AWS Elastic Beanstalk - User Permission Problems


Question

I am trying to configure our Node.js application to be deployed with Amazon Elastic Beanstalk.

Actually I did a few configuration files inside .ebextensions to enable Websockets, doing yum installs for several modules and to install some custom software we need.

So far the App deployment works and all configured software is installed by Beanstalk.

The problem I have is that the nodejs user, which runs the node application, doesn't have permission to execute the commandline tools installed by our beanstalk custom config.

To be more specific:


  1. The app supports user file uploads and the uploaded files are saved to some temp folder on the instance (that works like it should).

Then the app does a commandline execution to convert the uploaded file into a custom file format, which executes something like /home/ec2-user/converter/bin convert filename output filename.

At this point I get this error: { [Error: spawn EACCES] code: 'EACCES', errno: 'EACCES', syscall: 'spawn' }

Overall the app requires several commandline tools for such conversion tasks to run correctly. Actually they all have the same problem. Even tools installed by yum, such as ImageMagick, are not being executed by the app.

Manually, by using the ec2-user account, I am able to execute all these, all files are in place at the right system paths and they work fine. So all installations seem to work right.

I already tried to grant permissions to the user nodejs manually and did chmod the files, but this doesn't seem to take any effect here.

Big question is.. how can I grant the required permissions to the nodejs user or as alternative how to use a defined User to execute node.js?

Recommended answer

I believe that the nodejs user doesn't have privileges to use the shell:

[ec2-user@host ~]$ cat /etc/passwd
....
nodejs:x:497:497::/tmp:/sbin/nologin

According to the documentation, node runs the command in a shell and returns the output.

I also tried:

[ec2-user@host ~]$ pwd
/home/ec2-user
[ec2-user@host ~]$ cat test.js 
#!/opt/elasticbeanstalk/node-install/node-v0.10.31-linux-x64/bin/node
require('child_process').exec('/usr/bin/whoami', function (err, data) {
    console.log(data);
});
[ec2-user@host ~]$ ls -l
total 4
-rwxrwxrwx 1 ec2-user ec2-user 169 Nov  3 21:49 test.js
[ec2-user@host ~]$ sudo -u nodejs /home/ec2-user/test.js 
sudo: unable to execute /home/ec2-user/test.js: Permission denied

I will say that this works, which I'm confused about (maybe someone can chime in to clarify):

$ sudo -u nodejs /usr/bin/whoami
nodejs

HOWEVER, as an outside observer it seems more like Beanstalk isn't a good fit for you. Generally, Beanstalk is a hands-off fully managed abstraction by design and messing around with the file system permissions and user permissions is over-stepping those boundaries.

As an aside, maybe you want to consider moving to OpsWorks instead. From http://aws.amazon.com/opsworks/faqs/:


Q: How is AWS OpsWorks different than AWS Elastic Beanstalk?

AWS OpsWorks and AWS Elastic Beanstalk both focus on operations, but with very different orientations. AWS Elastic Beanstalk seeks to automatically provide key operations activities so that developers can maximize the time they spend on development and minimize the time they spend on operations. In contrast, AWS OpsWorks delivers integrated experiences for IT administrators and ops-minded developers who want a high degree of productivity and control over operations.
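
One check worth running for a `spawn EACCES`, added here as an example that is not part of the original question or answer: executing a file needs search (x) permission on every directory in its path as well as execute permission on the file itself, so the sketch below walks the path for a given uid and reports the first component that blocks it. The nodejs ids 497:497 and the test.js mode come from the output above; the directory modes (including a 0700 home directory) and the ec2-user uid 500 are constructed assumptions, and `firstBlockedComponent` and `sampleStat` are hypothetical names.

```javascript
// Added example: find which path component denies execute/search to a user.
// Limits: checks classic mode bits only (no ACLs, noexec mounts, SELinux, or uid 0 rules).

// Apply the owner, group or other triplet the way the kernel selects it.
function executeBitFor(st, uid, gids) {
  if (st.uid === uid) return (st.mode & 0o100) !== 0;
  if (gids.includes(st.gid)) return (st.mode & 0o010) !== 0;
  return (st.mode & 0o001) !== 0;
}

// Returns the first component the user cannot traverse or execute, or null if none.
// On a real instance omit statFn so the default fs.statSync is used.
function firstBlockedComponent(target, uid, gids,
                               statFn = (p) => require('fs').statSync(p)) {
  const chain = ['/'];
  let current = '';
  for (const part of target.split('/').filter(Boolean)) {
    current += '/' + part;
    chain.push(current);
  }
  for (const p of chain) {
    if (!executeBitFor(statFn(p), uid, gids)) return p;
  }
  return null;
}

// Constructed stat table standing in for the instance's filesystem.
const SAMPLE = {
  '/':                      { mode: 0o40755,  uid: 0,   gid: 0 },
  '/home':                  { mode: 0o40755,  uid: 0,   gid: 0 },
  '/home/ec2-user':         { mode: 0o40700,  uid: 500, gid: 500 }, // assumed 0700
  '/home/ec2-user/test.js': { mode: 0o100777, uid: 500, gid: 500 }, // -rwxrwxrwx
  '/usr':                   { mode: 0o40755,  uid: 0,   gid: 0 },
  '/usr/bin':               { mode: 0o40755,  uid: 0,   gid: 0 },
  '/usr/bin/whoami':        { mode: 0o100755, uid: 0,   gid: 0 },
};
const sampleStat = (p) => SAMPLE[p];

// nodejs (497:497) against the two commands tried in the answer.
console.log(firstBlockedComponent('/home/ec2-user/test.js', 497, [497], sampleStat));
console.log(firstBlockedComponent('/usr/bin/whoami', 497, [497], sampleStat));
```

Under these assumed modes the world-executable script is still unreachable for nodejs because of its parent directory, while `/usr/bin/whoami` is reachable.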
