Operations grimoire/Create and revoke user accounts on Salt servers
Create an user
- Add entry to shellusers in the `pillar/core/users.sls`
- uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1)
- shell: default shell is bash, other availables are fish / nologin / tcsh / zsh
- fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.)
Revoke an user
- Keep the entry in shellusers at pillar/core/users.sls
- Append the element to the 'revokedusers' list
- Remove it from relevant groups in pillar/core/groups.sls
Assign an user to a group
If you only put an user in shellusers, that's a no op operation.
Each server take users through the shellgroups dictionary in pillar/core/groups.sls.
|Group||Description||Example of servers|
|shell||Shell access on Eglide (e.g. for IRC purpose)||eglide.org|
|ops||Nasqueron Operations||Access everywhere|
|nasquenautes||Shell access on Nasqueron dev servers||ysul, WindRiver|
Generally, the target groups are `shell` or `nasquenautes`.
Some specialized groups exist for a particular piece of software or service. It's generally ignored when adding a new user.
Run the Salt
If you've access to the Salt master in production:
salt eglide state.apply roles/shellserver/users