Revert "Reapply "Set default permissions""

author: Valerij Fredriksen <freva@users.noreply.github.com> 2022-04-21 13:01:33 +0200
committer: GitHub <noreply@github.com> 2022-04-21 13:01:33 +0200
commit: 26d7ba296e48d59647c0fc1567295ede87cdc0a3 (patch)
tree: 24cbbec6414e3bbdaaa30eba71de31257e9c12f4 /node-admin
parent: 888beccd43a3bb14febb0c2d2838e0dda852593c (diff)
3 files changed, 2 insertions, 75 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
index 75977da369c..61e777a9576 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/nodeagent/NodeAgentImpl.java
@@ -27,9 +27,6 @@ import com.yahoo.vespa.hosted.node.admin.maintenance.acl.AclMaintainer;
 import com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer;
 import com.yahoo.vespa.hosted.node.admin.maintenance.servicedump.VespaServiceDumper;
 import com.yahoo.vespa.hosted.node.admin.nodeadmin.ConvergenceException;
-import com.yahoo.vespa.hosted.node.admin.task.util.file.FileFinder;
-import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
-import com.yahoo.vespa.hosted.node.admin.task.util.fs.ContainerPath;
 
 import java.time.Clock;
 import java.time.Duration;
@@ -140,31 +137,6 @@ public class NodeAgentImpl implements NodeAgent {
         if (loopThread != null)
             throw new IllegalStateException("Can not re-start a node agent.");
 
-        // TODO: Remove after this has rolled out everywhere
-        int[] stats = new int[]{0, 0, 0};
-        ContainerPath vespaHome = initialContext.paths().underVespaHome("");
-        FileFinder.files(initialContext.paths().of("/")).forEachPath(path -> {
-            UnixPath unixPath = new UnixPath(path);
-
-            String permissions = unixPath.getPermissions();
-            if (!permissions.endsWith("---")) {
-                unixPath.setPermissions(permissions.substring(0, 6) + "---");
-                stats[0]++;
-            }
-
-            if (path.startsWith(vespaHome) && unixPath.getOwnerId() != initialContext.users().vespa().uid()) {
-                unixPath.setOwnerId(initialContext.users().vespa().uid());
-                stats[1]++;
-            }
-
-            if (path.startsWith(vespaHome) && unixPath.getGroupId() != initialContext.users().vespa().gid()) {
-                unixPath.setGroupId(initialContext.users().vespa().gid());
-                stats[2]++;
-            }
-        });
-        if (stats[0] + stats[1] + stats[2] > 0)
-            initialContext.log(logger, "chmod %d, chown UID %d, chown GID %d files", stats[0], stats[1], stats[2]);
-
         loopThread = new Thread(() -> {
             while (!terminated.get()) {
                 try {
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
index 2a2e3d611c9..964ed5e0e4d 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
@@ -26,8 +26,6 @@ import java.nio.file.attribute.FileAttributeView;
 import java.nio.file.attribute.GroupPrincipal;
 import java.nio.file.attribute.PosixFileAttributeView;
 import java.nio.file.attribute.PosixFileAttributes;
-import java.nio.file.attribute.PosixFilePermission;
-import java.nio.file.attribute.PosixFilePermissions;
 import java.nio.file.attribute.UserPrincipal;
 import java.nio.file.spi.FileSystemProvider;
 import java.util.HashMap;
@@ -46,12 +44,6 @@ import static com.yahoo.yolean.Exceptions.uncheck;
  * @author freva
  */
 class ContainerFileSystemProvider extends FileSystemProvider {
-
-    private static final FileAttribute<?> DEFAULT_FILE_PERMISSIONS = PosixFilePermissions.asFileAttribute(Set.of( // 0640
-            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.GROUP_READ));
-    private static final FileAttribute<?> DEFAULT_DIRECTORY_PERMISSIONS = PosixFilePermissions.asFileAttribute(Set.of( // 0750
-            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE, PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_EXECUTE));
-
     private final ContainerFileSystem containerFs;
     private final ContainerUserPrincipalLookupService userPrincipalLookupService;
 
@@ -90,8 +82,7 @@ class ContainerFileSystemProvider extends FileSystemProvider {
         Path pathOnHost = pathOnHost(path);
         try (SecureDirectoryStream<Path> sds = leafDirectoryStream(pathOnHost)) {
             boolean existedBefore = Files.exists(pathOnHost);
-            SeekableByteChannel seekableByteChannel = sds.newByteChannel(
-                    pathOnHost.getFileName(), addNoFollow(options), addPermissions(DEFAULT_FILE_PERMISSIONS, attrs));
+            SeekableByteChannel seekableByteChannel = sds.newByteChannel(pathOnHost.getFileName(), addNoFollow(options), attrs);
             if (!existedBefore) fixOwnerToContainerRoot(toContainerPath(path));
             return seekableByteChannel;
         }
@@ -108,7 +99,7 @@ class ContainerFileSystemProvider extends FileSystemProvider {
     public void createDirectory(Path dir, FileAttribute<?>... attrs) throws IOException {
         Path pathOnHost = pathOnHost(dir);
         boolean existedBefore = Files.exists(pathOnHost);
-        provider(pathOnHost).createDirectory(pathOnHost, addPermissions(DEFAULT_DIRECTORY_PERMISSIONS, attrs));
+        provider(pathOnHost).createDirectory(pathOnHost);
         if (!existedBefore) fixOwnerToContainerRoot(toContainerPath(dir));
     }
 
@@ -333,16 +324,4 @@ class ContainerFileSystemProvider extends FileSystemProvider {
         copy[options.length] = LinkOption.NOFOLLOW_LINKS;
         return copy;
     }
-
-    private static FileAttribute<?>[] addPermissions(FileAttribute<?> defaultPermissions, FileAttribute<?>... attrs) {
-        for (FileAttribute<?> attr : attrs) {
-            if (attr.name().equals("posix:permissions") || attr.name().equals("unix:permissions"))
-                return attrs;
-        }
-
-        FileAttribute<?>[] copy = new FileAttribute<?>[attrs.length + 1];
-        System.arraycopy(attrs, 0, copy, 0, attrs.length);
-        copy[attrs.length] = defaultPermissions;
-        return copy;
-    }
 }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java
index b26f0fe5bf8..c3affccc32b 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemTest.java
@@ -16,8 +16,6 @@ import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.StandardOpenOption;
-import java.nio.file.attribute.FileAttribute;
-import java.nio.file.attribute.PosixFilePermissions;
 import java.util.Map;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -176,19 +174,6 @@ class ContainerFileSystemTest {
         Files.writeString(file.pathOnHost(), "hello"); // Writing through host FS works
     }
 
-    @Test
-    public void permissions() throws IOException {
-        assertPermissions(Files.createDirectory(containerFs.getPath("/dir1")), "rwxr-x---");
-        assertPermissions(Files.createDirectory(containerFs.getPath("/dir2"), permissionsFromString("r-x-w-rw-")), "r-x-w-rw-");
-
-        assertPermissions(Files.createDirectories(containerFs.getPath("/sub/dir/leaf"), permissionsFromString("r-x-w-rw-")), "r-x-w-rw-");
-        assertPermissions(containerFs.getPath("/sub/dir"), "r-x-w-rw-"); // Non-leafs get the same permission as the leaf
-
-        // TODO: Uncomment when JimFS forwards attributes for SecureDirectoryStream::newByteChannel
-//        assertPermissions(Files.createFile(containerFs.getPath("/file1")), "rw-r-----");
-//        assertPermissions(Files.createFile(containerFs.getPath("/file2"), permissionsFromString("r-x-w-rw-")), "r-x-w-rw-");
-    }
-
     private static void assertOwnership(ContainerPath path, int contUid, int contGid, int hostUid, int hostGid) throws IOException {
         assertOwnership(path, contUid, contGid);
         assertOwnership(path.pathOnHost(), hostUid, hostGid);
@@ -199,13 +184,4 @@ class ContainerFileSystemTest {
         assertEquals(uid, attrs.get("uid"));
         assertEquals(gid, attrs.get("gid"));
     }
-
-    private static void assertPermissions(Path path, String expected) throws IOException {
-        String actual = PosixFilePermissions.toString(Files.getPosixFilePermissions(path));
-        assertEquals(expected, actual);
-    }
-
-    private static FileAttribute<?> permissionsFromString(String permissions) {
-        return PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(permissions));
-    }
 }
author	Valerij Fredriksen <freva@users.noreply.github.com>	2022-04-21 13:01:33 +0200
committer	GitHub <noreply@github.com>	2022-04-21 13:01:33 +0200
commit	26d7ba296e48d59647c0fc1567295ede87cdc0a3 (patch)
tree	24cbbec6414e3bbdaaa30eba71de31257e9c12f4 /node-admin
parent	888beccd43a3bb14febb0c2d2838e0dda852593c (diff)