openstack/tripleo-docs
Code Issues Proposed changes
tripleo-docs/doc/source/developer/mistral_workflows/07-give-elevated-privileges-to-Mistral-actions.rst
Juan Antonio Osorio Robles ab6a95fe96 Move developer documentation to top level 
It's harder to find as part of the install guide, and shouldn't be there
anyway.

Related-Bug: #1804642
Change-Id: Ia677ced783da6383211fb0bb7a28ec5fb2f538fe
2018-11-29 16:15:36 +02:00

34 lines
2.0 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Give elevated privileges to specific Mistral actions that need to run with elevated privileges.
-----------------------------------------------------------------------------------------------
Sometimes it is not possible to execute some restricted actions from
the mistral user, for example, when creating the Undercloud backup we
wont be able to access the **/home/stack/** folder to create a tarball
of it. For this cases its possible to execute elevates actions from the
mistral user:
This is the content of the **sudoers** file in the root of the
**tripleo-common** `repository`_
at the time of the creation of this guide.
::
Defaults!/usr/bin/run-validation !requiretty
Defaults:validations !requiretty
Defaults:mistral !requiretty
mistral ALL = (validations) NOPASSWD:SETENV: /usr/bin/run-validation
mistral ALL = NOPASSWD: /usr/bin/chown -h validations\: /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
/usr/bin/chown validations\: /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
!/usr/bin/chown /tmp/validations_identity_* *, !/usr/bin/chown /tmp/validations_identity_*..*
mistral ALL = NOPASSWD: /usr/bin/rm -f /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
!/usr/bin/rm /tmp/validations_identity_* *, !/usr/bin/rm /tmp/validations_identity_*..*
mistral ALL = NOPASSWD: /bin/nova-manage cell_v2 discover_hosts *
mistral ALL = NOPASSWD: /usr/bin/tar --ignore-failed-read -C / -cf /tmp/undercloud-backup-*.tar *
mistral ALL = NOPASSWD: /usr/bin/chown mistral. /tmp/undercloud-backup-*/filesystem-*.tar
validations ALL = NOPASSWD: ALL
Here you can grant permissions for specific tasks in when executing
Mistral workflows from **tripleo-common**
.. _repository: https://github.com/openstack/tripleo-common/blob/63ab54411e56ad0e70e5e145fcb0ce60a55eb3f8/sudoers
View Git Blame Copy Permalink