Last modified: 2012-04-16 00:14:07 UTC
Currently sudo is managed globally, and only cloudadmins are allowed to modify the policy. The only policy currently is root access for ops members on all instances. This isn't a terribly useful way of handling sudo in LDAP. We should instead allow sudo management per-project, and scrap the idea of global sudo via LDAP (we can do that in puppet easily enough).

Instances pull sudo information from LDAP via the following setting in /etc/sudo-ldap.conf:

    SUDOERS_BASE ou=sudoers,dc=wikimedia,dc=org

On project creation, we can add an OU under the project's entry, like so:

    ou=sudoers,cn=example-project,ou=groups,dc=wikimedia,dc=org

Instances for that project can pull sudo policies from that OU by changing the SUDOERS_BASE to:

    SUDOERS_BASE ou=sudoers,cn=example-project,ou=groups,dc=wikimedia,dc=org

The above can be handled by puppet.

Also, in puppet, we currently have a labs-specific configuration that allows all project members to sudo to root, unless a project is marked as global. We must manually mark a project as global in puppet, and handing out root to anyone other than ops is difficult in that situation.

We can kill a couple of birds with one stone here. If we create a policy on project creation that gives all members sudo access on all instances in the project, a project can be limited by simply removing the default policy. Here's an example of a default policy:

    dn: cn=default,ou=sudoers,cn=example-project,ou=groups,dc=wikimedia,dc=org
    objectClass: sudorole
    objectClass: top
    sudoCommand: ALL
    sudoUser: ALL
    cn: default
    sudoHost: ALL

Users in the sysadmin role should be able to manage these sudo policies. Users for the sudoUser field should be manageable in a similar way to roles, but should also allow for an ALL keyword.
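As an added illustration (not code from this bug or from the Wikimedia puppet tree), the snippet below generates the per-project sudoers OU and default policy as LDIF and then evaluates a set of sudoRole entries the way sudo's LDAP lookup does, so the effect of keeping or removing the default policy can be checked. The organizationalUnit entry for the OU, the SudoRole class and the helper names are assumptions of this example.

```python
"""Per-project sudo policy in LDAP: LDIF generation and a small policy evaluator."""
from dataclasses import dataclass, field

BASE = "dc=wikimedia,dc=org"  # suffix from the bug's example DNs


def project_sudoers_base(project):
    """DN of the project's sudoers OU, i.e. the SUDOERS_BASE value for its instances."""
    return f"ou=sudoers,cn={project},ou=groups,{BASE}"


def default_policy_ldif(project):
    """LDIF for the OU (assumed organizationalUnit) plus the permissive default role."""
    ou = project_sudoers_base(project)
    return (
        f"dn: {ou}\nobjectClass: organizationalUnit\nobjectClass: top\nou: sudoers\n\n"
        f"dn: cn=default,{ou}\nobjectClass: sudoRole\nobjectClass: top\n"
        "cn: default\nsudoUser: ALL\nsudoHost: ALL\nsudoCommand: ALL\n"
    )


@dataclass
class SudoRole:
    """One sudoRole entry: sudoUser, sudoHost and sudoCommand values (hypothetical class)."""
    cn: str
    users: list = field(default_factory=list)     # user names, %group, or ALL
    hosts: list = field(default_factory=list)     # host names or ALL
    commands: list = field(default_factory=list)  # command paths or ALL


def _user_matches(spec, user, groups):
    # sudo-ldap semantics for the common cases: ALL, %group, or a plain user name
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == user


def allowed_commands(roles, user, groups, host):
    """Union of sudoCommand values from every role whose sudoUser and sudoHost
    both match this user on this host; an empty list means no sudo at all."""
    cmds = []
    for role in roles:
        if any(_user_matches(u, user, groups) for u in role.users) and \
           any(h in ("ALL", host) for h in role.hosts):
            cmds.extend(role.commands)
    return cmds


# Constructed sample: the default role beside a narrower one for the sysadmin group.
DEFAULT = SudoRole("default", ["ALL"], ["ALL"], ["ALL"])
SYSADMIN = SudoRole("sysadmin", ["%sysadmin"], ["ALL"], ["/usr/bin/apt-get"])
```

With the default role present every project member gets ALL; deleting it leaves only the roles the project's sysadmins defined.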
Added in change 4985 (commit 5fe2abe35ae467a9a09b57e7119132650cf08307)