Bug 1418508 - [RFE] Narrow the scope of sudoers permissions for stack and heat-admin
Summary: [RFE] Narrow the scope of sudoers permissions for stack and heat-admin
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: high
Target Milestone: ---
Assignee: Angus Thomas
QA Contact: Omri Hochman
URL:
Whiteboard:
Depends On: 1657504
Blocks: 1419948
Reported: 2017-02-02 01:15 UTC by Bryan Yount
Modified: 2023-09-15 01:25 UTC (History)
CC: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-11 20:27:22 UTC
Target Upstream Version:
Embargoed:


Links
System                             ID       Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker              OSP-237  0        None      None    None     2021-11-25 12:49:52 UTC
Red Hat Knowledge Base (Solution)  2898831  0        None      None    None     2017-02-02 01:27:48 UTC

Description Bryan Yount 2017-02-02 01:15:04 UTC
Description of problem:
A customer is requesting Red Hat to narrowly define the sudoers permissions for the 'stack' and 'heat-admin' users. The current configuration for these users is set to ALL:ALL. In the current state, the OpenStack cloud fails the customer's security scans.

This RFE is to define a sudoers.d file for the stack and heat-admin users similar to how vdsm is configured in Red Hat Virtualization (see below).


Version-Release number of selected component (if applicable):
OpenStack 8.0 (Liberty)
OpenStack 9.0 (Mitaka)
OpenStack 10.0 (Newton)


Actual results:
/etc/sudoers.d is not defined for stack and heat-admin users

Expected results:
/etc/sudoers.d/XX_stack
/etc/sudoers.d/XX_heat-admin

----------------------------------------
Example from RHV:

/etc/sudoers.d/50_vdsm
# Every command vdsm may run via sudo is enumerated in a Cmnd_Alias; anything
# not listed is refused. A command given with arguments matches only those
# arguments (globs allowed); a command with no argument list accepts any.
Cmnd_Alias VDSM_LIFECYCLE = \
    /usr/sbin/dmidecode -s system-uuid, \
    /usr/share/vdsm/mk_sysprep_floppy
Cmnd_Alias VDSM_STORAGE = \
    /usr/sbin/fsck -p *, \
    /usr/sbin/tune2fs -j *, \
    /usr/sbin/mkfs -q -j *, \
    /usr/bin/kill, \
    /usr/bin/chown vdsm\:qemu *, \
    /usr/bin/chown vdsm\:kvm *, \
    /usr/sbin/iscsiadm *, \
    /usr/sbin/lvm, \
    /usr/bin/cat /sys/block/*/device/../../*, \
    /usr/bin/cat /sys/devices/platform/host*, \
    /usr/bin/dd of=/sys/class/scsi_host/host*/scan, \
    /usr/bin/dd, \
    /usr/sbin/multipath, \
    /usr/bin/setsid /usr/bin/ionice -c ? -n ? /usr/bin/su vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
    /usr/sbin/service vdsmd *, \
    /usr/sbin/reboot -f

# vdsm may run only the aliased commands, on any host, as any user, without a password.
vdsm  ALL=(ALL) NOPASSWD: VDSM_LIFECYCLE, VDSM_STORAGE
# Allow sudo from non-interactive (no tty) contexts; do not log vdsm's sudo calls to syslog.
Defaults:vdsm !requiretty
Defaults:vdsm !syslog

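What the requested /etc/sudoers.d/XX_heat-admin could look like in the 50_vdsm style, together with the check a scanner applies, as an added example (not from this bug, not rhosp-director code). The command aliases, the file names 50_heat-admin and 99_unrestricted, and the two sample fragments are hypothetical and constructed here; a real allow-list has to be derived from what the director and overcloud tooling actually invoke through sudo.

```shell
#!/bin/sh
# Added example, not from the bug report or from rhosp-director: a narrowed
# /etc/sudoers.d fragment for heat-admin in the style of RHV's 50_vdsm, plus
# a grep-based check for the unrestricted "ALL" grant a security scanner flags.
# The command list is hypothetical; a real allow-list must be derived from
# what director/overcloud tooling actually runs through sudo.

# write_samples DIR: writes two constructed fragments into DIR:
#   50_heat-admin    a hypothetical narrowed grant
#   99_unrestricted  the "ALL" grant the RFE objects to
write_samples() {
    cat > "$1/50_heat-admin" <<'EOF'
# /etc/sudoers.d/50_heat-admin (hypothetical). Only the aliased commands
# may be run; an entry with no argument list would accept any arguments.
Cmnd_Alias HEAT_ADMIN_DIAG = \
    /usr/bin/journalctl *, \
    /usr/bin/systemctl status *, \
    /usr/sbin/ip addr show
Cmnd_Alias HEAT_ADMIN_SVC = \
    /usr/bin/systemctl restart openstack-*, \
    /usr/bin/systemctl reload openstack-*

heat-admin ALL=(ALL) NOPASSWD: HEAT_ADMIN_DIAG, HEAT_ADMIN_SVC
Defaults:heat-admin !requiretty
EOF
    cat > "$1/99_unrestricted" <<'EOF'
heat-admin ALL=(ALL) NOPASSWD: ALL
EOF
}

# is_narrowed FILE USER: succeeds (0) if no grant line for USER ends in a
# bare "ALL" command spec, i.e. "user host=(runas) [TAG: ...] ALL"; fails (1)
# if one does. Comment and Cmnd_Alias lines never match because they do not
# start with USER.
is_narrowed() {
    ! grep -Eq "^[[:space:]]*$2[[:space:]]+[^=]+=(\([^)]*\))?[[:space:]]*([A-Z]+:[[:space:]]*)*ALL[[:space:]]*$" "$1"
}

# syntax_ok FILE: runs visudo's check mode on FILE when visudo is installed.
# Some sudo versions also verify owner/mode in check mode, so the authoritative
# run is as root against the installed, root-owned 0440 file.
syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found, syntax check skipped for $1"
    fi
}

# Demo: write the two samples to a temp dir and classify each.
d=$(mktemp -d)
write_samples "$d"
for f in "$d"/*; do
    if is_narrowed "$f" heat-admin; then
        echo "$(basename "$f"): narrowed"
    else
        echo "$(basename "$f"): UNRESTRICTED grant found"
    fi
done
if syntax_ok "$d/50_heat-admin"; then
    echo "50_heat-admin: syntax accepted"
else
    echo "50_heat-admin: visudo reported a problem (syntax, or owner/mode of the temp copy)"
fi
rm -rf "$d"
```

Two caveats when writing the real file. First, a sudoers entry given without an argument list, such as /usr/bin/dd or /usr/bin/kill in the 50_vdsm example above, matches any arguments, and dd run as root can overwrite any file, so such entries are effectively root-equivalent and should carry explicit argument patterns. Second, the file name under /etc/sudoers.d must not contain a dot or end in a tilde, or sudo silently skips it.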
Comment 11 Rafael Urena 2020-07-13 13:14:55 UTC
Is there an update on this that I can provide to the customer?

Rafael Ureña
Technical Account Manager

Comment 18 Red Hat Bugzilla 2023-09-15 01:25:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days
