Fix deployment user permissions
bensofficial committed Dec 17, 2024
1 parent 94c0af3 commit ff7275e
Showing 2 changed files with 8 additions and 4 deletions.
4 changes: 1 addition & 3 deletions roles/artemis/tasks/users.yml
Expand Up @@ -21,9 +21,7 @@
comment: "{{ artemis_deployment_user_comment }}"
state: present
uid: "{{ artemis_deployment_user_uid }}"
group: "{{ artemis_user_group }}"
groups: "sudo{% if use_docker %},docker{% endif %}"
append: yes
groups: "{% if use_docker %}docker{% endif %}"
when: (artemis_create_deployment_user | bool)

- name: Ensure (limited) sudo privileges for user {{ artemis_deployment_user_name }}
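Review bot: The new `groups` value still places the deployment user in `docker` whenever `use_docker` is true, and docker-group membership is root-equivalent through the Docker socket, so the tightening this task now enforces (dropping `append: yes` makes the supplementary-group set exact, which is what actually strips `sudo`) does not reduce that user's effective privilege on Docker hosts. If that trade-off is accepted, record it next to the line: `# docker group is root-equivalent via the socket; the limited sudoers file only matters on non-docker hosts`. Note also that the expression renders to `""` when `use_docker` is false; for the Ansible user module an empty `groups` means "remove from every secondary group", which is the intended effect here but reads like a no-op, so a one-line comment saying so would help the next maintainer. The `- name:` header of this task lies above the hunk, so I cannot see whether the task is gated on anything else.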
8 changes: 7 additions & 1 deletion roles/artemis/templates/artemis_deployment_sudoers.j2
@@ -1,10 +1,16 @@
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /bin/systemctl start artemis
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: systemctl start artemis
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /bin/systemctl stop artemis
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: systemctl stop artemis
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: {{ artemis_working_directory }}/artemis-backup.sh

# Whitelist commands for `artemis-server-cli deploy`
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/mv /home/{{ artemis_deployment_user_name }}/artemis.war.new {{ artemis_working_directory }}/artemis.war.new
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: mv /home/{{ artemis_deployment_user_name }}/artemis.war.new {{ artemis_working_directory }}/artemis.war.new
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/rm {{ artemis_working_directory }}/artemis.war.old
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: rm {{ artemis_working_directory }}/artemis.war.old
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/mv {{ artemis_working_directory }}/artemis.war {{ artemis_working_directory }}/artemis.war.old
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: mv {{ artemis_working_directory }}/artemis.war {{ artemis_working_directory }}/artemis.war.old
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/mv {{ artemis_working_directory }}/artemis.war.new {{ artemis_working_directory }}/artemis.war
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/bash {{ artemis_working_directory }}/artemis-docker.sh *
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: mv {{ artemis_working_directory }}/artemis.war.new {{ artemis_working_directory }}/artemis.war
{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/bash {{ artemis_working_directory }}/artemis-docker.sh restart *
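Review bot: The unqualified command specs added alongside the absolute ones (`systemctl start artemis`, `systemctl stop artemis`, the bare `mv …` and `rm …` lines) are, as far as I can tell from sudoers(5), not valid Cmnd entries, because a command must be given as a fully-qualified path; visudo should reject the rendered file, and sudo treats a parse error in any sudoers.d file as fatal for the whole policy, which would lock every user out of sudo on that host rather than just ignoring the line. If the goal is to cover both the `/bin` and `/usr/bin` locations of these binaries (legacy vs. merged-/usr layouts), list both absolute paths instead, e.g. `{{ artemis_deployment_user_name }} ALL=(ALL) NOPASSWD: /usr/bin/systemctl start artemis`, and make sure the template task that installs this file (its body is in users.yml beyond the first hunk and not visible here) renders it with `validate: /usr/sbin/visudo -cf %s` so a bad render never reaches /etc/sudoers.d. Separately, the `restart *` glob on the last line still forwards arbitrary extra arguments to artemis-docker.sh as root, and every script listed here (`artemis-backup.sh`, `artemis-docker.sh`) is root-equivalent if the deployment user can modify it or its directory, which the template cannot show; I would add `# {{ artemis_working_directory }} and the scripts below must be root-owned and not writable by this user` at the top of the file to make that precondition explicit.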
