Giuseppe Lavagetto has submitted this change and it was merged. Change subject: sudo: create module, remove old files ......................................................................
sudo: create module, remove old files For the sake of structuring our puppet classes/manifests according to the "standard" structure expected by puppet. Also: - removed the sudo::appserver class, that was used in role::snapshot::common and nowhere else. Change-Id: Ic7e883f85b81b516b424168be2a3380dcc5f3121 Signed-off-by: Giuseppe Lavagetto <glavage...@wikimedia.org> --- R files/snapshot/sudoers.snapshot M manifests/misc/fundraising.pp M manifests/role/apertium.pp M manifests/role/cxserver.pp M manifests/role/deployment.pp M manifests/role/parsoid.pp M manifests/role/snapshot.pp M manifests/site.pp D manifests/sudo.pp M modules/authdns/manifests/account.pp M modules/base/manifests/monitoring/host.pp M modules/beta/manifests/mwdeploy_sudo.pp M modules/labs_vagrant/manifests/init.pp M modules/mediawiki/manifests/users.pp M modules/openstack/manifests/project-nfs-storage-service.pp R modules/sudo/files/sudoers.labs A modules/sudo/manifests/group.pp A modules/sudo/manifests/init.pp A modules/sudo/manifests/labs_project.pp A modules/sudo/manifests/user.pp R modules/sudo/templates/sudoers.erb 21 files changed, 70 insertions(+), 78 deletions(-) Approvals: Giuseppe Lavagetto: Looks good to me, approved jenkins-bot: Verified diff --git a/files/sudo/sudoers.appserver b/files/snapshot/sudoers.snapshot similarity index 91% rename from files/sudo/sudoers.appserver rename to files/snapshot/sudoers.snapshot index 9226c8f..373fcf7 100644 --- a/files/sudo/sudoers.appserver +++ b/files/snapshot/sudoers.snapshot @@ -2,8 +2,8 @@ ##################################################################### #### THIS FILE IS MANAGED BY PUPPET -#### puppet:///files/sudo/sudoers.appserver -#### Installed by the sudo::appserver puppet class +#### puppet:///files/snapshot/sudoers.snapshot +#### Installed by the role::snapshot::common puppet class ###################################################################### # # See the sudoers man page for the details on how to write a sudoers file. 
diff --git a/manifests/misc/fundraising.pp b/manifests/misc/fundraising.pp index 253ae0d..e8f254d 100644 --- a/manifests/misc/fundraising.pp +++ b/manifests/misc/fundraising.pp @@ -2,7 +2,7 @@ include role::logging::systemusers - sudo_user { 'file_mover': + sudo::user { 'file_mover': privileges => ['ALL = NOPASSWD: /usr/bin/killall -HUP udp2log'] } file { '/usr/local/bin/rotate_fundraising_logs': diff --git a/manifests/role/apertium.pp b/manifests/role/apertium.pp index 8c525a6..0d32aab 100644 --- a/manifests/role/apertium.pp +++ b/manifests/role/apertium.pp @@ -14,7 +14,7 @@ include ::apertium # Need to allow jenkins-deploy to reload apertium - sudo_user { 'jenkins-deploy': privileges => [ + sudo::user { 'jenkins-deploy': privileges => [ # Since the "root" user is local, we cant add the sudo policy in # OpenStack manager interface at wikitech 'ALL = (root) NOPASSWD:/usr/sbin/service apertium-apy restart', diff --git a/manifests/role/cxserver.pp b/manifests/role/cxserver.pp index 5432ccf..bdc75ae 100644 --- a/manifests/role/cxserver.pp +++ b/manifests/role/cxserver.pp @@ -25,7 +25,7 @@ } # Need to allow jenkins-deploy to reload cxserver - sudo_user { 'jenkins-deploy': privileges => [ + sudo::user { 'jenkins-deploy': privileges => [ # Since the "root" user is local, we cant add the sudo policy in # OpenStack manager interface at wikitech 'ALL = (root) NOPASSWD:/usr/sbin/service cxserver restart', diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp index 5fa97dd..805c6fd 100644 --- a/manifests/role/deployment.pp +++ b/manifests/role/deployment.pp @@ -168,7 +168,7 @@ package { 'percona-toolkit': ensure => latest, } - sudo_group { 'wikidev_deployment_server': + sudo::group { 'wikidev_deployment_server': privileges => [ 'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out=json pillar.data', 'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner deploy.fetch *', 
@@ -232,7 +232,7 @@ maxmemory => '500Mb', monitor => false, } - sudo_group { "project_${::instanceproject}_deployment_server": + sudo::group { "project_${::instanceproject}_deployment_server": privileges => [ 'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet --out=json pillar.data', 'ALL = (root) NOPASSWD: /usr/bin/salt-call -l quiet publish.runner deploy.fetch *', diff --git a/manifests/role/parsoid.pp b/manifests/role/parsoid.pp index 648d366..23aeb6a 100644 --- a/manifests/role/parsoid.pp +++ b/manifests/role/parsoid.pp @@ -134,7 +134,7 @@ include role::parsoid::common - sudo_user { 'jenkins-deploy': privileges => [ + sudo::user { 'jenkins-deploy': privileges => [ # Need to allow jenkins-deploy to reload parsoid # Since the "root" user is local, we cant add the sudo policy in # OpenStack manager interface at wikitech diff --git a/manifests/role/snapshot.pp b/manifests/role/snapshot.pp index 0b4708e..a4953f3 100644 --- a/manifests/role/snapshot.pp +++ b/manifests/role/snapshot.pp @@ -1,6 +1,16 @@ class role::snapshot::common { include role::dataset::systemusers - include sudo::appserver + # The snapshot nodes do not include standard, so this is needed. + # It also includes some duplication with other modules, and should really go away. + file { '/etc/sudoers.d/appserver': + ensure => present, + path => '/etc/sudoers.d/appserver', + owner => root, + group => root, + mode => '0440', + source => 'puppet:///files/snapshot/sudoers.snapshot', + } + } class role::snapshot::cron::primary { diff --git a/manifests/site.pp b/manifests/site.pp index 5f2ed2f..3915a1e 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -16,7 +16,6 @@ import 'role/*.pp' import 'role/analytics/*.pp' import 'search.pp' -import 'sudo.pp' import 'swift.pp' import 'webserver.pp' 
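Review bot: In the new file resource in role::snapshot::common the attribute `path => '/etc/sudoers.d/appserver'` repeats the resource title, which Puppet already uses as the path, so it can be dropped without changing behaviour. The drop-in keeps the name `appserver` while its source is now `puppet:///files/snapshot/sudoers.snapshot` and the header inside that file says it is installed by role::snapshot::common; the comment above the resource could say why the old filename is kept (presumably so the drop-in already present on those hosts is replaced rather than duplicated, but that is an inference). The body of role::snapshot::common continues outside the hunk.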
@@ -1220,7 +1219,7 @@ class { 'admin': groups => ['contint-users', 'contint-admins', 'contint-roots'] } # Bug 49846, let us sync VisualEditor in mediawiki/extensions.git - sudo_user { 'jenkins-slave': + sudo::user { 'jenkins-slave': privileges => [ 'ALL = (jenkins) NOPASSWD: /srv/deployment/integration/slave-scripts/bin/gerrit-sync-ve-push.sh', ] diff --git a/manifests/sudo.pp b/manifests/sudo.pp deleted file mode 100644 index d8813d4..0000000 --- a/manifests/sudo.pp +++ /dev/null @@ -1,59 +0,0 @@ -# sudo.pp - -define sudo_user( $privileges ) { - $user = $title - - file { "/etc/sudoers.d/${user}": - owner => root, - group => root, - mode => '0440', - content => template('sudo/sudoers.erb'); - } - -} - -define sudo_group( $privileges=[], $ensure='present', $group = $title ) { - - file { "/etc/sudoers.d/${title}": - ensure => $ensure, - owner => root, - group => root, - mode => '0440', - content => template('sudo/sudoers.erb'), - } - -} - -class sudo::labs_project { - - if $realm == labs { - - # labs specific sudo default - file { '/etc/sudoers': - owner => root, - group => root, - mode => '0440', - source => 'puppet:///files/sudo/sudoers.labs'; - } - - # Was handled via sudo ldap, now handled via puppet - sudo_group { 'ops': privileges => ['ALL=(ALL) NOPASSWD: ALL'] } - # Old way of handling this. - sudo_group { $instanceproject: ensure => absent } - # Another old way, before per-project sudo - sudo_group { $projectgroup: ensure => absent } - } -} - -class sudo::appserver { - - file { '/etc/sudoers.d/appserver': - ensure => present, - path => '/etc/sudoers.d/appserver', - owner => root, - group => root, - mode => '0440', - source => 'puppet:///files/sudo/sudoers.appserver', - } - -} diff --git a/modules/authdns/manifests/account.pp b/modules/authdns/manifests/account.pp index 1c1c00a..1417d2d 100644 --- a/modules/authdns/manifests/account.pp +++ b/modules/authdns/manifests/account.pp 
@@ -18,7 +18,7 @@ ensure => 'present', } - sudo_user { $user: + sudo::user { $user: privileges => ['ALL=NOPASSWD: /usr/local/sbin/authdns-local-update'], } diff --git a/modules/base/manifests/monitoring/host.pp b/modules/base/manifests/monitoring/host.pp index 7ee8700..34ff53e 100644 --- a/modules/base/manifests/monitoring/host.pp +++ b/modules/base/manifests/monitoring/host.pp @@ -79,7 +79,7 @@ source => 'puppet:///modules/base/check_sysctl', } - sudo_user { 'nagios': + sudo::user { 'nagios': privileges => [ 'ALL = NOPASSWD: /usr/local/bin/check-raid.py', 'ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_puppetrun', diff --git a/modules/beta/manifests/mwdeploy_sudo.pp b/modules/beta/manifests/mwdeploy_sudo.pp index 2f52e45..9c4c4c6 100644 --- a/modules/beta/manifests/mwdeploy_sudo.pp +++ b/modules/beta/manifests/mwdeploy_sudo.pp @@ -6,7 +6,7 @@ # Grant mwdeploy sudo rights to run anything as itself, apache or # l10nupdate and to (re)start the hhvm fcgi service. This is a subset of # the rights granted to the wikidev group by the mediawiki::users class. - sudo_user { 'mwdeploy' : + sudo::user { 'mwdeploy' : privileges => [ 'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL', 'ALL = (root) NOPASSWD: /sbin/restart hhvm', diff --git a/modules/labs_vagrant/manifests/init.pp b/modules/labs_vagrant/manifests/init.pp index d23e956..4a8f1b2 100644 --- a/modules/labs_vagrant/manifests/init.pp +++ b/modules/labs_vagrant/manifests/init.pp @@ -26,13 +26,13 @@ group => 'vagrant', } - sudo_user { 'vagrant' : + sudo::user { 'vagrant' : privileges => [ 'ALL=(ALL) NOPASSWD: ALL', ], } - sudo_group { 'wikidev_vagrant': + sudo::group { 'wikidev_vagrant': privileges => [ 'ALL=(vagrant) NOPASSWD: ALL', ], diff --git a/modules/mediawiki/manifests/users.pp b/modules/mediawiki/manifests/users.pp index 32ec52e..3c7a3b1 100644 --- a/modules/mediawiki/manifests/users.pp +++ b/modules/mediawiki/manifests/users.pp 
@@ -74,7 +74,7 @@
 mode => '0400',
 }
- sudo_group { 'wikidev':
+ sudo::group { 'wikidev':
 privileges => [
 'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL',
 'ALL = (root) NOPASSWD: /sbin/restart hhvm',
@@ -85,7 +85,7 @@
 ],
 }
- sudo_user { 'l10nupdate':
+ sudo::user { 'l10nupdate':
 require => User['l10nupdate', 'mwdeploy'],
 privileges => ['ALL = (mwdeploy) NOPASSWD: ALL'],
 }
diff --git a/modules/openstack/manifests/project-nfs-storage-service.pp b/modules/openstack/manifests/project-nfs-storage-service.pp
index dc6cf8a..c7efd22 100644
--- a/modules/openstack/manifests/project-nfs-storage-service.pp
+++ b/modules/openstack/manifests/project-nfs-storage-service.pp
@@ -11,7 +11,7 @@
 $sudo_privs = [ 'ALL = NOPASSWD: /bin/mkdir -p /srv/*', 'ALL = NOPASSWD: /bin/rmdir /srv/*', 'ALL = NOPASSWD: /usr/local/sbin/sync-exports' ]
- sudo_user { [ "nfsmanager" ]: privileges => $sudo_privs, require => User["nfsmanager"] }
+ sudo::user { [ "nfsmanager" ]: privileges => $sudo_privs, require => User["nfsmanager"] }
 group { 'nfsmanager':
 ensure => present,
diff --git a/files/sudo/sudoers.labs b/modules/sudo/files/sudoers.labs
similarity index 100%
rename from files/sudo/sudoers.labs
rename to modules/sudo/files/sudoers.labs
diff --git a/modules/sudo/manifests/group.pp b/modules/sudo/manifests/group.pp
new file mode 100644
index 0000000..d34a805
--- /dev/null
+++ b/modules/sudo/manifests/group.pp
@@ -0,0 +1,11 @@
+define sudo::group( $privileges=[], $ensure='present', $group = $title ) {
+
+ file { "/etc/sudoers.d/${title}":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0440',
+ content => template('sudo/sudoers.erb'),
+ }
+
+}
diff --git a/modules/sudo/manifests/init.pp b/modules/sudo/manifests/init.pp
new file mode 100644
index 0000000..b4f20e5
--- /dev/null
+++ b/modules/sudo/manifests/init.pp
@@ -0,0 +1 @@
+class sudo{}
diff --git a/modules/sudo/manifests/labs_project.pp b/modules/sudo/manifests/labs_project.pp
new file mode 100644
index 0000000..2fe0ea1
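Review bot: `sudo::group` writes `/etc/sudoers.d/${title}` straight from the template with no syntax check, so a malformed entry in `$privileges` renders a drop-in that sudo rejects, and sudo then refuses to run for every user on the host; the same applies to `sudo::user` in modules/sudo/manifests/user.pp and to the `/etc/sudoers` resource in modules/sudo/manifests/labs_project.pp. If the Puppet version in use supports it, adding `validate_cmd => '/usr/sbin/visudo -c -f %',` to each of those file resources makes Puppet reject a broken file before it replaces the live one. The `$group` parameter is accepted but not referenced in the define body shown here; presumably the template reads it, and a one-line comment saying so, e.g. `# $group is consumed by sudo/sudoers.erb; the file is always named after $title`, would save the next reader a trip to the template.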
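Review bot: `class sudo{}` in modules/sudo/manifests/init.pp is an empty class with nothing to say why it exists; presumably it is only there so the module has an init class, and a comment such as `# Intentionally empty: the module's entry points are sudo::user, sudo::group and sudo::labs_project.` would make that explicit. The usual Puppet style also puts a space before the brace, `class sudo {}`.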
--- /dev/null
+++ b/modules/sudo/manifests/labs_project.pp
@@ -0,0 +1,19 @@
+class sudo::labs_project {
+ if $::realm != 'labs' {
+ fail('This class is labs-specific')
+ }
+ # labs specific sudo default
+ file { '/etc/sudoers':
+ owner => root,
+ group => root,
+ mode => '0440',
+ source => 'puppet:///modules/sudo/sudoers.labs';
+ }
+
+ # Was handled via sudo ldap, now handled via puppet
+ sudo::group { 'ops': privileges => ['ALL=(ALL) NOPASSWD: ALL'] }
+ # Old way of handling this.
+ sudo::group { $instanceproject: ensure => absent }
+ # Another old way, before per-project sudo
+ sudo::group { $projectgroup: ensure => absent }
+}
diff --git a/modules/sudo/manifests/user.pp b/modules/sudo/manifests/user.pp
new file mode 100644
index 0000000..f810305
--- /dev/null
+++ b/modules/sudo/manifests/user.pp
@@ -0,0 +1,11 @@
+define sudo::user( $privileges ) {
+ $user = $title
+
+ file { "/etc/sudoers.d/${user}":
+ owner => root,
+ group => root,
+ mode => '0440',
+ content => template('sudo/sudoers.erb');
+ }
+
+}
diff --git a/templates/sudo/sudoers.erb b/modules/sudo/templates/sudoers.erb
similarity index 100%
rename from templates/sudo/sudoers.erb
rename to modules/sudo/templates/sudoers.erb
-- To view, visit https://gerrit.wikimedia.org/r/167183 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ic7e883f85b81b516b424168be2a3380dcc5f3121 Gerrit-PatchSet: 7 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Hashar <has...@free.fr> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
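Review bot: In sudo::labs_project the two `ensure => absent` resources use the unqualified `$instanceproject` and `$projectgroup` while the realm check two lines above uses `$::realm`; qualifying them as `$::instanceproject` and `$::projectgroup` keeps the lookups consistent and avoids picking up a local variable of the same name. Neither value is checked before use: if one of them is empty or undefined on an instance, the title becomes empty and the file resource inside sudo::group would point at `/etc/sudoers.d/` itself with `ensure => absent`, so guarding each one, e.g. `if $::instanceproject { sudo::group { $::instanceproject: ensure => absent } }`, is safer than relying on the variables always being set. A short comment on the two removals saying when they can be deleted for good would also help, since both are described as old mechanisms.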
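Review bot: `sudo::user` has no `$ensure` parameter and its file resource sets none, unlike `sudo::group` in modules/sudo/manifests/group.pp, so a user grant can be created through Puppet but never revoked through it; `define sudo::user( $privileges, $ensure='present' ) {` together with `ensure => $ensure,` in the file resource brings it in line with the group define. The `content => template('sudo/sudoers.erb');` attribute ends with a semicolon where group.pp uses a comma; both parse, but one style across the two defines is easier to read. A one-line header comment on the define, e.g. `# Installs /etc/sudoers.d/<title> granting $privileges to the user named by the title`, would match what group.pp should also get.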