[BACKPORT 2.20.8][PLAT-16115] Fix yba installer data directory permis…

…sions Summary: Original commit: None / D40094 yba installer should ensure all directories are owned by the service user before completing an installation. A few backports were missing to allow this D39256 and D39887 were backported to allow for this fix Test Plan: tested install and validated permissions Reviewers: muthu, sanketh Reviewed By: muthu Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D40096
yugabyte · Nov 21, 2024 · c4a0337 · c4a0337
1 parent c5b1f31
commit c4a0337
Show file tree

Hide file tree

Showing 9 changed files with 65 additions and 10 deletions.
diff --git a/managed/yba-installer/cmd/install.go b/managed/yba-installer/cmd/install.go
@@ -105,6 +105,17 @@ var installCmd = &cobra.Command{
 			log.Info("Completed installing component " + name)
 		}
 
+		// Update permissions of data and software to service username
+		if dataless {
+			if err := common.SetSoftwarePermissions(); err != nil {
+				log.Fatal("error updating permissions for software directory: " + err.Error())
+			}
+		} else {
+			if err := common.SetAllPermissions(); err != nil {
+				log.Fatal("error updating permissions for software and data directories: " + err.Error())
+			}
+		}
+
 		// Update state config now that install is complete.
 		state.Config.Hostname = viper.GetString("host")
 		state.CurrentStatus = ybactlstate.InstalledStatus

diff --git a/managed/yba-installer/cmd/platform.go b/managed/yba-installer/cmd/platform.go
@@ -168,6 +168,10 @@ func (plat Platform) Initialize() error {
 	if err := createPemFormatKeyAndCert(); err != nil {
 		return err
 	}
+	// Explicitly set data dir perms only in initialize because we know it exists
+	if err := plat.SetDataDirPerms(); err != nil {
+		return err
+	}
 	if err := plat.Start(); err != nil {
 		return err
 	}

diff --git a/managed/yba-installer/cmd/prometheus.go b/managed/yba-installer/cmd/prometheus.go
@@ -294,8 +294,9 @@ func (prom Prometheus) Upgrade() error {
 	//chown is not needed when we are operating under non-root, the user will already
 	//have the necessary access.
 	if common.HasSudoAccess() {
-		userName := viper.GetString("service_username")
-		common.Chown(common.GetSoftwareRoot()+"/prometheus", userName, userName, true)
+		if err := common.SetSoftwarePermissions(); err != nil {
+			return err
+		}
 	}
 
 	//Crontab based monitoring for non-root installs.

diff --git a/managed/yba-installer/cmd/reconfigure.go b/managed/yba-installer/cmd/reconfigure.go
@@ -80,6 +80,10 @@ var reconfigureCmd = &cobra.Command{
 				pg := services[name].(Postgres)
 				pg.modifyPostgresConf()
 			}
+			// Set permissions to be safe
+			if err := common.SetAllPermissions(); err != nil {
+				log.Fatal("error updating permissions for data and software directories: " + err.Error())
+			}
 			log.Info("Starting service " + name)
 			services[name].Start()
 		}

diff --git a/managed/yba-installer/cmd/service_control.go b/managed/yba-installer/cmd/service_control.go
@@ -48,7 +48,7 @@ var startCmd = &cobra.Command{
 			if preflight.ShouldFail(results) {
 				log.Fatal("preflight failed")
 			}
-			if err := common.Chown(common.GetDataRoot(), "yugabyte", "yugabyte", true); err != nil {
+			if err := common.SetDataPermissions(); err != nil {
 				log.Fatal("Failed to change ownership of data directory: " + err.Error())
 			}
 			log.Info("Initializing YBA before starting services")
@@ -79,6 +79,9 @@ var startCmd = &cobra.Command{
 		if err := common.CheckDataVersionFile(); err != nil {
 			log.Fatal("Failed to validate data version: " + err.Error())
 		}
+		if err := common.SetAllPermissions(); err != nil {
+			log.Fatal("error updating permissions for data and software directories: " + err.Error())
+		}
 		if len(args) == 1 {
 			if err := services[args[0]].Start(); err != nil {
 				log.Fatal("Failed to start " + args[0] + ": " + err.Error())

diff --git a/managed/yba-installer/cmd/upgrade.go b/managed/yba-installer/cmd/upgrade.go
@@ -131,6 +131,11 @@ var upgradeCmd = &cobra.Command{
 			log.Info("Completed upgrade of component " + name)
 		}
 
+		// Permissions update to be safe
+		if err := common.SetAllPermissions(); err != nil {
+			log.Fatal("error updating permissions for data and software directories: " + err.Error())
+		}
+
 		for _, name := range serviceOrder {
 			log.Info("About to restart component " + name)
 			if err := services[name].Restart(); err != nil {

diff --git a/managed/yba-installer/pkg/common/common.go b/managed/yba-installer/pkg/common/common.go
@@ -388,8 +388,9 @@ func extractPlatformSupportPackageAndYugabundle(vers string) {
 		GetInstallerSoftwareDir()+"/packages/yugabyte-"+vers)
 
 	if HasSudoAccess() {
-		userName := viper.GetString("service_username")
-		Chown(GetSoftwareRoot(), userName, userName, true)
+		if err := SetSoftwarePermissions(); err != nil {
+			log.Fatal("failed to set permissions: " + err.Error())
+		}
 	}
 
 }

diff --git a/managed/yba-installer/pkg/common/directory_manager.go b/managed/yba-installer/pkg/common/directory_manager.go
@@ -32,8 +32,7 @@ import (
 * Data directory: /opt/yugabyte/data
 * Active Symlink: /opt/yugabyte/software/active
 *
-* GetInstallRoot will return the CORRECT install root for our workflow (one or two)
-# GetBaseInstall will return the base install. NOTE: the config has this as "installRoot"
+# GetBaseInstall will return the installRoot
 */
 
 // ALl of our install files and directories.
@@ -77,7 +76,7 @@ func DataVersionFile() string {
 	return filepath.Join(GetDataRoot(), dataVersionFileName)
 }
 
-// GetInstallRoot returns the InstallRoot where YBA is installed.
+// GetSoftwareRoot returns the version specific directory inside of installRoot/software
 func GetSoftwareRoot() string {
 	return dm.WorkingDirectory()
 }

diff --git a/managed/yba-installer/pkg/common/utils.go b/managed/yba-installer/pkg/common/utils.go
@@ -117,11 +117,12 @@ func HasSudoAccess() bool {
 func RemoveQuotes(input string) string {
 	return strings.Trim(input, "\"")
 }
+
 // SplitInput parses an input string that is either comma or space separated and returns the
 // individual elements in an array
 func SplitInput(input string) []string {
 	return strings.FieldsFunc(input, func(r rune) bool {
-			return r == ',' || r == ' '
+		return r == ',' || r == ' '
 	})
 }
 
@@ -708,7 +709,7 @@ func SetYamlValue(filePath string, yamlPath string, value interface{}) error {
 		root = yaml.Node{
 			Kind: yaml.DocumentNode,
 			Content: []*yaml.Node{&yaml.Node{
-					Kind: yaml.MappingNode,
+				Kind: yaml.MappingNode,
 			}},
 		}
 	}
@@ -848,3 +849,29 @@ func Bool2Int(b bool) int {
 	}
 	return 0
 }
+
+func SetAllPermissions() error {
+	if err := SetSoftwarePermissions(); err != nil {
+		return err
+	}
+	if err := SetDataPermissions(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func SetSoftwarePermissions() error {
+	userName := viper.GetString("service_username")
+	if err := Chown(GetSoftwareDir(), userName, userName, true); err != nil {
+		return err
+	}
+	return nil
+}
+
+func SetDataPermissions() error {
+	userName := viper.GetString("service_username")
+	if err := Chown(GetDataRoot(), userName, userName, true); err != nil {
+		return err
+	}
+	return nil
+}