https://bugzilla.wikimedia.org/show_bug.cgi?id=35850

       Web browser: ---
             Bug #: 35850
           Summary: Manage sudo per-project
           Product: MediaWiki extensions
           Version: any
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: OpenStackManager
        AssignedTo: [email protected]
        ReportedBy: [email protected]
    Classification: Unclassified
   Mobile Platform: ---


Currently sudo is managed globally, and only cloudadmins are allowed to modify
the policy. The only policy currently is root access for ops members on all
instances. This isn't a terribly useful way of handling sudo in LDAP. We should
instead allow sudo management per-project, and scrap the idea of global sudo
via LDAP (we can do that in puppet easily enough).

Instances pull sudo information from LDAP via:

  SUDOERS_BASE    ou=sudoers,dc=wikimedia,dc=org

in /etc/sudo-ldap.conf.

On project creation, we can add an OU under the project's entry, like so:

  ou=sudoers,cn=example-project,ou=groups,dc=wikimedia,dc=org

Instances for that project can pull sudo policies from that OU by changing the
SUDOERS_BASE to:

  SUDOERS_BASE    ou=sudoers,cn=example-project,ou=groups,dc=wikimedia,dc=org

The above can be handled by puppet. Also, in puppet, currently, we have a
configuration that's labs specific that allows all project members to sudo to
root, unless a project is marked as global. We must manually mark a project as
global in puppet, and handing out root to anyone other than ops is difficult
in that situation. We can kill a couple of birds with one stone here.

If we create a policy on project creation that gives all members sudo access on
all instances in the project, a project can be limited by simply removing the
default policy; here's an example of a default policy:

 dn: cn=default,ou=sudoers,cn=example-project,ou=groups,dc=wikimedia,dc=org
 objectClass: sudorole
 objectClass: top
 sudoCommand: ALL
 sudoUser: ALL
 cn: default
 sudoHost: ALL

Users in the sysadmin role should be able to manage these sudo policies. Users
for the sudoUser field should be manageable in a similar way to roles, but
should also allow for an ALL keyword.
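To make the proposal above concrete, here is an added example (not code from the bug report or from OpenStackManager) that builds the per-project SUDOERS_BASE and the "default" sudoRole entry as LDIF, and evaluates a request against a set of sudoRole entries the way sudo-ldap matches sudoUser/sudoHost/sudoCommand (simplified to the ALL keyword, exact values and %group users). Project, user and host names are constructed sample values.

```python
# Added example: per-project sudoers OU, default sudoRole, and a simplified
# sudo-ldap match check. Not part of the original report or the extension.

BASE = "ou=groups,dc=wikimedia,dc=org"  # groups base from the bug report

def project_sudoers_base(project):
    """SUDOERS_BASE that instances of `project` should use in /etc/sudo-ldap.conf."""
    return f"ou=sudoers,cn={project},{BASE}"

def default_policy_ldif(project):
    """The 'default' sudoRole from the report: all members, all hosts, all commands."""
    dn = f"cn=default,{project_sudoers_base(project)}"
    return {"dn": dn, "objectClass": ["sudorole", "top"], "cn": ["default"],
            "sudoUser": ["ALL"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]}

def remove_default_policy(roles):
    """A 'limited' project is the same OU with the cn=default entry removed."""
    return [r for r in roles if not r["dn"].lower().startswith("cn=default,")]

def _matches(values, needle, groups=()):
    """Simplified sudo-ldap attribute match: ALL, exact value, or %group
    (the %group form is only meaningful for sudoUser)."""
    return any(v == "ALL" or v == needle or (v.startswith("%") and v[1:] in groups)
               for v in values)

def sudo_allowed(roles, user, host, command, groups=()):
    """True if any sudoRole in `roles` grants `user` on `host` to run `command`."""
    return any(_matches(r.get("sudoUser", []), user, groups)
               and _matches(r.get("sudoHost", []), host)
               and _matches(r.get("sudoCommand", []), command)
               for r in roles)

def to_ldif(entry):
    """Render one entry dict as LDIF text (dn first, then each attribute value)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, vals in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in vals]
    return "\n".join(lines)

if __name__ == "__main__":
    default = default_policy_ldif("example-project")   # constructed project name
    print(to_ldif(default))
    print(sudo_allowed([default], "alice", "i-00000123", "/bin/bash"))          # True
    print(sudo_allowed(remove_default_policy([default]), "alice", "i-00000123", "/bin/bash"))  # False
```

Running it shows the two states the report describes: with cn=default present every project member gets root on every instance, and removing that single entry turns the project into a limited one without touching puppet.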

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l