From 61c0f4082b495bc6cc91dff24f995c2b5b5fc899 Mon Sep 17 00:00:00 2001
From: Dawa Ometto
Date: Tue, 14 Jan 2025 14:08:59 +0100
Subject: [PATCH] CO admin group users need TOTP for sudo
---
 README.md | 2 +-
 galaxysrv.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 3f9e086..789b304 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ Galaxy is configured to let the webserver (Nginx) handle authentication. The web
 Any members of the workspace's Collaborative Organisation (CO) will be able to authenticate using the authentication mechanism of their institution (Single Sign-On).
-Galaxy is configured such that members of the CO that are in the SRAM workspace admin group (`src_co_admin`) will be Galaxy administrators. Other users are normal users.
+Galaxy is configured such that members of the CO that are in the SRAM workspace admin group (`src_co_admin`) will be Galaxy administrator when logging in via SSH (`sudo` will require entering the user's SRAM TOTP). Other users are normal users.
 ### Logging in via SSH
diff --git a/galaxysrv.yml b/galaxysrv.yml
index 473800f..5d069a0 100644
--- a/galaxysrv.yml
+++ b/galaxysrv.yml
@@ -92,7 +92,7 @@
 - name: Populate service facts
 ansible.builtin.service_facts:
- # This is to ensure that the Collaborative Organisation admin group can use passwordless sudo on the machine,
+ # This is to ensure that the Collaborative Organisation admin group can use sudo on the machine,
 # allowing us to disable the ResearchCloud co_passwordless_sudo parameter,
 # which grants passwordless sudo to *all* CO users on the machine.
 - name: Add CO admin group to sudoers
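Review bot: The rewritten comment now says the CO admin group "can use sudo" but no longer records what authenticates the sudo call, which is the whole reason `NOPASSWD:` is dropped in the next hunk; the commit subject says SRAM TOTP, yet nothing in this playbook hunk configures that, so it presumably comes from the host's PAM stack for sudo. Suggest extending the comment so a later maintainer does not reintroduce `NOPASSWD:` by accident: `# Without NOPASSWD, sudo authenticates through PAM (per the commit message: the user's SRAM TOTP),` `# so admin-group members need a working TOTP enrolment before they can gain root.` The rest of the `Add CO admin group to sudoers` task lies below this hunk.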
@@ -101,7 +101,7 @@
 owner: "root"
 group: "root"
 mode: "0644"
- content: "%{{ _galaxy_admin_co_group }} ALL=(ALL) NOPASSWD: ALL"
+ content: "%{{ _galaxy_admin_co_group }} ALL=(ALL:ALL) ALL"
 - name: Enable the server and bootstrap
 when: "ansible_facts.services['galaxy-gunicorn.service'] is not defined or ansible_facts.services['galaxy-gunicorn.service']['state'] != 'running' or _galaxy_do_bootstrap"
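Review bot: The task that writes this sudoers.d entry shows no `validate:` step in the hunk, so a malformed line (for example if `_galaxy_admin_co_group` expands to an empty string, leaving `% ALL=(ALL:ALL) ALL`) is installed as-is, and in my experience sudo then refuses to run for every user on the host until the file is repaired; add `validate: "/usr/sbin/visudo -cf %s"` to the task (its `ansible.builtin.copy:` and `dest:` lines sit above the hunk, so check it is not already there). Dropping `NOPASSWD:` means sudo now prompts through PAM; the commit subject says this is the SRAM TOTP, but if the sudo PAM stack is not configured on the target, SSO accounts, which typically have no local password, lose sudo entirely, so this is worth a post-task check or at least a comment naming that dependency. Separately, the unchanged `mode: "0644"` context line is worth a second look: sudo expects sudoers files to be 0440 and, on the versions I know, reports `is mode 0644, should be 0440` and skips the drop-in, which would leave this new rule ineffective; confirm on the target sudo version and consider `mode: "0440"`.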