Merge pull request #35211 from cachedout/issue_31074

Alternative sudo users for salt-ssh
2025-04-17 10:10:20 +00:00 · 2016-08-08 09:40:55 -06:00 · 2016-08-08 09:40:55 -06:00 · f8158124d5
commit f8158124d5
parent 3e4eb13daa 6f53232e6d
5 changed files with 28 additions and 6 deletions
--- a/doc/topics/ssh/roster.rst
+++ b/doc/topics/ssh/roster.rst
@ -42,6 +42,10 @@ The information which can be stored in a roster ``target`` is the following:
        # Optional parameters
        port:        # The target system's ssh port number
        sudo:        # Boolean to run command via sudo
+        sudo_user:   # Str: Set this to execute Salt as a sudo user other than root.
+                     # This user must be in the same system group as the remote user
+                     # that is used to login and is specified above. Alternatively,
+                     # the user must be a super-user.
        tty:         # Boolean: Set this option to True if sudo is also set to
                     # True and requiretty is also set on the target system
        priv:        # File path to ssh private key, defaults to salt-ssh.rsa
--- a/salt/client/ssh/init.py
+++ b/salt/client/ssh/init.py
@ -126,6 +126,9 @@ SUDO=""
 if [ -n "{{SUDO}}" ]
 then SUDO="sudo "
 fi
+if [ "$SUDO" ]
+then SUDO="sudo -u {{SUDO_USER}}"
+fi
 EX_PYTHON_INVALID={EX_THIN_PYTHON_INVALID}
 PYTHON_CMDS="python27 python2.7 python26 python2.6 python2 python"
 for py_cmd in $PYTHON_CMDS
@ -229,6 +232,10 @@ class SSH(object):
                'ssh_sudo',
                salt.config.DEFAULT_MASTER_OPTS['ssh_sudo']
            ),
+            'sudo_user': self.opts.get(
+                'ssh_sudo_user',
+                salt.config.DEFAULT_MASTER_OPTS['ssh_sudo_user']
+            ),
            'identities_only': self.opts.get(
                'ssh_identities_only',
                salt.config.DEFAULT_MASTER_OPTS['ssh_identities_only']
@ -609,6 +616,7 @@ class Single(object):
            mine=False,
            minion_opts=None,
            identities_only=False,
+            sudo_user=None,
            **kwargs):
        # Get mine setting and mine_functions if defined in kwargs (from roster)
        self.mine = mine
@ -656,7 +664,8 @@ class Single(object):
                'sudo': sudo,
                'tty': tty,
                'mods': self.mods,
-                'identities_only': identities_only}
+                'identities_only': identities_only,
+                'sudo_user': sudo_user}
        self.minion_opts = opts.get('ssh_minion_opts', {})
        if minion_opts is not None:
            self.minion_opts.update(minion_opts)
@ -889,6 +898,7 @@ class Single(object):
        Prepare the command string
        '''
        sudo = 'sudo' if self.target['sudo'] else ''
+        sudo_user = self.target['sudo_user']
        if '_caller_cachedir' in self.opts:
            cachedir = self.opts['_caller_cachedir']
        else:
@ -927,10 +937,10 @@ ARGS = {10}\n'''.format(self.minion_config,
                         self.argv)
        py_code = SSH_PY_SHIM.replace('#%%OPTS', arg_str)
        py_code_enc = py_code.encode('base64')
-
        cmd = SSH_SH_SHIM.format(
            DEBUG=debug,
            SUDO=sudo,
+            SUDO_USER=sudo_user,
            SSH_PY_CODE=py_code_enc,
            HOST_PY_MAJOR=sys.version_info[0],
        )
--- a/salt/client/ssh/shell.py
+++ b/salt/client/ssh/shell.py
@ -58,7 +58,8 @@ class Shell(object):
            sudo=False,
            tty=False,
            mods=None,
-            identities_only=False):
+            identities_only=False,
+            sudo_user=None):
        self.opts = opts
        self.host = host
        self.user = user
--- a/salt/client/ssh/ssh_py_shim.py
+++ b/salt/client/ssh/ssh_py_shim.py
@ -65,9 +65,14 @@ def need_deployment():
    # If SUDOing then also give the super user group write permissions
    sudo_gid = os.environ.get('SUDO_GID')
    if sudo_gid:
-        os.chown(OPTIONS.saltdir, -1, int(sudo_gid))
-        stt = os.stat(OPTIONS.saltdir)
-        os.chmod(OPTIONS.saltdir, stt.st_mode | stat.S_IWGRP | stat.S_IRGRP | stat.S_IXGRP)
+        try:
+            os.chown(OPTIONS.saltdir, -1, int(sudo_gid))
+            stt = os.stat(OPTIONS.saltdir)
+            os.chmod(OPTIONS.saltdir, stt.st_mode | stat.S_IWGRP | stat.S_IRGRP | stat.S_IXGRP)
+        except OSError:
+            sys.stdout.write('\n\nUnable to set permissions on thin directory.\nIf sudo_user is set '
+                    'and is not root, be certain the user is in the same group\nas the login user')
+            sys.exit(1)

    # Delimiter emitted on stdout *only* to indicate shim message to master.
    sys.stdout.write("{0}\ndeploy\n".format(OPTIONS.delimiter))
--- a/salt/config.py
+++ b/salt/config.py
@ -705,6 +705,7 @@ VALID_OPTS = {
    'ssh_passwd': str,
    'ssh_port': str,
    'ssh_sudo': bool,
+    'ssh_sudo_user': str,
    'ssh_timeout': float,
    'ssh_user': str,
    'ssh_scan_ports': str,
@ -1200,6 +1201,7 @@ DEFAULT_MASTER_OPTS = {
    'ssh_passwd': '',
    'ssh_port': '22',
    'ssh_sudo': False,
+    'ssh_sudo_user': '',
    'ssh_timeout': 60,
    'ssh_user': 'root',
    'ssh_scan_ports': '22',