Yuvipanda has submitted this change and it was merged.

Change subject: tools: Add a wrapper script to enforce clush access
......................................................................


tools: Add a wrapper script to enforce clush access

Make sure we log accesses to a log file, and that people are
running it as their own users rather than as root interactively.

Note that this isn't foolproof - but you can't really make it foolproof against
people with root!

Change-Id: I57156bb99dbc4a7e42c05efe06156ff001c1216b
---
A modules/role/files/toollabs/clush/clush
M modules/role/manifests/toollabs/clush/master.pp
2 files changed, 38 insertions(+), 1 deletion(-)

Approvals:
  Yuvipanda: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/role/files/toollabs/clush/clush 
b/modules/role/files/toollabs/clush/clush
new file mode 100644
index 0000000..8ef0000
--- /dev/null
+++ b/modules/role/files/toollabs/clush/clush
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Wrapper script around clush to add some additional features
+#  - Make sure it is *not* being called by someone as root.
+#    We do not want people to be using it directly interactively as
+#    root, for auditing purposes.
+#  - Log the command run and the user running it. This is for auditing
+#    purposes.
+set -e
+
+CALLINGUSER="$(whoami)"
+
+if [[ $CALLINGUSER == "root" ]]; then
+    echo "Only members of tools.admin group can use clush interactively"
+    echo "This is to make sure we have a nice and clean audit trail"
+    echo "Do not run this directly as root or use sudo"
+
+    exit 1
+fi
+
+# Write an entry into the 'log file'
+echo "`date +%Y-%m-%d:%H:%M:%S` ${CALLINGUSER} ${@}" |
+    sudo tee --append /var/log/clush.log >/dev/null
+sudo /usr/bin/clush $@
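Review bot: `$@` is unquoted in both the log line (`${@}`) and the final `sudo /usr/bin/clush $@`, so the wrapper re-splits every argument on whitespace and expands globs on the master before clush sees them; a remote command such as `'cat /etc/cron.d/*'` would be expanded against the master's filesystem, and runs of spaces inside a quoted command collapse to one. Use `"$@"` in both places. Two smaller points on the same hunk: the error text promises that only tools.admin members can run clush, but the script checks nothing except `whoami != root`, so the message should describe what is actually enforced here (the sudoers rule, which lives elsewhere); and the log entry is built from unescaped arguments, so an argument containing a newline yields a forged second record, and because the entry is written before the command runs it records an attempt, not a completed run. Both are worth a sentence in the header comment.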
diff --git a/modules/role/manifests/toollabs/clush/master.pp 
b/modules/role/manifests/toollabs/clush/master.pp
index 4ec8e04..b2d8176 100644
--- a/modules/role/manifests/toollabs/clush/master.pp
+++ b/modules/role/manifests/toollabs/clush/master.pp
@@ -7,8 +7,11 @@
 # maintained in modules/role/files/toollabs/clush/toollabs-clush-generator.
 # This is refreshed every hour.
 #
+# You'll have to be a member of tools.admin to run this. All accesses
+# are logged to /var/log/clush.log.
+#
 # For example, to run a command on all the kubernetes workers,
-#  # clush -g k8s-worker -b 'uname -r'
+#  $ clush -g k8s-worker -b 'uname -r'
 #
 # This will run it on all the k8s-workers, collect the output
 # from them all (the -b option), dedupes them and displays them. You can 
specify fanout with -f - the default is 16.
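Review bot: the added comment says membership in tools.admin is required, but nothing in this change grants tools.admin the sudo rights the wrapper relies on (`sudo /usr/bin/clush` and `sudo tee --append /var/log/clush.log`); if that rule is declared in another class, name it here so the two stay in step, otherwise the comment describes a check the code does not perform. Switching the example prompt from `#` to `$` is the right call, since the wrapper refuses to run as root.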
@@ -38,6 +41,17 @@
         mode   => '0555',
     }
 
+    # override /usr/bin/clush with this! Just does additional logging
+    # and makes sure users aren't runnning it as root. It logs to
+    # /var/log/clush.log. Only people in tools.admin can run this!
+    file { '/usr/local/bin/clush':
+        ensure => file,
+        source => 'puppet:///modules/role/toollabs/clush/clush',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0555',
+    }
+
     cron { 'update_tools_clush':
         ensure  => present,
         command => '/usr/local/sbin/tools-clush-generator 
/etc/clustershell/tools.yaml',
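Review bot: "override /usr/bin/clush with this!" overstates what installing to /usr/local/bin achieves: the wrapper only shadows /usr/bin/clush for users whose PATH lists /usr/local/bin first, and anyone can still type `sudo /usr/bin/clush ...`, the exact command the wrapper itself issues, and skip the audit log entirely. Restricting the sudoers rule to `/usr/local/bin/clush` (root-owned, mode 0555, as declared here) and having the wrapper record `$SUDO_USER` instead of refusing to run as root would make the log bypassable only by someone who already has unrestricted root, which matches the commit message's own caveat. Separately, no `file` resource manages /var/log/clush.log or its rotation, so the first `tee --append` creates it with whatever mode root's umask happens to give; declare it explicitly. Typo in the comment: "runnning".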

-- 
To view, visit https://gerrit.wikimedia.org/r/307026
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I57156bb99dbc4a7e42c05efe06156ff001c1216b
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits