Operations grimoire/Create and revoke user accounts on Salt servers
Create an user
- Add entry to shellusers in the
pillar/core/users.sls- uid: you can run
utils/next-uid.pyto generate one (if not, take the greatest 2xxx and do +1) - shell: default shell is bash, other availables are fish / nologin / tcsh / zsh
- fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.)
- uid: you can run
Revoke an user
- Keep the entry in shellusers at pillar/core/users.sls
- Append the element to the 'revokedusers' list
- Remove it from relevant groups in pillar/core/groups.sls
Assign an user to a group
If you only put an user in shellusers, that's a no op operation.
Each server take users through the shellgroups dictionary in pillar/core/groups.sls.
| Group | Description | Example of servers |
|---|---|---|
| shell | Shell access on Eglide (e.g. for IRC purpose) | eglide.org |
| ops | Nasqueron Operations | Access everywhere |
| nasquenautes | Shell access on Nasqueron dev servers | ysul, WindRiver |
Generally, the target groups are `shell` or `nasquenautes`.
Some specialized groups exist for a particular piece of software or service. It's generally ignored when adding a new user.
Run the Salt
If you've access to the Salt primary server in production:
salt eglide state.apply roles/core/users
Or locally while Eglide doesn't have have a direct access to the Salt primary server:
sudo salt-call --local state.apply roles/shellserver/users
Take care of the SSH key changes during the output. Please notify concerned users about any SSH keys change when running this.
See Operations grimoire/Deploy with Salt.
Best practices
Check the request is legitimate is important:
- If a being has MFA enabled on Phabricator, they should sign with MFA the key request, see for example T2005.
