From 6a8bfb134ff4e594d0c0e8918bdb1e85a2f062eb Mon Sep 17 00:00:00 2001
From: Ben Roberts <ben.roberts@gsacapital.com>
Date: Tue, 12 Jan 2016 13:07:05 +0000
Subject: [PATCH] Allow splunk to run as a non-root user (defaults to root for
 compatibility)

---
 files/RedHat/etc/init.d/splunk | 28 ++++++++++++++++++++++++----
 manifests/init.pp              |  2 ++
 manifests/install.pp           | 17 ++++++++++++++---
 manifests/params.pp            |  8 ++++++++
 manifests/ulimit.pp            | 12 ++++++------
 templates/init_conf.erb        |  2 ++
 6 files changed, 56 insertions(+), 13 deletions(-)
 create mode 100644 templates/init_conf.erb

diff --git a/files/RedHat/etc/init.d/splunk b/files/RedHat/etc/init.d/splunk
index b2d069d..1b5d9b6 100644
--- a/files/RedHat/etc/init.d/splunk
+++ b/files/RedHat/etc/init.d/splunk
@@ -12,27 +12,47 @@ RETVAL=0
 
 . /etc/init.d/functions
 
+test -f /etc/sysconfig/splunk && . /etc/sysconfig/splunk
+
+CMD=${CMD-/opt/splunk/bin/splunk}
+USER="${USER-root}"
+
+CURRENT_USER=`id -nu`
+
+run_splunk() {
+    if [[ $CURRENT_USER == $USER ]]; then
+        $CMD "$@"
+    else
+        if [[ "${CURRENT_USER}" != "root" ]]; then
+            echo "Script must be run from $USER or root. You are '${CURRENT_USER}'"
+            exit 1
+        fi
+
+        su ${USER} --command="$CMD $*"
+    fi
+}
+
 splunk_start() {
   echo Starting Splunk...
-  "/opt/splunk/bin/splunk" start --accept-license --no-prompt --answer-yes
+  run_splunk start --accept-license --no-prompt --answer-yes
   RETVAL=$?
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
 }
 splunk_stop() {
   echo Stopping Splunk...
-  "/opt/splunk/bin/splunk" stop 
+  run_splunk stop 
   RETVAL=$?
   [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/splunk
 }
 splunk_restart() {
   echo Restarting Splunk...
-  "/opt/splunk/bin/splunk" restart --accept-license --no-prompt --answer-yes
+  run_splunk restart --accept-license --no-prompt --answer-yes
   RETVAL=$?
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
 }
 splunk_status() {
   echo Splunk status:
-  "/opt/splunk/bin/splunk" status 
+  run_splunk status 
   RETVAL=$?
 }
 case "$1" in
diff --git a/manifests/init.pp b/manifests/init.pp
index 999ecf4..d497347 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -120,6 +120,8 @@
   $package_provider  = undef,
   $version           = $::splunk::params::version,
   $replace_passwd    = $::splunk::params::replace_passwd,
+  $user              = $::splunk::params::user,
+  $group             = $::splunk::params::group,
 ) inherits splunk::params {
 
 # Added the preseed hack after getting the idea from very cool
diff --git a/manifests/install.pp b/manifests/install.pp
index f08c00a..2bca2e7 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -8,7 +8,10 @@
   $version          = $::splunk::version,
   $package_source   = $::splunk::package_source,
   $package_provider = $::splunk::package_provider,
-  $replace_passwd   = $::splunk::replace_passwd
+  $replace_passwd   = $::splunk::replace_passwd,
+  $user             = $::splunk::user,
+  $group            = $::splunk::group,
+  $init_confdir     = $::splunk::init_confdir,
   ) {
 
   package { $pkgname:
@@ -17,6 +20,14 @@
     source   => $package_source,
   }->
 
+  file { "${init_confdir}/${pkgname}":
+    ensure  => present,
+    mode    => '0700',
+    owner   => 'root',
+    group   => 'root',
+    content => template('splunk/init_conf.erb'),
+  } ->
+
   file { '/etc/init.d/splunk':
     ensure => present,
     mode   => '0700',
@@ -54,8 +65,8 @@
     ensure  => present,
     replace => $replace_passwd,
     mode    => '0600',
-    owner   => 'root',
-    group   => 'root',
+    owner   => $user,
+    group   => $group,
     backup  => true,
     content => template('splunk/opt/splunk/etc/passwd.erb'),
   } ->
diff --git a/manifests/params.pp b/manifests/params.pp
index 42c6934..b15552b 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -14,6 +14,14 @@
   $purge             = undef
   $version           = 'installed'
   $replace_passwd    = 'no'
+  $user              = 'root'
+  $group             = 'root'
+
+  if $::osfamily == 'RedHat' {
+    $init_confdir = '/etc/sysconfig'
+  } else {
+    $init_confdir = '/etc/default'
+  }
 
   if $::mode == maintenance {
     $service_ensure = 'stopped'
diff --git a/manifests/ulimit.pp b/manifests/ulimit.pp
index c6a234f..bf8abcd 100644
--- a/manifests/ulimit.pp
+++ b/manifests/ulimit.pp
@@ -19,15 +19,15 @@
 #    value => '16384',
 #  }
 #
-define splunk::ulimit ( $value = '40960' ) {
+define splunk::ulimit ( $user = 'root', $value = '40960' ) {
   augeas { "set splunk ${name} ulimit":
     context => '/files/etc/security/limits.conf/',
     changes => [
-      "set \"domain[last()]\" root",
-      "set \"domain[.='root']/type\" -",
-      "set \"domain[.='root']/item\" ${name}",
-      "set \"domain[.='root']/value\" ${value}",
+      "set \"domain[last()]\" ${user}",
+      "set \"domain[.='${user}']/type\" -",
+      "set \"domain[.='${user}']/item\" ${name}",
+      "set \"domain[.='${user}']/value\" ${value}",
       ],
-    onlyif  => "match domain[.='root'][type='-'][item='${name}'][value='${value}'] size == 0",
+    onlyif  => "match domain[.='${user}'][type='-'][item='${name}'][value='${value}'] size == 0",
   }
 }
diff --git a/templates/init_conf.erb b/templates/init_conf.erb
new file mode 100644
index 0000000..b845932
--- /dev/null
+++ b/templates/init_conf.erb
@@ -0,0 +1,2 @@
+USER="<%= @user %>"
+