From 9642611dc63a51f6fe578465966e28803aaaba0b Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 11:44:07 +0200 Subject: [PATCH 1/9] create new deploy test user for T12486 In order to have a group that will only be able to deploy changes on beta, we need a new group as well as a test user that will allow us to make sure that access is limited before adding users to the group. --- modules/users/data/data.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index d1a77329b7..d9161aa7af 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -68,6 +68,11 @@ groups: 'ALL = (ALL) NOPASSWD: /usr/sbin/service mariadb status', 'ALL = (ALL) NOPASSWD: /usr/bin/puppet *', 'ALL = (ALL) NOPASSWD: /bin/journalctl *'] + mediawiki-deploy-users: + gid: 2009 + description: ability to deploy changes on the MediaWiki test server + members: [] + privileges: ['ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *',] users: johnflewis: @@ -194,3 +199,11 @@ users: name: evalprime realname: EvalPrime ssh_keys: [ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII58/9ujLHNt1p1YOlHJr7Y2D7laEkYzQSOKcAhF8r1Q] + testuser: + ensure: present + uid: 1020 + name: Test User + realname: Test User (user for testing access) + ssh_keys: + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApGU+6cUDu6gLhJY547Ge/2r4FU382qFx6wVGHN/+FP + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMGnrVrhB1ZfXRouXhLzjsWjx3dTVYxxvsIzTD2JJg/ reception From bad649d55fb3d5f9132b7c19c5d779b61741e965 Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 11:44:53 +0200 Subject: [PATCH 2/9] Update test151.yaml --- hieradata/hosts/test151.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/hieradata/hosts/test151.yaml b/hieradata/hosts/test151.yaml index 1da928d742..3dd887746e 100644 --- a/hieradata/hosts/test151.yaml +++ b/hieradata/hosts/test151.yaml 
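Review bot: The new group is created with `members: []` and the `testuser` account added later in this same patch is not listed there, so unless membership is assigned somewhere not visible here the test account never receives these sudo privileges and the "make sure that access is limited" check from the description cannot be exercised; if the group is what is being tested, `members: [testuser]` is the missing line (the `members: []` is still empty where it appears as context in patches 5, 6 and 7). Separately, `'ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *'` lets the group pass any trailing arguments to `service`; a bounded NOPASSWD rule usually enumerates the intended actions instead, e.g. `'ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy restart'` and `'ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy status'`.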
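Review bot: The second `ssh_keys` entry on `testuser` carries the comment `reception`, which reads as a personal key being installed on a shared test identity; if that is the case, logins as `testuser` are indistinguishable in the audit trail from the key owner's normal access, and the key stays valid long after the T12486 check unless someone remembers to remove it. Prefer a key pair generated just for this test (comment it `testuser-T12486` or similar) and plan the follow-up that sets the account to `ensure: absent` once verification is done. Minor style point: the neighbouring `evalprime` entry writes `ssh_keys` as a flow list while the new entry uses a block list — pick one form for the file.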
@@ -2,6 +2,7 @@ users::groups: - mediawiki-admins - mediawiki-roots - mediawiki-test-admins + - mediawiki-test-deploy-users contactgroups: ['infra', 'mediawiki'] From 7cd7c3df7a5a4879c71f6f41e06b9f7d03fedfe7 Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 11:45:20 +0200 Subject: [PATCH 3/9] Update data.yaml --- modules/users/data/data.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index d9161aa7af..15b3b5ac5e 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -68,7 +68,7 @@ groups: 'ALL = (ALL) NOPASSWD: /usr/sbin/service mariadb status', 'ALL = (ALL) NOPASSWD: /usr/bin/puppet *', 'ALL = (ALL) NOPASSWD: /bin/journalctl *'] - mediawiki-deploy-users: + mediawiki-test-deploy-users: gid: 2009 description: ability to deploy changes on the MediaWiki test server members: [] From 73edcfd2f0689734cc2422c923fcc3b0123b5d50 Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 11:47:31 +0200 Subject: [PATCH 4/9] Update data.yaml --- modules/users/data/data.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index 15b3b5ac5e..2bca52432d 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -72,7 +72,7 @@ groups: gid: 2009 description: ability to deploy changes on the MediaWiki test server members: [] - privileges: ['ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *',] + privileges: ['ALL = (ALL) NOPASSWD: /usr/local/bin/mwdeploy *',] users: johnflewis: From d1948b7cb4ab1123c822ee10a4368b1b55a743c8 Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 11:59:43 +0200 Subject: [PATCH 5/9] Update data.yaml --- modules/users/data/data.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index 2bca52432d..ecf80f0805 100644 
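Review bot: The group name added to `users::groups` here, `mediawiki-test-deploy-users`, does not exist at this point in the series — patch 1 creates `mediawiki-deploy-users` and the rename only lands in patch 3 — so applying the commits one at a time leaves test151 referencing an undefined group for the intermediate state. Squashing patches 1–3 (or ordering the rename before this hieradata change) keeps every commit self-consistent. The enclosing `users::groups` list is only partly visible in this hunk.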
--- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -72,8 +72,10 @@ groups: gid: 2009 description: ability to deploy changes on the MediaWiki test server members: [] - privileges: ['ALL = (ALL) NOPASSWD: /usr/local/bin/mwdeploy *',] - + privileges: ['ALL = (ALL) NOPASSWD: /bin/nano /srv/mediawiki/*', + 'ALL = (ALL) NOPASSWD: /bin/nano /srv/mediawiki-staging/*', + 'ALL = (ALL) NOPASSWD: /bin/rm /srv/mediawiki/*', + 'ALL = (ALL) NOPASSWD: /bin/rm /srv/mediawiki-staging/*',] users: johnflewis: ensure: absent @@ -201,7 +203,7 @@ users: ssh_keys: [ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII58/9ujLHNt1p1YOlHJr7Y2D7laEkYzQSOKcAhF8r1Q] testuser: ensure: present - uid: 1020 + uid: 3000 name: Test User realname: Test User (user for testing access) ssh_keys: From 6b08e54ac08d510199582e11f7b49a75fa24b74a Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 12:42:47 +0200 Subject: [PATCH 6/9] Update data.yaml --- modules/users/data/data.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index ecf80f0805..66002a835f 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -72,9 +72,9 @@ groups: gid: 2009 description: ability to deploy changes on the MediaWiki test server members: [] - privileges: ['ALL = (ALL) NOPASSWD: /bin/nano /srv/mediawiki/*', + privileges: ['ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *', + 'ALL = (ALL) NOPASSWD: /usr/bin/rsync *', 'ALL = (ALL) NOPASSWD: /bin/nano /srv/mediawiki-staging/*', - 'ALL = (ALL) NOPASSWD: /bin/rm /srv/mediawiki/*', 'ALL = (ALL) NOPASSWD: /bin/rm /srv/mediawiki-staging/*',] users: johnflewis: From 2ac3e0288360c12064f9a957428f1eed008e784c Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 12:54:02 +0200 Subject: [PATCH 7/9] nano is dangerous --- modules/users/data/data.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
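Review bot: `'ALL = (ALL) NOPASSWD: /usr/bin/rsync *'` grants rsync as root with any arguments, which means any source and any destination path on the host, so this one rule is effectively unrestricted root and undoes the narrowing the nano/rm lines in the same hunk are reaching for. Pin the arguments to the deployment paths, e.g. `'ALL = (ALL) NOPASSWD: /usr/bin/rsync -a /srv/mediawiki-staging/ /srv/mediawiki/'`, or move the copy into a fixed root-owned deployment script (the `mwdeploy` service on the line above looks like the natural home) and drop the rsync rule. The same rsync line is carried as context through patches 7, 8 and 9, so the final state of the series still contains it.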
diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index 66002a835f..9eb186bed8 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -74,7 +74,7 @@ groups: members: [] privileges: ['ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *', 'ALL = (ALL) NOPASSWD: /usr/bin/rsync *', - 'ALL = (ALL) NOPASSWD: /bin/nano /srv/mediawiki-staging/*', + 'ALL = (ALL) NOPASSWD: /bin/sudoedit /srv/mediawiki-staging/*', 'ALL = (ALL) NOPASSWD: /bin/rm /srv/mediawiki-staging/*',] users: johnflewis: From 119e38e4f693348b3173787fa99d84c567a14e4c Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 12:59:35 +0200 Subject: [PATCH 8/9] Update data.yaml --- modules/users/data/data.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index 9eb186bed8..19645fcd17 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml @@ -74,8 +74,8 @@ groups: members: [] privileges: ['ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *', 'ALL = (ALL) NOPASSWD: /usr/bin/rsync *', - 'ALL = (ALL) NOPASSWD: /bin/sudoedit /srv/mediawiki-staging/*', - 'ALL = (ALL) NOPASSWD: /bin/rm /srv/mediawiki-staging/*',] + 'ALL = (www-data) NOPASSWD: /bin/sudoedit /srv/mediawiki-staging/*', + 'ALL = (www-data) NOPASSWD: /bin/rm /srv/mediawiki-staging/*',] users: johnflewis: ensure: absent From e45a214f76d6301e70594fa8dfb1eb1ef2e7ad98 Mon Sep 17 00:00:00 2001 From: Reception123 Date: Sun, 18 Aug 2024 13:07:06 +0200 Subject: [PATCH 9/9] Update data.yaml --- modules/users/data/data.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/data/data.yaml b/modules/users/data/data.yaml index 19645fcd17..4c8dd57268 100644 --- a/modules/users/data/data.yaml +++ b/modules/users/data/data.yaml 
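Review bot: `/bin/sudoedit` on the replacement line will not match how sudoedit is actually invoked: sudoers(5) documents `sudoedit` as a pseudo-command built into sudo that must be written in the rule without a leading path, so the line should drop the prefix and read `'ALL = (ALL) NOPASSWD: sudoedit /srv/mediawiki-staging/*'`. As written, a user running `sudoedit <file>` finds no matching rule, and the editor-in-a-copy behaviour the commit message ("nano is dangerous") is after is presumably not what the rule grants. Patches 8 and 9 carry the same `/bin/sudoedit` path forward, so the correction applies to the final state as well.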
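Review bot: Running the two rules as `(www-data)` is a real reduction, but `'ALL = (www-data) NOPASSWD: /bin/rm /srv/mediawiki-staging/*'` still does not confine `rm` to that directory: sudoers(5) notes that a `*` in command arguments also matches whitespace, so the pattern accepts further flags and paths after the first one, and the rule amounts to "rm anything www-data may delete". If removing files under the staging tree is the whole requirement, put the path validation in a small root-owned script and allow only that script, or list the exact paths the deploy flow removes. The `*` on the sudoedit line has the same reach, though sudoedit only ever writes the file back as the target user, which bounds its effect.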
@@ -75,7 +75,7 @@ groups: privileges: ['ALL = (ALL) NOPASSWD: /usr/sbin/service mwdeploy *', 'ALL = (ALL) NOPASSWD: /usr/bin/rsync *', 'ALL = (www-data) NOPASSWD: /bin/sudoedit /srv/mediawiki-staging/*', - 'ALL = (www-data) NOPASSWD: /bin/rm /srv/mediawiki-staging/*',] + 'ALL = (www-data) NOPASSWD: /bin/rm /srv/mediawiki-staging/*'] users: johnflewis: ensure: absent