Rush has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/207818

Change subject: admin cleanup for citoid and mathoid perms
......................................................................

admin cleanup for citoid and mathoid perms

These two services have -root groups but
the permissions do not actually grant it.  The
current permissions allow users to run commands
as the relevant service user.  This is allowed
in other places in the admin role.  I am reducing
complexity here by making role classifications
consistent.

See existing cxserver-admin for an example.

Change-Id: I7cc1b0939c6cc5a28a8933157d26acd285dc31b3
---
M modules/admin/data/data.yaml
1 file changed, 8 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/18/207818/1

diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 63521f0..3b64d79 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -176,13 +176,14 @@
   mathoid-roots:
     gid: 729
     description: root rights for mathoid
-    members: [gwicke, catrope]
-    privileges: ['ALL = (mathoid) NOPASSWD: ALL']
+    members: []
+    privileges: []
   mathoid-admin:
     gid: 730
     description: group of mathoid admins
     members: [gwicke, catrope]
-    privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service mathoid *']
+    privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service mathoid *',
+                 'ALL = (mathoid) NOPASSWD: ALL']
   analytics-users:
     gid: 7080
     description: Gives generic client access to the Analytics (Hadoop) cluster.
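
Review bot: mathoid-roots is left in place with `members: []` and `privileges: []`, but its description still reads "root rights for mathoid", so the file now advertises a root group that grants nothing. Either drop the group entry or change the description to say it is retired and kept only to reserve gid 729. Otherwise someone may later add a member expecting root rights. The member lists of mathoid-roots and mathoid-admin were identical (gwicke, catrope), so moving `'ALL = (mathoid) NOPASSWD: ALL'` into mathoid-admin does not change effective access for anyone today, which is worth stating in the commit message.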
@@ -217,13 +218,14 @@
   citoid-roots:
     gid: 735
     description: rights for debugging citoid
-    members: [gwicke, catrope, mobrovac]
-    privileges: ['ALL = (citoid) NOPASSWD: ALL']
+    members: []
+    privileges: []
   citoid-admin:
     gid: 736
     description: group of citoid admins
     members: [gwicke, catrope, mobrovac]
-    privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service citoid *']
+    privileges: ['ALL = (root) NOPASSWD: /usr/sbin/service citoid *',
+                 'ALL = (citoid) NOPASSWD: ALL']
   analytics-roots:
       gid: 738
       description: Full root access to Analytics Cluster nodes.
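
Review bot: the citoid-admin description still says only "group of citoid admins", although the group now carries both the root-level `service citoid *` rule and `'ALL = (citoid) NOPASSWD: ALL'`. Anyone added to citoid-admin later for service restarts will also be able to run any command as the citoid user. Please update the description to mention the run-as-citoid grant so membership reviews see the full scope. As with the mathoid hunk, the emptied citoid-roots keeps the description "rights for debugging citoid"; mark it as unused or remove it.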

-- 
To view, visit https://gerrit.wikimedia.org/r/207818
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7cc1b0939c6cc5a28a8933157d26acd285dc31b3
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <[email protected]>
