Operations grimoire/Create and revoke user accounts on Salt servers

From Nasqueron Agora

Create a user

  1. Add an entry to shellusers in pillar/core/users.sls
    1. uid: you can run utils/next-uid.py to generate one (otherwise, take the greatest 2xxx uid and add 1)
    2. shell: the default shell is bash; the other available shells are fish / nologin / tcsh / zsh
    3. fullname: this is public information, so publish it only if the user is comfortable with that (i.e. if they already publish their full name elsewhere, such as on DevCentral, GitHub, etc.)

Revoke a user

  1. Keep the entry in shellusers at pillar/core/users.sls
  2. Append the user to the 'revokedusers' list
  3. Remove the user from the relevant groups in pillar/core/groups.sls

Assign a user to a group

Putting a user in shellusers alone is a no-op.

Each server takes its users from the shellgroups dictionary in pillar/core/groups.sls.

Group          Description                                      Example of servers
shell          Shell access on Eglide (e.g. for IRC purposes)   eglide.org
ops            Nasqueron Operations                             Access everywhere
nasquenautes   Shell access on Nasqueron dev servers            ysul, WindRiver

Generally, the target groups are `shell` or `nasquenautes`.

Some specialized groups exist for a particular piece of software or service. They can generally be ignored when adding a new user.
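The three sections above describe consistency rules for the pillar (unique uids in the 2xxx range, an allowed shell, revoked users kept in shellusers but removed from every group, group members that actually exist). The following script is an added example, not code from the Nasqueron repository; it assumes the pillar loads as a mapping shaped shellusers -> {name: {uid, shell, fullname}}, revokedusers -> [names], shellgroups -> {group: [names]}, and uses a constructed sample in place of the real .sls files.

```python
# Added example: sanity checks for the pillar conventions described above.
# The dict layout (shellusers -> {name: {uid, shell, fullname}}, revokedusers
# as a list, shellgroups -> {group: [names]}) is an ASSUMPTION about the
# pillar shape, not taken from the Nasqueron repository.

ALLOWED_SHELLS = {"bash", "fish", "nologin", "tcsh", "zsh"}

# Constructed sample pillar, standing in for pillar/core/users.sls and
# pillar/core/groups.sls loaded as YAML. Several entries are deliberately wrong.
SAMPLE_PILLAR = {
    "shellusers": {
        "alice": {"uid": 2001, "shell": "zsh", "fullname": "Alice Example"},
        "bob": {"uid": 2002},                      # shell omitted: defaults to bash
        "carol": {"uid": 2002, "shell": "fish"},   # duplicate uid (defect)
        "dave": {"uid": 2005, "shell": "ksh"},     # unsupported shell (defect)
    },
    "revokedusers": ["bob"],
    "shellgroups": {
        "shell": ["alice", "bob"],          # bob is revoked but still listed
        "nasquenautes": ["alice", "erin"],  # erin has no shellusers entry
        "ops": [],
    },
}


def next_uid(pillar):
    """Greatest uid in the 2xxx range plus one, the manual rule given on this page."""
    uids = [u["uid"] for u in pillar["shellusers"].values() if 2000 <= u["uid"] < 3000]
    return max(uids, default=2000) + 1


def check_pillar(pillar):
    """Return a list of human-readable problems; an empty list means the pillar is consistent."""
    problems = []
    users = pillar["shellusers"]
    seen = {}  # uid -> first user that claimed it
    for name, entry in users.items():
        uid = entry["uid"]
        if uid in seen:
            problems.append(f"{name}: uid {uid} already used by {seen[uid]}")
        seen.setdefault(uid, name)
        if entry.get("shell", "bash") not in ALLOWED_SHELLS:
            problems.append(f"{name}: unsupported shell {entry['shell']!r}")
    revoked = set(pillar.get("revokedusers", []))
    for name in revoked - set(users):
        problems.append(f"{name}: revoked but no shellusers entry kept")
    for group, members in pillar["shellgroups"].items():
        for member in members:
            if member in revoked:
                problems.append(f"{group}: revoked user {member} still a member")
            elif member not in users:
                problems.append(f"{group}: unknown user {member}")
    return problems
```

Run check_pillar before applying the state: each reported line maps to one of the rules above, and next_uid gives the value to use for a new shellusers entry.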

Run Salt

If you have access to the Salt primary server in production:

salt eglide state.apply roles/core/users

Or locally, while Eglide doesn't have direct access to the Salt primary server:

sudo salt-call --local state.apply roles/core/users

Watch for SSH key changes in the output. Notify the concerned users about any SSH key change when running this.

See Operations grimoire/Deploy with Salt.

Special case: rename a user

Repository change

Rename directory

This operation needs to be done manually.

If the server uses ZFS:

   $ zfs unmount arcology/home/inidal
   $ zfs rename arcology/home/inidal arcology/home/ieli
   $ zfs mount arcology/home/ieli

If not:

   $ mv /home/inidal /home/ieli

As the uid is the same, these operations are safe and permissions won't be lost.

Rename account on a server

Normally, once the directory is deleted, it's safe to remove the user and add it again.

If you want to do it manually:

  • on FreeBSD, use chpass <user account>, then edit /etc/group with $EDITOR
  • on Linux systems, use vipw ; vipw -s ; vigr ; vigr -s

Order of operations

  1. Assert the request is legitimate enough to risk breaking things
  2. Make the repository change
  3. Rename the directory
  4. Decide whether it's needed to manually rename the account on the servers
  5. Apply the change

Do not apply the change before renaming the directory, as that would create a new one and could potentially remove the old directory too.

Best practices

Checking that the request is legitimate is important:

  • If a being has MFA enabled on Phabricator, they should sign the key request with MFA; see for example T2005.