
cloudcumin: decide sudoers rules for users without global root
Closed, ResolvedPublic

Description

Once the cloudcumin setup is complete and we can successfully run cookbooks from there as root (T319401), we would like to let other non-root users also run WMCS cookbooks (or a subset of them) from cloudcuminXXXX hosts.

We can probably define some sudoers rule in a similar way to what is in place for cuminXXXX hosts.

Some security considerations of having non-root (and volunteers) run cookbooks from cloudcumin hosts are being discussed at T324986.

Event Timeline

Happy to provide input, but the task description could use a little more context :-)

It's definitely a bit vague at the moment :) I just wanted to split it from the main task, as it can be discussed and addressed separately.

We will have to consider which commands will be allowed for non-root users SSHing to the new cloudcumin hosts. We want both WMF staff without global root and external volunteers to be able to run (at least some) cookbooks from cloudcumin hosts.

Let's discuss details and possible options in the comments of this task.

As someone without global root who has been a test case in the past for this, allowing wmcs* cookbook runs for a subset of users has been an interim solution. I suspect however that useful cookbooks would be more nuanced than that. For example, I would love to be able to run cookbooks to reimage machines; albeit only the machines I do have root on. There may also be specific cookbooks that would want to be more restricted that a blanket PREFIX* might not cover.

Indeed, I agree that we might need later on some more fine-tuned way to authorize things. That said the new cloudcumin setup will already have only access to the WMCS-owned production hosts as root, although they will have root access on all Openstack VMs.
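To make the "blanket PREFIX*" concern concrete, here is an added sudoers fragment that is not part of this task or of the merged Puppet change (whose contents are not reproduced here). It contrasts a prefix wildcard rule with an enumerated allow-list; the cookbook entry-point path, the second group name and the cookbook names are placeholders, while wmcs-roots is the group named later in this task.

```sudoers
# Assumed entry point of the cookbook runner; replace with the real path.
# Variant A: blanket prefix rule.
# sudoers matches command arguments as one concatenated string, so the
# trailing "*" spans word boundaries: any cookbook whose name starts with
# "wmcs." is permitted, together with any further options after it.
%wmcs-roots ALL = (root) NOPASSWD: /usr/local/bin/cookbook wmcs.*

# Variant B: enumerated allow-list for a group that should get only a subset.
# Placeholder cookbook names; each entry names one cookbook exactly, so a
# more sensitive cookbook is only reachable if it is listed here.
Cmnd_Alias WMCS_SUBSET = /usr/local/bin/cookbook wmcs.PLACEHOLDER_ONE, \
                         /usr/local/bin/cookbook wmcs.PLACEHOLDER_TWO
%wmcs-cookbook-subset ALL = (root) NOPASSWD: WMCS_SUBSET
```

After deploying such a fragment, `sudo -l -U <user>` on the host lists exactly which command patterns that user has been granted, which is a quick way to verify the rule does what was intended.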

fnegri renamed this task from Decide sudoers rules for users without global root to cloudcumin: decide sudoers rules for users without global root. Aug 1 2023, 3:52 PM
fnegri triaged this task as Medium priority. Aug 10 2023, 9:27 AM

Change 952448 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] cluster::cloud_management allow access to wmcs

https://gerrit.wikimedia.org/r/952448

I created a patch to propose a specific solution for this task: https://gerrit.wikimedia.org/r/952448

Before merging it, we need to find a consensus about the security concerns in T324986.

fnegri closed subtask Restricted Task as Resolved. Oct 2 2023, 10:32 AM

Change 952448 merged by FNegri:

[operations/puppet@production] cluster::cloud_management allow access to wmcs

https://gerrit.wikimedia.org/r/952448

fnegri claimed this task.

The patch above has been merged and now all members of the wmcs-roots group can ssh to cloudcumins and run cookbooks from there.

Please note that some cookbooks are not working correctly from cloudcumins, until we find a solution for T347490: [wmcs-cookbooks] Downtime alerts from cloudcumins.