From ebb103d6a47fab288c28e19b9571ae82b1587ee0 Mon Sep 17 00:00:00 2001 From: bellaweo Date: Tue, 14 Feb 2017 13:34:39 -0800 Subject: [PATCH 1/8] init commit, create lookup table --- sudoers/files/sudoers | 8 +++++++- sudoers/map.jinja | 11 +++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index affc316..4d95f24 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -1,3 +1,4 @@ +{% from "sudoers/map.jinja" import group_maps with context %} {%- if (not included) %} {%- set sudoers = pillar.get('sudoers', {}) %} {%- if grains['os_family'] == 'Debian' %} @@ -91,9 +92,14 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} # Group privilege specification {%- for group,specs in groups.items() %} {%- for spec in specs %} -%{{ group }} {{ spec }} +{{ group }} {{ spec }} {%- endfor %} {%- endfor %} +{% for unix_group in in salt['pillar.get']('group_map:core', {}).keys() %} + {% if unix_group in group_map.keys() %} +{{ unix_group }} {{ group_map.unix_group }} + {% else %} +{{ unix_group }} (( group_map.default }} {% if includedir %} ## Read drop-in files from /etc/sudoers.d diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 14023d0..23cfeeb 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja @@ -13,3 +13,14 @@ 'config-path': '/usr/local/etc', 'group': 'wheel'}, }, merge=salt['pillar.get']('sudoers:lookup', None)) %} + +{% set group_maps = salt['grains.filter_by']({ + 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' }, + 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT', + 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + }, + grain='environment', + merge=salt['pillar.get']('group_maps:lookup', None)), + default='default' +%} From 35c995aee79eca4d54042c2b91f87c5cfed299b2 Mon Sep 17 00:00:00 2001 
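Review bot: The privilege tier applied to every group in `group_map:core` is selected by the `environment` grain in the new `group_maps` lookup, and grains are reported by the minion itself, so a host that presents `environment: dev` is rendered `ALL = (ALL:ALL) NOPASSWD: ALL` for all of those groups. If the tier must be trustworthy, derive it from master-side data (a pillar value) instead of a grain, or at least state in a comment that the grain is being relied on. `SUPPORT`, used in the `default` and `qa` entries, has to be a `Cmnd_Alias` defined earlier in the rendered sudoers or `visudo` rejects the file; that alias is not visible in this patch, so please confirm it exists. The `merge=` of pillar `group_maps:lookup` also appears to overlay the selected entry, meaning pillar can widen any tier including `default`, which is worth a comment next to the lookup.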
From: bellaweo Date: Tue, 14 Feb 2017 15:37:13 -0800 Subject: [PATCH 2/8] syntax errors --- sudoers/files/sudoers | 8 +++++--- sudoers/map.jinja | 3 +-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 4d95f24..78e118e 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -95,11 +95,13 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} {{ group }} {{ spec }} {%- endfor %} {%- endfor %} -{% for unix_group in in salt['pillar.get']('group_map:core', {}).keys() %} - {% if unix_group in group_map.keys() %} +{%- for unix_group in pillar.get('group_map:core', {}).keys() %} + {%- if unix_group in group_map.keys() %} {{ unix_group }} {{ group_map.unix_group }} - {% else %} + {%- else %} {{ unix_group }} (( group_map.default }} + {%- endif %} +{%- endfor %} {% if includedir %} ## Read drop-in files from /etc/sudoers.d diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 23cfeeb..b019dfc 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja @@ -21,6 +21,5 @@ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, }, grain='environment', - merge=salt['pillar.get']('group_maps:lookup', None)), - default='default' + merge=salt['pillar.get']('group_maps:lookup', None)) %} From 966b18912767019af65a36cc3045cefdc0f4497f Mon Sep 17 00:00:00 2001 From: bellaweo Date: Tue, 14 Feb 2017 16:30:14 -0800 Subject: [PATCH 3/8] this owrks but would like to remove the if statement --- sudoers/files/sudoers | 10 +++++----- sudoers/init.sls | 3 +++ sudoers/map.jinja | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 78e118e..1dd198f 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -1,4 +1,4 @@ -{% from "sudoers/map.jinja" import group_maps with context %} +{% from "sudoers/map.jinja" import ad_group_maps with context %} {%- if (not included) %} {%- set sudoers = pillar.get('sudoers', {}) %} {%- if grains['os_family'] == 'Debian' %} 
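Review bot: `pillar.get('group_map:core', {})` on the new `for` line does not find the nested key: the plain `pillar` dict's `.get` takes the string literally and does not expand `:` paths (only the `salt['pillar.get']` execution function does), so unless a top-level pillar key literally named `group_map:core` exists the loop silently emits no group lines. Use `{%- for unix_group in salt['pillar.get']('group_map:core', {}).keys() %}` here. The loop body also reads `group_map`, while the top of this file imports `group_maps` from map.jinja, so on a host that does have the pillar the render stops on an undefined name instead of producing a sudoers file.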
@@ -95,11 +95,11 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} {{ group }} {{ spec }} {%- endfor %} {%- endfor %} -{%- for unix_group in pillar.get('group_map:core', {}).keys() %} - {%- if unix_group in group_map.keys() %} -{{ unix_group }} {{ group_map.unix_group }} +{%- for unix_group in ad_groups.keys() %} + {%- if unix_group in ad_group_maps.keys() %} +{{ unix_group }} {{ ad_group_maps.unix_group }} {%- else %} -{{ unix_group }} (( group_map.default }} +{{ unix_group }} {{ ad_group_maps.default }} {%- endif %} {%- endfor %} diff --git a/sudoers/init.sls b/sudoers/init.sls index 922fdf7..592789e 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls @@ -1,4 +1,6 @@ {% from "sudoers/map.jinja" import sudoers with context %} +##{%- set ad_groups = pillar.get('group_map:core', {}) %} +{%- set ad_groups = salt['pillar.get']('group_map:core') %} sudo: pkg.installed: @@ -13,5 +15,6 @@ sudo: - source: salt://sudoers/files/sudoers - context: included: False + ad_groups: {{ ad_groups }} - require: - pkg: sudo diff --git a/sudoers/map.jinja b/sudoers/map.jinja index b019dfc..6da727c 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja @@ -14,7 +14,7 @@ 'group': 'wheel'}, }, merge=salt['pillar.get']('sudoers:lookup', None)) %} -{% set group_maps = salt['grains.filter_by']({ +{% set ad_group_maps = salt['grains.filter_by']({ 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' }, 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT', From c0740ccbff2f8f19e611d0418af375bb6c497fc5 Mon Sep 17 00:00:00 2001 From: bellaweo Date: Wed, 15 Feb 2017 09:19:09 -0800 Subject: [PATCH 4/8] oops. put that % back in for groups additions! --- sudoers/files/sudoers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 1dd198f..2463867 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers 
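Review bot: `ad_groups: {{ ad_groups }}` in the new `context` entry serializes the pillar dict through Python's `repr`, which YAML happens to accept for plain ASCII keys but not for `u'...'` prefixes or for values whose repr is not YAML (the `.keys()` view a later commit passes renders as `dict_keys([...])` under Python 3, and the template then iterates its characters). Serialize the value explicitly, e.g. `ad_groups: {{ ad_groups | json }}` (or `tojson`, whichever your Salt/Jinja version provides), or pass a plain list. Because this state writes `/etc/sudoers`, a bad render locks every user out of sudo; unless it is already set in the lines above this hunk, add `- check_cmd: visudo -cf` to the `file.managed` so an unparseable file is refused rather than installed. The rest of the `sudo` state's arguments lie outside the hunk.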
@@ -92,14 +92,14 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} # Group privilege specification {%- for group,specs in groups.items() %} {%- for spec in specs %} -{{ group }} {{ spec }} +%{{ group }} {{ spec }} {%- endfor %} {%- endfor %} {%- for unix_group in ad_groups.keys() %} {%- if unix_group in ad_group_maps.keys() %} -{{ unix_group }} {{ ad_group_maps.unix_group }} +%{{ unix_group }} {{ ad_group_maps.unix_group }} {%- else %} -{{ unix_group }} {{ ad_group_maps.default }} +%{{ unix_group }} {{ ad_group_maps.default }} {%- endif %} {%- endfor %} From 9fe077af8cec406f0f22d1051617eaff79fa7fda Mon Sep 17 00:00:00 2001 From: bellaweo Date: Wed, 15 Feb 2017 14:25:03 -0800 Subject: [PATCH 5/8] specify group specific value or default --- sudoers/files/sudoers | 6 +++--- sudoers/map.jinja | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 2463867..1786748 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -95,11 +95,11 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} %{{ group }} {{ spec }} {%- endfor %} {%- endfor %} -{%- for unix_group in ad_groups.keys() %} +{%- for unix_group in ad_groups %} {%- if unix_group in ad_group_maps.keys() %} -%{{ unix_group }} {{ ad_group_maps.unix_group }} +%{{ unix_group }} {{ ad_group_maps[unix_group] }} {%- else %} -%{{ unix_group }} {{ ad_group_maps.default }} +%{{ unix_group }} {{ ad_group_maps['default'] }} {%- endif %} {%- endfor %} diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 6da727c..6e9f78e 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja 
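Review bot: Restoring the `%` prefix makes these group specifications, but the `unix_group` values are copied into `/etc/sudoers` verbatim, and Active Directory group names routinely contain spaces or other characters (`Domain Admins`) that sudoers requires to be backslash-escaped, so such a pillar key produces an unparseable file. Either escape the name before emitting it in both branches (a `replace` of each space with a backslash-space in the `%{{ unix_group }}` expression), or validate that each name matches `[A-Za-z0-9._-]+` and fail the render otherwise. Since these values come from pillar, a key containing a newline would also append an arbitrary extra directive to the file; a `visudo -cf` check on the managed file is the backstop for both problems.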
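Review bot: With the subscript lookup in place the `if`/`else` in this hunk collapses to a single line, which is what the earlier commit message asked for: `%{{ unix_group }} {{ ad_group_maps.get(unix_group, ad_group_maps['default']) }}`. Both branches still assume a `default` key survives the `group_maps:lookup` pillar merge; if an environment entry or the merged pillar drops it, the line renders with an empty specification (or raises, depending on how undefined values are configured), so guard it with an explicit error rather than relying on that. The enclosing group-privilege section starts above this hunk.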
@@ -16,9 +16,10 @@ {% set ad_group_maps = salt['grains.filter_by']({ 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' }, - 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, - 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT', - 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT', + 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, }, grain='environment', merge=salt['pillar.get']('group_maps:lookup', None)) From 79d1677e7f7d9b42ab7db8fcba39e6610eac7319 Mon Sep 17 00:00:00 2001 From: bellaweo Date: Wed, 15 Feb 2017 14:27:40 -0800 Subject: [PATCH 6/8] add comment --- sudoers/map.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 6e9f78e..96b25fc 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja @@ -14,6 +14,7 @@ 'group': 'wheel'}, }, merge=salt['pillar.get']('sudoers:lookup', None)) %} +# our plos active directory core groups sudoers permissions, filtered by environment {% set ad_group_maps = salt['grains.filter_by']({ 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' }, 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, From d1767ba253c27af4850e72539b383c23ee0144cb Mon Sep 17 00:00:00 2001 From: bellaweo Date: Wed, 15 Feb 2017 14:51:53 -0800 Subject: [PATCH 7/8] non vagrant/dev environments can only run commands as root --- sudoers/map.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 96b25fc..cd97539 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja 
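Review bot: The new comment says the permissions are "filtered by environment" but leaves out the three facts an auditor of this file needs: the selector is the minion's `environment` grain, a value with no matching key falls back to the `default` entry, and pillar `group_maps:lookup` is merged on top of the selected entry and can rewrite any of these strings. Suggested wording: `# sudoers specs for our PLOS Active Directory core groups, keyed by the 'environment' grain;` followed by `# unknown environments use 'default'; pillar group_maps:lookup is merged over the selected entry`. The `vagrant` and `dev` entries just above both grant `NOPASSWD: ALL` to every core group, which the comment should also call out as intentional if it is.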
@@ -16,11 +16,11 @@ # our plos active directory core groups sudoers permissions, filtered by environment {% set ad_group_maps = salt['grains.filter_by']({ - 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' }, + 'default': { 'default': 'ALL = (root) NOPASSWD: SUPPORT' }, 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, - 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT', - 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'qa': { 'default': 'ALL = (root) NOPASSWD: SUPPORT', + 'plosqa': 'ALL = (root) NOPASSWD: ALL' }, }, grain='environment', merge=salt['pillar.get']('group_maps:lookup', None)) From 302063b7a6781e0d26616f22c127877826569970 Mon Sep 17 00:00:00 2001 From: bellaweo Date: Wed, 15 Feb 2017 14:52:37 -0800 Subject: [PATCH 8/8] we only need the keys of the group_maps pillar --- sudoers/init.sls | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sudoers/init.sls b/sudoers/init.sls index 592789e..8c6be9c 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls @@ -1,6 +1,7 @@ {% from "sudoers/map.jinja" import sudoers with context %} -##{%- set ad_groups = pillar.get('group_map:core', {}) %} -{%- set ad_groups = salt['pillar.get']('group_map:core') %} + +# our list of plos core active directory groups +{%- set ad_groups = salt['pillar.get']('group_map:core').keys() %} sudo: pkg.installed:
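Review bot: The `qa` entry still hands the `plosqa` group `ALL = (root) NOPASSWD: ALL`, which is unrestricted root with no authentication; `(root)` only narrows the target user, not what can be run, so this is the same effective privilege as the `dev` line the commit message distinguishes it from. If QA needs full root, dropping `NOPASSWD` (`'plosqa': 'ALL = (root) ALL'`) keeps the password check; if it only needs the support commands, use the `SUPPORT` alias as the other entries do. `SUPPORT` itself must be a `Cmnd_Alias` defined earlier in the rendered file, which this patch does not show.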
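Review bot: `salt['pillar.get']('group_map:core')` on the new `set` line has no default, so on a minion without that pillar it returns `''` and `.keys()` raises `AttributeError`, failing the whole `sudo` state; under Python 3 `.keys()` also yields a `dict_keys` view, whose rendering through `{{ ad_groups }}` into the state context is not valid YAML. Write `{%- set ad_groups = salt['pillar.get']('group_map:core', {}).keys() | list %}` so the template loop sees a plain list and an absent pillar simply emits no extra group lines. The pillar key `group_map:core` read here and `group_maps:lookup` read in map.jinja differ by one letter; settling on one prefix would avoid a configuration that silently matches neither.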