[Bugfix] [zos_fetch] Fix permission issue when using become and become_user (#2079)

rexemin · web-flow · commit afa69cd4f567 · 2025-05-27T09:48:20.000-06:00
* Use become_user in _transfer_remote_content

* Fix become validation

* Fix cleanup when escalating privileges

* Add changelog fragment

* Update 2079-become-use-zos_fetch.yml
diff --git a/changelogs/fragments/2079-become-use-zos_fetch.yml b/changelogs/fragments/2079-become-use-zos_fetch.yml
@@ -0,0 +1,5 @@
+bugfixes:
+  - zos_fetch - Previously, the use of `become` would result in a permissions error
+    while trying to fetch a data set or a member. Fix now allows a user to escalate
+    privileges when fetching resources.
+    (https://github.com/ansible-collections/ibm_zos_core/pull/2079)
diff --git a/plugins/action/zos_fetch.py b/plugins/action/zos_fetch.py
@@ -363,6 +363,7 @@ def _transfer_remote_content(
         sftp_transfer_method = "sftp"
         user_ssh_transfer_method = None
         is_ssh_transfer_method_updated = False
+        was_user_updated = False
 
         try:
             if version_major == 2 and version_minor >= 11:
@@ -383,7 +384,16 @@ def _transfer_remote_content(
                 display.vvv(u"ibm_zos_fetch SSH transfer method updated from {0} to {1}.".format(user_ssh_transfer_method,
                             sftp_transfer_method), host=self._play_context.remote_addr)
 
+            if self._connection.become:
+                was_user_updated = True
+                self._connection.set_option('remote_user', self._play_context._become_user)
+                display.vvv(
+                    u"ibm_zos_fetch SSH transfer user updated to {0}".format(self._play_context._become_user),
+                    host=self._play_context.remote_addr
+                )
+
             display.vvv(u"{0} {1} TO {2}".format(_sftp_action, remote_path, dest), host=self._play_context.remote_addr)
+            display.vvv(u"{0}, {1}".format(vars(self._connection), vars(self._play_context)))
             (returncode, stdout, stderr) = self._connection._file_transport_command(remote_path, dest, _sftp_action)
 
             display.vvv(u"ibm_zos_fetch return code: {0}".format(returncode), host=self._play_context.remote_addr)
@@ -424,6 +434,13 @@ def _transfer_remote_content(
                 result["failed"] = True
 
         finally:
+            if was_user_updated:
+                self._connection.set_option('remote_user', self._play_context._remote_user)
+                display.vvv(
+                    u"ibm_zos_fetch SSH transfer user restored to {0}".format(self._play_context._remote_user),
+                    host=self._play_context.remote_addr
+                )
+
             # Restore the users defined option `ssh_transfer_method` if it was overridden
 
             if is_ssh_transfer_method_updated:
@@ -446,4 +463,21 @@ def _remote_cleanup(self, remote_path, src_type, encoding):
             rm_cmd = "rm -r {0}".format(remote_path)
             if src_type != "PO" and src_type != "GDG":
                 rm_cmd = rm_cmd.replace(" -r", "")
+
+            # If another user created the temporary files, we'll need to run rm
+            # with it too, lest we get a permissions issue.
+            if self._connection.become:
+                self._connection.set_option('remote_user', self._play_context._become_user)
+                display.vvv(
+                    u"ibm_zos_fetch SSH cleanup user updated to {0}".format(self._play_context._become_user),
+                    host=self._play_context.remote_addr
+                )
+
             self._connection.exec_command(rm_cmd)
+
+            if self._connection.become:
+                self._connection.set_option('remote_user', self._play_context._remote_user)
+                display.vvv(
+                    u"ibm_zos_fetch SSH cleanup user restored to {0}".format(self._play_context._remote_user),
+                    host=self._play_context.remote_addr
+                )
