coren has submitted this change and it was merged.
Change subject: Add a new security module with ::pam and ::access
......................................................................
Add a new security module with ::pam and ::access
This helps clean up security configuration mostly in labs right
now, but provides general-use classes and defines to customize
PAM configuration cleanly (including access.conf handling)
Bug: T120106
Change-Id: Id0183e2bc677c6d4893aeb2956c3e3650b174da6
---
M modules/beta/manifests/deployaccess.pp
D modules/beta/templates/pam-access.conf.erb
M modules/ldap/files/wikimedia-labs-pam
M modules/ldap/manifests/client/includes.pp
M modules/ldap/manifests/client/pam.pp
M modules/ldap/manifests/role/client.pp
D modules/ldap/templates/access.conf.erb
A modules/security/files/local-pam-access
A modules/security/manifests/access.pp
A modules/security/manifests/access/config.pp
A modules/security/manifests/pam.pp
A modules/security/manifests/pam/config.pp
M modules/toollabs/files/project-make-access
M modules/toollabs/manifests/hba.pp
M modules/toollabs/manifests/infrastructure.pp
15 files changed, 202 insertions(+), 59 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, but someone else must approve
coren: Looks good to me, approved
Faidon Liambotis: Looks good to me, but someone else must approve
jenkins-bot: Verified
diff --git a/modules/beta/manifests/deployaccess.pp
b/modules/beta/manifests/deployaccess.pp
index 51de78f..331c601 100644
--- a/modules/beta/manifests/deployaccess.pp
+++ b/modules/beta/manifests/deployaccess.pp
@@ -1,18 +1,10 @@
class beta::deployaccess(
$bastion_ip = '10.68.16.58', # ip of deployment-bastion
) {
- # Hack to replace /etc/security/access.conf (which is managed by the
- # ldap::client class) with a modified version that includes an access
- # grant for the mwdeploy user to authenticate from deployment-bastion.
- file { '/etc/security/access.conf~':
- owner => 'root',
- group => 'root',
- mode => '0444',
- content => template('beta/pam-access.conf.erb'),
+
+ security::access::config { 'beta-allow-mwdeploy':
+ content => "+ : deploy-service mwdeploy : ${bastion_ip}\n",
+ priority => 50,
}
- File <| title == '/etc/security/access.conf' |> {
- content => undef,
- source => '/etc/security/access.conf~',
- require => File['/etc/security/access.conf~'],
- }
+
}
diff --git a/modules/beta/templates/pam-access.conf.erb
b/modules/beta/templates/pam-access.conf.erb
deleted file mode 100644
index fa77641..0000000
--- a/modules/beta/templates/pam-access.conf.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file is managed by puppet! (beta/templates/pam-access.conf.erb)
-# Disallow access to all forms of login to all
-# users except for members of the nova project
-# that this instance is a member of:
-
-+ : deploy-service mwdeploy : <%= @bastion_ip %>
--:ALL EXCEPT (project-deployment-prep) root:ALL
diff --git a/modules/ldap/files/wikimedia-labs-pam
b/modules/ldap/files/wikimedia-labs-pam
index e34e611..589dede 100644
--- a/modules/ldap/files/wikimedia-labs-pam
+++ b/modules/ldap/files/wikimedia-labs-pam
@@ -4,6 +4,3 @@
Session-Type: Additional
Session:
[success=ok new_authtok_reqd=ok default=ignore] pam_mkhomedir.so umask=0077
-Account-Type: Primary
-Account:
- [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_access.so
diff --git a/modules/ldap/manifests/client/includes.pp
b/modules/ldap/manifests/client/includes.pp
index f7b4f38..575b367 100644
--- a/modules/ldap/manifests/client/includes.pp
+++ b/modules/ldap/manifests/client/includes.pp
@@ -37,12 +37,4 @@
}
}
- if 'access' in $ldapincludes {
- file { '/etc/security/access.conf':
- owner => 'root',
- group => 'root',
- mode => '0444',
- content => template('ldap/access.conf.erb'),
- }
- }
}
diff --git a/modules/ldap/manifests/client/pam.pp
b/modules/ldap/manifests/client/pam.pp
index 8b1bdb9..3722647 100644
--- a/modules/ldap/manifests/client/pam.pp
+++ b/modules/ldap/manifests/client/pam.pp
@@ -4,19 +4,8 @@
ensure => present,
}
- exec { 'pam-auth-update':
- command => '/usr/sbin/pam-auth-update --package',
- refreshonly => true,
- require => Package['libpam-ldapd'],
- }
-
- file { '/usr/share/pam-configs/wikimedia-labs-pam':
- ensure => present,
+ security::pam::config { 'wikimedia-labs-pam':
source => 'puppet:///modules/ldap/wikimedia-labs-pam',
- notify => Exec['pam-auth-update'],
- owner => 'root',
- group => 'root',
- mode => '0444',
}
file { '/usr/local/sbin/cleanup-pam-config':
diff --git a/modules/ldap/manifests/role/client.pp
b/modules/ldap/manifests/role/client.pp
index 4f6a52c..f3c80d2 100644
--- a/modules/ldap/manifests/role/client.pp
+++ b/modules/ldap/manifests/role/client.pp
@@ -2,7 +2,40 @@
include ldap::role::config::labs
if ( $::realm == 'labs' ) {
- $includes = ['openldap', 'pam', 'nss', 'sudo', 'utils', 'access']
+ $includes = ['openldap', 'pam', 'nss', 'sudo', 'utils']
+
+ # Labs instance default to allowing root and project members
+ # only (members of the project-foo group).
+ #
+ # In addition, there are variables that can be set on wikitech
+ # to alter that:
+ # $restricted_from
+ # limits the specified group or user from loggin in
+ # (used to prevent opsen from logging onto unsecured
+ # bastions, for instance)
+ # $restricted_to
+ # replaces the default group allowed to login
+ # (project members) with an explicitly specified one.
+ #
+ if ( $::restricted_from ) {
+ security::access::config { 'labs-restrict-from':
+ content => "-:${restricted_from}:ALL\n",
+ priority => '98',
+ }
+ }
+
+ if ( $::restricted_to ) {
+ security::access::config { 'labs-restrict-to-group':
+ content => "-:ALL EXCEPT (${::restricted_to}) root:ALL\n",
+ priority => '99',
+ }
+ } else {
+ security::access::config { 'labs-restrict-to-project':
+ content => "-:ALL EXCEPT (${::projectgroup}) root:ALL\n",
+ priority => '99',
+ }
+ }
+
} else {
$includes = $ldapincludes
}
diff --git a/modules/ldap/templates/access.conf.erb
b/modules/ldap/templates/access.conf.erb
deleted file mode 100644
index 583816e..0000000
--- a/modules/ldap/templates/access.conf.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-# Disallow access to all forms of login to all
-# users except for members of the nova project
-# that this instance is a member of:
-<% if has_variable?("restricted_from") %>-:<%= restricted_from %>:ALL<% end %>
-<% if has_variable?("restricted_to") %>-:ALL EXCEPT <%= restricted_to %>
root:ALL
-<% else %>-:ALL EXCEPT (<%= projectgroup %>) root:ALL<% end %>
diff --git a/modules/security/files/local-pam-access
b/modules/security/files/local-pam-access
new file mode 100644
index 0000000..63dfbfa
--- /dev/null
+++ b/modules/security/files/local-pam-access
@@ -0,0 +1,6 @@
+Name: Use access.conf control
+Default: yes
+Priority: 200
+Account-Type: Primary
+Account:
+ [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_access.so
diff --git a/modules/security/manifests/access.pp
b/modules/security/manifests/access.pp
new file mode 100644
index 0000000..b5b3d99
--- /dev/null
+++ b/modules/security/manifests/access.pp
@@ -0,0 +1,31 @@
+# == security::access ==
+#
+# This class is included implicitly by security::access::config resources
+# to create the access.conf.d directory and add access.conf checking to
+# the system PAM configuration.
+#
+
+class security::access {
+
+ file { '/etc/security/access.conf.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ notify => Exec['merge-access-conf'],
+ }
+
+ exec { 'merge-access-conf':
+ refreshonly => true,
+ cwd => '/etc/security',
+ command => '/bin/cat access.conf.d/* >access.conf~ && mv
access.conf~ access.conf',
+ }
+
+ security::pam::config { 'local-pam-access':
+ source => 'puppet:///modules/security/local-pam-access',
+ }
+
+}
+
diff --git a/modules/security/manifests/access/config.pp
b/modules/security/manifests/access/config.pp
new file mode 100644
index 0000000..4bc3106
--- /dev/null
+++ b/modules/security/manifests/access/config.pp
@@ -0,0 +1,58 @@
+# == security::access::config ==
+#
+# Allows defining an access.conf stanza to limit logins into the server to
+# specified sets of groups or users. See access.conf(5) for syntax
+#
+# The actual /etc/security/access.conf file is constructed from fragments
+# created by those resources and collected in /etc/security/access.conf.d
+# ordered by (numeric) priority.
+#
+# Having a security::access::config resource in the manifest implicitly
+# pulls in the security::access class that creates the access.conf.d
+# directory and adds access.conf checking to the system PAM configuration.
+#
+# === Parameters ===
+#
+# [*content*]
+# The content of the access.conf fragment. Either this or [*source*]
+# must be specified.
+#
+# [*source*]
+# The source of the access.conf fragment. Either this or [*content*]
+# must be specified.
+#
+# [*priority*]
+# The priority at which the fragment will be concatenated with any
+# other specified ones, with lower priorities coming first in the
+# resulting access.conf file. Note that access.conf is evaluated in
+# order, with the first matching entry being used.
+#
+# === Example ===
+#
+# This resource limits logging into the server only to the "ops" group
+# and the root user:
+#
+# security::access::config { 'ospen-only':
+# content => "- : ALL EXCEPT (ops) root : ALL\n",
+# }
+
+define security::access::config(
+ $content = undef,
+ $source = undef,
+ $priority = 50,
+)
+{
+ include security::access
+
+ file { "/etc/security/access.conf.d/${priority}-${name}":
+ ensure => present,
+ source => $source,
+ content => $content,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File['/etc/security/access.conf.d'],
+ notify => Exec['merge-access-conf'],
+ }
+}
+
diff --git a/modules/security/manifests/pam.pp
b/modules/security/manifests/pam.pp
new file mode 100644
index 0000000..49a2408
--- /dev/null
+++ b/modules/security/manifests/pam.pp
@@ -0,0 +1,13 @@
+# == security::pam ==
+#
+# This class is pulled in implicitly by the security::pam::config
+# resources to allow PAM reconfiguration when we install local
+# configs.
+
+class security::pam {
+ exec { 'pam-auth-update':
+ command => '/usr/sbin/pam-auth-update --package',
+ refreshonly => true,
+ }
+}
+
diff --git a/modules/security/manifests/pam/config.pp
b/modules/security/manifests/pam/config.pp
new file mode 100644
index 0000000..7b9a630
--- /dev/null
+++ b/modules/security/manifests/pam/config.pp
@@ -0,0 +1,48 @@
+# == security::pam::config ==
+#
+# Allows adding a PAM configuration file to the system configuration.
+# viz.: https://wiki.ubuntu.com/PAMConfigFrameworkSpec for syntax.
+#
+# The configuration files are //not// in a recursively managed puppet
+# directory because system debian packages also add files there; to
+# remove one you need to explicitly set it to ensure => absent
+#
+# Having a security::pam::config resource in the manifest implicitly
+# pulls in the security::pam class.
+#
+# === Parameters ===
+#
+# [*ensure*]
+# Is the usual metaparameter, defaults to present. Valid values are 'present'
+# and 'absent'.
+#
+# [*content*]
+# The content of the PAM configuration file. Either this or [*source*]
+# must be specified.
+#
+# [*source*]
+# The source of the PAM configuration file. Either this or [*content*]
+# must be specified.
+#
+
+define security::pam::config(
+ $ensure = present,
+ $source = undef,
+ $content = undef,
+)
+{
+ include security::pam
+
+ validate_ensure($ensure)
+
+ file { "/usr/share/pam-configs/${name}":
+ ensure => $ensure,
+ source => $source,
+ content => $content,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => Exec['pam-auth-update'],
+ }
+}
+
diff --git a/modules/toollabs/files/project-make-access
b/modules/toollabs/files/project-make-access
index df1951a..c93e272 100644
--- a/modules/toollabs/files/project-make-access
+++ b/modules/toollabs/files/project-make-access
@@ -10,4 +10,3 @@
cat $host
fi
done)
-echo "-:ALL EXCEPT ($(cat /etc/wmflabs-project).admin) root:ALL"
diff --git a/modules/toollabs/manifests/hba.pp
b/modules/toollabs/manifests/hba.pp
index b85211d..99eb0e7 100644
--- a/modules/toollabs/manifests/hba.pp
+++ b/modules/toollabs/manifests/hba.pp
@@ -44,14 +44,13 @@
}
exec { 'make-access':
- command => '/usr/local/sbin/project-make-access
>/etc/security/access.conf~',
+ command => '/usr/local/sbin/project-make-access >/etc/project.access',
require => File['/usr/local/sbin/project-make-access'],
- onlyif => "/usr/bin/test -n \"\$(/usr/bin/find
/data/project/.system/store -maxdepth 1 \\( -type d -or -type f -name
submithost-\\* \\) -newer /etc/security/access.conf~)\" -o ! -s
/etc/security/access.conf~",
+ onlyif => "/usr/bin/test -n \"\$(/usr/bin/find
/data/project/.system/store -maxdepth 1 \\( -type d -or -type f -name
submithost-\\* \\) -newer /etc/project.access)\" -o ! -s /etc/project.access",
}
- File <| title == '/etc/security/access.conf' |> {
- content => undef,
- source => '/etc/security/access.conf~',
+ security::access::config { 'toollabs-hba':
+ source => '/etc/project.access',
require => Exec['make-access'],
}
diff --git a/modules/toollabs/manifests/infrastructure.pp
b/modules/toollabs/manifests/infrastructure.pp
index b418c74..b408db5 100644
--- a/modules/toollabs/manifests/infrastructure.pp
+++ b/modules/toollabs/manifests/infrastructure.pp
@@ -21,9 +21,8 @@
# Infrastructure instances are limited to an (arbitrarily picked) local
# service group and root.
-
- File <| title == '/etc/security/access.conf' |> {
- source => undef,
+ security::access::config { 'labs-admin-only':
content => "-:ALL EXCEPT (${::labsproject}.admin) root:ALL\n",
}
+
}
--
To view, visit https://gerrit.wikimedia.org/r/256693
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Id0183e2bc677c6d4893aeb2956c3e3650b174da6
Gerrit-PatchSet: 12
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Chasemp <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
