Add SSSD sudo configuration in sysinv

This commit updates SSSD configuration to support SSSD sudo
capabilities for ldap users and groups.
Remote WAD ldap users as well as local openldap users can be
configured to get "sudo" and "sys_protected" privileges on
the stx platform when connecting using SSH.
Configuration updates were done by adding SSSD sudo service
and supporting parameters in the SSSD configuration file.

Test Plan:
PASS: Verify SSSD configuration in "/etc/sssd/sssd.conf" gets
updated with sudo parameters.
PASS: Create a user with sudo privileges in openldap and verify
that the sudo privileges are available in the stx platform
when the user connects with SSH.
PASS: Create a user with sys_protected privileges in openldap
and verify that the sys_protected privileges are available in
the stx platform when user connects with SSH.
PASS: Configure a sys_protected group in a remote WAD server and
verify it has been cached in the stx platform.
PASS: Add a WAD user to the sys_protected WAD group and verify the
user has sys_protected privileges in the stx platform.
PASS: Configure a sudo rule for a remote WAD user and verify the user
has sudo privileges in the stx platform.
PASS: Verify that a regular WAD user with no sudo rules defined
does not have sudo privileges in the stx platform.

Story: 2010589
Task: 47588
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/876393

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Id505d462cca26daad3fd82a49929e41a3d2cc1f4
Carmen Rata 2023-03-03 22:28:19 +00:00
parent e4cc8c7ee2
commit d150393de4
1 changed files with 15 additions and 0 deletions


@ -24,6 +24,7 @@ class SssdPuppet(base.BasePuppet):
domains = {}
nss = self._get_nss_parameters()
pam = self._get_pam_parameters()
sudo = self._get_sudo_parameters()
# update local domain
domains.update({'controller': self._get_local_domain()})
@ -50,6 +51,7 @@ class SssdPuppet(base.BasePuppet):
'platform::sssd::params::domains': domains,
'platform::sssd::params::nss_options': nss,
'platform::sssd::params::pam_options': pam,
'platform::sssd::params::sudo_options': sudo,
})
return config
@ -207,6 +209,7 @@ class SssdPuppet(base.BasePuppet):
'access_provider': 'ldap',
'ldap_access_filter': '(& (objectclass=posixAccount))',
'ldap_search_base': 'dc=cgcs,dc=local',
'ldap_sudo_search_base': 'ou=SUDOers,dc=cgcs,dc=local',
'ldap_user_home_directory': '/home/$cn',
'ldap_user_shell': '/bin/bash',
'ldap_uri': ldap_uri,
@ -276,6 +279,8 @@ class SssdPuppet(base.BasePuppet):
domain_parameters['ldap_uri'] = uri
domain_parameters['ldap_access_filter'] = access_filter
domain_parameters['ldap_search_base'] = search_base
sudo_search_base = "OU=sudoers" + search_base[search_base.find(','):]
domain_parameters['ldap_sudo_search_base'] = sudo_search_base
domain_parameters['ldap_default_bind_dn'] = default_bind_dn
domain_parameters['ldap_default_authtok'] = default_authtok
else:
@ -334,6 +339,16 @@ class SssdPuppet(base.BasePuppet):
return pam_parameters
def _get_sudo_parameters(self):
# debug_level = 0x0070 Log fatal failures, critical failures,
# serious failures
sudo_parameters = {
'debug_level': '0x0070',
}
return sudo_parameters
def _get_local_domain_uri(self):
ldapserver_host = constants.CONTROLLER
if self._distributed_cloud_role() == \