Configuring sudo customizations (AEN 4.2.0)
===========================================

.. raw:: html

    <p>If your organization&#8217;s IT security policy does not allow root
    access or restricts the use of sudo, you can customize AEN after
    installation to meet those requirements.</p>
    <p>Your organization may choose to implement any or all of the following:</p>
    <ul class="simple">
    <li><a class="reference internal" href="#remove-root-access"><span class="std std-ref">Remove root access</span></a> for the AEN service account (Note: this prevents AEN from managing user accounts).</li>
    <li><a class="reference internal" href="#sudo-alt"><span class="std std-ref">Configurable sudo command</span></a>.</li>
    <li><a class="reference internal" href="#single-gatekeeper"><span class="std std-ref">Restrict sudo access to a single gatekeeper</span></a> process.</li>
    </ul>
    <p>These customizations must be done in a terminal window after copying the files to the server node.</p>
    <div class="section" id="removing-all-root-access-from-the-service-account">
    <span id="remove-root-access"></span><h2>Removing all root access from the service account<a class="headerlink" href="#removing-all-root-access-from-the-service-account" title="Permalink to this headline">¶</a></h2>
    <p>Because root access is required for <code class="docutils literal"><span class="pre">useradd</span></code>, the following
    process prevents AEN from managing user accounts.</p>
    <ol class="arabic">
    <li><p class="first">Modify the <code class="docutils literal"><span class="pre">/etc/sudoers.d/wakari_sudo</span></code> file to read:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span>Defaults:wakari !requiretty, visiblepw
    Runas_Alias    <span class="nv">OP</span> <span class="o">=</span> ALL,!root
    wakari <span class="nv">ALL</span><span class="o">=(</span>OP<span class="o">)</span> NOPASSWD: ALL
    </pre></div>
    </div>
    <p>NOTE: If you used a service account name other than wakari,
    enter that name instead of <code class="docutils literal"><span class="pre">wakari</span></code>.</p>
    </li>
    <li><p class="first">Modify the
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/wakari/config.json</span></code> file to
    read:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span><span class="s2">&quot;MANAGE_ACCOUNTS&quot;</span>: false,
    </pre></div>
    </div>
    </li>
    </ol>
    <p>Using this option means that your IT department must create
    and manage all user accounts at the OS level.</p>
    <p>After an OS-level account exists, you can create an AEN account with the
    same name on the main AEN web page. The password you choose for it is not
    linked in any way to the OS-level password of the account.</p>
    <p>Alternatively, you can configure the system to <a class="reference internal" href="authenticate-with-ldap.html"><span class="doc">use LDAP for
    authenticating users</span></a>.</p>
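    <p>Added example (this script is not part of the AEN documentation or the AEN product):
    a POSIX shell script that renders the fragment above for a given service account
    name, runs <code class="docutils literal"><span class="pre">visudo -c -f</span></code> on it when
    visudo is installed, and then scans the fragment so that no user specification can
    still run a command as root, either through a run-as list that names
    <code class="docutils literal"><span class="pre">ALL</span></code> or
    <code class="docutils literal"><span class="pre">root</span></code> without
    <code class="docutils literal"><span class="pre">!root</span></code>, or through a
    specification that has no run-as list at all, for which sudo's default is root.
    The function names, the messages and the
    <code class="docutils literal"><span class="pre">svcacct</span></code> sample account are
    assumptions; the check understands one level of
    <code class="docutils literal"><span class="pre">Runas_Alias</span></code> and the entries
    used on this page, not every sudoers construct.</p>
    <pre>
    ```shell
    #!/bin/sh
    # Added example, not part of AEN: render the sudoers fragment for a service
    # account and verify that it cannot reach root before installing it.
    # Assumed names: render_sudoers_fragment, check_no_root_runas, verify_fragment.

    # render_sudoers_fragment ACCOUNT: print the fragment from this page with the
    # service account name substituted for wakari.
    render_sudoers_fragment() {
        printf 'Defaults:%s !requiretty, visiblepw\n' "$1"
        printf 'Runas_Alias    OP = ALL,!root\n'
        printf '%s ALL=(OP) NOPASSWD: ALL\n' "$1"
    }

    # check_no_root_runas FILE: exit 0 if no user specification in FILE can run a
    # command as root. Handles the constructs used on this page: ALL, root, !root
    # and one level of Runas_Alias. A specification with no (runas) list is
    # flagged too, because sudo then runs the command as root by default.
    check_no_root_runas() {
        awk '
            function root_reachable(list,   n, p, i, x, all, root, notroot) {
                n = split(list, p, ",")
                for (i = 1; i <= n; i++) {
                    x = p[i]; gsub(/[ \t]/, "", x)
                    if (x == "ALL") all = 1
                    else if (x == "root") root = 1
                    else if (x == "!root") notroot = 1
                }
                return root || (all && !notroot)
            }
            /^[ \t]*(#|$)/ { next }                 # comments and blank lines
            $1 ~ /^Defaults/ { next }
            $1 == "Runas_Alias" {                   # remember OP = ALL,!root
                name = $2; sub(/[ \t]*=.*/, "", name)
                def = $0; sub(/^[^=]*=[ \t]*/, "", def)
                alias[name] = def; next
            }
            $1 ~ /_Alias$/ { next }                 # Host_, User_, Cmnd_Alias
            /=/ {                                   # a user specification
                if ($0 ~ /=[ \t]*\(/) {
                    r = $0; sub(/^[^(]*\(/, "", r); sub(/\).*/, "", r)
                } else {
                    r = "root"                      # no (runas) list: sudo default
                }
                if (r in alias) r = alias[r]
                if (root_reachable(r)) { print "root reachable via: " $0; bad = 1 }
            }
            END { exit (bad ? 1 : 0) }
        ' "$1"
    }

    # verify_fragment FILE: visudo syntax check (skipped when visudo is absent)
    # followed by the root-reachability check.
    verify_fragment() {
        if command -v visudo >/dev/null 2>&1; then
            visudo -c -f "$1" >/dev/null || { echo "visudo rejected $1" >&2; return 1; }
        else
            echo "visudo not found; syntax check skipped" >&2
        fi
        check_no_root_runas "$1"
    }

    # Usage: sh sudoers-check.sh ACCOUNT
    # Prints the verified fragment; install it yourself with
    #   install -m 0440 -o root -g root FRAGMENT /etc/sudoers.d/wakari_sudo
    if [ "$#" -gt 0 ]; then
        tmp=$(mktemp)
        render_sudoers_fragment "$1" >"$tmp"
        verify_fragment "$tmp" && cat "$tmp"
        rm -f "$tmp"
    fi
    ```
    </pre>
    <p>Run it as <code class="docutils literal"><span class="pre">sh sudoers-check.sh wakari</span></code> (the file name is an
    assumption) and, once it reports nothing, copy the printed fragment to
    <code class="docutils literal"><span class="pre">/etc/sudoers.d/wakari_sudo</span></code> with mode 0440 and root
    ownership, as sudo expects for files in that directory. Checking a copy before
    installing it matters because sudo refuses to run at all while any sudoers.d file
    has a syntax error, which would leave the service account, and you, without sudo.</p>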
    <div class="section" id="allowing-public-users-to-have-access-to-your-aen-projects">
    <h3>Allowing public users to have access to your AEN projects<a class="headerlink" href="#allowing-public-users-to-have-access-to-your-aen-projects" title="Permalink to this headline">¶</a></h3>
    <p>A public account is visible to anyone who can access the AEN server.
    This account can be given any name you wish, for example
    <code class="docutils literal"><span class="pre">public</span></code> or <code class="docutils literal"><span class="pre">anonymous</span></code>.</p>
    <ol class="arabic">
    <li><p class="first">In the <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/wakari/config.json</span></code>
    file, modify the ANON_USER line to read:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span><span class="s2">&quot;ANON_USER&quot;</span>: <span class="s2">&quot;public&quot;</span>
    </pre></div>
    </div>
    </li>
    <li><p class="first">In the <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/wakari/config.json</span></code>
    file, modify the ANON_USER line to read:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span><span class="s2">&quot;ANON_USER&quot;</span>: <span class="s2">&quot;public&quot;</span>
    </pre></div>
    </div>
    </li>
    </ol>
    <p>For more information about configuration keys, see
    <a class="reference internal" href="use-config-files.html"><span class="doc">Using configuration files</span></a>.</p>
    </div>
    </div>
    <div class="section" id="using-a-sudo-alternative">
    <span id="sudo-alt"></span><h2>Using a sudo alternative<a class="headerlink" href="#using-a-sudo-alternative" title="Permalink to this headline">¶</a></h2>
    <p>You can use a sudo alternative as long as it supports the same
    execution semantics as the original sudo. The alternative must be
    configured to give the service account permission to run commands
    on behalf of AEN users.</p>
    <ol class="arabic">
    <li><p class="first">In your terminal window, open the
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/wakari/config.json</span></code> file.</p>
    </li>
    <li><p class="first">Modify the AEN_SUDO_CMD line to read:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span><span class="s2">&quot;AEN_SUDO_CMD&quot;</span>: <span class="s2">&quot;/path/to/alternative/sudo&quot;</span>,
    </pre></div>
    </div>
    <p>NOTE: If the alternate sudo command is available on PATH, then
    the full path is not required.</p>
    </li>
    </ol>
    </div>
    <div class="section" id="restricting-sudo-access-to-a-single-gatekeeper">
    <span id="single-gatekeeper"></span><h2>Restricting sudo access to a single gatekeeper<a class="headerlink" href="#restricting-sudo-access-to-a-single-gatekeeper" title="Permalink to this headline">¶</a></h2>
    <p>By default, sudoers is configured to allow AEN to run any command
    as a particular user, which allows the platform to start
    processes as the logged-in end user. If more restrictive control
    is required, it should be implemented with a suitable sudoers
    policy. If that is not possible or practical, all AEN ID-changing
    operations can instead be routed through a single gatekeeper.</p>
    <p>This gatekeeper wraps the desired executable and provides an
    alternate way to log, monitor, or control which processes can be
    initiated by AEN on behalf of a user.</p>
    <p>CAUTION: The gatekeeper is a special-case configuration and should
    only be used if required.</p>
    <p>To configure an AEN gatekeeper:</p>
    <ol class="arabic">
    <li><p class="first">Modify the <code class="docutils literal"><span class="pre">/etc/sudoers.d/wakari_sudo</span></code> file to contain:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span>Defaults:wakari !requiretty, visiblepw
    Runas_Alias    <span class="nv">OP</span> <span class="o">=</span> ALL,!root
    wakari <span class="nv">ALL</span><span class="o">=(</span>OP<span class="o">)</span> NOPASSWD: /path/to/gatekeeper
    </pre></div>
    </div>
    </li>
    <li><p class="first">In the <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/wakari/config.json</span></code>
    file, modify the AEN_SUDO_SH line to read:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span><span class="s2">&quot;AEN_SUDO_SH&quot;</span>: <span class="s2">&quot;/path/to/gatekeeper&quot;</span>
    </pre></div>
    </div>
    </li>
    </ol>
    <p>EXAMPLE: The gatekeeper can be as simple as a script with
    contents such as:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span>#!/bin/bash
    # Gatekeeper: the only program the service account may run through sudo.
    # AEN passes the command to start as the arguments; "$1" is its name.
    first_cmd=$1
    if [ 'bash' == "$first_cmd" ]; then
        # For bash, set up a minimal environment with Anaconda on PATH first.
        shift
        export HOME=~
        export SHELL=/bin/bash
        export PATH=$PATH:/opt/wakari/anaconda/bin
        bash "$@"
    else
        # Quote "$@" so arguments containing spaces are passed through unchanged.
        exec "$@"
    fi
    </pre></div>
    </div>
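    <p>Added example (not part of the AEN documentation or product): a gatekeeper that,
    unlike the minimal script above, only dispatches executables from a fixed allowlist,
    rejects anything given as a path so the list cannot be sidestepped with
    <code class="docutils literal"><span class="pre">../</span></code> or an absolute path,
    and appends one line per request to an audit log before running it. The allowlist
    contents, the log file path, the function names and the exit code are assumptions to
    adapt to your site; the invocation form,
    <code class="docutils literal"><span class="pre">sudo -u USER /path/to/gatekeeper COMMAND [ARGS...]</span></code>,
    follows the sudoers entry above.</p>
    <pre>
    ```shell
    #!/bin/sh
    # Added example, not AEN's own gatekeeper: allowlist plus audit log in front
    # of the dispatch shown on this page. Assumed: the allowlist, the log path,
    # the function names and that AEN runs it as
    #   sudo -u USER /path/to/gatekeeper COMMAND [ARGS...]

    # Executables AEN may start on behalf of a user (hypothetical site policy).
    # Only bare names are accepted; paths are rejected below so that
    # "../../bin/sh" or "/bin/sh" cannot slip past the list.
    GATEKEEPER_ALLOWED="bash python jupyter-notebook"
    GATEKEEPER_LOG="${GATEKEEPER_LOG:-/var/log/aen-gatekeeper.log}"

    # gatekeeper_allowed NAME: exit 0 if NAME is exactly one allowlisted name.
    gatekeeper_allowed() {
        cmd=$1
        case "$cmd" in
            */*|'') return 1 ;;      # reject paths and the empty command
        esac
        for allowed in $GATEKEEPER_ALLOWED; do
            [ "$cmd" = "$allowed" ] && return 0
        done
        return 1
    }

    # gatekeeper_log STATUS COMMAND [ARGS...]: append one audit line; fall back
    # to stderr if the log is not writable so that a denial is never silent.
    gatekeeper_log() {
        status=$1; shift
        line="$(date -u +%Y-%m-%dT%H:%M:%SZ) uid=$(id -u) sudo_user=${SUDO_USER:-unknown} status=$status argv='$*'"
        printf '%s\n' "$line" >>"$GATEKEEPER_LOG" 2>/dev/null || printf '%s\n' "$line" >&2
    }

    # gatekeeper_main COMMAND [ARGS...]: check, log, then dispatch the way the
    # minimal script on this page does (bash gets a prepared environment,
    # everything else is exec'ed as given).
    gatekeeper_main() {
        if ! gatekeeper_allowed "$1"; then
            gatekeeper_log denied "$@"
            echo "gatekeeper: command not permitted: $1" >&2
            exit 126
        fi
        gatekeeper_log allowed "$@"
        if [ "$1" = bash ]; then
            shift
            export HOME=~
            export SHELL=/bin/bash
            export PATH=$PATH:/opt/wakari/anaconda/bin
            exec bash "$@"
        fi
        exec "$@"
    }

    # With no arguments there is nothing to dispatch; this also lets the
    # functions above be sourced and tested without executing anything.
    if [ "$#" -gt 0 ]; then
        gatekeeper_main "$@"
    fi
    ```
    </pre>
    <p>Install the script at the path named in
    <code class="docutils literal"><span class="pre">AEN_SUDO_SH</span></code>, root-owned and not
    writable by the service account, since anything that can edit the gatekeeper inherits
    everything the sudoers entry grants. Each log line records the requesting OS user from
    <code class="docutils literal"><span class="pre">SUDO_USER</span></code> and the full argument
    vector, which is what you would forward to a central log collector to monitor what AEN
    starts on behalf of users.</p>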
    </div>
