Using SaltStack for temporary sudoers access — SaltSudo

SaltSudo

This article shows how easy it is to extend SaltStack and its very rich Python module system to fit your company's work requirements. The module gives you:

  1. auditing of which user received the authorization
  2. ACL control of which users can give themselves this authorization

In this example:

  1. I have authorized a manager/head user, Mary, to SSH into the Salt Master server (as her own non-root account) and give root access on company servers to her non-root subordinate, Frank
  2. they do this via the following command:
mary@saltmaster: salt nycweb01 sudo.grant frank 'fixing disk space issue'
nycweb01:
User 'frank' has been added to Sudoers group, they can now run root-level commands using 'sudo cmd'

SSH as 'frank@nycweb01'

To revoke sudo access, run 'salt nycweb01 sudo.revoke frank'
root@nycweb01> cat /etc/sudoers.d/salt_sudo
frank ALL=(ALL) NOPASSWD:ALL
ALERT 2019-02-26 11:50:
sudo_mary has ran "salt nycweb01 sudo.grant frank" to request sudo access for: Frank Castle

Comment: production work to migrate from atlas
--------------------------------------------------
User 'frank' has been added to Sudoers group, they can now run root-level commands using 'sudo cmd'

SSH as 'frank@nycweb01'

To revoke sudo access, run 'salt titan sudo.revoke frank'

* frank has been given sudo access for 2 hours
frank@franksMac: ssh frank@nycweb01
frank@nycweb01:
frank@nycweb01: sudo su
root@nycweb01
joe@saltmaster: salt nycweb01 sudo.revoke
nycweb01:
all temporary sudo access has been removed.
To revoke only a specific user, pass the username: salt nycweb01 sudo.revoke frank

Access Lifetime span

You can also give the access a time-based expiration by passing the "span=" flag. The unit is 'h' for hours or 'd' for days:

salt nycweb01 sudo.grant frank 'fixing disk space' span=4h
span=5d    (5 days)
span=2h    (2 hours)

The Magic that makes this happen

Here's how the sudo module is wired up: Mary's account is allowed to publish the sudo.* functions through the master's publisher ACL, and the module is synced to the minions.

root@saltmaster> vim /etc/salt/master.d/auth.conf
publisher_acl:
  mary:
    - test.ping
    - grains.*
    - sudo.*
# then restart salt-master
salt \* saltutil.sync_all

Full documentation for SaltSudo module usage

sudo.status - returns any user that has temporary sudo access to the host
> salt nycweb01 sudo.status
sudo.grant - grants sudo access to user
examples:
> salt nycweb01 sudo.grant jsmith 'fixing disk space'
to add a timelimit pass a 'span=' flag with 'd' for days or 'h' for hours
> salt nycweb01 sudo.grant jsmith 'fixing disk' span=3d
sudo.revoke - revokes temp sudo access for all users configured with temp access
to revoke a specific user only, pass the username to the command
> salt nycweb01 sudo.revoke jsmith
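The article does not include the module's source, so here is an added sketch (my code, not the SaltSudo project's) of how an execution module with the grant/revoke/status interface documented above can be built: it writes the same /etc/sudoers.d/salt_sudo NOPASSWD rule the output shows, accepts span= with 'h' or 'd', defaults to the 2-hour lifetime the output reports, refuses usernames that could smuggle extra sudoers syntax, and swaps the file in atomically. The sudoers path and clock are parameters so it runs outside Salt; the "# expires=" bookkeeping, the purge done by status, and the 0440 mode are my assumptions about how to track expiry, not the article's.

```python
import os
import re
import time

SUDOERS_PATH = "/etc/sudoers.d/salt_sudo"  # the drop-in file the article shows
_SPAN_RE = re.compile(r"^(\d+)([hd])$")  # span=2h / span=5d
_RULE_RE = re.compile(r"^(\S+) ALL=\(ALL\) NOPASSWD:ALL\s+# expires=(\d+)")

def parse_span(span):
    """Seconds for 'Nh' / 'Nd', the only two units the module accepts."""
    m = _SPAN_RE.match(str(span))
    if not m:
        raise ValueError("span must look like 2h or 5d, got %r" % (span,))
    return int(m.group(1)) * (3600 if m.group(2) == "h" else 86400)

def _load(path):
    if not os.path.exists(path):
        return {}
    with open(path) as fh:  # {user: expiry_epoch} parsed from the managed file
        return {m.group(1): int(m.group(2)) for m in map(_RULE_RE.match, fh) if m}

def _save(path, entries):
    # sudo skips sudoers.d names containing '.', so the temp file is never read half-written
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        for user, exp in sorted(entries.items()):
            fh.write("%s ALL=(ALL) NOPASSWD:ALL  # expires=%d\n" % (user, exp))
    os.chmod(tmp, 0o440)  # mode sudo requires for sudoers.d files
    os.replace(tmp, path)  # atomic swap; sudo never sees a partial file

def grant(user, comment, span="2h", path=SUDOERS_PATH, now=None):
    """salt <minion> sudo.grant <user> '<why>' [span=4h]; 2h matches the article's output."""
    if not re.match(r"^[a-z_][a-z0-9_-]{0,31}$", user):  # never let 'ALL=(ALL)' in via a name
        raise ValueError("refusing suspicious username %r" % (user,))
    entries = _load(path)
    entries[user] = int(time.time() if now is None else now) + parse_span(span)
    _save(path, entries)
    return "User '%s' has been added to Sudoers group (%s)" % (user, comment)

def revoke(user=None, path=SUDOERS_PATH):
    """Drop one user's rule, or every managed rule when no user is named."""
    entries = {u: e for u, e in _load(path).items() if user and u != user}
    _save(path, entries)
    return sorted(entries)

def status(path=SUDOERS_PATH):
    """Purge expired grants (schedule this on the minion), then return who is left."""
    live = {u: e for u, e in _load(path).items() if e > time.time()}
    _save(path, live)
    return sorted(live)
```

Saved as salt://_modules/sudo.py and pushed with saltutil.sync_all, these become sudo.grant, sudo.revoke and sudo.status on the minion; the alert message the article shows would be emitted separately (for example via a Salt event), which this sketch leaves out.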