Operations grimoire/Create and revoke user accounts on Salt servers

From Nasqueron Agora

Create a user

  1. Add an entry to shellusers in pillar/core/users.sls
    1. uid: run utils/next-uid.py to generate one (or, failing that, take the greatest 2xxx uid and add 1)
    2. shell: the default shell is bash; the other available shells are fish, nologin, tcsh and zsh
    3. fullname: this is public information, so publish it only if the user is comfortable with that (i.e. if they already publish their full name elsewhere, like DevCentral or GitHub)

Revoke a user

  1. Keep the entry in shellusers at pillar/core/users.sls
  2. Append the user's name to the 'revokedusers' list
  3. Remove it from the relevant groups in pillar/core/groups.sls

Assign a user to a group

Only putting a user in shellusers is a no-op: without a group, no server picks them up.

Each server takes its users through the shellgroups dictionary in pillar/core/groups.sls.

Group          Description                                      Example of servers
-------------  -----------------------------------------------  ------------------
shell          Shell access on Eglide (e.g. for IRC purposes)   eglide.org
ops            Nasqueron Operations                             Access everywhere
nasquenautes   Shell access on Nasqueron dev servers            ysul, WindRiver

Generally, the target groups are `shell` or `nasquenautes`.

Some specialized groups exist for a particular piece of software or service. They are generally ignored when adding a new user.
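The create, revoke and group steps above leave room for mistakes that only show up when the state is applied (a reused uid, a revoked user still listed in a group, a typo in the shell name). The following lint is an added example, not Nasqueron's own tooling; the dict layout for users.sls and groups.sls and the sample accounts are assumptions constructed for the demo, and next_uid only mirrors what the page says utils/next-uid.py does.

```python
# Added example (not Nasqueron code): pre-flight checks over pillar data of the
# shape this page describes. The dict layout is an ASSUMPTION about
# pillar/core/users.sls and pillar/core/groups.sls; accounts are constructed.

ALLOWED_SHELLS = {"bash", "fish", "nologin", "tcsh", "zsh"}

# Constructed sample pillar data (not real accounts).
USERS_PILLAR = {
    "shellusers": {
        "alice":   {"uid": 2001, "shell": "zsh", "fullname": "Alice Example"},
        "bob":     {"uid": 2002, "shell": "bash"},
        "carol":   {"uid": 2005},                 # no shell key: default is bash
        "mallory": {"uid": 2003, "shell": "nologin"},
    },
    "revokedusers": ["mallory"],                  # entry kept, as the page says
}
GROUPS_PILLAR = {
    "shellgroups": {
        "shell":        ["alice", "bob", "carol"],
        "ops":          ["alice"],
        "nasquenautes": ["bob", "mallory"],       # stale: mallory is revoked
    },
}

def next_uid(users_pillar):
    """Greatest 2xxx uid plus one, the fallback rule given on the page."""
    uids = [u["uid"] for u in users_pillar["shellusers"].values()
            if 2000 <= u["uid"] <= 2999]
    return (max(uids) if uids else 2000) + 1

def lint(users_pillar, groups_pillar):
    """Return the problems a reviewer would want to see before state.apply."""
    problems = []
    users = users_pillar["shellusers"]
    revoked = set(users_pillar.get("revokedusers", []))
    seen = {}                                     # uid -> first user with it
    for name, attrs in users.items():
        uid = attrs["uid"]
        if uid in seen:
            problems.append(f"duplicate uid {uid}: {seen[uid]} and {name}")
        seen.setdefault(uid, name)
        if attrs.get("shell", "bash") not in ALLOWED_SHELLS:
            problems.append(f"{name}: unknown shell {attrs['shell']!r}")
    for name in sorted(revoked - set(users)):
        problems.append(f"revoked user {name} has no shellusers entry (keep it)")
    for group, members in groups_pillar["shellgroups"].items():
        for member in members:
            if member in revoked:
                problems.append(f"{member} is revoked but still in group {group}")
            elif member not in users:
                problems.append(f"{member} in group {group} is not a shelluser")
    return problems
```

Run lint() on the real pillar before every state.apply; an empty list means the three checks passed.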

Run the Salt

If you have access to the Salt primary server in production:

salt eglide state.apply roles/core/users

Or locally, as long as Eglide doesn't have direct access to the Salt primary server:

sudo salt-call --local state.apply roles/shellserver/users

Watch for SSH key changes in the output, and notify the users concerned about any SSH key change when running this.

See Operations grimoire/Deploy with Salt.

Best practices

Checking that the request is legitimate is important:

  • If a being has MFA enabled on Phabricator, they should sign the key request with MFA; see for example T2005.