Matanya has uploaded a new change for review. https://gerrit.wikimedia.org/r/111189
Change subject: sudo: convert into a module ...................................................................... sudo: convert into a module 1) renamed sudo_user to sudo::user as autoload requires this 2) renamed sudo_group to sudo::group as autoload requires this 3) left fundraising sudo stuff out, as it is not clear to me why they don't use the regular layout 4) renamed sudo::labs_project to sudo::labs for the sake of clarity Change-Id: Ie471af1d57e59cc5911365ea91278783b79272bf --- M manifests/admins.pp M manifests/misc/fundraising.pp M manifests/openstack.pp M manifests/role/analytics.pp M manifests/role/deployment.pp M manifests/role/fundraising.pp M manifests/role/lucene.pp M manifests/role/parsoid.pp M manifests/site.pp D manifests/sudo.pp M modules/applicationserver/manifests/sudo.pp M modules/authdns/manifests/account.pp M modules/base/manifests/init.pp M modules/base/manifests/monitoring/host.pp M modules/beta/manifests/autoupdater.pp M modules/mediawiki/manifests/users/sudo.pp R modules/sudo/files/sudoers.appserver R modules/sudo/files/sudoers.default A modules/sudo/manifests/appserver.pp A modules/sudo/manifests/default.pp A modules/sudo/manifests/group.pp A modules/sudo/manifests/labs.pp A modules/sudo/manifests/user.pp R modules/sudo/templates/sudoers.erb 24 files changed, 109 insertions(+), 104 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/89/111189/1 diff --git a/manifests/admins.pp b/manifests/admins.pp index fa259c2..c0102ef 100644 --- a/manifests/admins.pp +++ b/manifests/admins.pp @@ -3593,7 +3593,7 @@ include accounts::ssastry # RT 5512 # RT 5934 - sudo_user { ['catrope', 'gwicke']: + sudo::user { ['catrope', 'gwicke']: privileges => ['ALL = (parsoid) NOPASSWD: ALL'], } diff --git a/manifests/misc/fundraising.pp b/manifests/misc/fundraising.pp index 6802d40..8ff6a6f 100644 --- a/manifests/misc/fundraising.pp +++ b/manifests/misc/fundraising.pp 
@@ -279,7 +279,7 @@ include accounts::file_mover - sudo_user { "file_mover": privileges => ['ALL = NOPASSWD: /usr/bin/killall -HUP udp2log'] } + sudo::user { "file_mover": privileges => ['ALL = NOPASSWD: /usr/bin/killall -HUP udp2log'] } file { '/usr/local/bin/rotate_fundraising_logs': diff --git a/manifests/openstack.pp b/manifests/openstack.pp index 44c3356..5d324c4 100644 --- a/manifests/openstack.pp +++ b/manifests/openstack.pp @@ -160,7 +160,7 @@ $sudo_privs = [ 'ALL = NOPASSWD: /bin/mkdir -p /srv/*', 'ALL = NOPASSWD: /bin/rmdir /srv/*', 'ALL = NOPASSWD: /usr/local/sbin/sync-exports' ] - sudo_user { [ "nfsmanager" ]: privileges => $sudo_privs, require => Generic::Systemuser["nfsmanager"] } + sudo::user { [ "nfsmanager" ]: privileges => $sudo_privs, require => Generic::Systemuser["nfsmanager"] } generic::systemuser { "nfsmanager": name => "nfsmanager", home => "/var/lib/nfsmanager", shell => "/bin/bash" } } @@ -170,7 +170,7 @@ $sudo_privs = [ 'ALL = NOPASSWD: /bin/mkdir -p /a/*', 'ALL = NOPASSWD: /bin/rmdir /a/*', 'ALL = NOPASSWD: /usr/sbin/gluster *' ] - sudo_user { [ "glustermanager" ]: privileges => $sudo_privs, require => Generic::Systemuser["glustermanager"] } + sudo::user { [ "glustermanager" ]: privileges => $sudo_privs, require => Generic::Systemuser["glustermanager"] } package { "python-paramiko": ensure => present; diff --git a/manifests/role/analytics.pp b/manifests/role/analytics.pp index d2f4b41..99e997c 100644 --- a/manifests/role/analytics.pp +++ b/manifests/role/analytics.pp @@ -104,5 +104,5 @@ User<|title == nuria|> { groups +> [ 'stats' ] } # Diederik and Otto have sudo privileges on Analytics nodes. - sudo_user { [ 'diederik', 'otto' ]: privileges => ['ALL = (ALL) NOPASSWD: ALL'] } + sudo::user { [ 'diederik', 'otto' ]: privileges => ['ALL = (ALL) NOPASSWD: ALL'] } } diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp index 38ef7ec..83b8807 100644 --- a/manifests/role/deployment.pp +++ b/manifests/role/deployment.pp 
@@ -247,7 +247,7 @@ package { "percona-toolkit": ensure => latest; } - sudo_group { "wikidev_deployment_server": + sudo::group { "wikidev_deployment_server": privileges => [ "ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out json pillar.data", "ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner deploy.fetch *", @@ -277,7 +277,7 @@ maxmemory => "500Mb", monitor => "false", } - sudo_group { "project_deployment_prep_deployment_server": + sudo::group { "project_deployment_prep_deployment_server": privileges => [ "ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out json pillar.data", "ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner deploy.fetch *", @@ -307,7 +307,7 @@ maxmemory => "500Mb", monitor => "false", } - sudo_group { "project_deployment_prep_deployment_server": + sudo::group { "project_deployment_prep_deployment_server": privileges => [ "ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out json pillar.data", "ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner deploy.fetch *", diff --git a/manifests/role/fundraising.pp b/manifests/role/fundraising.pp index 404ef4f..7374617 100644 --- a/manifests/role/fundraising.pp +++ b/manifests/role/fundraising.pp @@ -11,7 +11,7 @@ #install_certificate{ "star.wikimedia.org": } - sudo_user { [ "khorn" ]: privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { [ "khorn" ]: privileges => ['ALL = NOPASSWD: ALL'] } $gid = 500 include standard-noexim, diff --git a/manifests/role/lucene.pp b/manifests/role/lucene.pp index 007456c..ae902ff 100644 --- a/manifests/role/lucene.pp +++ b/manifests/role/lucene.pp @@ -144,8 +144,8 @@ admins::mortals, admins::restricted - sudo_user { [ "manybubbles" ]: privileges => ['ALL = NOPASSWD: ALL'] } - sudo_user { [ "demon" ]: privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { [ "manybubbles" ]: privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { [ "demon" ]: privileges => ['ALL = NOPASSWD: ALL'] } } } 
diff --git a/manifests/role/parsoid.pp b/manifests/role/parsoid.pp index 6a54265..18e0352 100644 --- a/manifests/role/parsoid.pp +++ b/manifests/role/parsoid.pp @@ -127,7 +127,7 @@ include role::parsoid::common - sudo_user { 'jenkins-deploy': privileges => [ + sudo::user { 'jenkins-deploy': privileges => [ # Need to allow jenkins-deploy to reload parsoid # Since the "root" user is local, we cant add the sudo policy in # OpenStack manager interface at wikitech diff --git a/manifests/site.pp b/manifests/site.pp index a42232d..2578fb9 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -192,7 +192,7 @@ role::subversion # full root for gerrit admin (RT-3698) - sudo_user { "demon": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "demon": privileges => ['ALL = NOPASSWD: ALL'] } } node "arsenic.eqiad.wmnet" { @@ -207,7 +207,7 @@ groups::wikidev # rt 6189: temporary root for testing - sudo_user { [ "demon" ]: privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { [ "demon" ]: privileges => ['ALL = NOPASSWD: ALL'] } #just adding this for the mediawiki require class { misc::maintenance::pagetriage: enabled => false } @@ -306,7 +306,7 @@ include standard include groups::wikidev, accounts::gwicke - sudo_user { 'gwicke': + sudo::user { 'gwicke': privileges => ['ALL = (ALL) NOPASSWD: ALL'], } @@ -907,10 +907,10 @@ 'ALL = NOPASSWD: /usr/local/bin/svn-group', 'ALL = NOPASSWD: /usr/local/sbin/add-labs-user', 'ALL = NOPASSWD: /var/lib/gerrit2/review_site/bin/gerrit.sh' ] - sudo_user { [ "robla", "sumanah", "reedy" ]: privileges => $sudo_privs } + sudo::user { [ "robla", "sumanah", "reedy" ]: privileges => $sudo_privs } # full root for gerrit admin (RT-3698) - sudo_user { "demon": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "demon": privileges => ['ALL = NOPASSWD: ALL'] } $gid = 550 $ldapincludes = ['openldap', 'nss', 'utils'] 
@@ -949,7 +949,7 @@ node "gallium.wikimedia.org" { $cluster = "misc" $gid=500 - sudo_user { [ "demon", "krinkle", "reedy", "dsc", "mholmquist" ]: privileges => [ + sudo::user { [ "demon", "krinkle", "reedy", "dsc", "mholmquist" ]: privileges => [ 'ALL = (jenkins) NOPASSWD: ALL' ,'ALL = (jenkins-slave) NOPASSWD: ALL' ,'ALL = (gerritslave) NOPASSWD: ALL' @@ -960,12 +960,12 @@ ]} # Bug 49846, let us sync VisualEditor in mediawiki/extensions.git - sudo_user { 'jenkins-slave': privileges => [ + sudo::user { 'jenkins-slave': privileges => [ 'ALL = (jenkins) NOPASSWD: /srv/deployment/integration/slave-scripts/bin/gerrit-sync-ve-push.sh', ]} # full root for Jenkins admin (RT-4101) - sudo_user { "hashar": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "hashar": privileges => ['ALL = NOPASSWD: ALL'] } include standard, nrpe, @@ -1060,7 +1060,7 @@ misc::udp2log::utilities, misc::udp2log - sudo_user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } # fundraising banner log pipeline (moved to gadolinium) #include misc::fundraising::udp2log_rotation @@ -1319,14 +1319,14 @@ # Used as a Jenkins slave so some folks need escalated privileges $gid=500 - sudo_user { [ 'demon', 'krinkle', 'reedy', 'dsc', 'mholmquist' ]: privileges => [ + sudo::user { [ 'demon', 'krinkle', 'reedy', 'dsc', 'mholmquist' ]: privileges => [ 'ALL = (jenkins-slave) NOPASSWD: ALL', 'ALL = (gerritslave) NOPASSWD: ALL', ] } # full root for Jenkins admin (RT-5677) - sudo_user { "hashar": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "hashar": privileges => ['ALL = NOPASSWD: ALL'] } # lanthanum received a SSD drive just like gallium (RT #5178) mount it file { '/srv/ssd': 
@@ -2283,10 +2283,10 @@ accounts::nuria, # RT 6525 accounts::csalvia # RT 6664 - sudo_user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } # Allow Christian to sudo -u stats to debug and test stats' automated cron jobs. - sudo_user { "qchris": privileges => ['ALL = (stats) NOPASSWD: ALL'] } + sudo::user { "qchris": privileges => ['ALL = (stats) NOPASSWD: ALL'] } include misc::statistics::cron_blog_pageviews, misc::statistics::limn::mobile_data_sync, @@ -2308,7 +2308,7 @@ accounts::qchris, # RT 5474 accounts::tnegrin # RT 5391 - sudo_user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } } node "stat1002.eqiad.wmnet" { @@ -2332,7 +2332,7 @@ User<|title == spetrea|> { groups +> [ "stats" ] } User<|title == ironholds|> { groups +> [ "stats" ] } - sudo_user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "otto": privileges => ['ALL = NOPASSWD: ALL'] } # include classes needed for storing and crunching # private data on stat1002. @@ -2430,8 +2430,8 @@ accounts::demon, groups::wikidev - sudo_user { [ "manybubbles" ]: privileges => ['ALL = NOPASSWD: ALL'] } - sudo_user { [ "demon" ]: privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { [ "manybubbles" ]: privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { [ "demon" ]: privileges => ['ALL = NOPASSWD: ALL'] } include standard include role::elasticsearch::server @@ -2452,7 +2452,7 @@ include accounts::aaron include accounts::bd808 - sudo_user { ['aaron', 'bd808']: # RT 6366 + sudo::user { ['aaron', 'bd808']: # RT 6366 privileges => ['ALL = NOPASSWD: ALL'], } } @@ -2513,7 +2513,7 @@ groups::wikidev, accounts::nuria # RT 6535 - sudo_user { 'nuria': + sudo::user { 'nuria': privileges => ['ALL = NOPASSWD: ALL'], } } 
@@ -2669,7 +2669,7 @@ install_certificate{ "gerrit.wikimedia.org": ca => "RapidSSL_CA.pem" } # full root for gerrit admin (RT-3698) - sudo_user { "demon": privileges => ['ALL = NOPASSWD: ALL'] } + sudo::user { "demon": privileges => ['ALL = NOPASSWD: ALL'] } } diff --git a/manifests/sudo.pp b/manifests/sudo.pp deleted file mode 100644 index e5b0b6f..0000000 --- a/manifests/sudo.pp +++ /dev/null @@ -1,64 +0,0 @@ -# sudo.pp - -define sudo_user( $privileges ) { - $user = $title - - file { "/etc/sudoers.d/$user": - owner => root, - group => root, - mode => 0440, - content => template("sudo/sudoers.erb"); - } - -} - -define sudo_group( $privileges=[], $ensure="present", $group = $title ) { - - file { "/etc/sudoers.d/$title": - owner => root, - group => root, - mode => 0440, - content => template("sudo/sudoers.erb"), - ensure => $ensure; - } - -} - -class sudo::labs_project { - - if $realm == labs { - include sudo::default - - # Was handled via sudo ldap, now handled via puppet - sudo_group { ops: privileges => ['ALL=(ALL) NOPASSWD: ALL'] } - # Old way of handling this. - sudo_group { $instanceproject: ensure => absent } - # Another old way, before per-project sudo - sudo_group { $projectgroup: ensure => absent } - } - -} - -class sudo::default { - - file { "/etc/sudoers": - owner => root, - group => root, - mode => 0440, - source => "puppet:///files/sudo/sudoers.default"; - } - -} - -class sudo::appserver { - - file { "/etc/sudoers.d/appserver": - path => "/etc/sudoers.d/appserver", - owner => root, - group => root, - mode => 0440, - source => "puppet:///files/sudo/sudoers.appserver", - ensure => present; - } - -} diff --git a/modules/applicationserver/manifests/sudo.pp b/modules/applicationserver/manifests/sudo.pp index 419525f..85a9e75 100644 --- a/modules/applicationserver/manifests/sudo.pp +++ b/modules/applicationserver/manifests/sudo.pp 
@@ -3,12 +3,12 @@ require groups::wikidev - sudo_group {'wikidev_apache': + sudo::group {'wikidev_apache': privileges => ['ALL = (apache) NOPASSWD: ALL'], group => 'wikidev' } - sudo_group {'wikidev_root': + sudo::group {'wikidev_root': privileges => ['ALL= NOPASSWD: /usr/sbin/apache2ctl, /etc/init.d/apache2, /usr/bin/renice, /usr/local/bin/find-nearest-rsync'], group => 'wikidev' } diff --git a/modules/authdns/manifests/account.pp b/modules/authdns/manifests/account.pp index c741b5a..efccffa 100644 --- a/modules/authdns/manifests/account.pp +++ b/modules/authdns/manifests/account.pp @@ -18,7 +18,7 @@ ensure => 'present', } - sudo_user { $user: + sudo::user { $user: privileges => 'ALL=NOPASSWD: /usr/local/sbin/authdns-local-update', } diff --git a/modules/base/manifests/init.pp b/modules/base/manifests/init.pp index 2eac31c..1b42efa 100644 --- a/modules/base/manifests/init.pp +++ b/modules/base/manifests/init.pp @@ -4,7 +4,7 @@ # hardy doesn't support sudoers.d; only do sudo_user for lucid and later if versioncmp($::lsbdistrelease, '10.04') >= 0 { - sudo_user { [ 'cmjohnson' ]: privileges => [ + sudo::user { [ 'cmjohnson' ]: privileges => [ 'ALL = (root) NOPASSWD: /sbin/fdisk', 'ALL = (root) NOPASSWD: /sbin/mdadm', 'ALL = (root) NOPASSWD: /sbin/parted', diff --git a/modules/base/manifests/monitoring/host.pp b/modules/base/manifests/monitoring/host.pp index 3142480..1f543fe 100644 --- a/modules/base/manifests/monitoring/host.pp +++ b/modules/base/manifests/monitoring/host.pp @@ -55,7 +55,7 @@ source => 'puppet:///modules/base/monitoring/check_puppet_disabled'; } - sudo_user { 'nagios': + sudo::user { 'nagios': privileges => ['ALL = NOPASSWD: /usr/local/bin/check-raid.py'], } nrpe::monitor_service { 'raid': diff --git a/modules/beta/manifests/autoupdater.pp b/modules/beta/manifests/autoupdater.pp index 49b60c8..c63fb7f 100644 --- a/modules/beta/manifests/autoupdater.pp +++ b/modules/beta/manifests/autoupdater.pp 
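Review bot: In the modules/base/manifests/init.pp hunk the context comment still reads `only do sudo_user for lucid and later` although the resource directly below it is now `sudo::user`, so the old name survives the rename where a grep will no longer find the type it refers to. Update it to `# hardy doesn't support sudoers.d; only do sudo::user for lucid and later`. The enclosing `if versioncmp($::lsbdistrelease, '10.04') >= 0` block continues outside the hunk.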
@@ -21,7 +21,7 @@ } # Make sure wmf-beta-autoupdate can run the l10n updater as l10nupdate - sudo_user { 'mwdeploy' : + sudo::user { 'mwdeploy' : privileges => [ 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mw-update-l10n', 'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mwscript', diff --git a/modules/mediawiki/manifests/users/sudo.pp b/modules/mediawiki/manifests/users/sudo.pp index 402b0fe..bba6917 100644 --- a/modules/mediawiki/manifests/users/sudo.pp +++ b/modules/mediawiki/manifests/users/sudo.pp @@ -4,11 +4,11 @@ require mediawiki::users::l10nupdate ## sudo definitions - sudo_group {"wikidev_deploy": + sudo::group {"wikidev_deploy": privileges => ['ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL', 'ALL = (root) NOPASSWD: /sbin/restart twemproxy', 'ALL = (root) NOPASSWD: /sbin/start twemproxy'], group => "wikidev" } - sudo_user { "l10nupdate": privileges => ['ALL = (mwdeploy) NOPASSWD: ALL'] } + sudo::user { "l10nupdate": privileges => ['ALL = (mwdeploy) NOPASSWD: ALL'] } } diff --git a/files/sudo/sudoers.appserver b/modules/sudo/files/sudoers.appserver similarity index 100% rename from files/sudo/sudoers.appserver rename to modules/sudo/files/sudoers.appserver diff --git a/files/sudo/sudoers.default b/modules/sudo/files/sudoers.default similarity index 100% rename from files/sudo/sudoers.default rename to modules/sudo/files/sudoers.default diff --git a/modules/sudo/manifests/appserver.pp b/modules/sudo/manifests/appserver.pp new file mode 100644 index 0000000..ea5bd25 --- /dev/null +++ b/modules/sudo/manifests/appserver.pp @@ -0,0 +1,14 @@ +# application servers sudoers file +class sudo::appserver { + + file { '/etc/sudoers.d/appserver': + ensure => 'present', + path => '/etc/sudoers.d/appserver', + owner => 'root', + group => 'root', + mode => '0440', + source => 'puppet:///modules/sudo/sudoers.appserver', + } + +} + diff --git a/modules/sudo/manifests/default.pp b/modules/sudo/manifests/default.pp new file mode 100644 index 0000000..0c9ca5d --- /dev/null 
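Review bot: In the new modules/sudo/manifests/appserver.pp, `path => '/etc/sudoers.d/appserver'` repeats the resource title exactly, so it adds nothing and creates a second place that has to be edited if the file is ever moved. Drop the `path` line and let the title name the file, as `sudo::default` in the next hunk already does. A one-line header comment stating that the managed file comes from `puppet:///modules/sudo/sudoers.appserver` and is installed with mode 0440 would replace the current comment, which only restates the class name.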
+++ b/modules/sudo/manifests/default.pp
@@ -0,0 +1,12 @@
+#Class for default sudoers file
+class sudo::default {
+
+ file { '/etc/sudoers':
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ source => 'puppet:///modules/sudo/sudoers.default',
+ }
+
+}
+
diff --git a/modules/sudo/manifests/group.pp b/modules/sudo/manifests/group.pp
new file mode 100644
index 0000000..1d0b54f
--- /dev/null
+++ b/modules/sudo/manifests/group.pp
@@ -0,0 +1,16 @@
+# A defined type to add agroup to sudoers file.
+define sudo::group(
+ $privileges = [],
+ $ensure = 'present',
+ $group = $title
+) {
+
+ file { "/etc/sudoers.d/${title}":
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ content => template('sudo/sudoers.erb'),
+ }
+
+}
diff --git a/modules/sudo/manifests/labs.pp b/modules/sudo/manifests/labs.pp
new file mode 100644
index 0000000..f1ade5b
--- /dev/null
+++ b/modules/sudo/manifests/labs.pp
@@ -0,0 +1,13 @@
+#class for sudo on labs
+class sudo::labs{
+
+ if $::realm == 'labs' {
+ include sudo::default
+
+ # Was handled via sudo ldap, now handled via puppet
+ sudo::group { 'ops':
+ privileges => ['ALL=(ALL) NOPASSWD: ALL'],
+ }
+ }
+}
+
diff --git a/modules/sudo/manifests/user.pp b/modules/sudo/manifests/user.pp
new file mode 100644
index 0000000..9d33446
--- /dev/null
+++ b/modules/sudo/manifests/user.pp
@@ -0,0 +1,14 @@
+# A defined type for adding a user to sudoers file.
+define sudo::user(
+ $privileges
+) {
+ $user = $title
+
+ file { "/etc/sudoers.d/${user}":
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ content => template('sudo/sudoers.erb'),
+ }
+
+}
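Review bot: `sudo::group` in modules/sudo/manifests/group.pp renders `$privileges` into `/etc/sudoers.d/${title}` with no syntax check, and sudo refuses to run at all when any file under sudoers.d fails to parse, so one malformed privilege string in a single declaration breaks sudo for every account on that host rather than just the entry in question; `sudo::user` in the user.pp hunk has the same gap. If the Puppet version in use supports the file type's `validate_cmd` parameter (Puppet 3.5 and later), add `validate_cmd => '/usr/sbin/visudo -cf %',` to the file resource in both types so a bad fragment is rejected before it replaces the live file. Separately, sudo ignores sudoers.d entries whose name contains a dot or ends in `~`, so a title like a dotted username would produce a file that is silently never read; a guard such as `if $title =~ /[.~]/ { fail("sudo::group: ${title} is not a valid sudoers.d file name") }` turns that into a catalog error. The header comment also has a typo, `agroup`.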
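Review bot: `sudo::labs` in modules/sudo/manifests/labs.pp drops the two `ensure => absent` resources that the deleted `sudo::labs_project` declared for `$instanceproject` and `$projectgroup` (visible in the manifests/sudo.pp deletion hunk), so any `/etc/sudoers.d/<project>` file left over from the old per-project sudo scheme now stays on labs instances with whatever grants it contains instead of being removed on the next agent run. The commit message does not mention retiring that cleanup; if it is intentional, say so there, otherwise keep `sudo::group { $instanceproject: ensure => absent }` and `sudo::group { $projectgroup: ensure => absent }` inside the `if $::realm == 'labs'` block. The class is also renamed, and no hunk in this change updates an `include sudo::labs_project` elsewhere in the tree; if one exists, those catalogs will fail to compile until it is changed to `sudo::labs`.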
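Review bot: `sudo::user` in modules/sudo/manifests/user.pp has no `$ensure` parameter, unlike `sudo::group` in the previous hunk, so removing a `sudo::user` declaration from a node leaves `/etc/sudoers.d/<user>` and the grant in it on the host until someone deletes it by hand; revocation of sudo access is therefore not expressible in Puppet for users. Mirror the group type by adding `$ensure = 'present'` to the parameter list and `ensure => $ensure,` to the file resource, which is backward compatible with every caller touched in this change. A header comment along the lines of `# Installs /etc/sudoers.d/<title> rendered from sudo/sudoers.erb; $privileges is a list of sudoers entries for that user` would document what callers are expected to pass, since the authdns hunk passes a bare string and the rest pass arrays.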
diff --git a/templates/sudo/sudoers.erb b/modules/sudo/templates/sudoers.erb similarity index 100% rename from templates/sudo/sudoers.erb rename to modules/sudo/templates/sudoers.erb -- To view, visit https://gerrit.wikimedia.org/r/111189 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie471af1d57e59cc5911365ea91278783b79272bf Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Matanya <mata...@foss.co.il> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits