Configuring sudo customizations

If your organization’s IT security policy does not allow root access or has restrictions on the use of sudo, after AEN installation, you may customize AEN to meet their requirements.

Your organization may choose to implement any or all of the following:

These customizations must be done in a terminal window after copying the files to the server node.

Removing all root access from the service account

Because root access is required for useradd, the following process restricts AEN from managing user accounts.

  1. Modify the /etc/sudoers.d/wakari_sudo file to read:

    Defaults:wakari !requiretty, visiblepw
    Runas_Alias    OP = ALL,!root
    wakari ALL=(OP) NOPASSWD: ALL
    

    NOTE: If you used a service account name other than wakari, enter that name instead of wakari.

  2. Modify the /opt/wakari/wakari-compute/etc/wakari/config.json file to read:

    "MANAGE_ACCOUNTS": false,
    

Using this option means that your IT department must create and manage all user accounts at the OS level.

After an OS-level account exists, you may create on the main AEN web page an AEN account using the same name. The password you choose is not linked in any way to the OS-level password for the account.

Alternatively, you can configure the system to use LDAP for authenticating users.

Allowing public users to have access to your AEN projects

A public account is visible to anyone who can access the AEN server. The name of this account can be configured to any name you wish. For example, public or anonymous. To disable this feature use the special value disabled.

  1. In the /opt/wakari/wakari-compute/etc/wakari/wk-compute-launcher-config.json file, modify the ANON_USER line to read:

    "ANON_USER": "public"
    
  2. Restart AEN compute node:

    sudo service wakari-compute restart
    
  3. In the /opt/wakari/wakari-server/etc/wakari/wk-server-config.json file, modify the ANON_USER line to read:

    "ANON_USER": "public"
    
  4. Restart AEN server:

    sudo service wakari-server restart
    

For more information about configuration keys, see Using configuration files.

Using a sudo alternative

You can use a sudo alternative as long as it supports the same execution semantics as the original sudo. The alternative must be configured to give the service account permission to run commands on behalf of AEN users.

  1. In your terminal window, open the /opt/wakari/wakari-compute/etc/wakari/config.json file.

  2. Modify the AEN_SUDO_CMD line to read:

    "AEN_SUDO_CMD": "/path/to/alternative/sudo",
    

    NOTE: If the alternate sudo command is available on PATH, then the full path is not required.

Restricting sudo access to a single gatekeeper

By default, sudoers is configured to allow AEN to run any command as a particular user which allows the platform to initiate processes as the logged-in end user. If more restrictive control is required, it should be implemented using a suitable sudoers policy. If that is not possible or practical, it is also possible to route all AEN ID-changing operations through a single gatekeeper.

This gatekeeper wraps the desired executable and provides an alternate way to log, monitor, or control which processes can be initiated by AEN on behalf of a user.

CAUTION: Gatekeeper is a special case configuration and should only be used if required.

To configure an AEN gatekeeper:

  1. Modify the /etc/sudoers.d/wakari_sudo file to contain:

    Defaults:wakari !requiretty, visiblepw
    Runas_Alias    OP = ALL,!root
    wakari ALL=(OP) NOPASSWD: /path/to/gatekeeper
    
  2. In the /opt/wakari/wakari-compute/etc/wakari/config.json file, modify the AEN_SUDO_SH line to read:

    "AEN_SUDO_SH": "/path/to/gatekeeper"
    

EXAMPLE: The gatekeeper can be as simple as a script with contents such as:

#!/bin/bash
first_cmd=$1
if [ 'bash' == $1 ]; then
    shift
    export HOME=~
    export SHELL=/bin/bash
    export PATH=$PATH:/opt/wakari/anaconda/bin
    bash "$@"
else
    exec $@
fi