Page MenuHomePhabricator
Create Task
Maniphest T392797

Retire explicit 'roots' sudo policies
Closed, ResolvedPublic
Actions

Description

In tools and toolsbeta we have a roots sudo policy with a duplicated list of folks with sudo privileges. In addition the profile::toolforge::base puppet profile provisions a sudo rule grants full sudo privileges to everyone in the ${::wmcs_project}.admin group.

In order to drop one more manually maintained list of Toolforge admins, I propose we migrate that Puppet-managed sudo rule to profile::toolforge::infrastructure (which applies to all the nodes in the project, not just ones with custom Toolforge-specific roles) and drop the LDAP-managed rule.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
P:toolforge: Apply admin-root sudo policy to all instancesoperations/puppetproduction+18 -17
Customize query in gerrit

Event Timeline

taavi created this task.Apr 28 2025, 9:09 AM
Restricted Application added a project: cloud-services-team. · View Herald TranscriptApr 28 2025, 9:09 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Apr 28 2025, 9:15 AM

Change #1139416 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:toolforge: Apply admin-root sudo policy to all instances

https://gerrit.wikimedia.org/r/1139416

gerritbot added a project: Patch-For-Review.Apr 28 2025, 9:15 AM
dcaro subscribed.May 6 2025, 2:47 PM
fnegri subscribed.May 6 2025, 4:12 PM
fnegri added a comment.May 6 2025, 4:16 PM

I support dropping the redundant list. I thought I filed a related phab task about simplifying root/admin lists, but I cannot find it so maybe I never created it. :)

This documentation page will need an update after this task is resolved: https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Toolforge_roots_and_Toolforge_admins

taavi claimed this task.May 7 2025, 8:14 AM
gerritbot added a comment.May 7 2025, 9:02 AM

Change #1139416 merged by Majavah:

[operations/puppet@production] P:toolforge: Apply admin-root sudo policy to all instances

https://gerrit.wikimedia.org/r/1139416

Maintenance_bot removed a project: Patch-For-Review.May 7 2025, 9:30 AM
Stashbot added a comment.May 7 2025, 9:36 AM

Mentioned in SAL (#wikimedia-cloud) [2025-05-07T09:36:57Z] <taavi> remove 'roots' ldap sudo policy T392797

taavi added a comment.May 7 2025, 9:39 AM

Dropped the toolsbeta policy from LDAP and as far as I can tell the access is still there:

taavi@toolsbeta-puppetserver-1:~$ sudo -u raymond-ndibe sudo -l
Matching Defaults entries for raymond-ndibe on toolsbeta-puppetserver-1:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, passwd_tries=0, lecture=never

User raymond-ndibe may run the following commands on toolsbeta-puppetserver-1:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (toolsbeta.admin) NOPASSWD: AL
Stashbot added a comment.May 7 2025, 9:40 AM

Mentioned in SAL (#wikimedia-cloud) [2025-05-07T09:40:33Z] <taavi> remove 'roots' ldap sudo policy T392797

taavi closed this task as Resolved.May 7 2025, 9:41 AM

I dropped it from tools as well, and updated the docs.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits