openstack/openstack-manuals
Code Issues Proposed changes
ddbd734e93
openstack-manuals/doc/admin-guide-cloud/section_rootwrap.xml
Diane Fleming 64b6c9261e Folder rename, file rename, flattening of directories 
Current folder name	New folder name	        Book title
----------------------------------------------------------
basic-install 	        DELETE
cli-guide	        DELETE
common	                common
NEW	                admin-guide-cloud	Cloud Administrators Guide
docbkx-example	        DELETE
openstack-block-storage-admin 	DELETE
openstack-compute-admin 	DELETE
openstack-config 	config-reference	OpenStack Configuration Reference
openstack-ha 	        high-availability-guide	OpenStack High Availabilty Guide
openstack-image	        image-guide	OpenStack Virtual Machine Image Guide
openstack-install 	install-guide	OpenStack Installation Guide
openstack-network-connectivity-admin 	admin-guide-network 	OpenStack Networking Administration Guide
openstack-object-storage-admin 	DELETE
openstack-security 	security-guide	OpenStack Security Guide
openstack-training 	training-guide	OpenStack Training Guide
openstack-user 	        user-guide	OpenStack End User Guide
openstack-user-admin 	user-guide-admin	OpenStack Admin User Guide
glossary	        NEW        	OpenStack Glossary

bug: #1220407

Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
2013-09-08 15:15:50 -07:00

106 lines
5.5 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="root-wrap-reference"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0">
<title>Secure with root wrappers</title>
<para>The goal of the root wrapper is to allow the nova
unprivileged user to run a number of actions as the root user,
in the safest manner possible. Historically, Nova used a
specific sudoers file listing every command that the nova user
was allowed to run, and just used sudo to run that command as
root. However this was difficult to maintain (the sudoers file
was in packaging), and did not allow for complex filtering of
parameters (advanced filters). The rootwrap was designed to
solve those issues.</para>
<simplesect> <title>How rootwrap works</title>
<para>Instead of just calling sudo make me a sandwich, Compute services starting with nova- call
sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich.
A generic sudoers entry lets the nova user run nova-rootwrap
as root. The nova-rootwrap code looks for filter definition directories
in its configuration file, and loads command filters from
them. Then it checks if the command requested by Compute matches
one of those filters, in which case it executes the command
(as root). If no filter matches, it denies the request.</para></simplesect>
<simplesect>
<title>Security model</title>
<para>The escalation path is fully controlled by the root
user. A sudoers entry (owned by root) allows nova to run
(as root) a specific rootwrap executable, and only with a
specific configuration file (which should be owned by
root). nova-rootwrap imports the Python modules it needs
from a cleaned (and system-default) PYTHONPATH. The
configuration file (also root-owned) points to root-owned
filter definition directories, which contain root-owned
filters definition files. This chain ensures that the nova
user itself is not in control of the configuration or
modules used by the nova-rootwrap executable.</para>
</simplesect>
<simplesect>
<title>Details of rootwrap.conf</title>
<para>The <filename>rootwrap.conf</filename> file is used to
influence how nova-rootwrap works. Since it's in the
trusted security path, it needs to be owned and writable
only by the root user. Its location is specified both in
the sudoers entry and in the
<filename>nova.conf</filename> configuration file with
the rootwrap_config= entry.</para>
<para>It uses an INI file format with the following sections and parameters:</para>
<table rules= "all" frame= "border" xml:id= "rootwrap-conf-table-filter-path" width= "100%">
<caption>Description of rootwrap.conf configuration options
</caption>
<col width= "50%"/>
<col width= "50%"/>
<thead>
<tr>
<td><para>Configuration option=Default value</para></td>
<td><para>(Type) Description</para></td>
</tr>
</thead>
<tbody><tr>
<td><para>
[DEFAULT]</para>
<para>filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
</para></td>
<td><para>(ListOpt) Comma-separated list of directories containing filter
definition files. Defines where filters
for root wrap are stored. Directories
defined on this line should all exist, be
owned and writable only by the root
user.</para></td>
</tr>
</tbody></table>
</simplesect>
<simplesect>
<title>Details of .filters files</title>
<para>Filters definition files contain lists of filters that
nova-rootwrap will use to allow or deny a specific
command. They are generally suffixed by .filters. Since
they are in the trusted security path, they need to be
owned and writable only by the root user. Their location
is specified in the rootwrap.conf file.</para>
<para>It uses an INI file format with a [Filters] section and several lines, each with a unique parameter name (different for each filter you define):</para>
<table rules= "all" frame= "border" xml:id= "rootwrap-conf-table-filter-name" width= "100%">
<caption>Description of rootwrap.conf configuration options
</caption>
<col width= "50%"/>
<col width= "50%"/>
<thead>
<tr>
<td><para>Configuration option=Default value</para></td>
<td><para>(Type) Description</para></td>
</tr>
</thead>
<tbody><tr>
<td><para>
[Filters]</para>
<para>filter_name=kpartx: CommandFilter, /sbin/kpartx, root
</para></td>
<td><para>(ListOpt) Comma-separated list containing first the Filter class to use, followed by that Filter arguments (which vary depending on the Filter class selected). .</para></td>
</tr>
</tbody></table>
</simplesect>
</section>
View Git Blame Copy Permalink