===============================
Configuring sudo customizations
===============================

If your organization's IT security policy does not allow root
access or restricts the use of sudo, you may customize AEN after
installation to meet those requirements.

Your organization may choose to implement any or all of the following:

* :ref:`Remove root access <remove-root-access>` for the AEN service account (Note: this prevents AEN from managing user accounts).
* :ref:`Configurable sudo command <sudo-alt>`.
* :ref:`Restrict sudo access to all processes <single-gatekeeper>`.

These customizations must be done in a terminal window after copying the files to the server node.

.. _remove-root-access:

Removing all root access from the service account
=================================================

Because root access is required for ``useradd``, the following
process prevents AEN from managing user accounts.

#. Modify the ``/etc/sudoers.d/wakari_sudo`` file to read:

   .. code-block:: bash

      Defaults:wakari !requiretty, visiblepw
      Runas_Alias    OP = ALL,!root
      wakari ALL=(OP) NOPASSWD: ALL

   NOTE: If you used a service account name other than wakari,
   enter that name instead of ``wakari``.

#. Modify the
   ``/opt/wakari/wakari-compute/etc/wakari/config.json`` file to
   read:

   .. code-block:: bash

      "MANAGE_ACCOUNTS": false,

Using this option means that your IT department must create
and manage all user accounts at the OS level.

After an OS-level account exists, you may create an AEN account with the
same name on the main AEN web page. The password you choose for the AEN
account is not linked in any way to the OS-level password for that account.

Alternatively, you can configure the system to :doc:`use LDAP for
authenticating users <authenticate-with-ldap>`.


Allowing public users to have access to your AEN projects
---------------------------------------------------------

A public account is visible to anyone who can access the AEN server.
The account can be given any name you wish, for example ``public`` or
``anonymous``. To disable this feature, use the special value
``disabled``.

#. In the ``/opt/wakari/wakari-compute/etc/wakari/wk-compute-launcher-config.json``
   file, modify the ANON_USER line to read:

   .. code-block:: bash

      "ANON_USER": "public"

#. Restart AEN compute node:

   .. code-block:: bash

      sudo service wakari-compute restart

#. In the ``/opt/wakari/wakari-server/etc/wakari/wk-server-config.json``
   file, modify the ANON_USER line to read:

   .. code-block:: bash

      "ANON_USER": "public"

#. Restart AEN server:

   .. code-block:: bash

      sudo service wakari-server restart

For more information about configuration keys, see
:doc:`use-config-files`.


.. _sudo-alt:

Using a sudo alternative
========================

You can use a sudo alternative as long as it supports the same
execution semantics as the original sudo. The alternative must be
configured to give the service account permission to run commands
on behalf of AEN users.

#. In your terminal window, open the
   ``/opt/wakari/wakari-compute/etc/wakari/config.json`` file.

#. Modify the AEN_SUDO_CMD line to read:

   .. code-block:: bash

      "AEN_SUDO_CMD": "/path/to/alternative/sudo",

   NOTE: If the alternate sudo command is available on PATH, then
   the full path is not required.


.. _single-gatekeeper:

Restricting sudo access to a single gatekeeper
==============================================

By default, sudoers is configured to allow AEN to run any command
as any target user except root, which allows the platform to
initiate processes as the logged-in end user. If more restrictive
control is required, it should be implemented using a suitable
sudoers policy. If that is not possible or practical, you can
instead route all AEN ID-changing operations through a single
gatekeeper.

This gatekeeper wraps the desired executable and provides an
alternate way to log, monitor, or control which processes can be
initiated by AEN on behalf of a user.

CAUTION: Gatekeeper is a special case configuration and should
only be used if required.

To configure an AEN gatekeeper:

#. Modify the ``/etc/sudoers.d/wakari_sudo`` file to contain:

   .. code-block:: bash

      Defaults:wakari !requiretty, visiblepw
      Runas_Alias    OP = ALL,!root
      wakari ALL=(OP) NOPASSWD: /path/to/gatekeeper

#. In the ``/opt/wakari/wakari-compute/etc/wakari/config.json``
   file, modify the AEN_SUDO_SH line to read:

   .. code-block:: bash

      "AEN_SUDO_SH": "/path/to/gatekeeper"

EXAMPLE: The gatekeeper can be as simple as a script with
contents such as:

.. code-block:: bash

    #!/bin/bash
    # AEN invokes this script through sudo as the target user, passing the
    # requested command and its arguments as the script's own arguments.
    if [ "$1" = 'bash' ]; then
        # Shell sessions get a home directory, a shell and the Anaconda tools on PATH.
        shift
        export HOME=~
        export SHELL=/bin/bash
        export PATH=$PATH:/opt/wakari/anaconda/bin
        exec bash "$@"
    else
        # Everything else is passed through unchanged. Quoting "$@" keeps each
        # argument intact (no word splitting or glob expansion). This minimal
        # version is a single choke point only; it does not restrict commands.
        exec "$@"
    fi
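The minimal script above only funnels requests through one place. The following is an added example, not a script shipped with AEN, of a gatekeeper that also logs each request to syslog and refuses anything not on a hypothetical allowlist; it assumes the same ``/path/to/gatekeeper`` placeholder used in the sudoers and ``config.json`` entries above, and the allowlist entries are illustrative.

```shell
#!/bin/bash
# Added example, not part of AEN: a gatekeeper that logs every request to
# syslog and only executes commands on a fixed allowlist. Installed at the
# /path/to/gatekeeper placeholder and invoked by AEN through sudo as:
#   sudo -u <target user> /path/to/gatekeeper <cmd> [args...]

# Hypothetical allowlist: the bare "bash" name AEN uses for shells plus one
# absolute path. Extend per site policy; anything else is refused.
gatekeeper_allowed() {
    case "$1" in
        bash|/opt/wakari/anaconda/bin/python) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a request without running it. Prints "allow:<cmd>" or
# "deny:<reason>" and returns 0 (run) or 77 (refuse) so it can be tested.
gatekeeper_decide() {
    if [ $# -eq 0 ] || [ -z "$1" ]; then
        echo "deny:empty"
        return 77
    fi
    if gatekeeper_allowed "$1"; then
        echo "allow:$1"
        return 0
    fi
    echo "deny:$1"
    return 77
}

gatekeeper_main() {
    # Audit trail: sudo exports SUDO_USER (the service account) and this
    # script runs as the target user, so both sides of the ID change are logged.
    command -v logger >/dev/null &&
        logger -t aen-gatekeeper "caller=${SUDO_USER:-unknown} target=$(id -un) argv=$*"
    if ! gatekeeper_decide "$@" >/dev/null; then
        echo "gatekeeper: command not permitted: ${1:-<none>}" >&2
        exit 77
    fi
    if [ "$1" = bash ]; then
        shift
        export HOME=~ SHELL=/bin/bash PATH="$PATH:/opt/wakari/anaconda/bin"
        exec bash "$@"
    fi
    # Quoted "$@" keeps each argument intact (no word splitting or globbing).
    exec "$@"
}

# Dispatch only when given a command, so the functions can be sourced or tested.
if [ $# -gt 0 ]; then gatekeeper_main "$@"; fi
```

Denied requests still appear in syslog, so the log gives both an audit trail of what AEN asked for and a signal when a request falls outside policy.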
