Refactor user into forked_user and forked_group

Refactor the single `user` attribute into two separate attributes (one for user and one for group). This makes it more clear as to how you would specify a group for forked child processes. Also add loggging to alert the end user if they only specified a group and not a user. Unicorn does not support dropping group privileges only and requires that a user also be specified.
chef-boneyard · Mar 1, 2013 · baedc35 · baedc35
1 parent c376cf0
commit baedc35
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -28,7 +28,9 @@ an application running under unicorn.
   4.
 * `unicorn_command_line` - If set, specifies the unicorn commandline to set
   in the config file.  Usefull when sandboxing your unicorn installation.
-* `user` - User and optional group to run children as. Default is nil.
+* `forked_user` - User to run children as. Default is nil.
+* `forked_group` - Group to run children as. You *must* specify a `forked_user`
+  as well to use this attribute. Default is nil.
 * `before_exec` - Default is nil.
 * `before_fork` - Default is nil.
 * `after_fork` - Default is nil.

diff --git a/definitions/unicorn_config.rb b/definitions/unicorn_config.rb
@@ -25,7 +25,8 @@
     :preload_app          => false, 
     :worker_processes     => 4,
     :unicorn_command_line => nil, 
-    :user                 => nil, 
+    :forked_user          => nil, 
+    :forked_group         => nil, 
     :pid                  => nil,
     :before_exec          => nil,
     :before_fork          => nil, 
@@ -54,12 +55,7 @@
     end
     tvars[:listen][port] = oarray.join(", ")
   end
-
-  unless params[:user].nil?
-    params[:user] = [params[:user]] if params[:user].is_a? String
-    params[:user].map! {|x| '"' + x + '"'} 
-  end
-
+
   template params[:name] do
     source "unicorn.rb.erb"
     cookbook "unicorn"
@@ -70,5 +66,16 @@
     variables params
     notifies *params[:notifies] if params[:notifies]
   end
-
+
+  # If the user set a group for forked processes but not a user, warn them that
+  # we did not set the group. Unicorn does not allow you to drop privileges at
+  # the group level only.
+  ruby_block "warn-group-no-user" do
+    only_if { params[:forked_user].nil? and !params[:forked_group].nil? }
+    block do
+      Chef::Log.warn "Unable to set the Unicorn 'forked_group' because a "\
+        "forked_user' was not specified! Unicorn will be run as root! Please "\
+        "see the Unicorn documentation regarding `user` for proper usage."
+    end
+  end
 end
diff --git a/templates/default/unicorn.rb.erb b/templates/default/unicorn.rb.erb
@@ -25,9 +25,9 @@ worker_processes <%= @worker_processes %>
 Unicorn::HttpServer::START_CTX[0] = "<%= @unicorn_command_line %>"
 <%- end %>
 
-<%- if @user %>
+<%- if @forked_user %>
 # Run forked children as specified user/group
-user <%= @user.join(", ") %>
+user "<%= @forked_user %>"<%= ", \"#{@forked_group}\"" unless @forked_group.nil? %>
 <%- end %>
 
 <%- if @before_exec %>