Fix Main impersonation and other protected stuff

galaxyproject · Aug 8, 2017 · 2d2db24 · 2d2db24
1 parent 4d11e2d
commit 2d2db24
Show file tree

Hide file tree

Showing 8 changed files with 177 additions and 31 deletions.
diff --git a/env/common/stack.yml b/env/common/stack.yml
@@ -40,6 +40,8 @@
   remote_user: root
   roles:
     - galaxyproject.nginx
+    - paths   # for tacc_protected in test env
+    - copy    # for tacc_protected in test env
   tags: nginx
 
 - name: Install and manage ProFTPD

diff --git a/env/main/_inc_config_post_tasks.yml b/env/main/_inc_config_post_tasks.yml
@@ -1,11 +1,11 @@
 ---
 
-# create data manager config
+# create impersonate config
 - name: Set galaxy_config to impersonate_config_hash
   set_fact:
     galaxy_config: "{{ impersonate_config_hash }}"
 
-- name: Create Galaxy data manager configuration file
+- name: Create Galaxy impersonation configuration file
   template:
     src: templates/galaxy/config/galaxy.ini.j2
     dest: "{{ galaxy_config_dir }}/impersonate.ini"

diff --git a/env/main/group_vars/galaxyservers/vars.yml b/env/main/group_vars/galaxyservers/vars.yml
@@ -222,11 +222,7 @@ galaxy_config_hash:
     new_file_path: /galaxy-repl/main/scratch2
 
 impersonate_config_hash:
-  "server:main_w1_impersonate":
-    threadpool_workers: 5
-    host: 0.0.0.0
-    port: 9480
-  "server:main_w2_impersonate":
+  "server:galaxy_impersonate":
     threadpool_workers: 5
     host: 0.0.0.0
     port: 9480

diff --git a/env/test/files/nginx/tacc-protected/index.html b/env/test/files/nginx/tacc-protected/index.html
@@ -0,0 +1,86 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+    <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet"/>
+    <style>
+        div {margin-top:0.5em;}
+        hr {color:#2c3143;}
+        p {
+            margin-left:20px;
+            margin-right:20px;
+        }
+        .white {
+            color:white;
+            font-family: verdana;
+            font-weight: bold;
+            font-size: 20px;
+            margin-top: 10px;
+        }
+        /* Side notes for calling out things
+        -------------------------------------------------- */
+
+        /* Base styles (regardless of theme) */
+        .bs-callout {
+          margin: 20px 0;
+          padding: 15px 30px 15px 15px;
+          border-left: 5px solid #eee;
+        }
+        .bs-callout h4 {
+          margin-top: 0;
+        }
+        .bs-callout p:last-child {
+          margin-bottom: 0;
+        }
+        .bs-callout code,
+        .bs-callout .highlight {
+          background-color: #fff;
+        }
+
+        /* Themes for different contexts */
+        .bs-callout-danger {
+          background-color: #fcf2f2;
+          border-color: #dFb5b4;
+        }
+        .bs-callout-warning {
+          background-color: #fefbed;
+          border-color: #f1e7bc;
+        }
+        .bs-callout-info {
+          background-color: #f0f7fd;
+          border-color: #d0e3f0;
+        }
+    </style>
+    <title>Galaxy Protected Services</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
+    <meta http-equiv="Pragma" content="no-cache" />
+    <meta http-equiv="Expires" content="0" />
+</head>
+<body>
+    <div style="margin:auto; width: 80%;">
+        <div style="background-color: #2c3143; height: 35px;">
+            <p class="white">Galaxy Protected Services</p>
+
+        </div>
+        <div>
+            <ul>
+                <li><a href="/main/reports">Main Reports</a></li>
+                <li><a href="/main/impersonate">Main User Impersonation</a></li>
+                <li><a href="/test/reports">Test Reports</a></li>
+                <li><a href="/galaxy-web-03/supervisor">galaxy-web-03 (Main) supervisor</a></li>
+                <li><a href="/galaxy-web-04/supervisor">galaxy-web-04 (Main) supervisor</a></li>
+                <li><a href="/galaxy-web-05/supervisor">galaxy-web-05 (Main) supervisor</a></li>
+                <li><a href="/galaxy-web-06/supervisor">galaxy-web-06 (Main) supervisor</a></li>
+                <li><a href="/galaxy07/supervisor">galaxy07 (Test) supervisor</a></li>
+            </ul>
+        </div>
+    </div>
+</body>
+</html>
+
+
+</body>
+
+
+</html>
+
diff --git a/env/test/group_vars/webservers/vars.yml b/env/test/group_vars/webservers/vars.yml
@@ -16,10 +16,38 @@ nginx_conf_http:
   proxy_read_timeout: 600
   uwsgi_read_timeout: 300
 
+# used below and in the pam conf template
+nginx_users_allow_path: /etc/nginx/users.allow
+
 nginx_configs:
   - galaxy_test
   - tacc_protected
 
+# might be better to make a usegalaxy_protected role?
+directories:
+  - path: /srv/nginx/tacc-protected.galaxyproject.org/root
+    mode: "0755"
+
+group_files:
+  - content: |
+      ##
+      ## This file is maintained by Ansible - CHANGES WILL BE OVERWRITTEN
+      #$
+      {% for name in vault_tacc_protected_users %}
+      {{ name }}
+      {% endfor %}
+    dest: "{{ nginx_users_allow_path }}"
+    mode: "0444"
+    backup: yes
+  - src: files/nginx/tacc-protected/index.html
+    dest: "/srv/nginx/tacc-protected.galaxyproject.org/root/index.html"
+    mode: "0444"
+
+group_templates:
+  - src: templates/nginx/nginx_galaxy.pam.j2
+    dest: /etc/pam.d/nginx_galaxy
+    mode: "0444"
+
 ## used by: the tacc_protected template
 supervisord_http_auth: "{{ vault_supervisord_http_auth }}"
 

diff --git a/env/test/group_vars/webservers/vault.yml b/env/test/group_vars/webservers/vault.yml
@@ -1,20 +1,36 @@
 $ANSIBLE_VAULT;1.1;AES256
-65303939333862393264373336383032653830396232373836353766393864343465313638353662
-6264383966663364343633646366653566636366346233310a613531623564303635306233356338
-65616264326265313162613037653933363865633338656563376265386365636334333734343335
-3066346131383533350a333666356236386333613263373764636264336165313566346139323330
-32386531653531373461323738373566666239363730303332336237356465643133363966623534
-62616162356132313063376130363936333361376430343437623361376634316166313234306462
-35633639353530353134376432396433373537303566663430626633363762633365373438646635
-61633432386362313735656132383262333664623163626537383234626538346635306262383134
-65356130383266373761386431376366636531373732663835636135663733306465326537656530
-62393237343465663630376232336461613161616465376366303031633533636434303665306134
-38613132336633313965623236323063333532316239663062353738303636613864316463363530
-34643066313263626531303962656137633961383838313136626239343966363765366637356362
-36376536353363303033386464356464373863613765633365303034616162313461653666303963
-62373566303064353731636230623566613439313162623735356432653732623265386364366431
-64623536626664376564653161656234333135363166633236336662386164313762623832316436
-63386537663434636664643131643262333731376631616535313161636165316236666634343239
-39396665356666656434363034353436386262396335646332393336333632313661666230663737
-33393335653563383930386439656263613935303935306135323932383062383661303738353362
-616330636363643230623563376563363233
+61333263343937646565626266366235643633333663623232663934393030363962313237393130
+3433313162313161323865363366663963356233656661320a396163646464633139663039306462
+35313861623630363662386337653132353862353063626236663134393938623732396539373161
+3933383230623338340a366136666165366137363935343035386433373336646564306632636133
+30656331376436393765626330343562323864653738633064613931373833626630666662653238
+66633262646635386434353931306234316565386562326465636637633530343636323737306430
+35613836386231316265336465343734613563643831653139343135366431306136613531656334
+63356231373635363561336466383463383237666235303365633263336463376363616335393662
+36636637386138663430353364343838666335653965396330366234633665396637616231373764
+63303861643965313836323936613338326663323365376533303932353762663763353463373238
+35663834373061396265643436666162363933373366366438623638323236643732613839616631
+37383062643264353937326538663232663137333063663534333530313761396437366165653139
+62323031356363373964343137346366653164383036393762336436343731623763356533636166
+32343262613732306135613939333131313033323562373764616264346565373661356130663964
+37613933636362613130643030396339656139383636626534376366623963643161376466653930
+30353730646235613364303538316436353466393464613162356666393730306165633534323264
+36346336343831346330333766646434356662666361366537343234636333633064643365306665
+36326362346537353564383361313631653235636532366633643139383739613132383662373464
+32646332333265343839363831316364346336316131333030623639373830613665396633663035
+62666631356139653764663237643565303834623462656163356333643433366535623164303663
+63323266623430363734326438363066366639626561623630323532376566316138623930353138
+34353136616136366663373135663035643365633630326664306465303861323937343466633333
+63326131623263373033363133616436663435663261346466373064343235626135343430333435
+33633030373063363166613861373132346161363030616438386662613137376361336265653530
+37376465333563656639353164646238353037613563346634313035343737616439376333373138
+63323430663935356432643337363861346533623663363331373838393665396163613361323262
+65323763323533623964643338323261303265343932393133623532306133613230313364333461
+31626663363237383031656635366531616136343534333665633262623463303361333933366539
+35343065663737623066373562396661383466653235373762373336666430383438353463653264
+61613166383964363461303866646564633135333766346666356562633266356361313164313435
+31376266636639346234393363306632316532666164623332656637326335636338333234643061
+63623436623337383835613234326432343438646636306365393936646265316238623432666662
+64363566346664333130666463616466306132643363313061386339616233396339333233613737
+35633839623464336438393138643336646435616434316565366438656661373032306539383732
+383830363737353134336233643133633464
diff --git a/env/test/templates/nginx/nginx_galaxy.pam.j2 b/env/test/templates/nginx/nginx_galaxy.pam.j2
@@ -0,0 +1,18 @@
+#%PAM-1.0
+##
+## This file is maintained by Ansible - CHANGES WILL BE OVERWRITTEN
+##
+
+## pam stack for nginx's auth_pam
+auth       required     pam_sepermit.so
+auth       substack     password-auth
+
+# only allow users in /etc/users.allow to login
+account    required     pam_listfile.so item=user sense=allow file={{ nginx_users_allow_path }} onerr=fail
+account    required     pam_nologin.so
+# Could use /etc/security/access.conf if the nginx user could read it
+#account    required     pam_access.so
+account    include      password-auth
+
+session    required     pam_loginuid.so
+session    include      password-auth
diff --git a/env/test/templates/nginx/tacc_protected.j2 b/env/test/templates/nginx/tacc_protected.j2
@@ -3,17 +3,17 @@
 ##
 
 upstream impersonate_main {
-    server galaxy-web-01.tacc.utexas.edu:9480;
-    server galaxy-web-02.tacc.utexas.edu:9480;
+    server galaxy-web-05.tacc.utexas.edu:9480;
+    server galaxy-web-06.tacc.utexas.edu:9480;
 }
 
 upstream reports_main {
-    server galaxy-web-01.tacc.utexas.edu:18001;
-    server galaxy-web-02.tacc.utexas.edu:18001;
+    server galaxy-web-05.tacc.utexas.edu:18001;
+    server galaxy-web-06.tacc.utexas.edu:18001;
 }
 
 upstream reports_test {
-    server galaxy01.tacc.utexas.edu:18001;
+    server galaxy07.tacc.utexas.edu:18001;
 }
 
 server {