Provide Superuser access for Linux users - Amazon Nimble Studio

Provide Superuser access for Linux users

Providing secure user access is a key aspect of Amazon Nimble Studio. However, there might be cases where you want to provide superuser access to particular users so they can install software. One way to do this is to use the sudoers policy module to indicate a user’s sudo privileges and give that user temporary superuser access.

Important

Any user with sudo access will have full read and write access to all files and folders on the system, including files in the mounted shared file systems that are attached to it. Examples of POSIX file systems: FSx for Lustre and EFS.

This tutorial explains how to create a specific component that you can attach to a launch profile so that you can provide sudo capability. This component will provide sudo capability only to users that you deem appropriate. By granting those users superuser access, you're giving them permission to install software and perform root level operations. However, it's important to be aware that there are risks when providing superuser access. Any user with sudo access can access any file or folder in the studio. For information about security recommendations, see Security best practices in AWS Identity and Access Management in the IAM User Guide.

Prerequisites

  • To complete this tutorial, you need an active Nimble Studio cloud studio deployed in your AWS account. If you don’t have a cloud studio already deployed, see the Deploying a new studio with StudioBuilder tutorial.

Step 1: Add a superuser access component to your studio

In this step, you will use the custom configuration component to create a system initialization script that enables sudo use.

  1. Sign in to the AWS Management Console and open the Nimble Studio console.

  2. Choose Studio resources in the left navigation pane.

  3. Choose Add in the Custom configuration studio resource type.

  4. In the Custom configuration info section, complete the fields as follows:

    1. Region: Select the AWS Region that your studio is deployed in.

    2. Choose the name for your component. Example: Sudo Access.

    3. (Optional) Give your component a description.

      
  5. Create a new Script parameter by choosing Add new parameter.

  6. In the Parameter name section, enter USERLIST.

  7. In the Parameter value section, enter user names to grant superuser access to specific users. User names should be separated by only a space. Example: Admin maria richard

    
  8. In the Initialization script section, navigate to the Linux section. Add the following code to the system initialization section to give specific users sudo access.

    SUDOERS_FILE=/etc/sudoers.d/50-ad-admin-user
    echo -e "# Created by studio component $studioComponentId $studioComponentName" > $SUDOERS_FILE
    # save IFS so we can revert it
    OLDIFS=$IFS
    IFS=" "
    for SUDO_USER in $USERLIST; do
        echo -e "$SUDO_USER\tALL=(ALL)\tALL" >> $SUDOERS_FILE
    done
    # revert IFS
    IFS=$OLDIFS
    chmod 440 $SUDOERS_FILE
  9. In the Security groups section, choose the LicenseServer security group.

  10. (Optional) Add tags if you're using tags to track your AWS resources.

  11. Choose Save custom configuration.
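
The following is an added example, not part of the original tutorial or AWS's own script: a variant of the Step 1 initialization script that validates each USERLIST entry and syntax-checks the file with visudo before installing it, so a mistyped entry cannot widen or break the sudo policy. The helper names valid_sudo_user and write_sudoers_dropin are hypothetical.

```shell
#!/bin/sh
# Added example: validate USERLIST before it becomes sudoers rules.
# valid_sudo_user and write_sudoers_dropin are hypothetical helper names.
LC_ALL=C; export LC_ALL

# valid_sudo_user NAME -> 0 if NAME is a plain account name, 1 otherwise.
valid_sudo_user() {
    case $1 in
        ''|ALL) return 1 ;;             # empty, or the sudoers keyword meaning "every user"
        [!A-Za-z_]*) return 1 ;;        # must start with a letter or underscore
        *[!A-Za-z0-9_.-]*) return 1 ;;  # rejects %, #, +, commas and other sudoers syntax
    esac
    return 0
}

# write_sudoers_dropin "USER1 USER2 ..." TARGET
# Builds the file in a temporary location, checks it, then installs it with mode 440.
write_sudoers_dropin() {
    users=$1
    target=$2
    tmp=$(mktemp) || return 1
    echo "# Created by studio component ${studioComponentId:-} ${studioComponentName:-}" > "$tmp"
    set -f                              # do not glob-expand list entries
    for u in $users; do
        if ! valid_sudo_user "$u"; then
            echo "rejecting USERLIST entry: $u" >&2
            set +f; rm -f "$tmp"; return 1
        fi
        printf '%s\tALL=(ALL)\tALL\n' "$u" >> "$tmp"
    done
    set +f
    # visudo -cf parses the candidate file without touching the live policy.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    chmod 440 "$tmp" && mv -f "$tmp" "$target"
}
```

In the component's initialization script, the call would be write_sudoers_dropin "$USERLIST" /etc/sudoers.d/50-ad-admin-user.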

Step 2: Add the Sudo Access component to a launch profile

These steps explain how to attach the Sudo Access component to an existing launch profile. We recommend creating a specific launch profile that’s dedicated to Linux administrative work, so it’s clear who has access to this component. Navigate to Creating launch profiles and follow the steps in that tutorial before returning to this step.

  1. Choose Launch profiles in the left navigation pane.

  2. Select a launch profile by selecting the dot to the left of its name.

  3. Choose Action. Then choose Edit.

  4. Navigate to the Launch profile components section.

  5. Select the check box next to the Sudo Access component that you just created.

  6. Choose Update launch profile.

  7. Repeat these steps for all launch profiles that you want to have access to the Sudo Access component.

Step 3: Test Sudo Access component

Sign in to a virtual workstation and test the process to check that the Sudo Access component is working as expected. Choose the launch profile that you added the Sudo Access component to.

To launch a virtual workstation
  1. Choose the Launch tab from the left navigation pane.

    
  2. Select the vertical ellipsis on the card to open a dropdown menu.

  3. Choose Launch with…

  4. For Instance Type, leave it at the default setting.

  5. For Amazon Machine Image, verify that NimbleStudioWindowsStreamImage is selected.

  6. For Streaming Preference, choose your streaming preference.

    1. For the best performance, we recommend choosing Launch native client.

    2. You must download the NICE DCV client before connecting to your workstation. For more information about the DCV client, as well as links to download, see NICE DCV clients.

  7. Choose Launch.

  8. A status bar will appear that shows you the progress of launching your virtual workstation. This might take up to 10 minutes.

To connect to the virtual workstation
  1. When your virtual workstation is ready, a new window appears reminding you that the client must be installed.

  2. Choose Start streaming now.

    1. If you haven’t installed the DCV desktop client, choose Download here and install the client first.

      
  3. When your browser pops up a window prompting you to open DCV, choose Open to continue. The exact wording of this might vary depending on what browser you're using.

    Note

    The NICE DCV web browser client runs inside a web browser. You don't need to install the web client. We recommend using the Google Chrome browser to avoid latency. For more information, go to the Web browser client page in the NICE DCV User Guide.

  4. After the DCV client application opens in a new window, the Windows login screen appears.

  5. Open the instance menu near the top right of the screen and choose Ctrl + Alt + Del. For an OS X DCV client, open the Connection dropdown menu and select Send Ctrl + Alt + Del.

    Important

    Don’t enter Ctrl+Alt+Delete on your keyboard. Doing so sends the command to your local computer, not to your workstation.

    
  6. For User name, enter Admin. For Password, enter the password that you created during your studio deployment. Then press the enter (or return) key.

You're now connected to your virtual workstation.

Now that you have logged in to your virtual workstation, you can test whether your Sudo Access component worked as expected. To do this, use the Terminal to run a sudo command.

Test sudo access
  1. Open the Terminal.

    1. Select Applications in the menu bar. Then choose System Tools and Terminal.

      
  2. In the terminal, enter the command sudo -v to test if your user has sudo access.

  3. Enter the password for your account.

    1. If your account has sudo permissions, a command prompt will appear.

      
    2. If you don’t have access, you will receive a result like, Sorry, user [username] may not run sudo on [hostname]. If your account doesn’t have permission to run sudo commands, double-check your launch profile to check that you have connected the Sudo Access component.

You have now provided superuser access to your Linux users.