Living Without Sudo Open Infrastructure Summit Shanghai Nov

Living Without Sudo Open Infrastructure Summit Shanghai, Nov 2019 Divya K Konoor https: //www. linkedin. com/in/divya-k-konoor-4480339/ https: //twitter. com/dikonoor (IRC )

About Us Divya K Konoor is a Software Architect at IBM, working on a on-premise cloud product named IBM Power. VC, built on Open. Stack. Using and contributing to Open. Stack for 5 years. Areas of interest are security, authentication, authorization, auditing, serviceability, monitoring etc. Abhishek M Sharma is a Staff Software Engineer at IBM, working on Power. VC and contributing to Open. Stack platform for the last 3 years.

Background Open. Stack services run using unprivileged users that are created on the OS For each service, a separate user is created Open. Stack installation assumes that the OS allows local user creation Unprivileged service users executes privileged commands using sudo oslo rootwrap has heavy dependency on sudo Movement to privsep removes this dependency Customers don’t move fast; so many still use older versions

Rootwrap is a oslo library used to filter the privileged commands run by each service Rootwrap uses a filter that defines the sudo commands can be run A hacker who controls the service can manipulate the privileged commands to his/her benefit Community moving towards privsep Privsep replaces the sudo commands with python api calls Movement to privsep not complete Oslo rootwrap and privsep

Problem / Challenge General Data Protection Regulation (May 2018) has increased security consciousness Customers want to use hardened Operation Systems Many environments do not allow creation of local users Environments without sudo Emergence of Centralized PAM / PIM solutions

Customer(s) still at older Open. Stack versions with high dependency on sudo Motivation for this effort Lack of documentation on Open. Stack deployments for such environments Need to validate if Open. Stack could co-exist in such environments 6

Goal of this effort Get Open. Stack up and running with a Privileged Identity and Access Management Solution, without sudo or local users/groups, without any Open. Stack source code changes.

What does this session cover ? • Share insights and experience around the work done deploying Open. Stack in an environment – With no sudo – Access and privileges managed using centralized server – No local user/group accounts – All service users (to start services) available through central identity providers 8

Uses sudo as the defacto utility to manage privileged access Local configuration files Users/Groups are created locally Relies on sudoers files to define permissions Sudoers files have to replicated across all systems within the datacentre to maintain uniformity No central control over access Each system has to be individually updated A Regular Linux OS

A bit on Centralized Privileged Management Solutions Sudo and local user accounts (old style) Open source access control tool Suited for small/medium infrastructures Requires distribution of sudoers file No centralized mechanism to manage access No auditing Local modifications possible defying uniform compliance Emergence of centralized solutions (new trend) Have custom utilities that replace sudo Uses centralized identity backends like LDAP instead of local OS accounts Preferred by large infrastructures to manage compliance 10

Architecture of a Centralized PAM Solution

Access Management Flow Comparison

Linux OS User Role Definition U SERS , ROL E DEFINITIO NS AND ASS IGNMENT S AT THE CENTRAL SERVER

Open. Stack with Centrify Access Manager Environment Used Microsoft Active Directory on Windows Server 2008 Central Access Manager installed on Windows 7 (joined to AD) RHEL 7. * with a Centrify agent running (joined to AD) 14

Regular Open. Stack Installation

Architecture of a Centralized Privileged Identity and Access Management Solution

So how did we go about with the Open. Stack deployment ? Pre-load all service users/groups into the central server Define commands that service users need access to Add role definitions Create a symbolic link/wrapper between sudo and the non-sudo utility (dzdo). 18

Users loaded into the Central Access Manager 20

Groups loaded into the Central Access Manager 21

Commands Definitions 22

User-Role Assignments 23

Final Outcome 01 02 03 04 Open. Stack services running with central users File permissions of Open. Stack config files/logs/database etc points to central users/groups Non-sudo utility is invoked instead of sudo No code changes in Open. Stack; works with oslo rootwrap 24

Take Away Security conscious customers moving towards advanced identity systems Open. Stack can be installed with Centralized Identity and Access Management Solutions Workarounds can be added to make Open. Stack work with non-sudo utilities No official documentation on this work

References Privilege Access Management Solutions > Oslo rootwrap > Finalize transition to privsep (Mar 2018) > Transition nova to privsep (partial – Oct 2017) Adopt oslo. privsep (Nov 2015) > https: //www. gartner. com/revi ews/market/privileged-accessmanagement-solutions https: //docs. openstack. org/osl o. rootwrap/latest/user/index. html https: //blueprints. launchpad. n et/nova/+spec/hurrah-forprivsep-again https: //blueprints. launchpad. n et/nova/+spec/hurrah-forprivsep https: //blueprints. launchpad. n et/nova/+spec/privsep 26

THANK YOU