From d150393de4e91dbaac6f113070007416b5df3725 Mon Sep 17 00:00:00 2001
From: Carmen Rata
Date: Fri, 3 Mar 2023 22:28:19 +0000
Subject: [PATCH] Add SSSD sudo configuration in sysinv
This commit updates SSSD configuration to support SSSD sudo capabilities for ldap users and groups. Remote WAD ldap users as well as local openldap users can be configured to get "sudo" and "sys_protected" privileges on the stx platform when connecting using SSH. Configuration updates were done by adding SSSD sudo service and supporting parameters in the SSSD configuration file. Test Plan: PASS: Verify SSSD configuration in "/etc/sssd/sssd.conf" gets updated with sudo parameters. PASS: Create a user with sudo privileges in openldap and verify that the sudo privileges are available in the stx platform when the user connects with SSH. PASS: Create a user with sys_protected privileges in openldap and verify that the sys_protected privileges are available in the stx platform when user connects with SSH. PASS: Configure a sys_protected group in a remote WAD server and verify it has been cached in the stx platform. PASS: Add a WAD user to the sys_protected WAD group and verify the user has sys_protected privileges in the stx platform. PASS: Configure a sudo rule for a remote WAD user and verify the user has sudo privileges in the stx platform. PASS: Verify that a regular WAD user that has no sudo rules defined, does not have sudo privileges in the stx platform.
Story: 2010589
Task: 47588
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/876393
Signed-off-by: Carmen Rata
Change-Id: Id505d462cca26daad3fd82a49929e41a3d2cc1f4
---
sysinv/sysinv/sysinv/sysinv/puppet/sssd.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py b/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
index b52d9ad593..a22a07ff57 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
@@ -24,6 +24,7 @@ class SssdPuppet(base.BasePuppet):
 domains = {}
 nss = self._get_nss_parameters()
 pam = self._get_pam_parameters()
+ sudo = self._get_sudo_parameters()
 # update local domain
 domains.update({'controller': self._get_local_domain()})
@@ -50,6 +51,7 @@ class SssdPuppet(base.BasePuppet):
 'platform::sssd::params::domains': domains,
 'platform::sssd::params::nss_options': nss,
 'platform::sssd::params::pam_options': pam,
+ 'platform::sssd::params::sudo_options': sudo,
 })
 return config
@@ -207,6 +209,7 @@ class SssdPuppet(base.BasePuppet):
 'access_provider': 'ldap',
 'ldap_access_filter': '(& (objectclass=posixAccount))',
 'ldap_search_base': 'dc=cgcs,dc=local',
+ 'ldap_sudo_search_base': 'ou=SUDOers,dc=cgcs,dc=local',
 'ldap_user_home_directory': '/home/$cn',
 'ldap_user_shell': '/bin/bash',
 'ldap_uri': ldap_uri,
@@ -276,6 +279,8 @@ class SssdPuppet(base.BasePuppet):
 domain_parameters['ldap_uri'] = uri
 domain_parameters['ldap_access_filter'] = access_filter
 domain_parameters['ldap_search_base'] = search_base
+ sudo_search_base = "OU=sudoers" + search_base[search_base.find(','):]
+ domain_parameters['ldap_sudo_search_base'] = sudo_search_base
 domain_parameters['ldap_default_bind_dn'] = default_bind_dn
 domain_parameters['ldap_default_authtok'] = default_authtok
 else:
@@ -334,6 +339,16 @@ class SssdPuppet(base.BasePuppet):
 return pam_parameters
+ def _get_sudo_parameters(self):
+ # debug_level = 0x0070 Log fatal failures, critical failures,
+ # serious failures
+
+ sudo_parameters = {
+ 'debug_level': '0x0070',
+ }
+
+ return sudo_parameters
+
 def _get_local_domain_uri(self):
 ldapserver_host = constants.CONTROLLER
 if self._distributed_cloud_role() == \
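Review bot: In the fourth hunk, `search_base[search_base.find(','):]` does not handle a base with no comma: `find` returns -1 and the slice keeps only the last character, so a single-RDN base such as (constructed example) `dc=local` yields `OU=sudoersl` rather than a usable DN. It also assumes the first RDN is the one to replace, so a base like (constructed example) `OU=Staff,OU=Users,DC=corp,DC=com` becomes `OU=sudoers,OU=Users,DC=corp,DC=com`, which may not be where that directory keeps its sudo rules; since this value decides which subtree supplies sudo rules to SSSD, a mis-derived base most likely surfaces only as sudo lookups returning no rules, with nothing in the generated config pointing at the cause. A `partition` makes the no-comma case explicit: `_, sep, suffix = search_base.partition(',')` and `sudo_search_base = "OU=sudoers," + (suffix if sep else search_base)`, which is identical to the current result whenever a comma is present and, for a bare base, matches the shape used for the local domain in the third hunk (`ou=SUDOers,` prefixed to the whole search base). The enclosing method starts and ends outside the hunk, so whether `search_base` is already validated upstream is not visible here.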