Sudo configuration (AEN 4.1.2)
Sudo configuration overview
If your organization's IT security policy does not allow root access, or restricts the use of sudo, you can customize your Anaconda Enterprise Notebooks (AEN) installation to meet those requirements after the installation has completed.
Your organization may choose to implement any or all of the following:
- Remove root access from the AEN service account (note: this prevents AEN from managing user accounts)
- Configure an alternative sudo command
- Restrict sudo access to a single gatekeeper executable
These customizations are made in a terminal window on the AEN server instance, after the AEN files have been copied there.
Remove all root access from the AEN service account
This prevents AEN from managing user accounts, because useradd requires root.
Modify /etc/sudoers.d/wakari_sudo to read:
Defaults:wakari !requiretty, visiblepw
Runas_Alias OP = ALL,!root
wakari ALL=(OP) NOPASSWD: ALL
NOTE: If you used a service account name other than wakari, use that name in place of wakari in the file above. Check the edited file with visudo -cf /etc/sudoers.d/wakari_sudo before relying on it: a syntax error in any file under /etc/sudoers.d stops sudo from working at all. Be aware of what the Runas_Alias does and does not exclude: !root excludes only the account named root, not any other account that happens to have UID 0, and sudo releases before 1.8.28 (CVE-2019-14287) allowed a user with such an (ALL, !root) rule to run a command as root by passing -u#-1. Run sudo --version to confirm the installed release is newer than that.
Next, modify /opt/wakari/wakari-compute/etc/wakari/config.json so that the line reads:
"MANAGE_ACCOUNTS": false,
NOTE: With this option, the IT department must create and manage all user accounts at the OS level. Once an OS-level account exists, an AEN account with the same name may be created on the main AEN web page. The password chosen on the AEN web page is not linked in any way to the OS-level password for the account. Alternatively, AEN can be configured to authenticate users against LDAP.
If you wish to allow public access to projects, an OS-level account must also be created for the public to use, for example public or anonymous. Create that account and specify its name in the following two configuration files:
Locate /opt/wakari/wakari-compute/etc/wakari/config.json and modify the line:
"ANON_USER": "public"
Next, locate the second file, /opt/wakari/wakari-server/etc/wakari/config.json, and modify the line:
"ANON_USER": "public"
The Configuration Files page has more information about these configuration keys.
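The steps above (write the restricted sudoers drop-in, then set MANAGE_ACCOUNTS and ANON_USER in the two config.json files) are easy to get subtly wrong by hand, and a malformed sudoers drop-in locks everyone out of sudo. The following helper is an added example, not a script shipped with AEN: it renders the drop-in for a given service account name, syntax-checks it with visudo -cf where visudo is installed, writes it with the 0440 mode sudo requires, and updates the two config files atomically. The paths are the defaults named on this page; the config files are assumed to be plain JSON (if yours contain comments, adapt the update step).

```python
#!/usr/bin/env python3
"""Helper for the "remove all root access" procedure above.

Added example, not part of AEN. Renders the restricted sudoers drop-in for
the service account, syntax-checks it with visudo where available, and sets
MANAGE_ACCOUNTS / ANON_USER in the two config.json files. Paths are the
defaults named on this page; the config files are assumed to be plain JSON.
Run as root.
"""
import json
import os
import re
import shutil
import subprocess
import tempfile

COMPUTE_CONFIG = "/opt/wakari/wakari-compute/etc/wakari/config.json"
SERVER_CONFIG = "/opt/wakari/wakari-server/etc/wakari/config.json"
SUDOERS_DROPIN = "/etc/sudoers.d/wakari_sudo"

# Service account may run any command as any user except root, without a password.
SUDOERS_TEMPLATE = (
    "Defaults:{account} !requiretty, visiblepw\n"
    "Runas_Alias OP = ALL,!root\n"
    "{account} ALL=(OP) NOPASSWD: ALL\n"
)
ACCOUNT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def render_sudoers(account="wakari"):
    """Return the drop-in text for the given service account name."""
    if not ACCOUNT_RE.match(account):
        # Anything else would be interpreted as sudoers syntax, so refuse it.
        raise ValueError("unexpected service account name: %r" % (account,))
    return SUDOERS_TEMPLATE.format(account=account)


def visudo_accepts(text):
    """Syntax-check sudoers text with 'visudo -cf'; True when visudo is not installed."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return True
    fd, path = tempfile.mkstemp(suffix=".sudoers")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        return subprocess.run([visudo, "-cf", path], capture_output=True).returncode == 0
    finally:
        os.unlink(path)


def write_private(path, text, mode):
    """Replace path atomically with text at the given mode.

    The temp file has a '.' in its name, so sudo's #includedir skips it
    while it is still being written.
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def update_config(path, **keys):
    """Set top-level keys in a config.json, keeping its mode; return the new contents."""
    with open(path) as f:
        cfg = json.load(f)
    cfg.update(keys)
    mode = os.stat(path).st_mode & 0o777
    write_private(path, json.dumps(cfg, indent=4) + "\n", mode)
    return cfg


def remove_root_access(account="wakari", anon_user="public",
                       sudoers_path=SUDOERS_DROPIN,
                       compute_config=COMPUTE_CONFIG,
                       server_config=SERVER_CONFIG):
    """Apply the whole procedure, stopping before any change if visudo objects."""
    text = render_sudoers(account)
    if not visudo_accepts(text):
        raise RuntimeError("visudo rejected the generated sudoers drop-in")
    write_private(sudoers_path, text, 0o440)  # files in sudoers.d must be root-owned, 0440
    compute = update_config(compute_config, MANAGE_ACCOUNTS=False, ANON_USER=anon_user)
    server = update_config(server_config, ANON_USER=anon_user)
    return compute, server


if __name__ == "__main__":
    import sys
    remove_root_access(account=sys.argv[1] if len(sys.argv) > 1 else "wakari")
```

Run it as root with the service account name as the only argument (default wakari). The account name is validated before it is substituted into the template because anything else would land in the sudoers file as syntax; the drop-in is written through a temp file whose name contains a dot so sudo never parses a half-written file.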
Alternative sudo command
You may configure AEN to use an alternative to sudo, provided that it accepts the same command line and has the same execution semantics as sudo.
In your terminal window, locate /opt/wakari/wakari-compute/etc/wakari/config.json and modify the line:
"AEN_SUDO_CMD": "/path/to/alternative/sudo",
If the alternative sudo command is on the service account's PATH, the full path is not required. Giving the absolute path is nonetheless preferable: a bare name is resolved through PATH, so a writable directory on that PATH could substitute a different program.
The alternative sudo must be configured to give the service account permission to run commands on behalf of Anaconda Enterprise users.
Restrict sudo access to a single executable
The sudoers configuration, by default, allows Anaconda Enterprise to run any command as any user other than root. This is how Anaconda Enterprise starts processes as the logged-in end user. If more restrictive control is required, it should in the first instance be implemented through a suitable sudoers policy.
If that is not possible or practical, it is also possible to route all Anaconda Enterprise ID-changing operations through a single gatekeeper. This gatekeeper wraps the desired executable and provides an alternate way to log, monitor, or control which processes can be initiated by Anaconda Enterprise on behalf of another user.
This gatekeeper is a special case configuration that should only be used if required.
To configure Anaconda Enterprise accordingly, modify /etc/sudoers.d/wakari_sudo to contain:
Defaults:wakari !requiretty, visiblepw
Runas_Alias OP = ALL,!root
wakari ALL=(OP) NOPASSWD: /path/to/gatekeeper
This rule permits the gatekeeper with any arguments, so all filtering is left to the gatekeeper itself. It must therefore be owned by root and not writable by the service account (mode 0755 or 0750); otherwise the service account could edit the restriction away.
Locate /opt/wakari/wakari-compute/etc/wakari/config.json and modify the line:
"AEN_SUDO_SH": "/path/to/gatekeeper"
The gatekeeper can be as simple as a script such as the following. As written it only routes every command through one place; it does not by itself restrict what may be run, so any logging or filtering has to be added to it:
#!/bin/bash
# Invoked by sudo as the target user. "gatekeeper bash [args]" starts the
# user's shell with the Anaconda tools on PATH; anything else runs as given.
if [ "$1" = "bash" ]; then
    shift
    export HOME=~
    export SHELL=/bin/bash
    export PATH="$PATH:/opt/wakari/anaconda/bin"
    exec bash "$@"
else
    # Quoting "$@" keeps arguments intact instead of re-splitting them.
    exec "$@"
fi
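The script above is only a hook point. To make the gatekeeper actually "log, monitor, or control" what is started, as the text describes, it needs an allowlist, a fixed environment, and an audit record. The following is an added example of such a gatekeeper, not the AEN project's own: sudo runs it as the target user with the requested command as its arguments; it logs every request to syslog and exec()s only commands on an explicit allowlist, using the absolute path recorded in the script rather than whatever the caller's PATH resolves. The allowlist entries (bash, python and jupyter under /opt/wakari/anaconda/bin) are assumptions for illustration; adjust them to what your AEN installation actually launches. Install it owned by root with mode 0755 and point the shebang at a root-controlled interpreter, since whoever can edit the script or its interpreter controls what runs.

```python
#!/usr/bin/env python3
"""Allowlisting gatekeeper for AEN_SUDO_SH.

Added example, not the AEN project's own gatekeeper. sudo runs this script
as the target user with the requested command as its arguments; it logs the
request to syslog and exec()s only commands on an explicit allowlist. The
allowlist entries are assumptions for illustration. Install owned by root,
mode 0755, with a root-controlled interpreter on the shebang line.
"""
import os
import pwd
import sys
import syslog

ANACONDA_BIN = "/opt/wakari/anaconda/bin"

# Command name -> the one absolute path that may run under that name
# (constructed for the example; adjust to what AEN actually launches).
ALLOWED = {
    "bash": "/bin/bash",
    "python": ANACONDA_BIN + "/python",
    "jupyter": ANACONDA_BIN + "/jupyter",
}
# Caller environment variables passed through; everything else (LD_PRELOAD,
# PYTHONPATH, the caller's PATH, ...) is dropped.
PASSTHROUGH = ("LANG", "TERM", "SUDO_USER")


def decide(argv, env, user, home):
    """Return (path, args, env) for a permitted request, or None to refuse.

    argv is what sudo passed after the script name, env the caller's
    environment, user/home the target account sudo switched us to.
    """
    if not argv:
        return None
    name = os.path.basename(argv[0])
    path = ALLOWED.get(name)
    if path is None:
        return None
    # Accept a bare name or exactly the allowlisted path; refuse e.g. /tmp/bash.
    if argv[0] not in (name, path):
        return None
    new_env = {k: env[k] for k in PASSTHROUGH if k in env}
    new_env.update(HOME=home, USER=user, LOGNAME=user,
                   PATH="/usr/local/bin:/usr/bin:/bin:" + ANACONDA_BIN)
    if name == "bash":
        new_env["SHELL"] = "/bin/bash"
    return path, [path] + list(argv[1:]), new_env


def main():
    argv = sys.argv[1:]
    me = pwd.getpwuid(os.getuid())  # sudo has already switched to the target user
    caller = os.environ.get("SUDO_USER", "?")
    syslog.openlog("aen-gatekeeper", syslog.LOG_PID, syslog.LOG_AUTH)
    decision = decide(argv, os.environ, me.pw_name, me.pw_dir)
    if decision is None:
        syslog.syslog(syslog.LOG_WARNING,
                      "refused %r requested by %s for user %s" % (argv, caller, me.pw_name))
        sys.exit(1)
    path, args, env = decision
    syslog.syslog(syslog.LOG_INFO,
                  "running %r requested by %s as %s" % (args, caller, me.pw_name))
    os.execve(path, args, env)  # replaces this process; raises OSError on failure


if __name__ == "__main__":
    main()
```

Because bash is on the allowlist with unrestricted arguments, a user can still reach any command through bash -c, so this allowlist buys a fixed PATH and environment, a refusal for anything AEN was not expected to launch, and an audit trail in syslog rather than a hard restriction. Tightening it further means constraining the shell's arguments as well, which may break AEN's terminal feature, so test against the product before deploying.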