[Spacewalk-list] how to block yum usage on client systems

Musayev, Ilya imusayev at webmd.net
Thu Jun 7 22:33:08 UTC 2012 

FYI: wrote YUM plugin and posted it on spacewalk-devel list, tested on my hosts - it works - code below.

While RHN has a limitation on locking the host from the Web UI, user is still able to run yum operations from the host (granted user has proper access).

I wrote a simple YUM plugin to check if the host is locked in RHN and if it is, prevent yum usage on the host.

Needless to say, this is proof of concept and my python skills are lacking, nevertheless it works.

TODO:
* Move Authentication part into config - easy to do but not secure
* Use alternative method of authentication used by rhnplugin - need to see how that can be done - if it all possible

I need help with understanding how i can leverage rhnplugin type of auth with RHN Lock Yum Plugin.

The proof of concept code is below - if you could make any suggestions and improvements - it would be appreciated.


Thanks
ilya



----------- /etc/yum/pluginconf.d/rhnlockplugin.conf --------
[main]
enabled=1
------------


---------- /usr/share/yum-plugins/rhnlockplugin.py ----------

from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
from xml.dom import minidom
import xmlrpclib

requires_api_version = '2.3'
plugin_type = (TYPE_CORE, TYPE_INTERACTIVE)

def init_hook(conduit):
    conduit.info(2, 'Checking if system is locked in RHN/Spacewalk')
    SATELLITE_URL = "http://spacewalk.hostname.com/rpc/api"
    SATELLITE_LOGIN = "admin"
    SATELLITE_PASSWORD = "password"

    client = xmlrpclib.Server(SATELLITE_URL, verbose=0)

    key = client.auth.login(SATELLITE_LOGIN, SATELLITE_PASSWORD)

    #----------------------------------------------------------------------
    def getSystemID(xml):
        """
        Print out all names found in xml
        """
        doc = minidom.parse(xml)
        node = doc.documentElement
        members = doc.getElementsByTagName("member")

        for member in members:
            name = member.getElementsByTagName("name")[0].firstChild.data
            if name == "system_id":
                value = \
                    member.getElementsByTagName("string")[0].firstChild.data
                return value.replace("ID-","")

    def getLockStatus(sysID):
        """
        Function to check if the host is locked
        """
        details = client.system.getDetails(key, int(sysID))
        if details['lock_status']:
            #print "ERROR: Skipping RHN/Spacewalk locked system %s" % sysID
            raise PluginYumExit('ERROR: Skipping RHN/Spacewalk locked system: %s' % sysID)
        else:
            print "NOTE: This host in not locked in RHN/Spacewalk"

    systemIDfile = '/etc/sysconfig/rhn/systemid'
    mySystemID = getSystemID(systemIDfile)
    getLockStatus(getSystemID(systemIDfile))

    client.auth.logout(key)
-----------------------------------


________________________________________
From: spacewalk-list-bounces at redhat.com [spacewalk-list-bounces at redhat.com] On Behalf Of Musayev, Ilya [imusayev at webmd.net]
Sent: Thursday, June 07, 2012 2:45 PM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] how to block yum usage on client systems

An example, various business units have their own developers/admins that require root on their own servers which run in their own SILOs.

The right way of deploying RPMs in house is through an intermediary utility such as opsware SA. Through that, we can reproduce and keep the state of the box consistent. If the box was to die, a new one comes up online and the same RPMs+configs (via software policy created on opsware) will be installed - end of story - box is ready to be used.

IF we loosen the access now with spacewalk, then rogue elements will take shortcuts and quickly deploy this or that RPM - because its convenient.

In the long term - not easily reproducible and will create a mess - especially when count of servers is in 1000s.

I agree there are many ways to poke a hole and get around YUM, but restricting YUM via spacewalk - would at least give some piece of mind - knowing - no one deployed and installed something that would not be easily reproducible in the future.

Its a business mindset - i don't disagree with - and i have to work with it.






________________________________________
From: spacewalk-list-bounces at redhat.com [spacewalk-list-bounces at redhat.com] On Behalf Of Brian Collins [brianc at sedata.com]
Sent: Thursday, June 07, 2012 1:48 PM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] how to block yum usage on client systems

> My issues is identical to yours.
>
> I'm afraid to give users YUM access as they will begin Installing stuff left and
> right, bypassing the other system we use for package deployment - HP SA
> (aka Opsware).

If they have root, they can also just go grab tarballs, make them, and install them.  Or they can wget pre-built RPMs and install them using 'RPM'.  The real problem is that you have users with root access whom you do not trust.  THAT is the problem to fix.  Either trust them or remove root from them.

Also, what software might they install that you do not want them having?

--Brian Collins

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list



_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

More information about the Spacewalk-list mailing list