From 9e23258c9a7f8487ac286c93e3f983b7c8fa8949 Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Wed, 21 Dec 2016 11:07:35 -0800
Subject: [PATCH 01/13] Provide an explicit default value for `sudoers:lookup`
---
 sudoers/map.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 278d175..14023d0 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -12,4 +12,4 @@ 'FreeBSD': {'pkg': 'sudo',
 'config-path': '/usr/local/etc',
 'group': 'wheel'},
-}, merge=salt['pillar.get']('sudoers:lookup')) %}
+}, merge=salt['pillar.get']('sudoers:lookup', None)) %}
From ebb103d6a47fab288c28e19b9571ae82b1587ee0 Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Tue, 14 Feb 2017 13:34:39 -0800
Subject: [PATCH 02/13] init commit, create lookup table
---
 sudoers/files/sudoers | 8 +++++++-
 sudoers/map.jinja | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers
index affc316..4d95f24 100644
--- a/sudoers/files/sudoers
+++ b/sudoers/files/sudoers
@@ -1,3 +1,4 @@
+{% from "sudoers/map.jinja" import group_maps with context %}
 {%- if (not included) %}
 {%- set sudoers = pillar.get('sudoers', {}) %}
 {%- if grains['os_family'] == 'Debian' %}
@@ -91,9 +92,14 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }}
 # Group privilege specification
 {%- for group,specs in groups.items() %}
 {%- for spec in specs %}
-%{{ group }} {{ spec }}
+{{ group }} {{ spec }}
 {%- endfor %}
 {%- endfor %}
+{% for unix_group in in salt['pillar.get']('group_map:core', {}).keys() %}
+ {% if unix_group in group_map.keys() %}
+{{ unix_group }} {{ group_map.unix_group }}
+ {% else %}
+{{ unix_group }} (( group_map.default }}
 {% if includedir %}
 ## Read drop-in files from /etc/sudoers.d
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 14023d0..23cfeeb 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -13,3 +13,14 @@ 'config-path': '/usr/local/etc',
 'group': 'wheel'},
 }, merge=salt['pillar.get']('sudoers:lookup', None)) %}
+
+{% set group_maps = salt['grains.filter_by']({
+ 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' },
+ 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT',
+ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ },
+ grain='environment',
+ merge=salt['pillar.get']('group_maps:lookup', None)),
+ default='default'
+%}
From 35c995aee79eca4d54042c2b91f87c5cfed299b2 Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Tue, 14 Feb 2017 15:37:13 -0800
Subject: [PATCH 03/13] syntax errors
---
 sudoers/files/sudoers | 8 +++++---
 sudoers/map.jinja | 3 +--
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers
index 4d95f24..78e118e 100644
--- a/sudoers/files/sudoers
+++ b/sudoers/files/sudoers
@@ -95,11 +95,13 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }}
 {{ group }} {{ spec }}
 {%- endfor %}
 {%- endfor %}
-{% for unix_group in in salt['pillar.get']('group_map:core', {}).keys() %}
- {% if unix_group in group_map.keys() %}
+{%- for unix_group in pillar.get('group_map:core', {}).keys() %}
+ {%- if unix_group in group_map.keys() %}
 {{ unix_group }} {{ group_map.unix_group }}
- {% else %}
+ {%- else %}
 {{ unix_group }} (( group_map.default }}
+ {%- endif %}
+{%- endfor %}
 {% if includedir %}
 ## Read drop-in files from /etc/sudoers.d
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 23cfeeb..b019dfc 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -21,6 +21,5 @@ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 },
 grain='environment',
- merge=salt['pillar.get']('group_maps:lookup', None)),
- default='default'
+ merge=salt['pillar.get']('group_maps:lookup', None))
 %}
From 966b18912767019af65a36cc3045cefdc0f4497f Mon Sep 17 00:00:00 2001
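Review bot: The pillar key read here, `group_maps:lookup`, does not match the `group_map:core` key the same commit reads in sudoers/files/sudoers, so an operator who overrides the mapping table and lists the groups has to work under two differently spelled pillar trees; one prefix for both would remove that trap. In the same hunk the `default='default'` keyword sits after the parenthesis that closes the `filter_by` call, so the template cannot render as added. A one-line comment above the `{% set` naming both keys, e.g. `{#- mapping overrides: pillar group_maps:lookup; group list: pillar group_map:core -#}`, would keep the two in view for whoever edits either.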
From: bellaweo
Date: Tue, 14 Feb 2017 16:30:14 -0800
Subject: [PATCH 04/13] this owrks but would like to remove the if statement
---
 sudoers/files/sudoers | 10 +++++-----
 sudoers/init.sls | 3 +++
 sudoers/map.jinja | 2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers
index 78e118e..1dd198f 100644
--- a/sudoers/files/sudoers
+++ b/sudoers/files/sudoers
@@ -1,4 +1,4 @@
-{% from "sudoers/map.jinja" import group_maps with context %}
+{% from "sudoers/map.jinja" import ad_group_maps with context %}
 {%- if (not included) %}
 {%- set sudoers = pillar.get('sudoers', {}) %}
 {%- if grains['os_family'] == 'Debian' %}
@@ -95,11 +95,11 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }}
 {{ group }} {{ spec }}
 {%- endfor %}
 {%- endfor %}
-{%- for unix_group in pillar.get('group_map:core', {}).keys() %}
- {%- if unix_group in group_map.keys() %}
-{{ unix_group }} {{ group_map.unix_group }}
+{%- for unix_group in ad_groups.keys() %}
+ {%- if unix_group in ad_group_maps.keys() %}
+{{ unix_group }} {{ ad_group_maps.unix_group }}
 {%- else %}
-{{ unix_group }} (( group_map.default }}
+{{ unix_group }} {{ ad_group_maps.default }}
 {%- endif %}
 {%- endfor %}
diff --git a/sudoers/init.sls b/sudoers/init.sls
index 922fdf7..592789e 100644
--- a/sudoers/init.sls
+++ b/sudoers/init.sls
@@ -1,4 +1,6 @@
 {% from "sudoers/map.jinja" import sudoers with context %}
+##{%- set ad_groups = pillar.get('group_map:core', {}) %}
+{%- set ad_groups = salt['pillar.get']('group_map:core') %}
 sudo:
 pkg.installed:
@@ -13,5 +15,6 @@ sudo:
 - source: salt://sudoers/files/sudoers
 - context:
 included: False
+ ad_groups: {{ ad_groups }}
 - require:
 - pkg: sudo
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index b019dfc..6da727c 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
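Review bot: `ad_groups: {{ ad_groups }}` hands pillar-sourced group names to a template that writes them into the sudoers file, and nothing in this hunk or in the template loop checks that each key is a plain group name; a key containing whitespace, `#` or a newline yields a line sudo cannot parse, and sudo then refuses the entire file, not just that entry. If this is a `file.managed` state, adding `- check_cmd: visudo -cf` beside `- source:` makes Salt validate the rendered file and refuse to install one that does not parse, which turns a lockout into a failed state run. The interpolation is also the raw Python repr of whatever pillar returned, which YAML may not read back as the intended list. The enclosing `sudo:` state starts outside this hunk.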
@@ -14,7 +14,7 @@ 'group': 'wheel'},
 }, merge=salt['pillar.get']('sudoers:lookup', None)) %}
-{% set group_maps = salt['grains.filter_by']({
+{% set ad_group_maps = salt['grains.filter_by']({
 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' },
 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT',
From c0740ccbff2f8f19e611d0418af375bb6c497fc5 Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Wed, 15 Feb 2017 09:19:09 -0800
Subject: [PATCH 05/13] oops. put that % back in for groups additions!
---
 sudoers/files/sudoers | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers
index 1dd198f..2463867 100644
--- a/sudoers/files/sudoers
+++ b/sudoers/files/sudoers
@@ -92,14 +92,14 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }}
 # Group privilege specification
 {%- for group,specs in groups.items() %}
 {%- for spec in specs %}
-{{ group }} {{ spec }}
+%{{ group }} {{ spec }}
 {%- endfor %}
 {%- endfor %}
 {%- for unix_group in ad_groups.keys() %}
 {%- if unix_group in ad_group_maps.keys() %}
-{{ unix_group }} {{ ad_group_maps.unix_group }}
+%{{ unix_group }} {{ ad_group_maps.unix_group }}
 {%- else %}
-{{ unix_group }} {{ ad_group_maps.default }}
+%{{ unix_group }} {{ ad_group_maps.default }}
 {%- endif %}
 {%- endfor %}
From 9fe077af8cec406f0f22d1051617eaff79fa7fda Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Wed, 15 Feb 2017 14:25:03 -0800
Subject: [PATCH 06/13] specify group specific value or default
---
 sudoers/files/sudoers | 6 +++---
 sudoers/map.jinja | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers
index 2463867..1786748 100644
--- a/sudoers/files/sudoers
+++ b/sudoers/files/sudoers
@@ -95,11 +95,11 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }}
 %{{ group }} {{ spec }}
 {%- endfor %}
 {%- endfor %}
-{%- for unix_group in ad_groups.keys() %}
+{%- for unix_group in ad_groups %}
 {%- if unix_group in ad_group_maps.keys() %}
-%{{ unix_group }} {{ ad_group_maps.unix_group }}
+%{{ unix_group }} {{ ad_group_maps[unix_group] }}
 {%- else %}
-%{{ unix_group }} {{ ad_group_maps.default }}
+%{{ unix_group }} {{ ad_group_maps['default'] }}
 {%- endif %}
 {%- endfor %}
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 6da727c..6e9f78e 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -16,9 +16,10 @@
 {% set ad_group_maps = salt['grains.filter_by']({
 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' },
- 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
- 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT',
- 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT',
+ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 },
 grain='environment',
 merge=salt['pillar.get']('group_maps:lookup', None))
From 79d1677e7f7d9b42ab7db8fcba39e6610eac7319 Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Wed, 15 Feb 2017 14:27:40 -0800
Subject: [PATCH 07/13] add comment
---
 sudoers/map.jinja | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 6e9f78e..96b25fc 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -14,6 +14,7 @@ 'group': 'wheel'},
 }, merge=salt['pillar.get']('sudoers:lookup', None)) %}
+# our plos active directory core groups sudoers permissions, filtered by environment
 {% set ad_group_maps = salt['grains.filter_by']({
 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' },
 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
From d1767ba253c27af4850e72539b383c23ee0144cb Mon Sep 17 00:00:00 2001
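Review bot: The `{%- else %}` branch means every name in `ad_groups` gets a sudoers entry whether or not it is mapped, so merely adding a group to the `group_map:core` pillar is a privilege grant at the environment's `'default'` rule; that is easy to miss from the pillar side and deserves a comment in the template, e.g. `{#- every group in ad_groups is granted: its own ad_group_maps entry if present, otherwise ad_group_maps['default'] -#}`. A group mapped in one environment but not in another silently falls back to that environment's default, so the `'default'` entries in map.jinja are the effective baseline for all AD groups and should be reviewed as such.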
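Review bot: The added `# our plos ...` line is not a Jinja comment; in a file that is only `{% from ... import %}`ed it becomes rendered text the importer discards, which works today but is easy to mistake for a real comment if map.jinja is ever included rather than imported. Writing it as `{#- our plos active directory core groups sudoers permissions, filtered by environment -#}` keeps the intent and removes it from any rendered output.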
From: bellaweo
Date: Wed, 15 Feb 2017 14:51:53 -0800
Subject: [PATCH 08/13] non vagrant/dev environments can only run commands as root
---
 sudoers/map.jinja | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 96b25fc..cd97539 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -16,11 +16,11 @@ # our plos active directory core groups sudoers permissions, filtered by environment
 {% set ad_group_maps = salt['grains.filter_by']({
- 'default': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT' },
+ 'default': { 'default': 'ALL = (root) NOPASSWD: SUPPORT' },
 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
- 'qa': { 'default': 'ALL = (ALL:ALL) NOPASSWD: SUPPORT',
- 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'qa': { 'default': 'ALL = (root) NOPASSWD: SUPPORT',
+ 'plosqa': 'ALL = (root) NOPASSWD: ALL' },
 },
 grain='environment',
 merge=salt['pillar.get']('group_maps:lookup', None))
From 302063b7a6781e0d26616f22c127877826569970 Mon Sep 17 00:00:00 2001
From: bellaweo
Date: Wed, 15 Feb 2017 14:52:37 -0800
Subject: [PATCH 09/13] we only need the keys of the group_maps pillar
---
 sudoers/init.sls | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sudoers/init.sls b/sudoers/init.sls
index 592789e..8c6be9c 100644
--- a/sudoers/init.sls
+++ b/sudoers/init.sls
@@ -1,6 +1,7 @@
 {% from "sudoers/map.jinja" import sudoers with context %}
-##{%- set ad_groups = pillar.get('group_map:core', {}) %}
-{%- set ad_groups = salt['pillar.get']('group_map:core') %}
+
+# our list of plos core active directory groups
+{%- set ad_groups = salt['pillar.get']('group_map:core').keys() %}
 sudo:
 pkg.installed:
From fae6d2bff14ab38266f2aebcebe00b5eceaa05ce Mon Sep 17 00:00:00 2001
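Review bot: The `(root)` runas list narrows the target user, but every entry in this hunk still names `SUPPORT` as its command list and no `Cmnd_Alias SUPPORT` is defined anywhere in this series; if the rendered sudoers does not define it, sudo rejects the whole file rather than just these lines. A comment on the `'default'` entry saying where it comes from, e.g. `{#- SUPPORT must be defined as a Cmnd_Alias in the rendered sudoers -#}`, would make the dependency visible to whoever edits the mapping.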
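Review bot: `salt['pillar.get']('group_map:core')` has no default, so on a minion without that pillar key the call returns an empty string and `.keys()` raises while rendering, which fails the whole sudoers state; the removed line carried `{}` and the new one should keep it: `{%- set ad_groups = salt['pillar.get']('group_map:core', {}).keys() %}`. Under Python 3 `.keys()` is also a `dict_keys` view rather than a list, which matters when the value is interpolated into YAML further down this file.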
From: Eldo Varghese
Date: Wed, 7 Mar 2018 16:38:01 -0800
Subject: [PATCH 10/13] ITI-3263 added noexec
---
 sudoers/map.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index cd97539..8446515 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -16,10 +16,10 @@ # our plos active directory core groups sudoers permissions, filtered by environment
 {% set ad_group_maps = salt['grains.filter_by']({
- 'default': { 'default': 'ALL = (root) NOPASSWD: SUPPORT' },
+ 'default': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT' },
 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
- 'qa': { 'default': 'ALL = (root) NOPASSWD: SUPPORT',
+ 'qa': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
 'plosqa': 'ALL = (root) NOPASSWD: ALL' },
 },
 grain='environment',
From 0cf768889dcd4676120a6fdf181370005267e5d7 Mon Sep 17 00:00:00 2001
From: Chris Haumesser <1550854+wryfi@users.noreply.github.com>
Date: Thu, 27 Sep 2018 17:03:15 -0700
Subject: [PATCH 11/13] ITI-3671 grant qa full access to stage environments
---
 sudoers/map.jinja | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 8446515..a58de65 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -21,6 +21,8 @@ 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 'qa': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
 'plosqa': 'ALL = (root) NOPASSWD: ALL' },
+ 'stage': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
+ 'plosqa': 'ALL = (root) NOPASSWD: ALL' },
 },
 grain='environment',
 merge=salt['pillar.get']('group_maps:lookup', None))
From e8677905dd9c6478b64b9937dcf5f7de5efe4a0f Mon Sep 17 00:00:00 2001
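Review bot: `NOEXEC:` on the `'default'` and `'qa'` entries is a sensible hardening of the SUPPORT command list, but its limits belong next to it: sudo implements noexec by preloading a library into dynamically linked programs, so it does not constrain statically linked executables or anything a command does without calling exec, and the `'plosqa'` entry directly below keeps `NOPASSWD: ALL` without the tag. A comment such as `{#- NOEXEC blocks shell escapes from dynamically linked SUPPORT commands only; it is not a sandbox -#}` would set expectations for the next person who widens the alias.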
From: Chris Haumesser <1550854+wryfi@users.noreply.github.com>
Date: Fri, 15 Feb 2019 11:44:08 -0800
Subject: [PATCH 12/13] SRE-650 allow devs root access in qa
---
 sudoers/map.jinja | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index a58de65..3d21736 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -19,10 +19,16 @@ 'default': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT' },
 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
- 'qa': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
- 'plosqa': 'ALL = (root) NOPASSWD: ALL' },
- 'stage': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
- 'plosqa': 'ALL = (root) NOPASSWD: ALL' },
+ 'qa': {
+ 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
+ 'plosdev': 'ALL = (ALL:ALL) NOPASSWD: ALL',
+ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL',
+ },
+ 'stage': {
+ 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
+ 'plosdev': 'ALL = (ALL:ALL) NOPASSWD: ALL',
+ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL'
+ }
 },
 grain='environment',
 merge=salt['pillar.get']('group_maps:lookup', None))
From 59ef7a2e83ef2430708e94a6e1f71305c96a4ecc Mon Sep 17 00:00:00 2001
From: Stephen Schlie
Date: Mon, 6 May 2019 09:09:55 -0700
Subject: [PATCH 13/13] Fixing unicode issues in plos groups
---
 sudoers/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sudoers/init.sls b/sudoers/init.sls
index 8c6be9c..316edba 100644
--- a/sudoers/init.sls
+++ b/sudoers/init.sls
@@ -16,6 +16,6 @@ sudo:
 - source: salt://sudoers/files/sudoers
 - context:
 included: False
- ad_groups: {{ ad_groups }}
+ ad_groups: {{ ad_groups|tojson }}
 - require:
 - pkg: sudo
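Review bot: The change is wider than the subject "allow devs root access in qa": the `'stage'` block also gains `'plosdev': 'ALL = (ALL:ALL) NOPASSWD: ALL'`, and both `'plosqa'` entries move from `(root)` to `(ALL:ALL)`, which undoes the "non vagrant/dev environments can only run commands as root" restriction introduced earlier in this series. If the stage grant and the runas widening are intended, the commit message should say so; otherwise keep `'plosqa': 'ALL = (root) NOPASSWD: ALL'` and add the `plosdev` entry under `'qa'` only. The `'qa'` and `'stage'` blocks are now identical, so defining them once in a `{% set %}` and referencing it twice would stop them drifting apart again.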
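Review bot: `{{ ad_groups|tojson }}` only helps when `ad_groups` is a list; the value set earlier in this file is `salt['pillar.get']('group_map:core').keys()`, and under Python 3 that is a `dict_keys` view that JSON serialization rejects, so the render would fail where Python 2 (where `.keys()` returns a list) succeeds. Converting first, `ad_groups: {{ ad_groups|list|tojson }}`, keeps the unicode fix and works on both. The `{%- set ad_groups ... %}` line this depends on is outside the hunk.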