Allow to run services with custom user

scollazo · Miguel Angel · commit 6929e1ab333f · 2020-08-28T18:44:51.000+02:00
In some envs, archivematica needs to run with an user different than
"archivematica"

This pr adds two configuration default to allow so:
  - archivematica_src_am_system_user
  - archivematica_src_am_system_group
  - archivematica_src_ss_system_user
  - archivematica_src_ss_system_group
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -16,6 +16,11 @@ archivematica_src_install_acceptance_tests: "no"
 archivematica_src_install_fixity: "no"
 archivematica_src_search_enabled: "yes"
 
+# System Users
+archivematica_src_am_system_user: "archivematica"
+archivematica_src_am_system_group: "archivematica"
+archivematica_src_ss_system_user: "archivematica"
+archivematica_src_ss_system_group: "archivematica"
 #Components to configure
 archivematica_src_configure_dashboard: "no"
 archivematica_src_configure_ss: "no"
@@ -52,7 +57,6 @@ archivematica_src_am_db_name: "MCP"              # Archivematica database name
 archivematica_src_am_db_user: "archivematica"    # Archivematica database user
 archivematica_src_am_db_password: "demo"         # Archivematica database password
 
-
 # Reset data options
 archivematica_src_reset_mcpdb: "false"           # Reset AM MCP database
 archivematica_src_reset_shareddir: "false"       # Reset AM shared directory
diff --git a/tasks/automation-tools.yml b/tasks/automation-tools.yml
@@ -26,8 +26,8 @@
   file:
     dest: "{{ item }}"
     state: "directory"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_am_system_user }}"
+    group: "{{ archivematica_src_am_system_user }}"
   with_items:
     - "/var/log/archivematica/automation-tools"
     - "/var/archivematica/automation-tools"
diff --git a/tasks/configure-gpg.yml b/tasks/configure-gpg.yml
@@ -119,8 +119,8 @@
     - name: "Create directories for GPG locations"
       file:
         path: "{{ item }}"
-        owner: "archivematica"
-        group: "archivematica"
+        owner: "{{ archivematica_src_ss_system_user }}"
+        group: "{{ archivematica_src_ss_system_group }}"
         mode: "0755"
         state: "directory"
       become: "yes"
diff --git a/tasks/fixity.yml b/tasks/fixity.yml
@@ -41,26 +41,25 @@
   file:
      path: "{{ archivematica_src_fixity_virtualenv }}"
      state: "directory"
-     owner: "archivematica"
-     group: "archivematica"
+     owner: "{{ archivematica_src_ss_system_user }}"
+     group: "{{ archivematica_src_ss_system_group }}"
      recurse: "yes"
 
 - name: "Create config file"
   template:
      src: "etc/sysconfig/fixity.j2"
      dest: "{{ systemd_environment_path }}/fixity"
      mode: 0640
-     owner: "archivematica"
-     group: "archivematica"
+     owner: "{{ archivematica_src_ss_system_user }}"
+     group: "{{ archivematica_src_ss_system_group }}"
 
 - name: "Create log dir"
   file:
      path: "/var/log/archivematica/fixity/"
      state: "directory"
      mode: 0750
-     owner: "archivematica"
-     group: "archivematica"
-
+     owner: "{{ archivematica_src_ss_system_user }}"
+     group: "{{ archivematica_src_ss_system_group }}"
 
 - name: "Create fixity script"
   template:
@@ -80,7 +79,7 @@
      hour: "3"
      day: "1"
      month: "*/3"
-     user: "archivematica"
+     user: "{{ archivematica_src_ss_system_user }}"
      cron_file: "fixity"
      state: "present"
 
@@ -90,5 +89,5 @@
      env: yes
      value: "/bin/bash"
      cron_file: "fixity"
-     user: "archivematica"
+     user: "{{ archivematica_src_ss_system_user }}"
      state: "present"
diff --git a/tasks/pipeline-instcode.yml b/tasks/pipeline-instcode.yml
@@ -44,16 +44,16 @@
   file:
     dest: "{{ archivematica_src_dir }}"
     state: "directory"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_am_system_user }}"
+    group: "{{ archivematica_src_am_system_group }}"
     recurse: "yes"
   with_items:
     - "{{ archivematica_src_dir }}/archivematica/src/dashboard/src/media"
     - "{{ archivematica_src_dir }}/archivematica/src/dashboard/frontend"
 
 - name: "Install front-end dependencies"
   become: "yes"
-  become_user: "archivematica"
+  become_user: "{{ archivematica_src_am_system_user }}"
   command: npm install
   args:
     chdir: "{{ item }}"
diff --git a/tasks/pipeline-osconf.yml b/tasks/pipeline-osconf.yml
@@ -44,8 +44,8 @@
   file:
     dest: "{{ archivematica_src_shareddir }}"
     state: "directory"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_am_system_user }}"
+    group: "{{ archivematica_src_am_system_group }}"
   when: "create_shareddir"
 
 # (this is required because some hardcoding of the shared dir remains in archivematica code)
@@ -77,8 +77,8 @@
   file:
     dest: "{{ item }}"
     state: "directory"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_am_system_user }}"
+    group: "{{ archivematica_src_am_system_group }}"
     mode: "g+s"
   with_items:
     - "{{ archivematica_src_dashboard_logdir }}"
@@ -90,7 +90,7 @@
   file:
     dest: "{{ item }}"
     state: "directory"
-    owner: "archivematica"
+    owner: "{{ archivematica_src_am_system_user }}"
     group: "syslog"
     mode: "g+w"
   with_items:
@@ -100,8 +100,8 @@
 - name: "Touch log files"
   file:
     path: "{{ item }}"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_am_system_user }}"
+    group: "{{ archivematica_src_am_system_group }}"
     state: "touch"
   with_items:
     - "{{ archivematica_src_dashboard_logdir }}/dashboard.log"
diff --git a/tasks/ss-db.yml b/tasks/ss-db.yml
@@ -38,8 +38,8 @@
 - name: "Fix DB permissions"
   file:
     dest: "{{ archivematica_src_ss_environment['SS_DB_NAME'] }}"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_ss_system_user }}"
+    group: "{{ archivematica_src_ss_system_group }}"
     mode: "u=rwX,g=rwX,o=rX"
   when: "archivematica_src_ss_environment['SS_DB_URL'] is not defined"
 
diff --git a/tasks/ss-main.yml b/tasks/ss-main.yml
@@ -133,8 +133,8 @@
   file:
     dest: "{{ item }}"
     state: "directory"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_ss_system_user }}"
+    group: "{{ archivematica_src_ss_system_group }}"
   with_items:
     - "/var/archivematica/storage-service"
   tags: "amsrc-ss-osconf"
@@ -151,17 +151,17 @@
   file:
     dest: "{{ archivematica_src_ss_logdir }}"
     state: "directory"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_ss_system_user }}"
+    group: "{{ archivematica_src_ss_system_group }}"
     mode: "g+s"
   tags: "amsrc-ss-osconf"
   when: "archivematica_src_logging_backward_compatible|bool"
 
 - name: "Touch SS log files"
   file:
     path: "{{ archivematica_src_ss_logdir }}/{{ item }}"
-    owner: "archivematica"
-    group: "archivematica"
+    owner: "{{ archivematica_src_ss_system_user }}"
+    group: "{{ archivematica_src_ss_system_group }}"
     state: "touch"
   with_items:
     - "storage_service.log"
diff --git a/templates/etc/systemd/system/archivematica-dashboard.service.j2 b/templates/etc/systemd/system/archivematica-dashboard.service.j2
@@ -8,8 +8,8 @@ StartLimitBurst=5
 
 [Service]
 PIDFile=/run/archivematica-dashboard_gunicorn.pid
-User=archivematica
-Group=archivematica
+User={{ archivematica_src_am_system_user }}
+Group={{ archivematica_src_am_system_group }}
 EnvironmentFile=-{{ systemd_environment_path }}/archivematica-dashboard
 {% if archivematica_src_syslog_enabled|bool %}
 StandardOutput=syslog
diff --git a/templates/etc/systemd/system/archivematica-mcp-client.service.j2 b/templates/etc/systemd/system/archivematica-mcp-client.service.j2
@@ -6,8 +6,8 @@ After=syslog.target network.target
 
 [Service]
 Type=simple
-User=archivematica
-Group=archivematica
+User={{ archivematica_src_am_system_user }}
+Group={{ archivematica_src_am_system_group }}
 EnvironmentFile=-{{ systemd_environment_path }}/archivematica-mcp-client
 {% if archivematica_src_syslog_enabled|bool %}
 StandardOutput=syslog
diff --git a/templates/etc/systemd/system/archivematica-mcp-server.service.j2 b/templates/etc/systemd/system/archivematica-mcp-server.service.j2
@@ -6,8 +6,8 @@ After=syslog.target network.target mysql.service
 
 [Service]
 Type=simple
-User=archivematica
-Group=archivematica
+User={{ archivematica_src_am_system_user }}
+Group={{ archivematica_src_am_system_group }}
 EnvironmentFile=-{{ systemd_environment_path }}/archivematica-mcp-server
 {% if archivematica_src_syslog_enabled|bool %}
 StandardOutput=syslog
diff --git a/templates/etc/systemd/system/archivematica-storage-service.service.j2 b/templates/etc/systemd/system/archivematica-storage-service.service.j2
@@ -6,8 +6,8 @@ After=network.target
 
 [Service]
 PIDFile=/run/archivematica-storage-service_gunicorn.pid
-User=archivematica
-Group=archivematica
+User={{ archivematica_src_ss_system_user }}
+Group={{ archivematica_src_ss_system_group }}
 EnvironmentFile=-{{ systemd_environment_path }}/archivematica-storage-service
 {% if archivematica_src_syslog_enabled|bool %}
 StandardOutput=syslog
diff --git a/templates/etc/systemd/system/fits-nailgun.service.j2 b/templates/etc/systemd/system/fits-nailgun.service.j2
@@ -5,7 +5,7 @@ Description=FITS Nailgun server
 After=syslog.target network.target
 
 [Service]
-User=archivematica
+User={{ archivematica_src_am_system_user }}
 ExecStart=/usr/bin/fits-ngserver.sh /usr/share/maven-repo/com/martiansoftware/nailgun-server/debian/nailgun-server-debian.jar
 Restart=always
 RestartSec=3
