Configuring sudo customizations (AEN 4.2.0)
If your organization's IT security policy does not allow root access or restricts the use of sudo, you can customize AEN after installation to meet those requirements.
Your organization may choose to implement any or all of the following:
- Remove root access from the AEN service account (note: this prevents AEN from managing user accounts).
- Use an alternative sudo command.
- Restrict sudo access by routing all AEN processes through a single gatekeeper.
These customizations must be done in a terminal window after copying the files to the server node.
Removing all root access from the service account
Because root access is required for useradd, the following process prevents AEN from managing user accounts.
Modify the /etc/sudoers.d/wakari_sudo file to read:
Defaults:wakari !requiretty, visiblepw
Runas_Alias OP = ALL,!root
wakari ALL=(OP) NOPASSWD: ALL
NOTE: If you used a service account name other than wakari, enter that name instead of wakari.
Modify the /opt/wakari/wakari-compute/etc/wakari/config.json file so that the MANAGE_ACCOUNTS line reads:
"MANAGE_ACCOUNTS": false,
Using this option means that your IT department must create and manage all user accounts at the OS level.
After an OS-level account exists, you may create an AEN account with the same name on the main AEN web page. The password you choose is not linked in any way to the OS-level password for the account.
Alternatively, you can configure the system to use LDAP for authenticating users.
Allowing public users to have access to your AEN projects
A public account is visible to anyone who can access the AEN server.
The name of this account can be configured to any name you wish, for example public or anonymous.
In the /opt/wakari/wakari-compute/etc/wakari/config.json file, modify the ANON_USER line to read:
"ANON_USER": "public"
In the /opt/wakari/wakari-server/etc/wakari/config.json file, modify the ANON_USER line to read:
"ANON_USER": "public"
For more information about configuration keys, see Using configuration files.
Using a sudo alternative
You can use a sudo alternative as long as it supports the same execution semantics as the original sudo. The alternative must be configured to give the service account permission to run commands on behalf of AEN users.
In your terminal window, open the /opt/wakari/wakari-compute/etc/wakari/config.json file and modify the AEN_SUDO_CMD line to read:
"AEN_SUDO_CMD": "/path/to/alternative/sudo",
NOTE: If the alternate sudo command is available on PATH, then the full path is not required.
Restricting sudo access to a single gatekeeper
By default, sudoers is configured to allow AEN to run any command as a particular user, which lets the platform start processes as the logged-in end user. If more restrictive control is required, it should be implemented with a suitable sudoers policy. If that is not possible or practical, all AEN ID-changing operations can instead be routed through a single gatekeeper.
This gatekeeper wraps the desired executable and provides an alternate way to log, monitor, or control which processes can be initiated by AEN on behalf of a user.
CAUTION: Gatekeeper is a special case configuration and should only be used if required.
To configure an AEN gatekeeper:
Modify the /etc/sudoers.d/wakari_sudo file to contain:
Defaults:wakari !requiretty, visiblepw
Runas_Alias OP = ALL,!root
wakari ALL=(OP) NOPASSWD: /path/to/gatekeeper
In the /opt/wakari/wakari-compute/etc/wakari/config.json file, modify the AEN_SUDO_SH line to read:
"AEN_SUDO_SH": "/path/to/gatekeeper"
EXAMPLE: The gatekeeper can be as simple as a script such as:
#!/bin/bash
# Minimal gatekeeper: sudo runs this as the target user, with the requested
# command and its arguments in "$@".
if [ "$1" = "bash" ]; then
    # Interactive shell: drop the command word and give it a usable environment.
    shift
    export HOME=~
    export SHELL=/bin/bash
    export PATH=$PATH:/opt/wakari/anaconda/bin
    bash "$@"
else
    # Any other command is passed through unchanged. This minimal version runs
    # whatever AEN requests; logging or an allow-list would be added here.
    exec "$@"
fi
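As an added, more complete gatekeeper than the minimal script above (example code, not AEN's own script; the allow-list, the syslog tag and the PATH value are assumptions), this version logs every request with the requesting and target user and refuses any command that is not a bare name on the allow-list, so paths such as /bin/sh or ../bash never reach exec:

```shell
#!/bin/bash
# Added example gatekeeper, not AEN's own code. Assumes sudoers invokes it via
# "wakari ALL=(OP) NOPASSWD: /path/to/gatekeeper" and AEN_SUDO_SH points at it,
# so sudo runs it as the target user with the requested command in "$@".

# Commands AEN may start on behalf of a user (assumed list). Anything else is refused.
GATEKEEPER_ALLOW="bash python jupyter-notebook"

# Return 0 if "$1" is an allowed command. Only a bare name that appears in
# GATEKEEPER_ALLOW passes; empty values and anything containing '/' are refused.
gatekeeper_allowed() {
    cmd=$1
    case "$cmd" in
        ''|*/*) return 1 ;;
    esac
    for allowed in $GATEKEEPER_ALLOW; do
        [ "$cmd" = "$allowed" ] && return 0
    done
    return 1
}

# Record every request, allowed or refused, with who asked and who it runs as.
# If syslog is unavailable the line is written to stderr instead.
gatekeeper_log() {
    msg="sudo_user=${SUDO_USER:-?} target=$(id -un) decision=$1 cmd=$2"
    logger -t aen-gatekeeper -- "$msg" 2>/dev/null || printf '%s\n' "$msg" >&2
}

# Refuse anything not on the allow-list; otherwise run it with a fixed,
# known environment rather than whatever sudo passed through.
gatekeeper_main() {
    if ! gatekeeper_allowed "$1"; then
        gatekeeper_log refused "$*"
        printf 'gatekeeper: command not permitted: %s\n' "$1" >&2
        exit 126
    fi
    gatekeeper_log allowed "$*"
    export HOME=~ SHELL=/bin/bash
    export PATH=/usr/local/bin:/usr/bin:/bin:/opt/wakari/anaconda/bin
    exec "$@"
}

# Only dispatch when a command was given; running with no arguments just
# defines the functions.
if [ "$#" -gt 0 ]; then
    gatekeeper_main "$@"
fi
```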