Dynamically choose user to run plugin commands

Instead of always using the 'elasticsearch' user or the user supplied by the `elasticsearch_user` resource, choose 'root' if we're installing via package, otherwise fall back to the previous logic. This also removes the chown command, since we expect choosing the correct user should get rid of the need for the chown. Fixes #421.
sous-chefs · Jan 8, 2016 · 5e07995 · 5e07995
1 parent 082566a
commit 5e07995
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 8 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -102,3 +102,12 @@ suites:
     run_list:
       - recipe[java]
       - recipe[elasticsearch_test::default_with_plugins]
+
+  - name: shieldwatcher # install licensed plugins for testing
+    require_chef_omnibus: true
+    run_list:
+      - recipe[java]
+      - recipe[elasticsearch_test::shieldwatcher]
+    attributes:
+      elasticsearch:
+        install_type: package
diff --git a/libraries/provider_plugin.rb b/libraries/provider_plugin.rb
@@ -32,11 +32,11 @@ def manage_plugin(arguments)
 
     # shell_out! automatically raises on error, logs command output
     # required for package installs that show up with parent dir owned by root
-    shell_out!("mkdir -p #{es_conf.path_plugins[es_install.type]}") unless ::File.exist?(es_conf.path_plugins[es_install.type])
-    shell_out!("chown #{es_user.username}:#{es_user.groupname} #{es_conf.path_plugins[es_install.type]}")
-
-    shell_out!("#{es_conf.path_bin[es_install.type]}/plugin #{arguments.chomp(' ')}".chomp(' ').split(' '), user: es_user.username, group: es_user.groupname)
+    plugin_dir_exists = ::File.exist?(es_conf.path_plugins[es_install.type])
+    shell_out_as_user!("mkdir -p #{es_conf.path_plugins[es_install.type]}", run_context) unless plugin_dir_exists
 
+    command_array = "#{es_conf.path_bin[es_install.type]}/plugin #{arguments.chomp(' ')}".chomp(' ').split(' ')
+    shell_out_as_user!(command_array, run_context)
     new_resource.updated_by_last_action(true)
   end
 
@@ -72,4 +72,19 @@ def assert_state_is_valid(es_user, es_install, es_conf)
 
     return true
   end
+
+  def shell_out_as_user!(command, run_ctx)
+    es_install = find_es_resource(run_ctx, :elasticsearch_install, new_resource)
+
+    # See this link for an explanation:
+    # https://www.elastic.co/guide/en/elasticsearch/plugins/2.1/plugin-management.html
+    if es_install.type == :package
+      # package installations should install plugins as root
+      shell_out!(command)
+    else
+      # non-package installations should install plugins as the ES user
+      es_user = find_es_resource(run_ctx, :elasticsearch_user, new_resource)
+      shell_out!(command, user: es_user.username, group: es_user.groupname)
+    end
+  end
 end # provider
diff --git a/test/fixtures/cookbooks/elasticsearch_test/recipes/shieldwatcher.rb b/test/fixtures/cookbooks/elasticsearch_test/recipes/shieldwatcher.rb
@@ -0,0 +1,11 @@
+# Cookbook Name:: elasticsearch_test
+# Recipe:: shieldwatcher
+
+include_recipe "#{cookbook_name}::default_with_plugins"
+
+# test these since they need to write to 'bin' directory
+%w(license shield watcher).each do |plugin_name|
+  elasticsearch_plugin plugin_name do
+    notifies :restart, 'elasticsearch_service[elasticsearch]', :delayed
+  end
+end
diff --git a/test/integration/helpers/serverspec/plugin_examples.rb b/test/integration/helpers/serverspec/plugin_examples.rb
@@ -1,10 +1,11 @@
 require_relative 'spec_helper'
 
 shared_examples_for 'elasticsearch plugin' do |plugin_name, args = {}|
-  expected_user = args[:user] || 'elasticsearch'
+  expected_user = args[:user] || (package? ? 'root' : 'elasticsearch')
   expected_group = args[:group] || expected_user || 'elasticsearch'
-  expected_home = args[:home] || (package? ? "/usr/share/#{expected_user}" : "/usr/local/#{expected_user}")
+  expected_home = args[:home] || (package? ? '/usr/share/elasticsearch' : '/usr/local/elasticsearch')
   expected_plugin = args[:plugin] || (package? ? "#{expected_home}/plugins/#{plugin_name}" : "#{expected_home}/plugins/#{plugin_name}")
+  expected_response_code = args[:response_code] || 200
 
   describe file(expected_plugin) do
     it { should be_directory }
@@ -13,6 +14,6 @@
   end
 
   describe command("curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:9200/_plugin/#{plugin_name}/") do
-    its(:stdout) { should match(/200/) }
+    its(:stdout) { should match(/#{expected_response_code}/) }
   end
 end
diff --git a/test/integration/helpers/serverspec/service_examples.rb b/test/integration/helpers/serverspec/service_examples.rb
@@ -1,12 +1,14 @@
 require_relative 'spec_helper'
 
 shared_examples_for 'elasticsearch service' do |service_name = 'elasticsearch', args = {}|
+  content_match = args[:content] || 'elasticsearch'
+
   describe service(service_name) do
     it { should be_enabled }
     it { should be_running }
   end
 
   describe command('curl http://localhost:9200') do
-    its(:stdout) { should match(/elasticsearch/) }
+    its(:stdout) { should match(/#{content_match}/) }
   end
 end
diff --git a/test/integration/shieldwatcher/serverspec/default_spec.rb b/test/integration/shieldwatcher/serverspec/default_spec.rb
@@ -0,0 +1,15 @@
+require_relative 'spec_helper'
+
+describe 'standard elasticsearch install and configure' do
+  it_behaves_like 'elasticsearch user'
+  it_behaves_like 'elasticsearch install'
+  it_behaves_like 'elasticsearch configure'
+
+  # because shield, these now should return failures
+  it_behaves_like 'elasticsearch plugin', 'head', response_code: 401
+  it_behaves_like 'elasticsearch service', 'elasticsearch', content: 'missing authentication'
+end
+
+describe package('elasticsearch') do
+  it { should be_installed }
+end