What are the commands for passwordless sudo permissions?

This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: sudo免密权限命令列表有哪些?

| username: h5n1

When using tiup to deploy clusters and for daily start/stop maintenance, the executing user needs to have passwordless sudo permissions. The official configuration grants ALL permissions to the tidb user, but this configuration does not meet the company’s security requirements, and we do not have the root user password for the operating system.

  1. Does the official documentation provide a list of sudo passwordless permissions required for tiup deployment and maintenance?
  2. Can tiup support manual password input for sudo execution?
| username: ShawnYan | Original post link

Same question +1

For intranet environments with high security requirements, cluster installation and management need to have a unified user and user group (such as tidb). This user needs to have limited sudo permissions, meaning they cannot be given sudo all, but only NOPASSWD: /usr/bin/mkdir, /usr/bin/chown, etc. What are the sudo passwordless commands in this case?

| username: HACK | Original post link

We also have this situation, permissions need to be controlled.

| username: forever | Original post link

Is it faster to directly provide feedback on document changes in the documentation area? :grin:

| username: 履霜知冰 | Original post link

Same question +1, seeking guidance from experts.

| username: AstroProfundis | Original post link

Due to compatibility issues with various Linux distributions, most commands of tiup-cluster are executed within bash, similar to the usage of bash -c "echo foobar". Therefore, if you must set a command whitelist for sudo, you also need to add /bin/bash to the whitelist. The actual effect is no different from setting ALL.

| username: ShawnYan | Original post link

Thank you. The deployment user’s permissions are only needed during the initial installation phase and can be managed with -u/-p, so it should be fine. As for the sudo permissions of the operations user, we might need to find another way to restrict them.

| username: h5n1 | Original post link

This topic will be automatically closed 60 days after the last reply. No new replies are allowed.