Browse code
Add partially backwards compatible version of _fixup_perms. (#17427)
Also added a deprecation notice for _fixup_perms.
Resolves issue #17352 (assumes custom actions use recursive=False).
(cherry picked from commit 94a0d2afb4b7b74bbefd5ab57d459f0e74b060a2)
Matt Clay authored on 2016/09/07 08:49:59Showing 10 changed files
- CHANGELOG.md
- lib/ansible/plugins/action/__init__.py
- lib/ansible/plugins/action/assemble.py
- lib/ansible/plugins/action/async.py
- lib/ansible/plugins/action/copy.py
- lib/ansible/plugins/action/patch.py
- lib/ansible/plugins/action/script.py
- lib/ansible/plugins/action/template.py
- lib/ansible/plugins/action/unarchive.py
- test/units/plugins/action/test_action.py
| ... | ... |
@@ -7,6 +7,19 @@ Ansible Changes By Release |
| 7 | 7 |
* Fix a bug with async's poll keyword not making use of ansible_python_interpreter to run (and thus breaking when /usr/bin/python is not present on the remote machine.) |
| 8 | 8 |
* Fix a bug where hosts that started with a range in inventory were being treated as an invalid section header. |
| 9 | 9 |
* Fix a bug where the fetch module was not idempotent when retrieving the target of a symlink. |
| 10 |
+ |
|
| 11 |
+###Deprecations: |
|
| 12 |
+ |
|
| 13 |
+* Deprecated the use of `_fixup_perms`. Use `_fixup_perms2` instead. |
|
| 14 |
+ This change only impacts custom action plugins using `_fixup_perms`. |
|
| 15 |
+ |
|
| 16 |
+###Incompatible Changes: |
|
| 17 |
+ |
|
| 18 |
+* Use of `_fixup_perms` with `recursive=True` (the default) is no longer supported. |
|
| 19 |
+ Custom action plugins using `_fixup_perms` will require changes unless they already use `recursive=False`. |
|
| 20 |
+ Use `_fixup_perms2` if support for previous releases is not required. |
|
| 21 |
+ Otherwise use `_fixup_perms` with `recursive=False`. |
|
| 22 |
+ |
|
| 10 | 23 |
## 2.1.1 "The Song Remains the Same" - 07-28-2016 |
| 11 | 24 |
|
| 12 | 25 |
###Minor Changes: |
| ... | ... |
@@ -293,7 +293,29 @@ class ActionBase(with_metaclass(ABCMeta, object)): |
| 293 | 293 |
|
| 294 | 294 |
return remote_path |
| 295 | 295 |
|
| 296 |
- def _fixup_perms(self, remote_paths, remote_user, execute=True): |
|
| 296 |
+ def _fixup_perms(self, remote_path, remote_user, execute=True, recursive=True): |
|
| 297 |
+ """ |
|
| 298 |
+ We need the files we upload to be readable (and sometimes executable) |
|
| 299 |
+ by the user being sudo'd to but we want to limit other people's access |
|
| 300 |
+ (because the files could contain passwords or other private |
|
| 301 |
+ information. |
|
| 302 |
+ |
|
| 303 |
+ Deprecated in favor of _fixup_perms2. Ansible code has been updated to |
|
| 304 |
+ use _fixup_perms2. This code is maintained to provide partial support |
|
| 305 |
+ for custom actions (non-recursive mode only). |
|
| 306 |
+ |
|
| 307 |
+ """ |
|
| 308 |
+ |
|
| 309 |
+ display.deprecated('_fixup_perms is deprecated. Use _fixup_perms2 instead.', version='2.4', removed=False)
|
|
| 310 |
+ |
|
| 311 |
+ if recursive: |
|
| 312 |
+ raise AnsibleError('_fixup_perms with recursive=True (the default) is no longer supported. ' +
|
|
| 313 |
+ 'Use _fixup_perms2 if support for previous releases is not required. ' |
|
| 314 |
+ 'Otherwise use fixup_perms with recursive=False.') |
|
| 315 |
+ |
|
| 316 |
+ return self._fixup_perms2([remote_path], remote_user, execute) |
|
| 317 |
+ |
|
| 318 |
+ def _fixup_perms2(self, remote_paths, remote_user, execute=True): |
|
| 297 | 319 |
""" |
| 298 | 320 |
We need the files we upload to be readable (and sometimes executable) |
| 299 | 321 |
by the user being sudo'd to but we want to limit other people's access |
| ... | ... |
@@ -611,7 +633,7 @@ class ActionBase(with_metaclass(ABCMeta, object)): |
| 611 | 611 |
# Fix permissions of the tmp path and tmp files. This should be |
| 612 | 612 |
# called after all files have been transferred. |
| 613 | 613 |
if remote_files: |
| 614 |
- self._fixup_perms(remote_files, remote_user) |
|
| 614 |
+ self._fixup_perms2(remote_files, remote_user) |
|
| 615 | 615 |
|
| 616 | 616 |
cmd = "" |
| 617 | 617 |
in_data = None |
| ... | ... |
@@ -153,7 +153,7 @@ class ActionModule(ActionBase): |
| 153 | 153 |
xfered = self._transfer_file(path, remote_path) |
| 154 | 154 |
|
| 155 | 155 |
# fix file permissions when the copy is done as a different user |
| 156 |
- self._fixup_perms((tmp, remote_path), remote_user) |
|
| 156 |
+ self._fixup_perms2((tmp, remote_path), remote_user) |
|
| 157 | 157 |
|
| 158 | 158 |
new_module_args.update( dict( src=xfered,)) |
| 159 | 159 |
|
| ... | ... |
@@ -76,7 +76,7 @@ class ActionModule(ActionBase): |
| 76 | 76 |
if argsfile: |
| 77 | 77 |
remote_paths += argsfile, |
| 78 | 78 |
|
| 79 |
- self._fixup_perms(remote_paths, remote_user, execute=True) |
|
| 79 |
+ self._fixup_perms2(remote_paths, remote_user, execute=True) |
|
| 80 | 80 |
|
| 81 | 81 |
async_limit = self._task.async |
| 82 | 82 |
async_jid = str(random.randint(0, 999999999999)) |
| ... | ... |
@@ -230,7 +230,7 @@ class ActionModule(ActionBase): |
| 230 | 230 |
|
| 231 | 231 |
# fix file permissions when the copy is done as a different user |
| 232 | 232 |
if remote_path: |
| 233 |
- self._fixup_perms((tmp, remote_path), remote_user) |
|
| 233 |
+ self._fixup_perms2((tmp, remote_path), remote_user) |
|
| 234 | 234 |
|
| 235 | 235 |
if raw: |
| 236 | 236 |
# Continue to next iteration if raw is defined. |
| ... | ... |
@@ -59,7 +59,7 @@ class ActionModule(ActionBase): |
| 59 | 59 |
tmp_src = self._connection._shell.join_path(tmp, os.path.basename(src)) |
| 60 | 60 |
self._transfer_file(src, tmp_src) |
| 61 | 61 |
|
| 62 |
- self._fixup_perms((tmp, tmp_src), remote_user) |
|
| 62 |
+ self._fixup_perms2((tmp, tmp_src), remote_user) |
|
| 63 | 63 |
|
| 64 | 64 |
new_module_args = self._task.args.copy() |
| 65 | 65 |
new_module_args.update( |
| ... | ... |
@@ -79,7 +79,7 @@ class ActionModule(ActionBase): |
| 79 | 79 |
self._transfer_file(source, tmp_src) |
| 80 | 80 |
|
| 81 | 81 |
# set file permissions, more permissive when the copy is done as a different user |
| 82 |
- self._fixup_perms((tmp, tmp_src), remote_user, execute=True) |
|
| 82 |
+ self._fixup_perms2((tmp, tmp_src), remote_user, execute=True) |
|
| 83 | 83 |
|
| 84 | 84 |
# add preparation steps to one ssh roundtrip executing the script |
| 85 | 85 |
env_string = self._compute_environment_string() |
| ... | ... |
@@ -164,7 +164,7 @@ class ActionModule(ActionBase): |
| 164 | 164 |
xfered = self._transfer_data(self._connection._shell.join_path(tmp, 'source'), resultant) |
| 165 | 165 |
|
| 166 | 166 |
# fix file permissions when the copy is done as a different user |
| 167 |
- self._fixup_perms((tmp, xfered), remote_user) |
|
| 167 |
+ self._fixup_perms2((tmp, xfered), remote_user) |
|
| 168 | 168 |
|
| 169 | 169 |
# run the copy module |
| 170 | 170 |
new_module_args.update( |
| ... | ... |
@@ -93,7 +93,7 @@ class ActionModule(ActionBase): |
| 93 | 93 |
|
| 94 | 94 |
if copy: |
| 95 | 95 |
# fix file permissions when the copy is done as a different user |
| 96 |
- self._fixup_perms((tmp, tmp_src), remote_user) |
|
| 96 |
+ self._fixup_perms2((tmp, tmp_src), remote_user) |
|
| 97 | 97 |
# Build temporary module_args. |
| 98 | 98 |
new_module_args = self._task.args.copy() |
| 99 | 99 |
new_module_args.update( |
| ... | ... |
@@ -570,7 +570,7 @@ class TestActionBase(unittest.TestCase): |
| 570 | 570 |
action_base._transfer_data = MagicMock() |
| 571 | 571 |
action_base._compute_environment_string = MagicMock() |
| 572 | 572 |
action_base._low_level_execute_command = MagicMock() |
| 573 |
- action_base._fixup_perms = MagicMock() |
|
| 573 |
+ action_base._fixup_perms2 = MagicMock() |
|
| 574 | 574 |
|
| 575 | 575 |
action_base._configure_module.return_value = ('new', '#!/usr/bin/python', 'this is the module data')
|
| 576 | 576 |
action_base._late_needs_tmp_path.return_value = False |