
Merge pull request #845 from Bhagyashree-shetty/devel

Code changes for SSH access to the login node and MS
Sujit Jadhav преди 3 години
родител
ревизия
b7301de196

+ 9 - 0
control_plane/input_params/security_vars.yml

@@ -50,3 +50,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'
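Review bot: The comments on `user` do not say that `AllowUsers` is exclusive: once the line is written, sshd refuses every account not listed, so the account that Ansible and the administrator use to reach the node must be included or the next sshd restart locks them out; add `# Note: AllowUsers is exclusive - include the administrative/Ansible account, otherwise logins other than those listed are refused.` above `user: ''`. The `username@ip` form additionally restricts that user to logins from that source address, which the example line does not mention. `# format of user shall be username@ip or username ` carries a trailing space and the next line misspells `separated`. The same block is duplicated in omnia_security_config.yml, so the same comment fixes apply there.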

+ 23 - 0
control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -159,3 +159,26 @@
     msg: "{{ alert_email_warning_msg }}"
   tags: security
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"
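Review bot: The second pattern in `validate user`, `item is regex("(?!-)[a-zA-Z]+[0-9-]*$")`, has no `^` anchor, so a token only needs an alphabetic tail to pass (`foo/bar` matches on `bar`); it should read `item is regex("^(?!-)[a-zA-Z]+[0-9-]*$")`. The `when: user | length > 1` guard on `Prepare user list` and `validate user` skips validation for a one-character username while the `< 1` checks elsewhere treat such a value as specified; `user | length > 0` is the consistent threshold. The patterns also reject specs sshd accepts (underscores, digits followed by letters, hostnames, wildcards, IPv6), which may be intended, but then `user_fail_msg` should state the accepted form. `user_list` is only consumed here: configure_sshd.yml writes the raw `user` string, so the de-duplication done by `unique` never reaches sshd_config. The identical hunk in roles/cluster_validation/tasks/fetch_security_inputs.yml needs the same changes.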

+ 71 - 0
control_plane/roles/control_plane_security/tasks/configure_sshd.yml

@@ -0,0 +1,71 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+  changed_when: false
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1
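Review bot: The two `replace` tasks for an existing `AllowUsers`/`DenyUsers` line are not idempotent: `^(AllowUsers)(.*)` matches the line the previous run wrote and appends `{{ user }}` again, so every run grows the directive with duplicate entries and triggers the `Restart sshd` handler. The `lineinfile` tasks append at end of file, which in sshd_config lands inside any trailing `Match` block rather than the global section, and `file_content.stdout.find('AllowUsers') != -1` is also true for a commented `#AllowUsers` line, in which case the `replace` regexp matches nothing and the change is silently skipped. Neither module passes `validate`, so a malformed line only surfaces when the handler restarts sshd. The rewrite below covers the AllowUsers pair: insert before the first `Match` with `sshd -t` validation, detect the directive with an anchored multiline search, and append each user only when it is not already on the line; the DenyUsers pair mirrors it. The same file is added again as roles/login_node/tasks/configure_sshd.yml and has the same issues.
```yaml
    # … unchanged: license header, file read and "Users not specified" tasks …

    - name: Configure sshd_config file when AllowUsers entry not exists
      lineinfile:
        path: "{{ sshd_conf_file }}"
        line: 'AllowUsers {{ user.split() | unique | join(" ") }}'
        # keep the directive global: appended after a Match block it would only apply to that block
        insertbefore: '^Match'
        firstmatch: true
        # reject a broken config before the handler restarts sshd (sshd path: adjust per target OS)
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
      when:
        - allow_deny == 'Allow'
        - file_content.stdout is not search('^AllowUsers', multiline=True)

    # … unchanged: DenyUsers "entry not exists" task, mirrored the same way …

    - name: Configure sshd_config file when AllowUsers entry exists
      replace:
        path: "{{ sshd_conf_file }}"
        # append only users that are not already on the line, so repeated runs change nothing
        regexp: '^(AllowUsers(?!.*\s{{ item | regex_escape }}(\s|$)).*)$'
        replace: '\1 {{ item }}'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
      loop: "{{ user.split() | unique }}"
      when:
        - allow_deny == 'Allow'
        - file_content.stdout is search('^AllowUsers', multiline=True)

    # … unchanged: DenyUsers "entry exists" task, mirrored the same way; block-level when …
```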

+ 3 - 0
control_plane/roles/control_plane_security/tasks/main.yml

@@ -53,6 +53,9 @@
     - name: Alert configuration
       include_tasks: configure_alerting.yml
       when: alert_email_address | length > 1
+
+    - name: Configure ssh access to login node
+      include_tasks: configure_sshd.yml
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
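Review bot: The new `Configure ssh access to login node` include has no `when`, while the sibling `Alert configuration` include directly above is gated on its input; gating it the same way, `when: user | length > 0`, keeps main.yml readable as the list of enabled features and makes the `Users not specified` debug task inside configure_sshd.yml redundant. Use `> 0` here rather than the `> 1` used inside configure_sshd.yml, otherwise a one-character username is silently ignored.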

+ 9 - 0
omnia_security_config.yml

@@ -40,3 +40,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'

+ 23 - 0
roles/cluster_validation/tasks/fetch_security_inputs.yml

@@ -63,3 +63,26 @@
   debug:
     msg: "{{ alert_email_warning_msg }}"
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"

+ 71 - 0
roles/login_node/tasks/configure_sshd.yml

@@ -0,0 +1,71 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+  changed_when: false
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1
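Review bot: This file is an identical copy of control_plane/roles/control_plane_security/tasks/configure_sshd.yml, so the non-idempotent `replace` append, the end-of-file `lineinfile` placement relative to `Match` blocks and the missing `validate` raised there apply here unchanged. Keeping two copies means every fix has to land twice; if the roles cannot share a tasks file, at least the task name typo (`exixts` → `exists`) and the `> 1` threshold should be corrected in both. On this host the tasks read `user` directly, whereas this role's main.yml reads `alert_email_address` through `hostvars['127.0.0.1']`; if the security inputs are only facts on localhost, `when: user | length < 1` fails here with an undefined variable, which is worth confirming.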

+ 3 - 0
roles/login_node/tasks/main.yml

@@ -36,6 +36,9 @@
         - name: Alert configuration
           include_tasks: configure_alerting.yml
           when: hostvars['127.0.0.1']['alert_email_address'] | length > 1
+
+        - name: Configure ssh access to login node
+          include_tasks: configure_sshd.yml
         
         - name: Session timeout configuration
           include_tasks: session_timeout.yml
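Review bot: The new include relies on `user` and `allow_deny` being resolvable on the login node host inside configure_sshd.yml, while the sibling include above fetches `alert_email_address` through `hostvars['127.0.0.1']`; I cannot see where the security inputs are loaded, but if they are localhost facts only, the included tasks fail on an undefined variable. In that case pass them explicitly under the include, `vars:` / `user: "{{ hostvars['127.0.0.1']['user'] | default('') }}"` / `allow_deny: "{{ hostvars['127.0.0.1']['allow_deny'] | default('Allow') }}"`, and gate it with `when: hostvars['127.0.0.1']['user'] | length > 0` as the alert include does.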