SSSD: use systemd service description to configure service user

SSSD · Aug 13, 2024 · 0b213ff · 0b213ff
1 parent 5afdc33
commit 0b213ff
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 7 deletions.
diff --git a/sssd_test_framework/hosts/client.py b/sssd_test_framework/hosts/client.py
@@ -29,6 +29,12 @@ def __init__(self, *args, **kwargs) -> None:
         super().__init__(*args, **kwargs)
 
         self._features: dict[str, bool] | None = None
+        self.sssd_service_user: str = ""
+        """ SSSD service user configured by default install """
+
+    def pytest_setup(self) -> None:
+        super().pytest_setup()
+        self.sssd_service_user = self.svc.get_property("sssd", "User")
 
     @property
     def features(self) -> dict[str, bool]:

diff --git a/sssd_test_framework/utils/sssd.py b/sssd_test_framework/utils/sssd.py
@@ -9,7 +9,8 @@
 from pytest_mh import MultihostHost, MultihostRole, MultihostUtility
 from pytest_mh.conn import Process, ProcessLogLevel, ProcessResult
 
-from ..hosts.base import BaseDomainHost, BaseHost
+from ..hosts.base import BaseDomainHost
+from ..hosts.client import ClientHost
 from ..misc import to_list
 
 if TYPE_CHECKING:
@@ -113,6 +114,7 @@ def setup(self) -> None:
     def async_start(
         self,
         service="sssd",
+        service_user="sssd",
         *,
         apply_config: bool = True,
         check_config: bool = True,
@@ -132,6 +134,8 @@ def async_start(
         :return: Running SSH process.
         :rtype: Process
         """
+        self.set_service_user(service_user)
+
         if apply_config:
             self.config_apply(check_config=check_config, debug_level=debug_level)
 
@@ -144,6 +148,7 @@ def async_start(
     def start(
         self,
         service="sssd",
+        service_user="sssd",
         *,
         raise_on_error: bool = True,
         apply_config: bool = True,
@@ -166,6 +171,8 @@ def start(
         :return: SSH process result.
         :rtype: ProcessResult
         """
+        self.set_service_user(service_user)
+
         if apply_config:
             self.config_apply(check_config=check_config, debug_level=debug_level)
 
@@ -303,19 +310,40 @@ def clear(self, *, db: bool = True, memcache: bool = True, config: bool = False,
 
     def set_service_user(self, user: str) -> None:
         """
-        Set [sssd]/user option.
+        Reconfigures 'sssd.service' systemd service description
+        to run SSSD service under 'user' (only 'root' or 'sssd'
+        are supported by SSSD).
+        Take a note, this currently doesn't handle reconfiguration
+        of socket activated services.
 
         :param user: Option value to set.
         :type user: str
-        :raises ValueError: If required feature wasn't built.
+        :raises ValueError: in case error happens.
         """
-        if isinstance(self.host, BaseHost):
-            if (user != "root") and (not self.host.features["non-privileged"]):
-                raise ValueError("SSSD was built without support of running under non-root")
+        if isinstance(self.host, ClientHost):
+            if not self.host.features["non-privileged"]:
+                return  # service user configuration isn't supported at all
         else:
             raise ValueError("Unexpected host type")
 
-        self.sssd["user"] = user
+        if user == self.host.sssd_service_user:
+            return  # requested service user matches default, nothing to do
+
+        service_file = "/usr/lib/systemd/system/sssd.service"
+        self.fs.backup(service_file)
+        cmd = f'sed -i "s/^User=.*/User={user}/g" {service_file}\n'
+        cmd += f'sed -i "s/^Group=.*/Group={user}/g" {service_file}\n'
+        if user == "root":
+            cmd += f'sed -i "s/^#SupplementaryGroups=sssd$/SupplementaryGroups=sssd/g" {service_file}\n'
+            cmd += f'sed -i "s/sssd:sssd/root:root/g" {service_file}\n'
+        elif user == "sssd":
+            cmd += f'sed -i "s/^SupplementaryGroups=sssd$/#SupplementaryGroups=sssd/g" {service_file}\n'
+            cmd += f'sed -i "s/root:root/sssd:sssd/g" {service_file}\n'
+        else:
+            raise ValueError("Unexpected value of 'user'")
+        cmd += f"chown -f {user}:{user} /var/lib/sss/db/*.ldb || true"
+        self.host.conn.run(cmd)
+        self.svc.reload_daemon()
 
     def enable_responder(self, responder: str) -> None:
         """