Ori.livneh has uploaded a new change for review.
https://gerrit.wikimedia.org/r/173364
Change subject: mediawiki: move beta::mwdeploy_sudo to mediawiki::users
......................................................................
mediawiki: move beta::mwdeploy_sudo to mediawiki::users
Currently, when deployers run scap, scap SSHs them into each application
server and runs commands as mwdeploy and as apache by running 'sudo -u
mwdeploy ..', 'sudo -u apache ..', etc. This is possible because users in the
wikidev group are allowed to sudo to mwdeploy and apache. We're changing scap
to make it SSH into each host as mwdeploy, using the shared keyholder key. To
make the migration smooth, we need to continue to allow scap to run commands on
application servers by running 'sudo -u mwdeploy' (or '-u apache'). At the
moment, however, mwdeploy is not allowed to sudo as itself.
Bryan has already done this for beta, so it's simply a matter of moving the
code to mediawiki::users rather than the beta-specific beta::mwdeploy_sudo.
This scheme conforms to the security hierarchy:
https://wikitech.wikimedia.org/wiki/UID
Change-Id: I50a5aa3ffa102556f2efcd5ad3c2b7a046511722
---
M modules/beta/manifests/autoupdater.pp
D modules/beta/manifests/mwdeploy_sudo.pp
M modules/beta/manifests/scap/target.pp
M modules/mediawiki/manifests/users.pp
4 files changed, 11 insertions(+), 18 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/64/173364/1
diff --git a/modules/beta/manifests/autoupdater.pp
b/modules/beta/manifests/autoupdater.pp
index d31074b..3205801 100644
--- a/modules/beta/manifests/autoupdater.pp
+++ b/modules/beta/manifests/autoupdater.pp
@@ -6,7 +6,6 @@
class beta::autoupdater {
include ::beta::config
require misc::deployment::common_scripts
- include ::beta::mwdeploy_sudo
$stage_dir = $::beta::config::scap_stage_dir
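Review bot: dropping `include ::beta::mwdeploy_sudo` here is not paired with an `include ::mediawiki::users`, and the remaining includes in this hunk (`::beta::config`, `misc::deployment::common_scripts`) do not obviously carry it. Unless the autoupdater host already applies mediawiki::users through another path, the mwdeploy sudo rules disappear from it after this change and the `sudo -u mwdeploy` / `sudo -u apache` calls the commit message depends on will start failing; either add the include or state in the commit message where the class is pulled in.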
diff --git a/modules/beta/manifests/mwdeploy_sudo.pp
b/modules/beta/manifests/mwdeploy_sudo.pp
deleted file mode 100644
index 9c4c4c6..0000000
--- a/modules/beta/manifests/mwdeploy_sudo.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-# == Class: beta::mwdeploy_sudo
-#
-# Manage sudo rights for the mwdeploy user.
-#
-class beta::mwdeploy_sudo {
- # Grant mwdeploy sudo rights to run anything as itself, apache or
- # l10nupdate and to (re)start the hhvm fcgi service. This is a subset of
- # the rights granted to the wikidev group by the mediawiki::users class.
- sudo::user { 'mwdeploy' :
- privileges => [
- 'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL',
- 'ALL = (root) NOPASSWD: /sbin/restart hhvm',
- 'ALL = (root) NOPASSWD: /sbin/start hhvm',
- ]
- }
-}
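Review bot: the class is removed outright with no stub left behind, so any other manifest that still does `include ::beta::mwdeploy_sudo` will fail catalog compilation once this merges. The two includes deleted in this change are the only callers visible here; a grep of the repository for the class name should accompany the change to confirm there are no others.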
diff --git a/modules/beta/manifests/scap/target.pp
b/modules/beta/manifests/scap/target.pp
index 4958a4f..541c56f 100644
--- a/modules/beta/manifests/scap/target.pp
+++ b/modules/beta/manifests/scap/target.pp
@@ -5,7 +5,6 @@
class beta::scap::target {
include ::beta::config
include ::mediawiki::scap
- include ::beta::mwdeploy_sudo
# Install authorized_keys for mwdeploy user
file { '/etc/ssh/userkeys/mwdeploy':
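Review bot: same gap as in autoupdater.pp: the removed include is not replaced, and whether `include ::mediawiki::scap` on the line above transitively includes mediawiki::users is not shown in this hunk. If it does not, the authorized_keys installed just below will let scap SSH in as mwdeploy on beta targets while the follow-on `sudo -u apache` step has lost its sudoers entry. Add `include ::mediawiki::users` here, or note the dependency chain in the commit message.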
diff --git a/modules/mediawiki/manifests/users.pp
b/modules/mediawiki/manifests/users.pp
index 5f00aef..db1f493 100644
--- a/modules/mediawiki/manifests/users.pp
+++ b/modules/mediawiki/manifests/users.pp
@@ -106,6 +106,17 @@
],
}
+ # Grant mwdeploy sudo rights to run anything as itself or apache.
+ # This allows MediaWiki deployers to deploy as mwdeploy.
+
+ sudo::user { 'mwdeploy':
+ privileges => [
+ 'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL',
+ 'ALL = (root) NOPASSWD: /sbin/restart hhvm',
+ 'ALL = (root) NOPASSWD: /sbin/start hhvm',
+ ]
+ }
+
sudo::user { 'l10nupdate':
require => User['l10nupdate', 'mwdeploy'],
privileges => ['ALL = (mwdeploy) NOPASSWD: ALL'],
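Review bot: the new comment ("run anything as itself or apache") understates the grant: the privileges list also allows `(l10nupdate) NOPASSWD: ALL` and root-level `/sbin/restart hhvm` and `/sbin/start hhvm`, exactly as the deleted beta class's comment spelled out. Since this now applies to production and the commit message says mwdeploy will be reachable via the shared keyholder key, the comment should say so explicitly so that the root-level hhvm restart reachable from that key is visible to readers of this file. Also add a `require => User[...]` on the new `sudo::user { 'mwdeploy': ... }` covering the mwdeploy, apache and l10nupdate accounts declared in this manifest, matching the `require => User['l10nupdate', 'mwdeploy']` on the l10nupdate resource directly below, so the sudoers fragment is not written before the accounts it names exist.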
--
To view, visit https://gerrit.wikimedia.org/r/173364
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I50a5aa3ffa102556f2efcd5ad3c2b7a046511722
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits