dikonoor | fungi: Hi fungi. I have a query around sudo and OpenStack. Would this be the right channel to ask this query | 16:54 |
fungi | dikonoor: as good a place as any, probably | 16:54 |
dikonoor | fungi: Sure. I am not sure if there has been any discussion around this which can be shared. This is basically about OpenStack's tight coupling with sudo via oslo rootwrap or privsep. I believe both of them use sudo | 16:55 |
fungi | that sounds right | 16:56 |
dikonoor | fungi: Even though sudo seems to be the most common escalated-privilege mechanism that gets used, enterprises are moving towards other advanced solutions that provide support for centralized tracking, version management and a lot of other features. | 16:57 |
fungi | have you read the docs for them both? https://docs.openstack.org/oslo.rootwrap/ and https://docs.openstack.org/oslo.privsep/ | 16:57 |
fungi | actually, their documentation seems to be pretty sparse | 16:58 |
dikonoor | I did read them both last day but is there something that you think I might have missed reading in this regard ? | 16:58 |
dikonoor | oslo rootwrap documentation is good..it explains how sudo gets used | 16:59 |
dikonoor | privsep is sparse | 16:59 |
fungi | nope, i'm not deeply familiar with either of them (and i'm not a developer of openstack services which use them, nor do i regularly deploy/manage such services) | 16:59 |
fungi | there are likely some people in here who have a firmer grasp of how they're used in various services, but if you're looking to discuss changing their backend implementation the #openstack-oslo channel might be a more appropriate place to reach the maintainers of those libraries | 17:00 |
dikonoor | ok. the basic problem here is that OpenStack is tightly coupled with sudo at the moment and I am exploring if there are any options to use anything other than sudo. I am sure there would be others who would have run into a similar problem but I can't find any threads / discussions around this | 17:01 |
dikonoor | Perhaps I should try asking this in the oslo channel as well. | 17:01 |
fungi | do you have an example sudo alternative you're considering? i'm aware of the doas took in openbsd but beyond that not terribly familiar with sudo alternatives | 17:02 |
fungi | er, s/took/tool/ | 17:02 |
fungi | https://man.openbsd.org/doas | 17:03 |
dikonoor | fungi: I haven't used one myself..but I am aware that there are tools/software like PowerBroker and BOKS etc. that offer to provide more advanced features compared to sudo | 17:03 |
fungi | have a link to the source code for either of those? i'm interested to take a look at how they're implemented | 17:03 |
fungi | looks like http://www.foxt.com/ may be the people who make boks | 17:05 |
fungi | though seems to be closed/proprietary software from what i can tell | 17:05 |
dikonoor | yeah..both of them seem to be proprietary.. | 17:07 |
fungi | hard to evaluate the merits of either, i'm afraid | 17:07 |
dikonoor | https://www.beyondtrust.com/blog/you-could-be-sudoing-better-introducing-powerbroker-for-sudo/ | 17:07 |
fungi | i guess https://www.beyondtrust.com/ is the company making powerbroker | 17:07 |
fungi | yeah, just found it | 17:07 |
dikonoor | these tools give a provision for centralized sudoers files, logging, monitoring, auditing, policy etc.. | 17:08 |
fungi | but anyway, if the question is about making oslo.privsep (oslo.rootwrap is mostly deprecated at this point i think) support pluggable backend drivers, the feasibility of that is probably a discussion for #openstack-oslo | 17:09 |
dikonoor | yeah..right..Let me check there.. | 17:09 |
fungi | it's worth noting that /etc/sudoers was originally designed with the idea that you could maintain one central copy of policy and then distribute that to multiple systems | 17:10 |
fungi | which is why sudoers supports host matching (though people rarely rely on that usage model in practice) | 17:10 |
dikonoor | ok..good to know that..but copying around the file to many systems could be a pain..Also, the root in each system could go and make local changes | 17:12 |
*** d0ugal has quit IRC | 17:21 | |
*** dikonoor has quit IRC | 17:45 | |
*** tesseract has quit IRC | 18:07 | |
fungi | yep, i think its design recalls a time when all your servers had one central set of root admins responsible for configuring and maintaining your systems, who further delegated some "safe" commands their users could run | 18:14 |
fungi | and also things like /etc (or even / in its entirety) consumed over nfs | 18:14 |