coren has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/256693

Change subject: Add a new security module with ::pam and ::access
......................................................................

Add a new security module with ::pam and ::access

This mostly helps clean up security configuration in labs right
now, but it also provides general-use classes and defines to customize
PAM configuration cleanly (including access.conf handling).

This changeset does not replace current instances of manual
handling of access.conf in the manifests, only creates the
infrastructure to do so.

Bug: T120106
Change-Id: Id0183e2bc677c6d4893aeb2956c3e3650b174da6
---
M modules/ldap/files/wikimedia-labs-pam
M modules/ldap/manifests/client/pam.pp
A modules/security/files/wikimedia-pam-access
A modules/security/manifests/access.pp
A modules/security/manifests/pam.pp
5 files changed, 87 insertions(+), 14 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/93/256693/1

diff --git a/modules/ldap/files/wikimedia-labs-pam 
b/modules/ldap/files/wikimedia-labs-pam
index e34e611..589dede 100644
--- a/modules/ldap/files/wikimedia-labs-pam
+++ b/modules/ldap/files/wikimedia-labs-pam
@@ -4,6 +4,3 @@
 Session-Type: Additional
 Session:
     [success=ok new_authtok_reqd=ok default=ignore] pam_mkhomedir.so umask=0077
-Account-Type: Primary
-Account:
-    [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_access.so
diff --git a/modules/ldap/manifests/client/pam.pp 
b/modules/ldap/manifests/client/pam.pp
index 8b1bdb9..81013ef 100644
--- a/modules/ldap/manifests/client/pam.pp
+++ b/modules/ldap/manifests/client/pam.pp
@@ -4,19 +4,17 @@
         ensure => present,
     }
 
-    exec { 'pam-auth-update':
-        command     => '/usr/sbin/pam-auth-update --package',
-        refreshonly => true,
-        require     => Package['libpam-ldapd'],
+    security::pam::config {
+        source => 'puppet:///modules/ldap/wikimedia-labs-pam',
     }
 
-    file { '/usr/share/pam-configs/wikimedia-labs-pam':
-        ensure => present,
-        source => 'puppet:///modules/ldap/wikimedia-labs-pam',
-        notify => Exec['pam-auth-update'],
-        owner  => 'root',
-        group  => 'root',
-        mode   => '0444',
+    #
+    # FIXME: This is needed transitionally until the
+    # access.conf handling is changed to the security::access
+    # scheme.
+    #
+    security::pam::config {
+        source => 'puppet:///modules/security/wikimedia-pam-access',
     }
 
     file { '/usr/local/sbin/cleanup-pam-config':
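Review bot: Both `security::pam::config` declarations in this hunk have no resource title, so the manifest will not parse, and since the define builds the file path from `$name`, the title has to be the profile's file name: `security::pam::config { 'wikimedia-labs-pam':` and `security::pam::config { 'wikimedia-pam-access':`. The same untitled declaration appears in security::access::conf (access.pp hunk), and once titled it is identical to the transitional one here, so any node whose catalog contains both this class and security::access::conf will fail on a duplicate declaration; wrapping the FIXME block in `if !defined(Security::Pam::Config['wikimedia-pam-access'])`, or moving the transitional declaration into the security module, would avoid that. The enclosing class (presumably ldap::client::pam) starts before this hunk.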
diff --git a/modules/security/files/wikimedia-pam-access 
b/modules/security/files/wikimedia-pam-access
new file mode 100644
index 0000000..63dfbfa
--- /dev/null
+++ b/modules/security/files/wikimedia-pam-access
@@ -0,0 +1,6 @@
+Name: Use access.conf control
+Default: yes
+Priority: 200
+Account-Type: Primary
+Account:
+    [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_access.so
diff --git a/modules/security/manifests/access.pp 
b/modules/security/manifests/access.pp
new file mode 100644
index 0000000..881605e
--- /dev/null
+++ b/modules/security/manifests/access.pp
@@ -0,0 +1,44 @@
+
+define security::access(
+    $contents = undef,
+    $source = undef,
+    $priority = 50,
+)
+{
+    include security::access::conf
+
+    file { "/etc/security/access.conf.d/${priority}-${name}":
+        ensure   => present,
+        source   => $source,
+        contents => $contents,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0444',
+        require  => File['/etc/security/access.conf.d'],
+    }
+}
+
+
+class security::access::conf
+{
+    file { '/etc/security/access.conf.d':
+        ensure  => directory,
+        recurse => true,
+        purge   => true,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0555',
+        notify  => Exec['merge-access-conf'],
+    }
+
+    exec { 'merge-access-conf':
+        refreshonly => true,
+        cwd         => '/etc/security',
+        command     => '/bin/cat access.conf.d/* >access.conf~ && mv 
access.conf~ access.conf',
+    }
+
+    security::pam::config {
+        source => 'puppet:///modules/security/wikimedia-pam-access',
+    }
+}
+
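Review bot: `contents` is not a parameter of the file type (the parameter is `content`), so every security::access instance will fail catalog compilation; the same parameter is used in security::pam::config in the pam.pp hunk and should read `content  => $contents,` in both. The fragment file in the define also has no relationship to the merge exec, which is only notified by the directory resource, so a changed or newly added fragment does not rebuild access.conf and nothing orders the first merge after the fragments are written — add `notify   => Exec['merge-access-conf'],` to the fragment file, since pam_access enforces whatever the merged file last contained. Finally, the `merge-access-conf` command relies on `>` redirection and `&&`, which the default exec provider does not interpret, so it needs `provider => 'shell',` (or an explicit `/bin/sh -c` wrapper) to work at all.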
diff --git a/modules/security/manifests/pam.pp 
b/modules/security/manifests/pam.pp
new file mode 100644
index 0000000..8c03ad8
--- /dev/null
+++ b/modules/security/manifests/pam.pp
@@ -0,0 +1,28 @@
+
+
+define security::pam::config(
+    $source = undef,
+    $contents = undef,
+)
+{
+    include security::pam::configs
+
+    file { "/usr/share/pam-configs/$name":
+        ensure   => present,
+        source   => $source,
+        contents => $contents,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0444',
+        notify   => Exec['pam-auth-update'],
+    }
+}
+
+class security::pam::configs
+{
+    exec { 'pam-auth-update':
+        command     => '/usr/sbin/pam-auth-update --package',
+        refreshonly => true,
+    }
+}
+
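Review bot: Neither `security::pam::config` nor `security::pam::configs` carries a doc comment, although they are the public interface of the new module; a header above the define should state that `$name` becomes the profile file name under /usr/share/pam-configs, that exactly one of `$source` or `$contents` is expected, and that every instance triggers `pam-auth-update --package` via the shared exec. As written, an instance that passes neither parameter still gets `ensure => present` and so installs an empty profile; a short `if $source == undef and $contents == undef { fail(...) }` guard would make that an error instead of something pam-auth-update has to cope with. The path interpolation would read better as `"/usr/share/pam-configs/${name}"`, matching the braced form used in access.pp. The `require => Package['libpam-ldapd']` that the old exec had in the ldap module is dropped here; pam-auth-update is shipped by libpam-runtime, so if that package is managed elsewhere the shared exec presumably needs an ordering on it.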


Gerrit-MessageType: newchange
Gerrit-Change-Id: Id0183e2bc677c6d4893aeb2956c3e3650b174da6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <[email protected]>
