Living Without Sudo in Open Infrastructure Summit Shanghai


In this presentation at the Open Infrastructure Summit in Shanghai, software architects Divya K. Konoor and Abhishek M. Sharma discuss the challenges of running OpenStack services without using sudo and the movement towards privsep. They also address the impact of GDPR on security practices and the emergence of centralized PAM/PIM solutions in hardened environments without sudo access.

  • Open Infrastructure Summit
  • OpenStack
  • Privsep
  • Security
  • GDPR

Uploaded on Mar 10, 2025 | 0 Views



Presentation Transcript


  1. Living Without Sudo. Open Infrastructure Summit Shanghai, Nov 2019. Divya K Konoor: https://www.linkedin.com/in/divya-k-konoor-4480339/ , https://twitter.com/dikonoor , dikonoor (IRC).

  2. About Us. Divya K Konoor is a Software Architect at IBM, working on an on-premise cloud product named IBM PowerVC, built on OpenStack, and has been using and contributing to OpenStack for 5 years. Areas of interest are security, authentication, authorization, auditing, serviceability, monitoring, etc. Abhishek M Sharma is a Staff Software Engineer at IBM, working on PowerVC and contributing to the OpenStack platform for the last 3 years.

  3. Background. OpenStack services run using unprivileged users that are created on the OS. For each service, a separate user is created. OpenStack installation assumes that the OS allows local user creation. Unprivileged service users execute privileged commands using sudo. oslo rootwrap has a heavy dependency on sudo. The movement to privsep removes this dependency. Customers don't move fast, so many still use older versions.

  4. Oslo rootwrap and privsep. Rootwrap is an oslo library used to filter the privileged commands run by each service. Rootwrap uses a filter that defines which sudo commands can be run. A hacker who controls the service can manipulate the privileged commands to his/her benefit. The community is moving towards privsep. Privsep replaces the sudo commands with Python API calls. The movement to privsep is not complete.

  5. Problem / Challenge. The General Data Protection Regulation (May 2018) has increased security consciousness. Customers want to use hardened operating systems. Many environments do not allow creation of local users. Environments without sudo. Emergence of centralized PAM / PIM solutions.

  6. Motivation for this effort. Customer(s) still at older OpenStack versions with high dependency on sudo. Lack of documentation on OpenStack deployments for such environments. Need to validate if OpenStack could co-exist in such environments.

  7. Goal of this effort. Get OpenStack up and running with a Privileged Identity and Access Management Solution, without sudo or local users/groups, without any OpenStack source code changes.

  8. What does this session cover? Share insights and experience around the work done deploying OpenStack in an environment with no sudo access and privileges managed using a centralized server, no local user/group accounts, and all service users (to start services) available through central identity providers.

  9. A Regular Linux OS. Uses sudo as the de facto utility to manage privileged access. Local configuration files. Users/groups are created locally. Relies on sudoers files to define permissions. Sudoers files have to be replicated across all systems within the datacentre to maintain uniformity. No central control over access. Each system has to be individually updated.

  10. A bit on Centralized Privileged Management Solutions. Sudo and local user accounts (old style): open source access control tool; suited for small/medium infrastructures; requires distribution of the sudoers file; no centralized mechanism to manage access; no auditing; local modifications possible, defying uniform compliance. Emergence of centralized solutions (new trend): have custom utilities that replace sudo; use centralized identity backends like LDAP instead of local OS accounts; preferred by large infrastructures to manage compliance.

  11. Architecture of a Centralized PAM Solution

  12. Access Management Flow Comparison

  13. Linux OS User Role Definition. Users, role definitions and assignments at the central server.

  14. Environment Used. OpenStack with Centrify Access Manager. Microsoft Active Directory on Windows Server 2008. Central Access Manager installed on Windows 7 (joined to AD). RHEL 7.* with a Centrify agent running (joined to AD).

  15. Regular OpenStack Installation

  16. Architecture of a Centralized Privileged Identity and Access Management Solution

  17. So how did we go about with the OpenStack deployment? Pre-load all service users/groups into the central server. Define commands that service users need access to. Create a symbolic link/wrapper between sudo and the non-sudo utility (dzdo). Add role definitions.

  18. Users loaded into the Central Access Manager

  19. Groups loaded into the Central Access Manager

  20. Command Definitions

  21. User-Role Assignments

  22. Final Outcome. 01: OpenStack services running with central users. 02: File permissions of OpenStack config files/logs/database etc. point to central users/groups. 03: The non-sudo utility is invoked instead of sudo. 04: No code changes in OpenStack; works with oslo rootwrap.

  23. Take Away. OpenStack can be installed with Centralized Identity and Access Management Solutions. Security conscious customers are moving towards advanced identity systems. Workarounds can be added to make OpenStack work with non-sudo utilities. No official documentation on this work.

  24. References. Privileged Access Management Solutions: https://www.gartner.com/reviews/market/privileged-access-management-solutions . Oslo rootwrap: https://docs.openstack.org/oslo.rootwrap/latest/user/index.html . Finalize transition to privsep (Mar 2018): https://blueprints.launchpad.net/nova/+spec/hurrah-for-privsep-again . Transition nova to privsep (partial, Oct 2017): https://blueprints.launchpad.net/nova/+spec/hurrah-for-privsep . Adopt oslo.privsep (Nov 2015): https://blueprints.launchpad.net/nova/+spec/privsep .

  25. THANK YOU
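Slide 4 makes the point that rootwrap only filters what a service may run as root, so the filter's tightness is what limits a compromised service. The following is an added illustration, not oslo.rootwrap's own code: it parses the real filter-file layout for the two most common filter classes and shows that a CommandFilter accepts any arguments to the listed executable, while a RegExpFilter pins each argument. The two filter texts and the commands are constructed.

```python
"""Minimal model of oslo.rootwrap filter matching. Added illustration, not
oslo.rootwrap's own code; the filter texts are constructed but use the real
layout: name: FilterClass, executable, run-as-user[, regex per argv element]."""
import configparser
import re
import shlex

# Constructed: CommandFilter checks only the executable name, not arguments.
LOOSE_FILTERS = """
[Filters]
ip: CommandFilter, ip, root
"""

# Constructed: RegExpFilter pins every argv element, argv[0] included.
STRICT_FILTERS = """
[Filters]
ip_link_up: RegExpFilter, ip, root, ip, link, set, dev, [a-z0-9]+, up
"""

def load_filters(text):
    """Parse the [Filters] section into (name, class, exec, user, regexes)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    rules = []
    for name, value in parser.items("Filters"):
        fields = [f.strip() for f in value.split(",")]
        rules.append((name, fields[0], fields[1], fields[2], fields[3:]))
    return rules

def rule_matches(rule, argv):
    """True if argv (argv[0] is the executable) is permitted by this rule."""
    _name, cls, executable, _user, regexes = rule
    if not argv or argv[0] != executable:
        return False
    if cls == "CommandFilter":
        return True  # executable matched; arguments are not inspected at all
    if cls == "RegExpFilter":
        # element count must agree and each regex is anchored to its element
        return len(argv) == len(regexes) and all(
            re.fullmatch(pat, arg) for pat, arg in zip(regexes, argv))
    return False  # unknown filter class: deny

def allowed_by(command, rules):
    """Name of the first rule that permits the command, or None if denied."""
    argv = shlex.split(command)
    for rule in rules:
        if rule_matches(rule, argv):
            return rule[0]
    return None
```

Under LOOSE_FILTERS both "ip link set dev tap0 up" and "ip link delete tap0" pass, while STRICT_FILTERS allows only the first; neither accepts an executable that is not listed.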
