Astara rootwrap

Registered by Adam Gandelman

We are still just shelling out directly to sudo. We need to adapt the oslo.rootwrap library, audit our codebase for sudo usage and define appropriate filters for each project. We'll likely run into trouble getting Astara packaged and shipped in distros without these types of basic OpenStack security best practices in place.

Blueprint information

Status: Complete
Approver: None
Priority: High
Drafter: Adam Gandelman
Direction: Approved
Assignee: xiayu
Definition: Approved
Series goal: Accepted for mitaka
Implementation: Implemented
Milestone target: mitaka-3
Started by: Adam Gandelman
Completed by: Adam Gandelman

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/astara-rootwrap,n,z

Addressed by: https://review.openstack.org/264759
    Astara oslo.rootwrap: Use oslo.rootwrap to replace the default root_helper sudo. Add network filter for ip, ovs-vsctl, ovs-ofctl commands.

Addressed by: https://review.openstack.org/281034
    Astara appliance oslo.rootwrap

Work Items

Work items:
Implement in the orchestrator: DONE
Implement in the appliance: TODO
