
Allow the deployment of users without SSH access
Closed, Resolved | Public | 8 Estimated Story Points

Description

The Analytics team is working on tightening the Hadoop security standards of the Analytics cluster. As part of this effort, the following tasks have been opened:

  • Configure Yarn to use proper Linux containers when executing JVMs across worker nodes. This means that each container will run as the user that started it, not as 'yarn' as it happens now.
  • Reduce access to the Hadoop master nodes to admin only. We are currently mapping POSIX groups deployed to the Hadoop master nodes to HDFS in order to have a nice and easy way to add users/groups to HDFS via puppet.

Both tasks are currently difficult to achieve since the admin module doesn't contemplate the idea of a user deployed without SSH access (if keys are configured). A possible solution is to add a new parameter to admin's init.pp to configure groups of users that should not have their SSH keys configured.

Use cases to keep in consideration:

  • if a user belongs to a group added to both admin::groups and admin::groups_no_ssh, then the former should have higher priority (namely the user should get SSH access).
  • if a user belongs to a group added to admin::groups_no_ssh, then their SSH keys need to be absented from the host(s) if the above point does not hold.
  • if a user belongs to a group added to admin::groups_no_ssh only, they should not get any SSH key deployed; the opposite for admin::groups.
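
The precedence rules listed above can be checked with a small resolver. This is an added example, not code from the admin module or the linked patches; the group names, user names and function names are constructed for illustration, and only the two parameters admin::groups and admin::groups_no_ssh come from the task.

```ruby
require 'set'

# Constructed sample membership data (hypothetical groups and users).
GROUP_MEMBERS = {
  'cluster-admins' => %w[alice bob],
  'cluster-users'  => %w[bob carol],
  'data-readers'   => %w[carol dave]
}.freeze

# Resolve the SSH key state for every user deployed to a host.
#   groups        - list standing in for admin::groups (account + SSH keys)
#   groups_no_ssh - list standing in for admin::groups_no_ssh (account only)
# Returns { user => :present | :absent }, where the symbol is the desired
# state of the user's SSH keys. A user reachable through both lists gets
# :present, because admin::groups has the higher priority.
def resolve_ssh_state(group_members, groups, groups_no_ssh)
  members = lambda do |names|
    names.flat_map do |g|
      # Fail loudly on a typo instead of silently deploying nobody.
      group_members.fetch(g) { raise ArgumentError, "unknown group: #{g}" }
    end.to_set
  end

  ssh_users    = members.call(groups)
  no_ssh_users = members.call(groups_no_ssh) - ssh_users

  state = {}
  ssh_users.each    { |u| state[u] = :present }
  no_ssh_users.each { |u| state[u] = :absent }
  state
end

# Audit helper: given the users that currently have keys on a host, return
# those whose keys must be removed, either because they resolved to :absent
# or because they are not deployed to this host at all.
def stale_key_users(state, users_with_keys)
  users_with_keys.reject { |u| state[u] == :present }.sort
end

if __FILE__ == $PROGRAM_NAME
  state = resolve_ssh_state(GROUP_MEMBERS,
                            ['cluster-admins'],
                            ['cluster-users', 'data-readers'])
  state.sort.each { |user, keys| puts "#{user}: ssh keys #{keys}" }
  puts "remove keys for: #{stale_key_users(state, %w[alice carol erin]).join(', ')}"
end
```
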

Event Timeline

elukey triaged this task as Medium priority. Jan 4 2019, 4:16 PM
elukey created this task.

Change 482275 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] [WIP] admin: allow users to be deployed without ssh keys configured

https://gerrit.wikimedia.org/r/482275

Milimetric raised the priority of this task from Medium to High. Jan 7 2019, 4:53 PM
Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.

Change 484165 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::hadoop::master: add groups without ssh access

https://gerrit.wikimedia.org/r/484165

Mentioned in SAL (#wikimedia-operations) [2019-01-21T10:51:32Z] <elukey> disable puppet fleetwide to ease the merge/deploy of a puppet admin module change - T212949

Change 482275 merged by Elukey:
[operations/puppet@production] admin: allow users to be deployed without ssh keys configured

https://gerrit.wikimedia.org/r/482275

elukey set the point value for this task to 8.

Change 485640 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Remove unnecessary SSH keys from Hadoop masters (testing cluster)

https://gerrit.wikimedia.org/r/485640

Change 485640 merged by Elukey:
[operations/puppet@production] Remove unnecessary SSH keys from Hadoop masters (testing cluster)

https://gerrit.wikimedia.org/r/485640

Change 484165 merged by Elukey:
[operations/puppet@production] role::analytics_cluster::hadoop: add groups without ssh access

https://gerrit.wikimedia.org/r/484165