Description of problem:
A customer is requesting Red Hat to narrowly define the sudoers permissions for the 'stack' and 'heat-admin' users. The current configuration for these users is set to ALL:ALL. In the current state, the OpenStack cloud fails the customer's security scans. This RFE is to define a sudoers.d file for the stack and heat-admin users similar to how vdsm is configured in Red Hat Virtualization (see below).

Version-Release number of selected component (if applicable):
OpenStack 8.0 (Liberty)
OpenStack 9.0 (Mitaka)
OpenStack 10.0 (Newton)

Actual results:
/etc/sudoers.d is not defined for stack and heat-admin users

Expected results:
/etc/sudoers.d/XX_stack
/etc/sudoers.d/XX_heat-admin

----------------------------------------
Example from RHV: /etc/sudoers.d/50_vdsm

Cmnd_Alias VDSM_LIFECYCLE = \
    /usr/sbin/dmidecode -s system-uuid, \
    /usr/share/vdsm/mk_sysprep_floppy

Cmnd_Alias VDSM_STORAGE = \
    /usr/sbin/fsck -p *, \
    /usr/sbin/tune2fs -j *, \
    /usr/sbin/mkfs -q -j *, \
    /usr/bin/kill, \
    /usr/bin/chown vdsm\:qemu *, \
    /usr/bin/chown vdsm\:kvm *, \
    /usr/sbin/iscsiadm *, \
    /usr/sbin/lvm, \
    /usr/bin/cat /sys/block/*/device/../../*, \
    /usr/bin/cat /sys/devices/platform/host*, \
    /usr/bin/dd of=/sys/class/scsi_host/host*/scan, \
    /usr/bin/dd, \
    /usr/sbin/multipath, \
    /usr/bin/setsid /usr/bin/ionice -c ? -n ? /usr/bin/su vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
    /usr/sbin/service vdsmd *, \
    /usr/sbin/reboot -f

vdsm ALL=(ALL) NOPASSWD: VDSM_LIFECYCLE, VDSM_STORAGE
Defaults:vdsm !requiretty
Defaults:vdsm !syslog
Is there an update on this that I can provide to the customer?

Rafael Ureña
Technical Account Manager
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days