Superuser Gateway: Security Guardrails for Privileged Command Execution

One misplaced flag in a manual command running as a superuser is enough to delete a production dataset, lock out an entire organization from critical tables, or quietly remove all permissions. A single _rm -r_ or recursive _chmod_ on the wrong path running as a superuser account can cause widespread disruption and require lengthy clean-up and data recovery.


Uber’s data platform relies heavily on GCS (Google Cloud Storage™), OCI (Oracle Cloud Infrastructure™) and Apache HDFS™ for large-scale storage and analytics. A small set of engineers occasionally need superuser access to move data, fix permissions, clean up corrupted paths, or unblock time-sensitive incidents. Those same commands can also have the largest blast radius if something goes wrong.


Superuser Gateway is a workflow and service that replaces direct superuser command execution with a reviewed, auditable path for dangerous operations. The gateway triggers peer review, runs automated validation on requested commands, verifies approvals, and then executes those commands as a superuser in a controlled, remote environment. As part of this work, we removed superuser access from individual engineers so that only the Superuser Gateway back end holds those privileges going forward. Although our first deployment targets data storage systems, the model is designed for manual superuser actions in general and can be applied to other privileged systems.
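The validate-then-approve-then-execute flow described above, sketched as an added Python example (not Uber's code). The protected path prefixes, the recursive-flag set, the one-peer-approval rule and the sample commands are constructed assumptions; the point is that every request is checked and recorded before anything runs as a superuser.

```python
"""Minimal model of a reviewed, auditable gateway for superuser commands.

Constructed example: the protected prefixes, flag set and approval rule
below are assumptions for illustration, not any real production policy.
"""
from dataclasses import dataclass, field
import shlex

# Assumption: paths under these prefixes hold production data and may only
# be touched by non-recursive commands.
PROTECTED_PREFIXES = ("/prod/", "/warehouse/")
RECURSIVE_FLAGS = {"-r", "-R", "--recursive", "-rf", "-fr"}
REQUIRED_APPROVALS = 1  # assumption: one reviewer other than the requester


@dataclass
class Request:
    requester: str
    command: str                   # e.g. "hdfs dfs -rm -r /prod/table"
    approvers: list = field(default_factory=list)


def validate(command: str) -> list[str]:
    """Automated validation: return findings, empty list means it passed."""
    argv = shlex.split(command)
    if not argv:
        return ["empty command"]
    flags = {a for a in argv if a.startswith("-")}
    paths = [a for a in argv if a.startswith("/")]
    recursive = bool(flags & RECURSIVE_FLAGS)
    findings = []
    for p in paths:
        if p == "/" or p.count("/") == 1:        # "/" or a top-level dir
            findings.append(f"root-level path {p!r} is never allowed")
        elif recursive and p.startswith(PROTECTED_PREFIXES):
            findings.append(f"recursive operation on protected path {p!r}")
    if any(a in ("rm", "-rm", "chmod") for a in argv) and not paths:
        findings.append("destructive command without an explicit absolute path")
    return findings


def approved(req: Request) -> bool:
    """Approval verification: approvers must be peers, not the requester."""
    peers = {a for a in req.approvers if a != req.requester}
    return len(peers) >= REQUIRED_APPROVALS


def gate(req: Request, audit: list) -> bool:
    """Decide whether the gateway would execute; always append an audit record."""
    findings = validate(req.command)
    ok = not findings and approved(req)
    audit.append({"requester": req.requester, "command": req.command,
                  "approvers": list(req.approvers), "findings": findings,
                  "executed": ok})
    return ok
```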


Many systems at Uber rely on a small set of owners with elevated permission...

