[MediaWiki-commits] [Gerrit] operations/puppet[production]: Allow aklapper to `sudo -E` phabricator admin utilities

[20after4 (Code Review)]

20after4 has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/322781

Change subject: Allow aklapper to `sudo -E` phabricator admin utilities
......................................................................

Allow aklapper to `sudo -E` phabricator admin utilities

Due to changes from T146055, Phabricator now requires that the
environment variable PHABRICATOR_ENV is set when running any
phabricator cli tools. @aklapper has sudoers rules to allow him to
use some of the admin tools, however, preserve_environment (`sudo -E`)
is not enabled:

```
aklapper@iridium:~$ export PHABRICATOR_ENV=phd
aklapper@iridium:~$ sudo -E /srv/phab/phabricator/bin/remove destroy F4740754
sudo: sorry, you are not allowed to preserve the environment
```

This change should allow sudo -E.

Bug: T151148
Change-Id: I7e714fbbcabf5228704e73ac5b640ece7e3cd5f1
---
M modules/admin/data/data.yaml
1 file changed, 8 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/81/322781/1

diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 7d4ef8d..cbf4cf0 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -292,14 +292,14 @@
                  * Delete users (e.g. unverified accounts due to wrong email 
address)
                  * Delete files (e.g. copyright violations)
     members: [aklapper]
-    privileges: ['ALL = NOPASSWD: /srv/phab/phabricator/bin/remove destroy F*',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/remove destroy r*',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/remove destroy @*',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/repository',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/phd',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/policy',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/worker',
-                 'ALL = NOPASSWD: /srv/phab/phabricator/bin/auth strip 
--all-types --user *']
+    privileges: ['ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/remove 
destroy F*',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/remove 
destroy r*',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/remove 
destroy @*',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/repository',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/phd',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/policy',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/worker',
+                 'ALL = NOPASSWD:SETENV: /srv/phab/phabricator/bin/auth strip 
--all-types --user *']
   zotero-admin:
     gid: 747
     description: group of zotero admins

-- 
To view, visit https://gerrit.wikimedia.org/r/322781
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7e714fbbcabf5228704e73ac5b640ece7e3cd5f1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: 20after4 <mmod...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits