Sudo configuration (AEN 4.1.2)

Sudo configuration overview

If your organization’s IT security policy does not allow root access or has restrictions on the use of sudo, you may customize your Anaconda Enterprise Notebook’s (AEN) install to meet their requirements after completing installation.

Your organization may choose to implement any or all of the following:

  • Remove root access for AEN service account (Note: this restricts AEN from managing user accounts)
  • Configurable sudo command
  • Restrict sudo access to all processes

These customizations must be done in a terminal window after copying the files to the AEN Server instance.

Remove all root access from the AEN service account

This restricts AEN from managing user accounts because root access is required for useradd.

Modify /etc/sudoers.d/wakari_sudo to read:

Defaults:wakari !requiretty, visiblepw
Runas_Alias    OP = ALL,!root
wakari ALL=(OP) NOPASSWD: ALL

NOTE: If you used a service account name other than wakari, that name should appear instead of wakari in the file above.

Next, modify the file /opt/wakari/wakari-compute/etc/wakari/config.json so that it contains:

"MANAGE_ACCOUNTS": false,

NOTE: Using this option means that the IT department must create and manage all user accounts at the OS level. After an OS-level account exists, an AEN account using the same name may be created on the main AEN webpage. The password chosen on the AEN webpage is not linked in any way to the OS-level password for the account. Alternatively, the system can be configured to use LDAP for authenticating users.

If you wish to allow public user access to projects, an account must also be created for the public to use, for example, public or anonymous. Create the public account and specify the name in the following two configuration files:

Locate the file /opt/wakari/wakari-compute/etc/wakari/config.json and modify the line:

"ANON_USER": "public"

Next, locate the second file /opt/wakari/wakari-server/etc/wakari/config.json and modify the line:

"ANON_USER": "public"

The Configuration Files page has more information about these configuration keys.

Alternative sudo command

You may configure AEN to use an alternative to sudo, provided it supports the same execution semantics.

In your terminal window, navigate to the AEN files, locate the file /opt/wakari/wakari-compute/etc/wakari/config.json and modify the line:

"AEN_SUDO_CMD": "/path/to/alternative/sudo",

If the alternate sudo command is available on the PATH then the full path is not required.

The alternative sudo must be configured to give the service account permission to run commands on behalf of Anaconda Enterprise users.

Restrict sudo access to a single executable

The sudoers configuration, by default, allows Anaconda Enterprise to run any command as a particular user. This allows Anaconda Enterprise to initiate processes as the logged-in end user. If more restrictive control is required, it should, in the first instance, be implemented via a suitable sudoers policy.

If that is not possible or practical, it is also possible to route all Anaconda Enterprise ID-changing operations through a single gatekeeper. This gatekeeper wraps the desired executable and provides an alternate way to log, monitor, or control which processes can be initiated by Anaconda Enterprise on behalf of another user.

This gatekeeper is a special case configuration that should only be used if required.

To configure Anaconda Enterprise accordingly modify /etc/sudoers.d/wakari_sudo to contain

Defaults:wakari !requiretty, visiblepw
Runas_Alias    OP = ALL,!root
wakari ALL=(OP) NOPASSWD: /path/to/gatekeeper

Locate the file /opt/wakari/wakari-compute/etc/wakari/config.json and modify the line:

"AEN_SUDO_SH": "/path/to/gatekeeper"

The gatekeeper can be as simple as a script with contents such as:

#!/bin/bash
# Invoked by AEN through sudo as the target user; $1 is the requested command.
if [ "$1" = 'bash' ]; then
    # Shell sessions get the target user's home, shell and the Anaconda bin directory.
    shift
    export HOME=~
    export SHELL=/bin/bash
    export PATH=$PATH:/opt/wakari/anaconda/bin
    bash "$@"
else
    # Any other command is run as given; quoting "$@" preserves argument boundaries.
    exec "$@"
fi
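The script above passes every command through unchanged, so on its own it only provides a place to hook in logging or filtering. The following is an added example, not part of the Anaconda documentation, of a gatekeeper that does both: it logs each request to syslog and refuses anything outside a fixed allowlist. The allowlist entries and the /opt/wakari/anaconda/bin path are assumptions to adjust for your installation.

```shell
#!/bin/bash
# Added example: a logging, allowlisting gatekeeper for AEN_SUDO_SH.
# Not Anaconda's code; the allowlist below is hypothetical.
set -u

ANACONDA_BIN=/opt/wakari/anaconda/bin   # assumed AEN install path

# Log to syslog; fall back to stderr when logger is not available.
gatekeeper_log() {
    logger -t aen-gatekeeper -- "$*" 2>/dev/null \
        || printf 'aen-gatekeeper: %s\n' "$*" >&2
}

# Decide whether the requested command may run: 0 = allow, 1 = deny.
# Only the bare "bash" AEN uses plus a few absolute paths are accepted;
# relative paths and anything not listed are refused.
gatekeeper_allowed() {
    case "$1" in
        bash|/bin/bash|"$ANACONDA_BIN"/python|"$ANACONDA_BIN"/conda|"$ANACONDA_BIN"/jupyter)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Log the request, enforce the allowlist, then run the command.
gatekeeper_main() {
    gatekeeper_log "invoker=${SUDO_USER:-?} runas=$(id -un) cmd=$*"
    if ! gatekeeper_allowed "$1"; then
        gatekeeper_log "DENIED cmd=$1"
        exit 126
    fi
    if [ "$1" = 'bash' ]; then
        # Same environment the simple script gives shell sessions.
        shift
        export HOME=~ SHELL=/bin/bash PATH="$PATH:$ANACONDA_BIN"
        exec bash "$@"
    fi
    exec "$@"
}

# Dispatch only when a command was given; sourcing the file runs nothing.
if [ "$#" -gt 0 ]; then
    gatekeeper_main "$@"
fi
```

Install it at the path named in AEN_SUDO_SH and in the sudoers line, and keep it owned by root and not writable by the service account, since whoever can edit it controls what runs as other users.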