Page MenuHomePhabricator

Allow the deployment of users without SSH access
Closed, ResolvedPublic8 Story Points

Description

The Analytics team is working on tightening the Hadoop security standards of the Analytics cluster. As part of this effort, there are these tasks opened:

  • Configure Yarn to use proper Linux containers when executing JVMs across worker nodes. This means that each container will run as the user that started it, not as 'yarn' as it happens now.
  • Reduce access to the Hadoop master nodes to admin only. We are currently mapping POSIX groups deployed to the Hadoop master nodes to HDFS in order to have a nice and easy way to add users/groups to HDFS via puppet.

Both tasks are currently difficult to achieve since the admin module doesn't contemplate the idea of a user deployed without SSH access (if keys are configured). A possible solution is
to add a new parameter to admin's init.pp to configure groups of users that should not have their SSH keys configured.

Use cases to keep in consideration:

  • if a user belongs to a group added to both admin::groups and admin::groups_no_ssh, then the former should have higher priority (namely the user should get SSH access).
  • if a user belongs to a group added to admin::groups_no_ssh then its ssh keys needs to be absented from the host(s) if the above point does not hold.
  • if a user belongs to a group added to admin::groups_no_ssh only it should not get any SSH key deployed, the opposite for admin::groups.

Event Timeline

elukey triaged this task as Normal priority.Jan 4 2019, 4:16 PM
elukey created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2019, 4:16 PM
elukey moved this task from Next Up to In Progress on the Analytics-Kanban board.Jan 4 2019, 4:17 PM

Change 482275 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] [WIP] admin: allow users to be deployed without ssh keys configured

https://gerrit.wikimedia.org/r/482275

Milimetric raised the priority of this task from Normal to High.Jan 7 2019, 4:53 PM
Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.

Change 484165 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::hadoop::master: add groups without ssh access

https://gerrit.wikimedia.org/r/484165

Mentioned in SAL (#wikimedia-operations) [2019-01-21T10:51:32Z] <elukey> disable puppet fleetwide to ease the merge/deploy of a puppet admin module change - T212949

Change 482275 merged by Elukey:
[operations/puppet@production] admin: allow users to be deployed without ssh keys configured

https://gerrit.wikimedia.org/r/482275

elukey moved this task from In Code Review to Done on the Analytics-Kanban board.Jan 21 2019, 12:30 PM
elukey set the point value for this task to 8.

Change 485640 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Remove unnecessary SSH keys from Hadoop masters (testing cluster)

https://gerrit.wikimedia.org/r/485640

Change 485640 merged by Elukey:
[operations/puppet@production] Remove unnecessary SSH keys from Hadoop masters (testing cluster)

https://gerrit.wikimedia.org/r/485640

Change 484165 merged by Elukey:
[operations/puppet@production] role::analytics_cluster::hadoop: add groups without ssh access

https://gerrit.wikimedia.org/r/484165

Nuria closed this task as Resolved.Jan 25 2019, 11:38 PM