Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Cédric Jeanneret


On 06/06/2018 06:59 AM, Mike Carden wrote:
> 
> \o/ - care to add the links on the doc? Would be really helpful for
> others I guess :).
> 
> 
> Doc? What doc?

This one: https://docs.openstack.org/oslo.privsep/latest/index.html

I just created https://review.openstack.org/#/c/572670/

So, back to business: we need some spec and discussions in order to get
a consensus and implement best practices.

Using privsep will allow us to drop the sudo part, as it uses rootwrap
instead. This way also allows us to filter out the rights, and we can
ensure we actually don't let people do bad things.

The mentioned blog posts also point to the test process, and show how
we can ensure we actually mock the calls. They also propose a directory
structure, and stress the way to actually call the privileged methods.
All of that makes perfect sense, as it has a simple logic: if you need
privileges, show them without any hide-and-seek game.

That advice should be followed, and integrated in any spec/blueprint
we're to write prior to the implementation.

Regarding the tripleoclient part: there's currently one annoying issue,
as the generated files aren't owned by the deploy user (usually named
"stack").
This isn't a really urgent correction, but I'm pretty sure we have to
lock any change toward a "quick'n'dirty resolution".

Cheers,

C.

> 
> --
> MC
>  
> 
> 
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 

-- 
Cédric Jeanneret
Software Engineer
DFG:DF





Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Mike Carden
>
>
> \o/ - care to add the links on the doc? Would be really helpful for
> others I guess :).
>

Doc? What doc?

--
MC


Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Cédric Jeanneret


On 06/06/2018 06:37 AM, Mike Carden wrote:
> 
> > In regards to your suggested positions within python code such as the
> > client, it's worth looking at oslo.privsep [1] where a decorator can be
> > used for when needing to setuid.
> 
> hmm yep, have to understand how to use it - its doc is.. well. kind of
> sparse. Would be good to get examples.
> 
> 
> 
> Examples you say? Michael Still has been at that recently:
> 
> https://www.madebymikal.com/how-to-make-a-privileged-call-with-oslo-privsep/
> https://www.madebymikal.com/adding-oslo-privsep-to-a-new-project-a-worked-example/

\o/ - care to add the links on the doc? Would be really helpful for
others I guess :).

> 
> -- 
> MC
> 
> 
> 
> 
> 

-- 
Cédric Jeanneret
Software Engineer
DFG:DF





Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Mike Carden
>
>
> > In regards to your suggested positions within python code such as the
> > client, it's worth looking at oslo.privsep [1] where a decorator can be
> > used for when needing to setuid.
>
> hmm yep, have to understand how to use it - its doc is.. well. kind of
> sparse. Would be good to get examples.



Examples you say? Michael Still has been at that recently:

https://www.madebymikal.com/how-to-make-a-privileged-call-with-oslo-privsep/
https://www.madebymikal.com/adding-oslo-privsep-to-a-new-project-a-worked-example/

-- 
MC


Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Cédric Jeanneret


On 06/05/2018 06:08 PM, Luke Hinds wrote:
> 
> 
> On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret wrote:
> 
> Hello guys!
> 
> I'm currently working on python-tripleoclient in order to squash the
> dreadful "NOPASSWD:ALL" allowed to the "stack" user.
> 
> The start was an issue with the rights on some files being wrong (owned
> by root instead of stack, in stack home). After some digging and poking,
> it appears the undercloud deployment is called with a "sudo openstack
> tripleo deploy" command - this, of course, creates some major issues
> regarding both security and rights management.
> 
> I see a couple of ways to correct that bad situation:
> - let the global "sudo" call, and play with setuid/setgid when we
> actually don't need the root access (as it's mentioned in this comment¹)
> 
> - drop that global sudo call, and replace all the necessary calls by
> some "sudo" when needed. This involves the replacement of native python
> code, like "os.mkdir" and the like.
> 
> The first one isn't a solution - code maintenance will not be possible,
> having to think "darn, os.setuid() before calling that, because I don't
> need root" is the current way, and it just doesn't apply.
> 
> So I started the second one. It's, of course, longer, not really nice
> and painful, but at least this will end in a good state, and a not so bad
> solution.
> 
> This also meets the current work of the Security Squad about "limiting
> sudo rights and accesses".
> 
> For now I don't have a proper patch to show, but it will most probably
> appear shortly, as a Work In Progress (I don't think it will be
> mergeable before some time, due to all the constraints we have regarding
> version portability, new sudoer integration and so on).
> 
> I'll post the relevant review link as an answer of this thread when I
> have something I can show.
> 
> Cheers,
> 
> C.
> 
> 
> Hi Cédric,

Hello Luke,

> 
> Pleased to hear you are willing to take this on.

Well, we have to ;).

> 
> It makes sense we should co-ordinate efforts here as I have been looking
> at the same item, but planned to start with heat-admin over on the
> overcloud.

yep, took part in some discussions already.

> 
> Due to the complexity / level of coverage in the use of sudo, it makes
> sense to have a spec where we can then get community consensus on the
> approach selected. This is important as it looks like we will need to
> have some sort of white list to maintain and make considerations around
> functional test coverage in CI (in case someone writes something new
> wrapped in sudo).

For now, I'm trying to see what the extent is at the code level itself.
This also helps me understand the different things involved, and I'm
also doing some archaeology in order to understand the current situation.

But indeed, we should push a spec/blueprint in order to get a good idea
of the task and open the discussion on a clear basis.

> 
> In regards to your suggested positions within python code such as the
> client, it's worth looking at oslo.privsep [1] where a decorator can be
> used for when needing to setuid.

hmm yep, have to understand how to use it - its doc is.. well. kind of
sparse. Would be good to get examples.

> 
> Let's discuss this also in the squad meeting tomorrow and try to
> synergize approach for all tripleo nix accounts.

You can ping me on #tripleo - I go there by Tengu nick. I'm CET (so
yeah, already up'n'running ;)).

Cheers,

C.

> 
> [1] https://github.com/openstack/oslo.privsep
> 
> Cheers,
> 
> Luke
> 
> 
> ¹
> 
> https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829
> 
> 
> 
> 
> -- 
> Cédric Jeanneret
> Software Engineer
> DFG:DF
> 
> 
> 

-- 
Cédric Jeanneret
Software Engineer
DFG:DF




Re: [openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Luke Hinds
On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret wrote:

> Hello guys!
>
> I'm currently working on python-tripleoclient in order to squash the
> dreadful "NOPASSWD:ALL" allowed to the "stack" user.
>
> The start was an issue with the rights on some files being wrong (owned
> by root instead of stack, in stack home). After some digging and poking,
> it appears the undercloud deployment is called with a "sudo openstack
> tripleo deploy" command - this, of course, creates some major issues
> regarding both security and rights management.
>
> I see a couple of ways to correct that bad situation:
> - let the global "sudo" call, and play with setuid/setgid when we
> actually don't need the root access (as it's mentioned in this comment¹)
>
> - drop that global sudo call, and replace all the necessary calls by
> some "sudo" when needed. This involves the replacement of native python
> code, like "os.mkdir" and the like.
>
> The first one isn't a solution - code maintenance will not be possible,
> having to think "darn, os.setuid() before calling that, because I don't
> need root" is the current way, and it just doesn't apply.
>
> So I started the second one. It's, of course, longer, not really nice
> and painful, but at least this will end in a good state, and a not so bad
> solution.
>
> This also meets the current work of the Security Squad about "limiting
> sudo rights and accesses".
>
> For now I don't have a proper patch to show, but it will most probably
> appear shortly, as a Work In Progress (I don't think it will be
> mergeable before some time, due to all the constraints we have regarding
> version portability, new sudoer integration and so on).
>
> I'll post the relevant review link as an answer of this thread when I
> have something I can show.
>
> Cheers,
>
> C.
>
>
Hi Cédric,

Pleased to hear you are willing to take this on.

It makes sense we should co-ordinate efforts here as I have been looking at
the same item, but planned to start with heat-admin over on the overcloud.

Due to the complexity / level of coverage in the use of sudo, it makes
sense to have a spec where we can then get community consensus on the
approach selected. This is important as it looks like we will need to have
some sort of white list to maintain and make considerations around
functional test coverage in CI (in case someone writes something new
wrapped in sudo).

In regards to your suggested positions within python code such as the
client, it's worth looking at oslo.privsep [1] where a decorator can be used
for when needing to setuid.

Let's discuss this also in the squad meeting tomorrow and try to synergize
approach for all tripleo nix accounts.

[1] https://github.com/openstack/oslo.privsep

Cheers,

Luke


> ¹
> https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829
>
>
> --
> Cédric Jeanneret
> Software Engineer
> DFG:DF
>
>
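The white list and CI coverage concern raised in the message above ("in case someone writes something new wrapped in sudo"), as an added example that is not part of the thread or of python-tripleoclient: a static check that walks Python source with `ast` and classifies literal `sudo` command lines against an allowlist. `SUDO_ALLOWLIST`, `find_sudo_calls` and the sample source are hypothetical names and constructed input.

```python
import ast

# Hypothetical allowlist: the only commands this code base may wrap in sudo.
SUDO_ALLOWLIST = {"chown", "mkdir"}

# Constructed sample source, not taken from python-tripleoclient.
SAMPLE = '''
import subprocess
def fix_owner(path, user):
    subprocess.check_call(["sudo", "chown", user, path])
def deploy():
    subprocess.call(["sudo", "openstack", "tripleo", "deploy"])
def run(cmd):
    subprocess.call(["sudo", cmd])
def listing():
    subprocess.call(["ls", "-l"])
'''

def _literal_argv(node):
    """argv as a list (None for non-literal items), or None if not a literal."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value if isinstance(e, ast.Constant) and isinstance(e.value, str)
                else None for e in node.elts]
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.split()  # shell-style command string
    return None

def find_sudo_calls(source):
    """Return (lineno, command, verdict) for each call whose first argument
    is a literal command line starting with sudo."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        argv = _literal_argv(node.args[0])
        if not argv or argv[0] != "sudo":
            continue
        cmd = argv[1] if len(argv) > 1 else None
        if cmd is None or cmd.startswith("-"):
            verdict = "review"   # dynamic command or sudo options: needs a human
        elif cmd in SUDO_ALLOWLIST:
            verdict = "allowed"
        else:
            verdict = "denied"
        findings.append((node.lineno, cmd, verdict))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for lineno, cmd, verdict in find_sudo_calls(SAMPLE):
        print(f"line {lineno}: sudo {cmd or '<dynamic>'} -> {verdict}")
```

A CI job would fail the build on any finding whose verdict is not "allowed"; the check is a heuristic and only sees command lines written as literals.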


[openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

2018-06-05 Thread Cédric Jeanneret
Hello guys!

I'm currently working on python-tripleoclient in order to squash the
dreadful "NOPASSWD:ALL" allowed to the "stack" user.

The start was an issue with the rights on some files being wrong (owned
by root instead of stack, in stack home). After some digging and poking,
it appears the undercloud deployment is called with a "sudo openstack
tripleo deploy" command - this, of course, creates some major issues
regarding both security and rights management.

I see a couple of ways to correct that bad situation:
- let the global "sudo" call, and play with setuid/setgid when we
actually don't need the root access (as it's mentioned in this comment¹)

- drop that global sudo call, and replace all the necessary calls by
some "sudo" when needed. This involves the replacement of native python
code, like "os.mkdir" and the like.

The first one isn't a solution - code maintenance will not be possible,
having to think "darn, os.setuid() before calling that, because I don't
need root" is the current way, and it just doesn't apply.

So I started the second one. It's, of course, longer, not really nice
and painful, but at least this will end in a good state, and a not so bad
solution.

This also meets the current work of the Security Squad about "limiting
sudo rights and accesses".

For now I don't have a proper patch to show, but it will most probably
appear shortly, as a Work In Progress (I don't think it will be
mergeable before some time, due to all the constraints we have regarding
version portability, new sudoer integration and so on).

I'll post the relevant review link as an answer of this thread when I
have something I can show.

Cheers,

C.


¹
https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829


-- 
Cédric Jeanneret
Software Engineer
DFG:DF


