From 04aa6ea81be34dee8e99cde0c148fd7dac23e2e2 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 12 Aug 2022 12:01:42 -0700
Subject: [PATCH 1/4] Use primary GID from Gafaelfawr
If Gafaelfawr provides a primary GID, use it. Otherwise, fall back on using the UID as the GID, matching the previous behavior.
---
 src/nublado2/hooks.py | 12 +++++++++---
 tests/auth_test.py | 2 ++
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/nublado2/hooks.py b/src/nublado2/hooks.py
index 3e2c109..b36708d 100644
--- a/src/nublado2/hooks.py
+++ b/src/nublado2/hooks.py
@@ -25,10 +25,16 @@ async def pre_spawn(self, spawner: Spawner) -> None:
 auth_state = await spawner.user.get_auth_state()
- # We now always spawn as the target user; there is no way
- # to do "provisionator" anymore
+ # Gafaelfawr 5.1.0 and later will fill out the user's primary GID for
+ # GitHub and correctly-configured LDAP environments, but some
+ # configurations don't generate a GID and older versions do not. In
+ # those cases, fall back on assuming a user private group with the
+ # same GID as the user's UID, which was the previous behavior.
 spawner.uid = auth_state["uid"]
- spawner.gid = auth_state["uid"]
+ if "gid" in auth_state:
+ spawner.gid = auth_state["gid"]
+ else:
+ spawner.gid = spawner.uid
 spawner.supplemental_gids = [g["id"] for g in auth_state["groups"]]
 # Since we will create a serviceaccount in the user resources,
 # make the pod use that. This will also automount the token,
diff --git a/tests/auth_test.py b/tests/auth_test.py
index 8e83245..0e4dd93 100644
--- a/tests/auth_test.py
+++ b/tests/auth_test.py
@@ -95,6 +95,7 @@ async def test_login_handler(config_mock: MagicMock) -> None:
 {
 "username": "bar",
 "uid": 4510,
+ "gid": 1761,
 "groups": [
 {"name": "group-one", "id": 1726},
 {"name": "another", "id": 6789},
@@ -107,6 +108,7 @@ async def test_login_handler(config_mock: MagicMock) -> None:
 "auth_state": {
 "username": "bar",
 "uid": 4510,
+ "gid": 1761,
 "token": "user-token",
 "groups": [
 {"name": "group-one", "id": 1726},
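Review bot: The `if "gid" in auth_state:` test in the pre_spawn hunk of src/nublado2/hooks.py checks only that the key exists, so an auth state carrying `"gid": None` would set `spawner.gid` to None instead of taking the UID fallback that the new comment describes. Whether the authenticator can store a null GID is not visible here, so treat this as a point to confirm; reading the value once covers both cases: `gid = auth_state.get("gid")` followed by `spawner.gid = gid if gid is not None else spawner.uid`. Because this value decides the group the user's pod runs as, it may also be worth rejecting a non-integer or zero GID at this point rather than passing it through unchecked. The tests/auth_test.py hunks add only the GID-present case, so a case without `gid` would be needed to pin the fallback. pre_spawn starts and continues outside the hunk.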
From 997d209f64fb75c3cd20ed480c4e01c9c07cb30a Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 16 Aug 2022 07:38:51 -0700
Subject: [PATCH 2/4] Remove primary GID from supplemental GIDs
No need to add the primary GID in both places, and NFS imposes a limit on the number of supplemental groups.
---
 src/nublado2/hooks.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/nublado2/hooks.py b/src/nublado2/hooks.py
index b36708d..98bdb2e 100644
--- a/src/nublado2/hooks.py
+++ b/src/nublado2/hooks.py
@@ -35,7 +35,9 @@ async def pre_spawn(self, spawner: Spawner) -> None:
 spawner.gid = auth_state["gid"]
 else:
 spawner.gid = spawner.uid
- spawner.supplemental_gids = [g["id"] for g in auth_state["groups"]]
+ spawner.supplemental_gids = [
+ g["id"] for g in auth_state["groups"] if g["id"] != spawner.gid
+ ]
 # Since we will create a serviceaccount in the user resources,
 # make the pod use that. This will also automount the token,
From 71930266d6c778f1899bcc8b1a8906bcaba2522e Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 16 Aug 2022 07:53:34 -0700
Subject: [PATCH 3/4] Remove reference to CHANGELOG.rst
We don't maintain a changelog for this package.
---
 setup.cfg | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup.cfg b/setup.cfg
index 6268fd1..05ab438 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -3,11 +3,10 @@ name = nublado2
 description = Nublado v2.
 author = Association of Universities for Research in Astronomy, Inc. (AURA)
 author_email = sqre-admin@lists.lsst.org
-long_description = file: README.rst, CHANGELOG.rst, LICENSE
+long_description = file: README.rst, LICENSE
 long_description_content_type = text/x-rst
 url = https://github.com/lsst-sqre/nublado2
 project_urls =
- Change log = https://github.com/lsst-sqre/nublado2/master/blob/CHANGELOG.rst
 Source code = https://github.com/lsst-sqre/nublado2
 Issue tracker = https://github.com/lsst-sqre/nublado2/issues
 classifiers =
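Review bot: The reason for the `if g["id"] != spawner.gid` filter in the second pre_spawn hunk of src/nublado2/hooks.py is recorded only in the commit message; a comment above the comprehension, such as `# Leave the primary GID out of the supplemental list: NFS limits the number of supplemental groups.`, would keep a later cleanup from removing it. The filter removes at most one entry, so a user whose remaining groups still exceed the NFS limit is not handled here; if that can happen, the list needs an explicit cap or a logged warning. No test accompanies the change, and the fixture added in tests/auth_test.py uses a GID (1761) that matches neither visible group id, so the filter appears to be unexercised. pre_spawn starts and continues outside the hunk.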
@@ -17,6 +16,7 @@ classifiers =
 Programming Language :: Python :: 3
 Programming Language :: Python :: 3.8
 Programming Language :: Python :: 3.9
+ Programming Language :: Python :: 3.10
 Natural Language :: English
 Operating System :: POSIX
 keywords =
From bf87257234b2defadb321717b720b8436909f0dd Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 16 Aug 2022 07:58:17 -0700
Subject: [PATCH 4/4] Add a LICENSE file
It's referenced in setup.cfg and it's our normal practice, so may as well.
---
 LICENSE | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..e33ee19
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020-2022 Association of Universities for Research in Astronomy, Inc. (AURA)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.