From 04fc48c8f0cff77f988cdd25d79ce26c5a8b1cec Mon Sep 17 00:00:00 2001
From: Philip ABBET <philip.abbet@idiap.ch>
Date: Mon, 24 Apr 2017 11:49:33 +0200
Subject: [PATCH] Allows to use a directory with restricted access for the
 datasets

---
 beat/core/agent.py                      | 31 +++++++++++-------
 beat/core/scripts/databases_provider.py | 42 +++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 11 deletions(-)
 mode change 100644 => 100755 beat/core/scripts/databases_provider.py

diff --git a/beat/core/agent.py b/beat/core/agent.py
index 6b2b2898..86393dff 100755
--- a/beat/core/agent.py
+++ b/beat/core/agent.py
@@ -227,17 +227,18 @@ class Agent(object):
 
       database_paths = {}
 
-      for db_name in configuration.databases.keys():
-        json_path = os.path.join(root_folder, db_name + '.json')
+      if not configuration.data.has_key('datasets_root_path'):
+        for db_name in configuration.databases.keys():
+          json_path = os.path.join(root_folder, db_name + '.json')
 
-        with open(json_path, 'r') as f:
-          db_data = simplejson.load(f)
+          with open(json_path, 'r') as f:
+            db_data = simplejson.load(f)
 
-        database_paths[db_name] = db_data['root_folder']
-        db_data['root_folder'] = os.path.join('/databases', db_name)
+          database_paths[db_name] = db_data['root_folder']
+          db_data['root_folder'] = os.path.join('/databases', db_name)
 
-        with open(json_path, 'w') as f:
-          simplejson.dump(db_data, f, indent=4)
+          with open(json_path, 'w') as f:
+            simplejson.dump(db_data, f, indent=4)
 
     # Server for our single client
     self.server = Server(configuration.input_list, configuration.output_list,
@@ -277,12 +278,20 @@ class Agent(object):
 
         volumes = {}
 
-        for db_name, db_path in database_paths.items():
-          volumes[db_path] = {
-            'bind': os.path.join('/databases', db_name),
+        if not configuration.data.has_key('datasets_root_path'):
+          for db_name, db_path in database_paths.items():
+            volumes[db_path] = {
+              'bind': os.path.join('/databases', db_name),
+              'mode': 'ro',
+            }
+        else:
+          volumes[configuration.data['datasets_root_path']] = {
+            'bind': configuration.data['datasets_root_path'],
             'mode': 'ro',
           }
 
+        print volumes
+
         # Note: we only support one databases image loaded at the same time
         self.db_process = dock.Popen(
           host,
diff --git a/beat/core/scripts/databases_provider.py b/beat/core/scripts/databases_provider.py
old mode 100644
new mode 100755
index 64a1a67d..fa8ac7d3
--- a/beat/core/scripts/databases_provider.py
+++ b/beat/core/scripts/databases_provider.py
@@ -51,6 +51,7 @@ import logging
 import os
 import sys
 import docopt
+import simplejson
 
 import zmq
 
@@ -104,6 +105,7 @@ def main():
   args = docopt.docopt(__doc__ % dict(prog=prog, version=version),
           version=version)
 
+
   # Sets up the logging system
   if args['--debug']:
     logging.basicConfig(format='[remote|%(name)s] %(levelname)s: %(message)s',
@@ -114,6 +116,44 @@ def main():
 
   logger = logging.getLogger(__name__)
 
+
+  # If necessary, change to another user (with less privileges, but has access
+  # to the databases)
+  with open(os.path.join(args['<dir>'], 'configuration.json'), 'r') as f:
+    cfg = simplejson.load(f)
+
+  if cfg.has_key('datasets_uid'):
+    # First create the user (if it doesn't exists)
+    try:
+      user = pwd.getpwuid(cfg['datasets_uid'])
+    except:
+      import subprocess
+      retcode = subprocess.call(['adduser', '--uid', str(cfg['datasets_uid']),
+                                 '--no-create-home', '--disabled-password',
+                                 '--disabled-login', '--gecos', '""', '-q',
+                                 'beat-nobody'])
+      if retcode != 0:
+        send_error(logger, socket, 'sys', 'Failed to create an user with the UID %s' % args['uid'])
+        return 1
+
+    # Next, ensure that the needed files are readable by this user
+    access = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH
+    os.chmod(args['<dir>'], access)
+    for root, dirs, files in os.walk(args['<dir>']):
+      for d in dirs:
+        os.chmod(os.path.join(root, d), access)
+      for f in files:
+        os.chmod(os.path.join(root, f), access)
+
+    # Change the current user
+    try:
+      os.setuid(cfg['datasets_uid'])
+    except:
+      import traceback
+      send_error(logger, socket, 'sys', traceback.format_exc())
+      return 1
+
+
   # Creates the 0MQ socket for communication with BEAT
   context = zmq.Context()
   socket = context.socket(zmq.PAIR)
@@ -121,6 +161,7 @@ def main():
   socket.connect(address)
   logger.debug("zmq client connected to `%s'", address)
 
+
   try:
 
     # Check the dir
@@ -188,5 +229,6 @@ def main():
   return 0
 
 
+
 if __name__ == '__main__':
   sys.exit(main())
-- 
GitLab