Astara rootwrap

Registered by Adam Gandelman on 2015-11-12

We are still just shelling out directly to sudo. We need to adapt the oslo.rootwrap library, audit our codebase for sudo usage and define appropriate filters for each project. We'll likely run into trouble getting astara packaged and shipped in distros without these types of basic openstack security best practices in place.

Blueprint information

Status:
Complete
Approver:
None
Priority:
High
Drafter:
Adam Gandelman
Direction:
Approved
Assignee:
xiayu
Definition:
Approved
Series goal:
Accepted for mitaka
Implementation:
Implemented
Milestone target:
milestone icon mitaka-3
Started by
Adam Gandelman on 2016-02-29
Completed by
Adam Gandelman on 2016-03-04

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/astara-rootwrap,n,z

Addressed by: https://review.openstack.org/264759
    Astara oslo.rootwrap Use oslo.rootwrap to replace the default root_helper sudo. Add network filer for ip, ovs-vsctl, ovs-ofctl command.

Addressed by: https://review.openstack.org/281034
    Astara appliance oslo.rootwrap

(?)

Work Items

Work items:
Implement in the orchestrator: DONE
Implement in the appliance: TODO

This blueprint contains Public information 
Everyone can see this information.