Rush has submitted this change and it was merged.

Change subject: Add beta-specific access.conf exceptions in scap::target
......................................................................


Add beta-specific access.conf exceptions in scap::target

Explicitly allow scap-managed users to log in to targets from the
deployment host. refs T121721

Bug: T121721
Change-Id: I3a5b08b0a9c31d8984aac503d8e94fdab00a75cf
---
M hieradata/labs/deployment-prep/common.yaml
M modules/beta/manifests/deployaccess.pp
M modules/scap/manifests/target.pp
3 files changed, 15 insertions(+), 6 deletions(-)

Approvals:
  Rush: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/labs/deployment-prep/common.yaml 
b/hieradata/labs/deployment-prep/common.yaml
index 582f22d..e41d43b 100644
--- a/hieradata/labs/deployment-prep/common.yaml
+++ b/hieradata/labs/deployment-prep/common.yaml
@@ -162,6 +162,7 @@
 "role::url_downloader::url_downloader_ip": 10.68.16.135
 "zotero::http_proxy": 
deployment-urldownloader.deployment-prep.eqiad.wmflabs:8080
 "trebuchet::deployment_server": deployment-tin.deployment-prep.eqiad.wmflabs
+"scap::deployment_server": deployment-tin.deployment-prep.eqiad.wmflabs
 "scap::dsh::group_source": 'puppet:///modules/beta/dsh/group'
 "mediawiki::users::mwdeploy_pub_key": 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDFwlmBBBJAr1GI+vuYjFh5vq0YIVa5fqE5DZdpzUZISlQ0Kt+9bIr2qNHIj+Jl5Bc6ZY1mkh8l693tAHVx+8tayoiFWYNs9IVsxR+iHgOOhAdDIBXaHaUattdiye5bQmdvJVXaVegckNX2gbmUCOc09jvZvlk3blKFTSEpZRU8dmpXQzKdZgaAq2VTajAegoFnuN9FbC7hzBPA+1NxFNKn94eIeFPSlo5rWr44OEb5Uy3O0B5c6WPM+IgfiygetP+yGL4cKv7qEjZ0Sxok/Rh1lBh1vP1YQ/Mc6tMV0s+kOv7Wz+P88bfU1/uWvy479OZdfh3NQqDTrLzqHwVW1vef
 root@deployment-salt'
 # NOTE: these elasticsearch settings will need to be overloaded on a per-host
diff --git a/modules/beta/manifests/deployaccess.pp 
b/modules/beta/manifests/deployaccess.pp
index 5bcb949..6e56469 100644
--- a/modules/beta/manifests/deployaccess.pp
+++ b/modules/beta/manifests/deployaccess.pp
@@ -9,10 +9,4 @@
         priority => 50,
     }
 
-    # Allow eventlogging user to deploy.
-    security::access::config { 'beta-allow-eventlogging':
-        content  => "+ : eventlogging : ${bastion_ip}\n",
-        priority => 51,
-    }
-
 }
diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp
index 0b5cfa8..aa7a301 100644
--- a/modules/scap/manifests/target.pp
+++ b/modules/scap/manifests/target.pp
@@ -77,6 +77,20 @@
         User[$deploy_user] -> Scap::Target[$title]
     }
 
+    if $::realm == 'labs' {
+        if !defined(Security::Access::Config["beta-allow-${deploy_user}"]) {
+            # Allow $deploy_user login from scap deployment host.
+            # adds an exception in /etc/security/access.conf
+            # to work around labs-specific restrictions
+            $deployment_host = hiera('scap::deployment_server')
+            $deployment_ip = ipresolve($deployment_host)
+            security::access::config { "beta-allow-${deploy_user}":
+                content  => "+ : ${deploy_user} : ${deployment_ip}\n",
+                priority => 60,
+            }
+        }
+    }
+
     package { $package_name:
         install_options => [{
                   owner => $deploy_user}],
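Review bot: The new `+ : ${deploy_user} : ${deployment_ip}` entry is declared at priority 60, and access.conf is first-match, so it only takes effect if no earlier entry already matches that user; the rule at priority 50 in beta::deployaccess (its content is outside this diff) would shadow it if it is a catch-all deny, and the removed eventlogging exception sat at 51, so the intended ordering is worth confirming before relying on this for login. `ipresolve($deployment_host)` on line 72 resolves at catalog-compile time and stores a single address, so a deployment host that changes or gains an address leaves the exception stale until the next agent run; a comment such as `# NOTE: resolved at compile time; a deployment-host IP change needs a puppet run on every target` would make that visible. The `if !defined(...)` guard on line 67 is parse-order dependent; `ensure_resource('security::access::config', "beta-allow-${deploy_user}", { content => "+ : ${deploy_user} : ${deployment_ip}\n", priority => 60 })` expresses the same de-duplication without it, and the bare `hiera('scap::deployment_server')` inside a define means a missing key aborts compilation for every labs target — probably the desired fail-closed behaviour, but it should be stated in the comment. The enclosing `scap::target` define starts and ends outside the hunk.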

-- 
To view, visit https://gerrit.wikimedia.org/r/286754
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3a5b08b0a9c31d8984aac503d8e94fdab00a75cf
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: 20after4 <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Hashar <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: Thcipriani <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

