Make DirectoryService/AdditionalSssdConfigs be merged into default domain configuration rather than be appended.

gmarciani · gmarciani · commit d5d03b6301b8 · 2022-04-14T12:19:15.000+02:00
Signed-off-by: Giacomo Marciani &lt;mgiacomo@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 - Add support for both FQDN and LDAP Distinguished Names in the configuration parameter `DirectoryService/DomainName`. The new validator now checks both the syntaxes.
 - New `update_directory_service_password.sh` script deployed on the head node supports the manual update of the Active Directory password in the SSSD configuration.
   The password is retrieved by the AWS Secrets Manager as from the cluster configuration.
+- Make `DirectoryService/AdditionalSssdConfigs` be merged into final SSSD configuration rather than be appended.
 
 **CHANGES**
 - Disable deeper C-States in x86_64 official AMIs and AMIs created through `build-image` command, to guarantee high performance and low latency.
diff --git a/cookbooks/aws-parallelcluster-config/recipes/directory_service.rb b/cookbooks/aws-parallelcluster-config/recipes/directory_service.rb
@@ -53,16 +53,58 @@
   # Then the sssd.conf file is shared through shared_sssd_conf_path to compute nodes.
   # Only contacting the secret manager from head node avoids giving permission to compute nodes to contact the secret manager.
 
+  # Configure SSSD domain properties
+  domain_properties = {
+    # Mandatory properties that must not be overridden by the user.
+    'id_provider' => 'ldap',
+    'ldap_schema' => 'AD',
+
+    # Mandatory properties that are meant to be set via dedicated cluster config properties,
+    # but that can also be overridden via DirectoryService/AdditionalSssdConfigs.
+    'ldap_uri' => ldap_uri_components.join(','),
+    'ldap_search_base' => ldap_search_base,
+    'ldap_default_bind_dn' => node['cluster']['directory_service']['domain_read_only_user'],
+    'ldap_default_authtok' => shell_out!("aws secretsmanager get-secret-value --secret-id #{node['cluster']['directory_service']['password_secret_arn']} --region #{node['cluster']['region']} --query 'SecretString' --output text").stdout.strip,
+    'ldap_tls_reqcert' => node['cluster']['directory_service']['ldap_tls_req_cert'],
+
+    # Optional properties for which we provide a default value,
+    # that are not meant to be set via dedicated cluster config properties,
+    # but that can be overridden by the user via DirectoryService/AdditionalSssdConfigs.
+    'cache_credentials' => 'True',
+    'default_shell' => '/bin/bash',
+    'fallback_homedir' => '/home/%u',
+    'ldap_id_mapping' => 'True',
+    'ldap_referrals' => 'False',
+    'use_fully_qualified_names' => 'False',
+  }
+
+  # Optional properties that are meant to be set via dedicated cluster config properties.
+  # - ldap_tls_ca_cert
+  # - ldap_access_filter
+  # - access_provider only if ldap_access_filter is specified
+
+  unless node['cluster']['directory_service']['ldap_tls_ca_cert'].eql?('NONE')
+    domain_properties['ldap_tls_cacert'] = node['cluster']['directory_service']['ldap_tls_ca_cert']
+  end
+
+  unless node['cluster']['directory_service']['ldap_access_filter'].eql?('NONE')
+    domain_properties['access_provider'] = 'ldap'
+    domain_properties['ldap_access_filter'] = node['cluster']['directory_service']['ldap_access_filter']
+  end
+
+  # Optional properties that are meant to be set via DirectoryService/AdditionalSssdConfigs
+  if node['cluster']['directory_service']['additional_sssd_configs']
+    domain_properties.merge!(node['cluster']['directory_service']['additional_sssd_configs'])
+  end
+
   # Write sssd.conf file
   template sssd_conf_path do
     source 'directory_service/sssd.conf.erb'
     owner 'root'
     group 'root'
     mode '0600'
     variables(
-      ldap_default_authtok: shell_out!("aws secretsmanager get-secret-value --secret-id #{node['cluster']['directory_service']['password_secret_arn']} --region #{node['cluster']['region']} --query 'SecretString' --output text").stdout,
-      ldap_uri: ldap_uri_components.join(","),
-      ldap_search_base: ldap_search_base
+      domain_properties: domain_properties
     )
     sensitive true
   end
diff --git a/cookbooks/aws-parallelcluster-config/templates/default/directory_service/sssd.conf.erb b/cookbooks/aws-parallelcluster-config/templates/default/directory_service/sssd.conf.erb
@@ -1,28 +1,7 @@
 [domain/default]
-id_provider = ldap
-cache_credentials = True
-ldap_schema = AD
-ldap_uri = <%= @ldap_uri %>
-ldap_search_base = <%=  @ldap_search_base %>
-ldap_default_bind_dn = <%=  node['cluster']['directory_service']['domain_read_only_user'] %>
-ldap_default_authtok = <%= @ldap_default_authtok %>
-<% if node['cluster']['directory_service']['ldap_tls_ca_cert'] != 'NONE' %>
-ldap_tls_cacert = <%=  node['cluster']['directory_service']['ldap_tls_ca_cert'] %>
-<% end %>
-ldap_tls_reqcert = <%=  node['cluster']['directory_service']['ldap_tls_req_cert'] %>
-ldap_id_mapping = True
-fallback_homedir = /home/%u
-default_shell = /bin/bash
-use_fully_qualified_names = False
-ldap_referrals = False
-<% if node['cluster']['directory_service']['additional_sssd_configs'] %>
-  <% node['cluster']['directory_service']['additional_sssd_configs'].each_pair do |param, value| %>
+<%# Domain properties are added in lexicographic order to make the resulting configuration easier to navigate %>
+<% @domain_properties.sort_by { |key| key }.to_h.each_pair do |param, value| %>
 <%= "#{param} = #{value}" %>
-  <% end %>
-<% end %>
-<% if node['cluster']['directory_service']['ldap_access_filter'] != 'NONE' %>
-access_provider = ldap
-ldap_access_filter = <%= node['cluster']['directory_service']['ldap_access_filter'] %>
 <% end %>
 
 [domain/local]
