Giuseppe Lavagetto has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/167183

Change subject: sudo: create module, remove old files
......................................................................

sudo: create module, remove old files

Restructure our puppet classes/manifests to follow the "standard" module
layout expected by puppet.

Change-Id: Ic7e883f85b81b516b424168be2a3380dcc5f3121
Signed-off-by: Giuseppe Lavagetto <glavage...@wikimedia.org>
---
M manifests/misc/fundraising.pp
M manifests/openstack.pp
M manifests/role/cxserver.pp
M manifests/role/deployment.pp
M manifests/role/parsoid.pp
M manifests/site.pp
D manifests/sudo.pp
M modules/authdns/manifests/account.pp
M modules/base/manifests/monitoring/host.pp
M modules/beta/manifests/mwdeploy_sudo.pp
M modules/labs_vagrant/manifests/init.pp
M modules/mediawiki/manifests/users.pp
R modules/sudo/files/sudoers.appserver
R modules/sudo/files/sudoers.labs
A modules/sudo/manifests/appserver.pp
A modules/sudo/manifests/group.pp
A modules/sudo/manifests/init.pp
A modules/sudo/manifests/labs_project.pp
A modules/sudo/manifests/user.pp
R modules/sudo/templates/sudoers.erb
20 files changed, 70 insertions(+), 74 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/83/167183/1

diff --git a/manifests/misc/fundraising.pp b/manifests/misc/fundraising.pp
index 253ae0d..e8f254d 100644
--- a/manifests/misc/fundraising.pp
+++ b/manifests/misc/fundraising.pp
@@ -2,7 +2,7 @@
 
     include role::logging::systemusers
 
-    sudo_user { 'file_mover':
+    sudo::user { 'file_mover':
         privileges => ['ALL = NOPASSWD: /usr/bin/killall -HUP udp2log'] }
 
     file { '/usr/local/bin/rotate_fundraising_logs':
diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index af8ccf9..e1338a0 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -148,7 +148,7 @@
     $sudo_privs = [ 'ALL = NOPASSWD: /bin/mkdir -p /srv/*',
             'ALL = NOPASSWD: /bin/rmdir /srv/*',
             'ALL = NOPASSWD: /usr/local/sbin/sync-exports' ]
-    sudo_user { [ "nfsmanager" ]: privileges => $sudo_privs, require => 
User["nfsmanager"] }
+    sudo::user { [ "nfsmanager" ]: privileges => $sudo_privs, require => 
User["nfsmanager"] }
 
     group { 'nfsmanager':
         ensure => present,
diff --git a/manifests/role/cxserver.pp b/manifests/role/cxserver.pp
index 2771c1d..87dbf67 100644
--- a/manifests/role/cxserver.pp
+++ b/manifests/role/cxserver.pp
@@ -25,7 +25,7 @@
     }
 
     # Need to allow jenkins-deploy to reload cxserver
-    sudo_user { 'jenkins-deploy': privileges => [
+    sudo::user { 'jenkins-deploy': privileges => [
         # Since the "root" user is local, we cant add the sudo policy in
         # OpenStack manager interface at wikitech
         'ALL = (root)  NOPASSWD:/usr/sbin/service cxserver restart',
diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp
index 6d545d3..fd6b1ab 100644
--- a/manifests/role/deployment.pp
+++ b/manifests/role/deployment.pp
@@ -197,7 +197,7 @@
   package { 'percona-toolkit':
     ensure => latest,
   }
-  sudo_group { 'wikidev_deployment_server':
+  sudo::group { 'wikidev_deployment_server':
     privileges => [
       'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out=json 
pillar.data',
       'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner 
deploy.fetch *',
@@ -261,7 +261,7 @@
     maxmemory => '500Mb',
     monitor   => false,
   }
-  sudo_group { "project_${::instanceproject}_deployment_server":
+  sudo::group { "project_${::instanceproject}_deployment_server":
     privileges => [
       'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out=json 
pillar.data',
       'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner 
deploy.fetch *',
diff --git a/manifests/role/parsoid.pp b/manifests/role/parsoid.pp
index 648d366..23aeb6a 100644
--- a/manifests/role/parsoid.pp
+++ b/manifests/role/parsoid.pp
@@ -134,7 +134,7 @@
 
     include role::parsoid::common
 
-    sudo_user { 'jenkins-deploy': privileges => [
+    sudo::user { 'jenkins-deploy': privileges => [
         # Need to allow jenkins-deploy to reload parsoid
         # Since the "root" user is local, we cant add the sudo policy in
         # OpenStack manager interface at wikitech
diff --git a/manifests/site.pp b/manifests/site.pp
index 988d267..8322ba7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -18,7 +18,6 @@
 import 'role/*.pp'
 import 'role/analytics/*.pp'
 import 'search.pp'
-import 'sudo.pp'
 import 'swift.pp'
 import 'webserver.pp'
 
@@ -1222,7 +1221,7 @@
     class { 'admin': groups => ['contint-users', 'contint-admins', 
'contint-roots'] }
 
     # Bug 49846, let us sync VisualEditor in mediawiki/extensions.git
-    sudo_user { 'jenkins-slave':
+    sudo::user { 'jenkins-slave':
         privileges => [
             'ALL = (jenkins) NOPASSWD: 
/srv/deployment/integration/slave-scripts/bin/gerrit-sync-ve-push.sh',
         ]
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
deleted file mode 100644
index d8813d4..0000000
--- a/manifests/sudo.pp
+++ /dev/null
@@ -1,59 +0,0 @@
-# sudo.pp
-
-define sudo_user( $privileges ) {
-    $user = $title
-
-    file { "/etc/sudoers.d/${user}":
-        owner   => root,
-        group   => root,
-        mode    => '0440',
-        content => template('sudo/sudoers.erb');
-    }
-
-}
-
-define sudo_group( $privileges=[], $ensure='present', $group = $title ) {
-
-    file { "/etc/sudoers.d/${title}":
-        ensure  => $ensure,
-        owner   => root,
-        group   => root,
-        mode    => '0440',
-        content => template('sudo/sudoers.erb'),
-    }
-
-}
-
-class sudo::labs_project {
-
-    if $realm == labs {
-
-        # labs specific sudo default
-        file { '/etc/sudoers':
-            owner  => root,
-            group  => root,
-            mode   => '0440',
-            source => 'puppet:///files/sudo/sudoers.labs';
-        }
-
-        # Was handled via sudo ldap, now handled via puppet
-        sudo_group { 'ops': privileges => ['ALL=(ALL) NOPASSWD: ALL'] }
-        # Old way of handling this.
-        sudo_group { $instanceproject: ensure => absent }
-        # Another old way, before per-project sudo
-        sudo_group { $projectgroup: ensure => absent }
-    }
-}
-
-class sudo::appserver {
-
-    file { '/etc/sudoers.d/appserver':
-        ensure => present,
-        path   => '/etc/sudoers.d/appserver',
-        owner  => root,
-        group  => root,
-        mode   => '0440',
-        source => 'puppet:///files/sudo/sudoers.appserver',
-    }
-
-}
diff --git a/modules/authdns/manifests/account.pp 
b/modules/authdns/manifests/account.pp
index 1c1c00a..1417d2d 100644
--- a/modules/authdns/manifests/account.pp
+++ b/modules/authdns/manifests/account.pp
@@ -18,7 +18,7 @@
         ensure     => 'present',
     }
 
-    sudo_user { $user:
+    sudo::user { $user:
         privileges => ['ALL=NOPASSWD: /usr/local/sbin/authdns-local-update'],
     }
 
diff --git a/modules/base/manifests/monitoring/host.pp 
b/modules/base/manifests/monitoring/host.pp
index 7ee8700..34ff53e 100644
--- a/modules/base/manifests/monitoring/host.pp
+++ b/modules/base/manifests/monitoring/host.pp
@@ -79,7 +79,7 @@
         source => 'puppet:///modules/base/check_sysctl',
     }
 
-    sudo_user { 'nagios':
+    sudo::user { 'nagios':
         privileges   => [
                         'ALL = NOPASSWD: /usr/local/bin/check-raid.py',
                         'ALL = NOPASSWD: 
/usr/local/lib/nagios/plugins/check_puppetrun',
diff --git a/modules/beta/manifests/mwdeploy_sudo.pp 
b/modules/beta/manifests/mwdeploy_sudo.pp
index 2f52e45..9c4c4c6 100644
--- a/modules/beta/manifests/mwdeploy_sudo.pp
+++ b/modules/beta/manifests/mwdeploy_sudo.pp
@@ -6,7 +6,7 @@
     # Grant mwdeploy sudo rights to run anything as itself, apache or
     # l10nupdate and to (re)start the hhvm fcgi service. This is a subset of
     # the rights granted to the wikidev group by the mediawiki::users class.
-    sudo_user { 'mwdeploy' :
+    sudo::user { 'mwdeploy' :
         privileges => [
             'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL',
             'ALL = (root) NOPASSWD: /sbin/restart hhvm',
diff --git a/modules/labs_vagrant/manifests/init.pp 
b/modules/labs_vagrant/manifests/init.pp
index d23e956..4a8f1b2 100644
--- a/modules/labs_vagrant/manifests/init.pp
+++ b/modules/labs_vagrant/manifests/init.pp
@@ -26,13 +26,13 @@
         group  => 'vagrant',
     }
 
-    sudo_user { 'vagrant' :
+    sudo::user { 'vagrant' :
         privileges => [
             'ALL=(ALL) NOPASSWD: ALL',
         ],
     }
 
-    sudo_group { 'wikidev_vagrant':
+    sudo::group { 'wikidev_vagrant':
         privileges => [
             'ALL=(vagrant) NOPASSWD: ALL',
         ],
diff --git a/modules/mediawiki/manifests/users.pp 
b/modules/mediawiki/manifests/users.pp
index 32ec52e..3c7a3b1 100644
--- a/modules/mediawiki/manifests/users.pp
+++ b/modules/mediawiki/manifests/users.pp
@@ -74,7 +74,7 @@
         mode    => '0400',
     }
 
-    sudo_group { 'wikidev':
+    sudo::group { 'wikidev':
         privileges => [
             'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL',
             'ALL = (root) NOPASSWD: /sbin/restart hhvm',
@@ -85,7 +85,7 @@
         ],
     }
 
-    sudo_user { 'l10nupdate':
+    sudo::user { 'l10nupdate':
         require    => User['l10nupdate', 'mwdeploy'],
         privileges => ['ALL = (mwdeploy) NOPASSWD: ALL'],
     }
diff --git a/files/sudo/sudoers.appserver b/modules/sudo/files/sudoers.appserver
similarity index 100%
rename from files/sudo/sudoers.appserver
rename to modules/sudo/files/sudoers.appserver
diff --git a/files/sudo/sudoers.labs b/modules/sudo/files/sudoers.labs
similarity index 100%
rename from files/sudo/sudoers.labs
rename to modules/sudo/files/sudoers.labs
diff --git a/modules/sudo/manifests/appserver.pp 
b/modules/sudo/manifests/appserver.pp
new file mode 100644
index 0000000..a512982
--- /dev/null
+++ b/modules/sudo/manifests/appserver.pp
@@ -0,0 +1,14 @@
+# == Class sudo::appserver
+#
+class sudo::appserver {
+
+    file { '/etc/sudoers.d/appserver':
+        ensure => present,
+        path   => '/etc/sudoers.d/appserver',
+        owner  => root,
+        group  => root,
+        mode   => '0440',
+        source => 'puppet:///modules/sudo/sudoers.appserver',
+    }
+
+}
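Review bot: The `path => '/etc/sudoers.d/appserver'` attribute on the file resource only repeats the title, which is already the namevar, so it can be dropped: `file { '/etc/sudoers.d/appserver':` followed directly by `ensure => present,`. The header comment `# == Class sudo::appserver` has no description line; something like `# Installs the static sudoers.d fragment used on MediaWiki appservers.` would let a reader tell it apart from sudo::user/sudo::group without opening the source file it ships.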
diff --git a/modules/sudo/manifests/group.pp b/modules/sudo/manifests/group.pp
new file mode 100644
index 0000000..d34a805
--- /dev/null
+++ b/modules/sudo/manifests/group.pp
@@ -0,0 +1,11 @@
+define sudo::group( $privileges=[], $ensure='present', $group = $title ) {
+
+    file { "/etc/sudoers.d/${title}":
+        ensure  => $ensure,
+        owner   => root,
+        group   => root,
+        mode    => '0440',
+        content => template('sudo/sudoers.erb'),
+    }
+
+}
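Review bot: The rendered fragment is installed at `/etc/sudoers.d/${title}` without any syntax check, and sudo refuses every invocation on a host when one fragment under sudoers.d fails to parse, so a malformed entry in a caller's `privileges` array would disable sudo machine-wide rather than just for that caller. If the Puppet in use is 3.5 or later, the `file` type's `validate_cmd` covers this: `validate_cmd => '/usr/sbin/visudo -c -f %',` on this resource, on the one in sudo::user, and on the `/etc/sudoers` resource in sudo::labs_project, rejects a bad file before it replaces the good one. The `$group` parameter is accepted but the resource is keyed on `$title`, so unless the template reads `$group` it is unused; a one-line comment stating which the template consumes would settle that. Separately, sudo silently skips sudoers.d files whose name contains a dot or ends in `~`, so a title like `project_foo.bar` would install a fragment that never takes effect — worth documenting on the define, since titles here come from callers.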
diff --git a/modules/sudo/manifests/init.pp b/modules/sudo/manifests/init.pp
new file mode 100644
index 0000000..b4f20e5
--- /dev/null
+++ b/modules/sudo/manifests/init.pp
@@ -0,0 +1 @@
+class sudo{}
diff --git a/modules/sudo/manifests/labs_project.pp 
b/modules/sudo/manifests/labs_project.pp
new file mode 100644
index 0000000..602c8fb
--- /dev/null
+++ b/modules/sudo/manifests/labs_project.pp
@@ -0,0 +1,19 @@
+class sudo::labs_project {
+    if $::realm != 'labs' {
+        fail('This class is labs-specific')
+    }
+       # labs specific sudo default
+    file { '/etc/sudoers':
+        owner  => root,
+        group  => root,
+        mode   => '0440',
+        source => 'puppet:///modules/sudo/sudoers.labs';
+    }
+
+    # Was handled via sudo ldap, now handled via puppet
+    sudo::group { 'ops': privileges => ['ALL=(ALL) NOPASSWD: ALL'] }
+    # Old way of handling this.
+    sudo::group { $instanceproject: ensure => absent }
+    # Another old way, before per-project sudo
+    sudo::group { $projectgroup: ensure => absent }
+}
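Review bot: `$instanceproject` and `$projectgroup` are still looked up unqualified while `$realm` was changed to `$::realm` in the same class, so the two absent-ensured fragments depend on scope resolution that the realm check no longer does; `sudo::group { $::instanceproject: ensure => absent }` and `sudo::group { $::projectgroup: ensure => absent }` would make the three lookups consistent. If either variable is unset on some instances, the resulting resource title is empty or undef, which presumably fails the catalog rather than being skipped — that is an inference, and guarding the two declarations with `if $::projectgroup { … }` would make the intent explicit. The comment on the line `# labs specific sudo default` is indented with a tab-width offset that does not match the surrounding four-space indent.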
diff --git a/modules/sudo/manifests/user.pp b/modules/sudo/manifests/user.pp
new file mode 100644
index 0000000..f810305
--- /dev/null
+++ b/modules/sudo/manifests/user.pp
@@ -0,0 +1,11 @@
+define sudo::user( $privileges ) {
+    $user = $title
+
+    file { "/etc/sudoers.d/${user}":
+        owner   => root,
+        group   => root,
+        mode    => '0440',
+        content => template('sudo/sudoers.erb');
+    }
+
+}
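Review bot: sudo::user has no `ensure` parameter while sudo::group does, so a privilege granted through sudo::user cannot be revoked by setting it absent — removing the declaration from a manifest leaves the old fragment in `/etc/sudoers.d/` until someone deletes it by hand. Adding `$ensure='present'` to the define and `ensure => $ensure,` to the file resource keeps the two defines parallel and makes revocation a one-line change for callers. Neither define carries a header comment; a short one here stating that `$privileges` is an array of raw sudoers lines rendered by `sudo/sudoers.erb` into a per-user fragment would match the `# == Class` style used in appserver.pp.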
diff --git a/templates/sudo/sudoers.erb b/modules/sudo/templates/sudoers.erb
similarity index 100%
rename from templates/sudo/sudoers.erb
rename to modules/sudo/templates/sudoers.erb

-- 
To view, visit https://gerrit.wikimedia.org/r/167183

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic7e883f85b81b516b424168be2a3380dcc5f3121
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
