Operations grimoire/Create and revoke user accounts on Salt servers: Difference between revisions
From Nasqueron Agora
(Created page with "== Create an user == # Add public SSH key to roles/shellserver/users/files/ssh_keys/<account> file # Add entry to pillar/users/shellusers.sls == Revoke an user == # Delete ro...") |
DorianWinty (talk | contribs) No edit summary |
(7 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Create an user == | == Create an user == | ||
# Add | # Add entry to shellusers in the <code>pillar/core/users.sls</code> | ||
# | ## uid: you can run <code>utils/next-uid.py</code> to generate one (if not, take the greatest 2xxx and do +1) | ||
## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh | |||
## fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.) | |||
== Revoke an user == | == Revoke an user == | ||
# | # Keep the entry in shellusers at pillar/core/users.sls | ||
# Remove | # Append the element to the 'revokedusers' list | ||
# Remove it from relevant groups in pillar/core/groups.sls | |||
== Assign an user to a group == | |||
If you only put an user in shellusers, that's a no op operation. | |||
Each server take users through the shellgroups dictionary in pillar/core/groups.sls. | |||
{| class="wikitable" | |||
|- | |||
! Group !! Description !! Example of servers | |||
|- | |||
| shell || Shell access on Eglide (e.g. for IRC purpose) || eglide.org | |||
|- | |||
| ops || Nasqueron Operations || Access everywhere | |||
|- | |||
| nasquenautes || Shell access on Nasqueron dev servers || ysul, WindRiver | |||
|} | |||
Generally, the target groups are `shell` or `nasquenautes`. | |||
Some specialized groups exist for a particular piece of software or service. | |||
It's generally ignored when adding a new user. | |||
== Run the Salt == | == Run the Salt == | ||
<code>salt eglide state.apply roles/shellserver/users</code> | If you've access to the Salt primary server in production: | ||
<code>salt eglide state.apply roles/core/users</code> | |||
Or locally while Eglide doesn't have have a direct access to the Salt primary server: | |||
<code>sudo salt-call --local state.apply roles/shellserver/users</code> | |||
Take care of the SSH key changes during the output. Please notify concerned users about any SSH keys change when running this. | |||
See [[Operations grimoire/Deploy with Salt]]. | See [[Operations grimoire/Deploy with Salt]]. |
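Review bot: In the "Run the Salt" lines of this revision, the production command applies roles/core/users while the local "sudo salt-call --local" command still applies roles/shellserver/users, the state path the previous revision used. If the state moved to roles/core/users, the local command should be updated to match; if the two are meant to differ, a short sentence saying why would help. The sentence introducing the local command also has a doubled word ("doesn't have have"). Separately, the new Create steps no longer say where the public SSH key is added, although the closing paragraph warns about SSH key changes.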
Latest revision as of 18:26, 2 April 2023
Create a user
- Add an entry to shellusers in pillar/core/users.sls
  - uid: you can run utils/next-uid.py to generate one (if not, take the greatest 2xxx and add 1)
  - shell: the default shell is bash; the other available shells are fish / nologin / tcsh / zsh
  - fullname: this is public information, so publish it only if the user is comfortable with that (i.e. if they already publish their full name elsewhere, like DevCentral, GitHub, etc.)
Revoke a user
- Keep the entry in shellusers at pillar/core/users.sls
- Append the element to the 'revokedusers' list
- Remove the user from the relevant groups in pillar/core/groups.sls
Assign a user to a group
If you only put a user in shellusers, that's a no-op.
Each server takes its users from the shellgroups dictionary in pillar/core/groups.sls.
Group | Description | Example of servers |
---|---|---|
shell | Shell access on Eglide (e.g. for IRC purpose) | eglide.org |
ops | Nasqueron Operations | Access everywhere |
nasquenautes | Shell access on Nasqueron dev servers | ysul, WindRiver |
Generally, the target groups are `shell` or `nasquenautes`.
Some specialized groups exist for a particular piece of software or service. They're generally ignored when adding a new user.
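A consistency check for the create, revoke and group steps above, as an added example that is not part of this page or of the Nasqueron repository. The in-memory pillar layout, the user names and the function names `next_uid` and `check_pillar` are assumptions made for illustration.

```python
# Added example (not Nasqueron code). ASSUMED layout: a constructed stand-in
# for pillar/core/users.sls and pillar/core/groups.sls; real files may differ.
ALLOWED_SHELLS = {"bash", "fish", "nologin", "tcsh", "zsh"}  # shells listed on this page

PILLAR = {  # constructed sample data, hypothetical users
    "shellusers": {
        "alice": {"uid": 2001, "shell": "zsh", "fullname": "Alice Example"},
        "bob": {"uid": 2002},                    # no shell given: bash default
        "carol": {"uid": 2002, "shell": "ksh"},  # duplicate uid, unlisted shell
    },
    "revokedusers": ["bob", "dave"],
    "shellgroups": {
        "shell": ["alice", "bob"],               # bob is revoked but still a member
        "nasquenautes": ["alice", "carol"],
    },
}


def next_uid(users):
    """Manual fallback from the page: greatest 2xxx uid, plus one."""
    in_range = [u["uid"] for u in users.values() if 2000 <= u["uid"] <= 2999]
    return max(in_range, default=2000) + 1  # assumption: start at 2001 when empty


def check_pillar(pillar):
    """Return a sorted list of findings; an empty list means consistent data."""
    users = pillar["shellusers"]
    revoked = set(pillar["revokedusers"])
    findings, seen = [], {}
    for name, entry in users.items():
        other = seen.setdefault(entry["uid"], name)
        if other != name:
            findings.append(f"uid {entry['uid']} shared by {other} and {name}")
        shell = entry.get("shell", "bash")
        if shell not in ALLOWED_SHELLS:
            findings.append(f"{name}: shell {shell!r} is not in the documented list")
    for name in revoked.difference(users):
        findings.append(f"{name}: revoked but entry missing from shellusers")
    for group, members in pillar["shellgroups"].items():
        for name in members:
            if name in revoked:
                findings.append(f"{name}: revoked but still in group {group}")
            elif name not in users:
                findings.append(f"{name}: in group {group} but not in shellusers")
    return sorted(findings)


if __name__ == "__main__":
    print(*check_pillar(PILLAR), f"next uid: {next_uid(PILLAR['shellusers'])}", sep="\n")
```

A revoked user who is still listed in a group is the finding to fix first, since the revoke steps above require both the 'revokedusers' entry and the group removal.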
Run the Salt
If you have access to the Salt primary server in production:
salt eglide state.apply roles/core/users
Or locally, while Eglide doesn't have direct access to the Salt primary server:
sudo salt-call --local state.apply roles/shellserver/users
Watch for SSH key changes in the output. Please notify the affected users about any SSH key change when running this.