Bug 1418508 - [RFE] Narrow the scope of sudoers permissions for stack and heat-admin [NEEDINFO]
Summary: [RFE] Narrow the scope of sudoers permissions for stack and heat-admin
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: high
Target Milestone: ---
Assignee: Angus Thomas
QA Contact: Omri Hochman
URL:
Whiteboard:
Depends On: 1657504
Blocks: 1419948
 
Reported: 2017-02-02 01:15 UTC by Bryan Yount
Modified: 2021-06-22 00:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
rurena: needinfo? (athomas)




Links:
Red Hat Knowledge Base (Solution) 2898831, last updated 2017-02-02 01:27:48 UTC

Description Bryan Yount 2017-02-02 01:15:04 UTC
Description of problem:
A customer is requesting that Red Hat narrowly define the sudoers permissions for the 'stack' and 'heat-admin' users. The current configuration for these users is set to ALL:ALL. In the current state, the OpenStack cloud fails the customer's security scans.

This RFE is to define a sudoers.d file for the stack and heat-admin users similar to how vdsm is configured in Red Hat Virtualization (see below).


Version-Release number of selected component (if applicable):
OpenStack 8.0 (Liberty)
OpenStack 9.0 (Mitaka)
OpenStack 10.0 (Newton)


Actual results:
/etc/sudoers.d is not defined for stack and heat-admin users

Expected results:
/etc/sudoers.d/XX_stack
/etc/sudoers.d/XX_heat-admin

----------------------------------------
Example from RHV:

/etc/sudoers.d/50_vdsm
Cmnd_Alias VDSM_LIFECYCLE = \
    /usr/sbin/dmidecode -s system-uuid, \
    /usr/share/vdsm/mk_sysprep_floppy
Cmnd_Alias VDSM_STORAGE = \
    /usr/sbin/fsck -p *, \
    /usr/sbin/tune2fs -j *, \
    /usr/sbin/mkfs -q -j *, \
    /usr/bin/kill, \
    /usr/bin/chown vdsm\:qemu *, \
    /usr/bin/chown vdsm\:kvm *, \
    /usr/sbin/iscsiadm *, \
    /usr/sbin/lvm, \
    /usr/bin/cat /sys/block/*/device/../../*, \
    /usr/bin/cat /sys/devices/platform/host*, \
    /usr/bin/dd of=/sys/class/scsi_host/host*/scan, \
    /usr/bin/dd, \
    /usr/sbin/multipath, \
    /usr/bin/setsid /usr/bin/ionice -c ? -n ? /usr/bin/su vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
    /usr/sbin/service vdsmd *, \
    /usr/sbin/reboot -f

vdsm  ALL=(ALL) NOPASSWD: VDSM_LIFECYCLE, VDSM_STORAGE
Defaults:vdsm !requiretty
Defaults:vdsm !syslog
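
The shape of the problem the scan reports, as an added audit helper that is not part of this bug report or of rhosp-director: it joins backslash-continued lines, skips Defaults and alias lines, and flags every user spec whose command list is the bare keyword ALL. The sample fragment is constructed here, combining the vdsm-style allow-list above with the wide-open entries the RFE wants replaced; the function and file names are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or from rhosp-director).
# Reports user specs whose command list is ALL, i.e. the ALL:ALL shape the
# customer's scan objects to, and notes whether the grant is passwordless.

audit_sudoers() {
    # $1: path to a sudoers file or an /etc/sudoers.d fragment
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" |   # join "\"-continued lines
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*|*_Alias*) continue ;;   # not a user specification
        esac
        set -- $line                  # $1 is now the user or %group
        user=$1
        # Reduce "user HOSTS=(RUNAS) TAG: cmnd_list" to just cmnd_list
        cmds=$(printf '%s\n' "$line" | sed \
            's/^[^=]*=[[:space:]]*//; s/^([^)]*)[[:space:]]*//; s/^\([A-Z]*:[[:space:]]*\)*//; s/[[:space:]]*$//')
        case "$cmds" in
            ALL|ALL,*)
                tag=
                case "$line" in *NOPASSWD*) tag=' (NOPASSWD)' ;; esac
                printf '%s unrestricted%s\n' "$user" "$tag" ;;
        esac
    done
}

# sudoers_is_narrow FILE: succeeds only when no unrestricted entry was found
sudoers_is_narrow() {
    [ -z "$(audit_sudoers "$1")" ]
}

# Constructed sample: a vdsm-style allow-list beside the wide-open
# stack and heat-admin entries this RFE asks to narrow.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults:vdsm !requiretty
Cmnd_Alias VDSM_LIFECYCLE = \
    /usr/sbin/dmidecode -s system-uuid, \
    /usr/share/vdsm/mk_sysprep_floppy
vdsm  ALL=(ALL) NOPASSWD: VDSM_LIFECYCLE
stack ALL=(ALL) NOPASSWD: ALL
heat-admin ALL=(ALL) NOPASSWD:ALL
EOF

audit_sudoers "$SAMPLE_SUDOERS"
```

Only the stack and heat-admin lines are reported; the vdsm entry, which names a Cmnd_Alias instead of ALL, passes.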

Comment 11 Rafael Urena 2020-07-13 13:14:55 UTC
Is there an update on this that I can provide to the customer?

Rafael Ureña
Technical Account Manager

