Yuvipanda has submitted this change and it was merged.

Change subject: tools: Grant clush user complete sudo rights for everything
......................................................................


tools: Grant clush user complete sudo rights for everything

Also include toollabs::infrastructure explicitly, to
deny non root / non-admin users access.

SCARY

Change-Id: I99b067b2a76feb0281ac881d7052cceefd790a37
---
M modules/role/manifests/toollabs/clush/master.pp
1 file changed, 8 insertions(+), 3 deletions(-)

Approvals:
  Yuvipanda: Verified; Looks good to me, approved
  Rush: Looks good to me, but someone else must approve



diff --git a/modules/role/manifests/toollabs/clush/master.pp 
b/modules/role/manifests/toollabs/clush/master.pp
index b189a4f..db2cf76 100644
--- a/modules/role/manifests/toollabs/clush/master.pp
+++ b/modules/role/manifests/toollabs/clush/master.pp
@@ -15,10 +15,9 @@
 #
 # This will run it on all the k8s-workers, collect the output
 # from them all (the -b option), dedupes them and displays them. You can 
specify fanout with -f - the default is 16.
-#
-# Right now the user has no sudo rights, but this will probably
-# change!
 class role::toollabs::clush::master {
+    include ::toollabs::infrastructure
+
     class { '::clush::master':
         username => 'clushuser',
     }
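Review bot: The `include ::toollabs::infrastructure` line carries no comment, and the header comment no longer says anything about the user's sudo state now that the "Right now the user has no sudo rights" lines are removed. Only the commit message records that the include is there to deny non-root / non-admin users access. Since that restriction is what the sudo grant later in this class relies on, put a short comment directly above the include stating that it must stay, and update the class header to say that clushuser now has sudo. A later refactor that drops the include would otherwise look harmless.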
@@ -76,4 +75,10 @@
         mode    => '0444',
         content => ini($groups_config),
     }
+
+    # Give it complete sudo rights
+    sudo::user { 'clushuser':
+        ensure     => present,
+        privileges => 'ALL = (ALL) NOPASSWD: ALL',
+    }
 }
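Review bot: `privileges => 'ALL = (ALL) NOPASSWD: ALL'` gives clushuser unrestricted, passwordless root, so anything that can act as clushuser (the account itself or whatever credential it logs in with) is equivalent to root wherever this rule applies. The comment "Give it complete sudo rights" restates the resource but not the reason. Please document why a full grant is needed rather than a command list, and state in the comment which hosts are meant to receive this rule, since the resource as written sits in the master role class. If the commands run through clush are known, narrowing the spec to those would reduce the exposure the commit message itself calls SCARY.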

-- 
To view, visit https://gerrit.wikimedia.org/r/315736
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I99b067b2a76feb0281ac881d7052cceefd790a37
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Madhuvishy <mviswanat...@wikimedia.org>
Gerrit-Reviewer: Rush <r...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
