ipa / client: setup nopasswd sudo groups for maintainer test

For the maintainer_tests instances we just want to allow anyone with shell access ability to sudo with no password. In this case asking for password/tokens could provide a MITM attack vector. This matches up with the way they were setup before with fas2. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2021-04-20 14:40:49 -07:00 · 2021-04-20 14:40:49 -07:00 · 6e1ab9cd21
commit 6e1ab9cd21
parent 7e4543be97
3 changed files with 24 additions and 1 deletions
--- a/inventory/group_vars/maintainer_test
+++ b/inventory/group_vars/maintainer_test
@ -11,5 +11,6 @@ ipa_host_group: maintainer_test
 ipa_host_group_desc: Test hosts for package maintainers
 ipa_client_shell_groups:
 - packager
-ipa_client_sudo_groups:
+ipa_client_sudo_nopasswd_groups:
+- sysadmin-main
 - packager
--- a/roles/ipa/client/tasks/prepare-ipa-info.yml
+++ b/roles/ipa/client/tasks/prepare-ipa-info.yml
@ -40,6 +40,7 @@
 #       "host_group_1": {
 #         "shell_groups": [...],
 #         "sudo_groups": [...],
+#         "sudo_nopasswd_groups": [...],
 #         "hosts": {        # <-- This could be a list with Ansible >= 2.10
 #           "host_1": true,
 #           ...,
@ -85,6 +86,8 @@
                  (ipa_hosts_combined_shell_groups_dict[item] | length > 0)
                  | ternary(ipa_hosts_combined_shell_groups_dict[item], omit),
                'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
+                'sudo_nopasswd_groups':
+                    hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default(omit),
                'hosts': {item: true},
              }
            }
@ -99,6 +102,8 @@
            hostvars[item]['ipa_server']: {
              'groups': ipa_hosts_combined_shell_groups_dict[item] | union(
                hostvars[item]['ipa_client_sudo_groups'] | default([])
+              ) | union(
+                hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default([])
              ),
              'hosts': {item: True},
            }
--- a/roles/ipa/client/tasks/sudo.yml
+++ b/roles/ipa/client/tasks/sudo.yml
@ -34,3 +34,20 @@
  notify: clean sss caches
  loop: "{{ ipa_server_host_groups }}"
  when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_groups'] is defined
+
+- name: Give certain groups passwordless sudo access to anything per host group
+  delegate_to: "{{ item[0] }}"
+  ipasudorule:
+    name: "hostgroup/{{ item[1] }}/nopasswd"
+    description: "Grant passwordless sudo access to anything on host group {{ item[1] }}"
+    ipaadmin_password: "{{ ipa_server_admin_passwords[item[0]] }}"
+    state: present
+    group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] }}"
+    hostgroup: "{{ item[1] }}"
+    cmdcategory: "all"
+    runasusercategory: "all"
+    runasgroupcategory: "all"
+    options: "!authenticate"
+  notify: clean sss caches
+  loop: "{{ ipa_server_host_groups }}"
+  when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] is defined