD_BARRIERS = $(DRBD_BARRIERS)"; \
 	  echo "SYSLOG_USAGE = '$(SYSLOG_USAGE)'"; \
+	  echo "DAEMONS_GROUP = '$(DAEMONS_GROUP)'"; \
+	  echo "MASTERD_USER = '$(MASTERD_USER)'"; \
+	  echo "RAPI_USER = '$(RAPI_USER)'"; \
 	} > $@
 
 $(REPLACE_VARS_SED): Makefile

daemons/ganeti-rapi

@@ -214,21 +214,23 @@ def CheckRapi(options, args):
 
   ssconf.CheckMaster(options.debug)
 
+  # Read SSL certificate (this is a little hackish to read the cert as root)
+  if options.ssl:
+    options.ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
+                                            ssl_cert_path=options.ssl_cert)
+  else:
+    options.ssl_params = None
+
 
 def ExecRapi(options, _):
   """Main remote API function, executed with the PID file held.
 
   """
-  # Read SSL certificate
-  if options.ssl:
-    ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
-                                    ssl_cert_path=options.ssl_cert)
-  else:
-    ssl_params = None
 
   mainloop = daemon.Mainloop()
   server = RemoteApiHttpServer(mainloop, options.bind_address, options.port,
-                               ssl_params=ssl_params, ssl_verify_peer=False,
+                               ssl_params=options.ssl_params,
+                               ssl_verify_peer=False,
                                request_executor_class=JsonErrorRequestExecutor)
   # pylint: disable-msg=E1101
   # it seems pylint doesn't see the second parent class there
@@ -251,7 +253,8 @@ def main():
   dirs.append((constants.LOG_OS_DIR, 0750))
   daemon.GenericMain(constants.RAPI, parser, dirs, CheckRapi, ExecRapi,
                      default_ssl_cert=constants.RAPI_CERT_FILE,
-                     default_ssl_key=constants.RAPI_CERT_FILE)
+                     default_ssl_key=constants.RAPI_CERT_FILE,
+                     user=constants.RAPI_USER, group=constants.DAEMONS_GROUP)
 
 
 if __name__ == "__main__":

lib/constants.py

@@ -82,16 +82,21 @@ CONFIG_MINOR = int(_autoconf.VERSION_MINOR)
 CONFIG_REVISION = 0
 CONFIG_VERSION = BuildVersion(CONFIG_MAJOR, CONFIG_MINOR, CONFIG_REVISION)
 
+# user separation
+DAEMONS_GROUP = _autoconf.DAEMONS_GROUP
+MASTERD_USER = _autoconf.MASTERD_USER
+RAPI_USER = _autoconf.RAPI_USER
+
 # file paths
 DATA_DIR = _autoconf.LOCALSTATEDIR + "/lib/ganeti"
 RUN_DIR = _autoconf.LOCALSTATEDIR + "/run"
 RUN_GANETI_DIR = RUN_DIR + "/ganeti"
 BDEV_CACHE_DIR = RUN_GANETI_DIR + "/bdev-cache"
 DISK_LINKS_DIR = RUN_GANETI_DIR + "/instance-disks"
-RUN_DIRS_MODE = 0755
+RUN_DIRS_MODE = 0775
 SOCKET_DIR = RUN_GANETI_DIR + "/socket"
 SECURE_DIR_MODE = 0700
-SOCKET_DIR_MODE = SECURE_DIR_MODE
+SOCKET_DIR_MODE = 0750
 CRYPTO_KEYS_DIR = RUN_GANETI_DIR + "/crypto"
 CRYPTO_KEYS_DIR_MODE = SECURE_DIR_MODE
 IMPORT_EXPORT_DIR = RUN_GANETI_DIR + "/import-export"