Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.
Original topic: What commands need to be on the passwordless sudo list?
When using tiup to deploy clusters and for daily start/stop maintenance, the executing user needs to have passwordless sudo permissions. The official configuration grants ALL permissions to the tidb user, but this configuration does not meet the company’s security requirements, and we do not have the root user password for the operating system.
- Does the official documentation provide a list of sudo passwordless permissions required for tiup deployment and maintenance?
- Can tiup support manual password input for sudo execution?
Same question +1
For intranet environments with high security requirements, cluster installation and management need to have a unified user and user group (such as tidb). This user needs to have limited sudo permissions, meaning they cannot be given sudo all, but only NOPASSWD: /usr/bin/mkdir, /usr/bin/chown, etc. What are the sudo passwordless commands in this case?
We also have this situation, permissions need to be controlled.
Is it faster to directly provide feedback on document changes in the documentation area?
Same question +1, seeking guidance from experts.
Due to compatibility issues with various Linux distributions, most commands of tiup-cluster are executed within bash, similar to the usage of bash -c "echo foobar". Therefore, if you must set a command whitelist for sudo, you also need to add /bin/bash to the whitelist. The actual effect is no different from setting ALL.
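An added example, not part of the original reply and not tiup code: a small Python audit that reports sudoers rules which, for the reason given in the reply above, are as broad as ALL. The sample rules, the user names other than tidb, and the shell list are constructed assumptions, and Cmnd_Alias expansion is not handled.

```python
import os
import re

# Shells assumed for this example; extend the set for your environment.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
TAGS = re.compile(r"^(?:[A-Z_]+\s*:\s*)+")  # leading tags such as "NOPASSWD: "
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (user, command, passwordless) for each rule as broad as ALL."""
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if "=" not in line or line.startswith(SKIP):
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # drop the (runas) part
        passwordless = False  # a tag stays in force for later commands in the list
        for cmd in (c.strip() for c in spec.split(",")):
            m = TAGS.match(cmd)
            if m:
                for tag in re.findall(r"[A-Z_]+", m.group(0)):
                    if tag in ("NOPASSWD", "PASSWD"):
                        passwordless = tag == "NOPASSWD"
                cmd = cmd[m.end():].strip()
            parts = cmd.split()
            if not parts:
                continue
            is_shell = os.path.basename(parts[0]) in SHELLS
            # A bare path in sudoers permits any arguments, so a bare shell
            # permits -c "<anything>"; wildcard arguments do the same.
            open_args = len(parts) == 1 or any("*" in a for a in parts[1:])
            if parts[0] == "ALL" or (is_shell and open_args):
                findings.append((user, cmd, passwordless))
    return findings

# Constructed sample rules, not taken from any real host.
SAMPLE = r"""tidb ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/mkdir, /usr/bin/chown, \
    /bin/bash
ops ALL=(root) NOPASSWD: /usr/bin/mkdir, /usr/bin/chown
"""

if __name__ == "__main__":
    for user, cmd, nopw in audit_sudoers(SAMPLE):
        print(f"{user}: '{cmd}' is equivalent to ALL (passwordless={nopw})")
```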
Thank you. The deployment user’s permissions are only needed during the initial installation phase and can be managed with -u/-p, so it should be fine. As for the sudo permissions of the operations user, we might need to find another way to restrict them.