apache · zar3bski · Sep 15, 2022 · Sep 16, 2022 · Sep 21, 2022
diff --git a/apisix/runner/server/config.py b/apisix/runner/server/config.py
@@ -27,6 +27,7 @@ def __init__(self):
         init socket config handler
         """
         self.file = "/tmp/runner.sock"
+        self.owner = "nobody"
 
     @property
     def file(self):
@@ -36,6 +37,14 @@ def file(self):
         """
         return self._file
 
+    @property
+    def owner(self):
+        """
+        get config owner for socket
+        :return:
+        """
+        return self._owner
+
     @file.setter
     def file(self, file: str) -> None:
         """
@@ -44,6 +53,15 @@ def file(self, file: str) -> None:
         :return:
         """
         self._file = file.replace("unix:", "")
+
+    @owner.setter
+    def owner(self, owner: str) -> None:
+        """
+        set config owner for socket
+        :param owner:
+        :return:
+        """
+        self._owner = owner
 
 
 class _ConfigLogging:
@@ -128,6 +146,12 @@ def _loading_config(self, config_path: str, config_name: str):
         socket_file = self._get_env_config(socket.get("file"))
         if socket_file:
             self.socket.file = socket_file
+        # owner config
+        socket_owner = self._get_env_config(socket.get("owner"))
+        if socket_owner:
+            self.socket.owner = socket_owner
+        else:
+            self.socket.owner = "nobody"
 
         # logging config
         logger = configs.get("logging", {})

diff --git a/apisix/runner/server/server.py b/apisix/runner/server/server.py
@@ -18,6 +18,7 @@
 import os
 import socket
 
+from pwd import getpwnam
 from threading import Thread as NewThread
 from apisix.runner.server.handle import Handle as NewServerHandle
 from apisix.runner.server.protocol import Protocol as NewServerProtocol
@@ -82,6 +83,8 @@ def __init__(self, config: NewServerConfig):
             os.remove(self.fd)
         self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
         self.sock.bind(self.fd)
+        user = getpwnam(config.socket.owner)
+        os.chown(self.fd, user.pw_uid, user.pw_gid)
         self.sock.listen(1024)
 
         self.logger = NewServerLogger(config.logging.level)

diff --git a/conf/config.yaml b/conf/config.yaml
@@ -17,6 +17,8 @@
 
 socket:
   file: $env.APISIX_LISTEN_ADDRESS # Environment variable or absolute path
+  # owner: somebody # optional Environment variable or user name
+
 
 logging:
   level: warn # error warn info debug
diff --git a/docs/en/latest/getting-started.md b/docs/en/latest/getting-started.md
@@ -22,13 +22,13 @@ title: Getting started
 -->
 
 ## Overview
+
 This document explains how to use Python Runner
 
 ## Prerequisites
 
-* Python 3.7+
-* APISIX 2.7.0+
-
+- Python 3.7+
+- APISIX 2.7.0+
 
 ## Installation
 
@@ -46,12 +46,14 @@ $ make install
 > Development Mode
 
 #### Run APISIX Python Runner
+
 ```bash
 $ cd /path/to/apisix-python-plugin-runner
 $ make dev
 ```
 
 #### Modify APISIX configuration file
+
 ```bash
 $ vim /path/to/apisix/conf/config.yaml
 apisix:
@@ -66,6 +68,7 @@ ext-plugin:
 > Production Mode
 
 #### Modify APISIX configuration file
+
 ```bash
 $ vim /path/to/apisix/conf/config.yaml
 apisix:
@@ -83,19 +86,22 @@ ext-plugin:
 $ vim /path/to/apisix-python-plugin-runner/conf/config.yaml
 socket:
   file: $env.APISIX_LISTEN_ADDRESS # Environment variable or absolute path
+  owner: $env.SOCKET_OWNER # optional Environment variable or user name. Default: 'nobody' (default user for Apisix runners)
 
 logging:
   level: debug # error warn info debug
 ```
 
 ### Start or Restart APISIX
+
 ```bash
 $ cd /path/to/apisix
 # Start or Restart
 $ ./bin/apisix [ start | restart ]
 ```
 
 ### Configure APISIX Routing Rule
+
 ```bash
 $ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
 {
@@ -116,8 +122,8 @@ $ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f
 }'
 ```
 
-
 # Testing
+
 ```bash
 $ curl http://127.0.0.1:9080/get -i
 HTTP/1.1 200 OK

diff --git a/tests/conf/config.yaml b/tests/conf/config.yaml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+socket:
+  file: $env.APISIX_LISTEN_ADDRESS # Environment variable or absolute path
+
+
+logging:
+  level: warn # error warn info debug
diff --git a/tests/conf/config_with_owner.yaml b/tests/conf/config_with_owner.yaml
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+socket:
+  file: $env.APISIX_LISTEN_ADDRESS # Environment variable or absolute path
+  owner: somebody # optional Environment variable or user name
+
+
+logging:
+  level: warn # error warn info debug
diff --git a/tests/runner/server/test_config.py b/tests/runner/server/test_config.py
@@ -38,9 +38,11 @@ def test_config_default():
     config.socket.file = "/test/runner.sock"
     assert config.socket.file == "/test/runner.sock"
 
+    assert config.socket.owner == "nobody"
+
 
 def test_config_custom():
-    config = NewServerConfig("%s" % os.path.abspath(os.path.join(os.getcwd())), "config.yaml")
+    config = NewServerConfig("%s" % os.path.abspath(os.path.join(os.getcwd(), "tests")), "config_with_owner.yaml")
 
     config.logging.level = "NOTSET"
     assert config.logging.level == logging.NOTSET
@@ -56,3 +58,5 @@ def test_config_custom():
 
     config.socket.file = "/test/runner.sock"
     assert config.socket.file == "/test/runner.sock"
+
+    assert config.socket.owner == "somebody"
diff --git a/tests/runner/server/test_server.py b/tests/runner/server/test_server.py
@@ -15,17 +15,22 @@
 # limitations under the License.
 #
 
+import os
+from pwd import struct_passwd
 import socket
 import logging
+from unittest.mock import patch
 from apisix.runner.server.server import Server as RunnerServer
 from apisix.runner.server.server import RPCRequest as RunnerRPCRequest
 from apisix.runner.server.logger import Logger as RunnerServerLogger
 from apisix.runner.server.config import Config as RunnerConfig
 
-
-def test_server(capsys):
-    config = RunnerConfig()
+@patch('pwd.getpwnam', return_value=struct_passwd({"pw_name":"nobody", "pw_passwd":"x", "pw_uid":65534, "pw_gid":65534, "pw_gecos":"nobody", "pw_dir":"/", "pw_shell":"/sbin/nologin"}))
+@patch('os.chown')
+def test_server(mock_chown,mock_getpwnam,capsys):
+    config = RunnerConfig("%s" % os.path.abspath(os.path.join(os.getcwd(),"tests")), "config.yaml")
     server = RunnerServer(config)
+    mock_chown.assert_called_with("/tmp/runner.sock",65534,65534)
     del server
     captured = capsys.readouterr()
     assert captured.out.find("listening on unix") != -1