Rush has submitted this change and it was merged. Change subject: admin simplify service permissions grants ......................................................................
admin simplify service permissions grants Change-Id: I5f179d9c1819e327ce2200c4d84647e702f73057 --- M modules/admin/data/data.yaml 1 file changed, 8 insertions(+), 32 deletions(-) Approvals: Rush: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index e6a06d1..63521f0 100644 --- a/modules/admin/data/data.yaml +++ b/modules/admin/data/data.yaml @@ -22,10 +22,7 @@ gid: 702 description: RT 5934 members: [ssastry, cscott, arlolra] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service parsoid stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service parsoid start', - 'ALL = (root) NOPASSWD: /usr/sbin/service parsoid restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service parsoid reload', + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service parsoid *', 'ALL = (root) NOPASSWD: /usr/sbin/service parsoid-rt-client restart', 'ALL = (parsoid-rt) NOPASSWD: /home/parsoid-rt/update-code.sh'] gerrit-root: @@ -134,10 +131,7 @@ gid: 721 description: admins for pdf render (rt 6468) members: [cscott, ssastry, gwicke, arlolra] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service ocg stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service ocg start', - 'ALL = (root) NOPASSWD: /usr/sbin/service ocg restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service ocg reload', + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service ocg *', 'ALL = (ocg) NOPASSWD: ALL'] logstash-roots: gid: 722 @@ -188,10 +182,7 @@ gid: 730 description: group of mathoid admins members: [gwicke, catrope] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service mathoid stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service mathoid start', - 'ALL = (root) NOPASSWD: /usr/sbin/service mathoid restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service mathoid reload'] + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service mathoid *'] analytics-users: gid: 7080 description: Gives generic client access to the Analytics (Hadoop) cluster. 
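Review bot: The new `/usr/sbin/service parsoid *` entry grants more than the four verbs it replaces: sudoers matches command arguments as one concatenated string, so `*` also matches spaces and permits any action the init script accepts, plus any trailing arguments, as root without a password. The same widening applies to the ocg and mathoid hunks here and to the citoid, cxserver, chromium, xvfb and zotero hunks further down. If the aim was only to shorten the list or to allow one more verb, keep explicit entries and add the missing one, e.g. `'ALL = (root) NOPASSWD: /usr/sbin/service parsoid status'`. If the wildcard stays, the commit message should say that it widens the grant rather than simplifies it. Each service's init script should then be checked for actions that take arguments or do more than lifecycle control.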
@@ -232,10 +223,7 @@ gid: 736 description: group of citoid admins members: [gwicke, catrope, mobrovac] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service citoid stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service citoid start', - 'ALL = (root) NOPASSWD: /usr/sbin/service citoid restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service citoid reload'] + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service citoid *'] analytics-roots: gid: 738 description: Full root access to Analytics Cluster nodes. @@ -255,23 +243,14 @@ gid: 741 description: group of cxserver admins members: [kartik, nikerabbit] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service cxserver stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service cxserver start', - 'ALL = (root) NOPASSWD: /usr/sbin/service cxserver restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service cxserver reload', + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service cxserver *', 'ALL = (cxserver) NOPASSWD: ALL'] chromium-admin: gid: 742 description: people who run benchmarking tests with chromium (and xvfb) members: [catrope] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service chromium stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service chromium start', - 'ALL = (root) NOPASSWD: /usr/sbin/service chromium restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service chromium reload', - 'ALL = (root) NOPASSWD: /usr/sbin/service xvfb stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service xvfb start', - 'ALL = (root) NOPASSWD: /usr/sbin/service xvfb restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service xvfb reload'] + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service chromium *', + 'ALL = (root) NOPASSWD: /usr/sbin/service xvfb *'] snapshot-admins: gid: 743 description: People who can sudo into the datasets user on snapshot hosts. 
@@ -300,10 +279,7 @@ gid: 747 description: group of zotero admins members: [mobrovac] - privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service zotero stop', - 'ALL = (root) NOPASSWD: /usr/sbin/service zotero start', - 'ALL = (root) NOPASSWD: /usr/sbin/service zotero restart', - 'ALL = (root) NOPASSWD: /usr/sbin/service zotero reload'] + privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service zotero *'] phabricator-roots: gid: 748 description: people who have full root on phabricator -- To view, visit https://gerrit.wikimedia.org/r/207788 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I5f179d9c1819e327ce2200c4d84647e702f73057 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Rush <r...@wikimedia.org> Gerrit-Reviewer: Rush <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits