From c6f376c6635cb63854fc5f2e50a3ed8b241ae0d6 Mon Sep 17 00:00:00 2001
From: lilyeyes
Date: Thu, 12 Dec 2024 11:00:29 +0800
Subject: [PATCH] Enhance /etc/sudoers.d/HanaSystemReplication

TEAM-9048 - [timeboxed] Evaluate less restrictive /etc/sudoers.d/HanaSystemReplication
---
 .../sap-hana-system-replication-hooks.yaml | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ansible/playbooks/sap-hana-system-replication-hooks.yaml b/ansible/playbooks/sap-hana-system-replication-hooks.yaml
index bb828e51..ec06945c 100644
--- a/ansible/playbooks/sap-hana-system-replication-hooks.yaml
+++ b/ansible/playbooks/sap-hana-system-replication-hooks.yaml
@@ -82,7 +82,7 @@
 - {'section': 'ha_dr_provider_SAPHanaSR', 'key': 'execution_order', 'value': '1'}
 - {'section': 'trace', 'key': 'ha_dr_saphanasr', 'value': 'info'}

- - name: Add hooks into sudoers
+ - name: Add hooks into sudoers (SAPHanaSR-ScaleUp entries for writing srHook cluster attribute)
 ansible.builtin.lineinfile:
 path: /etc/sudoers.d/HanaSystemReplication
 state: present
@@ -97,4 +97,20 @@
 - {'regexp': '^Cmnd_Alias SFAIL_SITEA ', 'line': 'Cmnd_Alias SFAIL_SITEA = /usr/sbin/crm_attribute -n hana_{{ sap_hana_install_sid | lower }}_site_srHook_{{ primary_site }} -v SFAIL -t crm_config -s SAPHanaSR'}
 - {'regexp': '^Cmnd_Alias SOK_SITEB', 'line': 'Cmnd_Alias SOK_SITEB = /usr/sbin/crm_attribute -n hana_{{ sap_hana_install_sid | lower }}_site_srHook_{{ secondary_site }} -v SOK -t crm_config -s SAPHanaSR'}
 - {'regexp': '^Cmnd_Alias SFAIL_SITEB', 'line': 'Cmnd_Alias SFAIL_SITEB = /usr/sbin/crm_attribute -n hana_{{ sap_hana_install_sid | lower }}_site_srHook_{{ secondary_site }} -v SFAIL -t crm_config -s SAPHanaSR'}
- - {'regexp': '^{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD', 'line': '{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD: SOK_SITEA, SFAIL_SITEA, SOK_SITEB, SFAIL_SITEB'}
+ - {'regexp': '^Cmnd_Alias HOOK_HELPER', 'line': 'Cmnd_Alias HOOK_HELPER = /usr/sbin/SAPHanaSR-hookHelper --sid={{ sap_hana_install_sid | upper }} --case=checkTakeover'}
+ - {'regexp': '^{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD', 'line': '{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD: SOK_SITEA, SFAIL_SITEA, SOK_SITEB, SFAIL_SITEB, HOOK_HELPER'}
+ when: 0
+
+ - name: Add hooks into sudoers (SAPHanaSR-ScaleUp entries for writing srHook cluster attribute and SAPHanaSR-hookHelper)
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers.d/HanaSystemReplication
+ state: present
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ validate: /usr/sbin/visudo -cf %s
+ create: true
+ mode: '0440'
+ loop:
+ - {'regexp': '^{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD', 'line': '{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana_{{ sap_hana_install_sid | lower }}_site_srHook_*'}
+ - {'regexp': '^{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD', 'line': '{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD: /usr/sbin/SAPHanaSR-hookHelper *'}
+ when: 1
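Review bot: Both loop items of the new "SAPHanaSR-hookHelper" task use the identical `regexp` `^{{ sap_hana_install_sid | lower }}adm ALL=(ALL) NOPASSWD`, so whenever that pattern matches, the second lineinfile iteration replaces the crm_attribute line the first one just wrote and only the SAPHanaSR-hookHelper entry survives; give each item a regexp anchored on its command, e.g. `'^{{ sap_hana_install_sid | lower }}adm ALL=\(ALL\) NOPASSWD: /usr/sbin/crm_attribute '` and `'^{{ sap_hana_install_sid | lower }}adm ALL=\(ALL\) NOPASSWD: /usr/sbin/SAPHanaSR-hookHelper '`, or put both commands on one sudoers line. The unescaped `(ALL)` in the reused regexp is a capture group that matches `ALL=ALL`, not the literal `ALL=(ALL)` the task writes, so the pattern never matches the managed line and the rule is likely appended again rather than updated on repeated runs (the first task inherits the same pattern). In sudoers a `*` also matches whitespace, so `/usr/sbin/SAPHanaSR-hookHelper *` permits any argument list for the helper and `hana_..._site_srHook_*` accepts further options after the attribute name; pinning the instance as the HOOK_HELPER alias in the first task already does, e.g. `--sid={{ sap_hana_install_sid | upper }} --case=*`, keeps the grant scoped to that SID. `when: 0` / `when: 1` are hard-coded integer toggles between the two tasks; a boolean variable (or removing the disabled task once the evaluation is done) would make the intended selection explicit and satisfy linters that expect `true`/`false`.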