Operations grimoire/Create and revoke user accounts on Salt servers: Difference between revisions
From Nasqueron Agora
No edit summary |
DorianWinty (talk | contribs) No edit summary |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Create an user == | == Create an user == | ||
# Add entry to shellusers | # Add entry to shellusers in the <code>pillar/core/users.sls</code> | ||
## uid: you can run | ## uid: you can run <code>utils/next-uid.py</code> to generate one (if not, take the greatest 2xxx and do +1) | ||
## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh | ## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh | ||
## fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.) | ## fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.) | ||
Line 32: | Line 32: | ||
== Run the Salt == | == Run the Salt == | ||
If you've access to the Salt | If you've access to the Salt primary server in production: | ||
<code>salt eglide state.apply roles/shellserver/users</code> | <code>salt eglide state.apply roles/core/users</code> | ||
Or locally while Eglide doesn't have have a direct access to the Salt primary server: | |||
<code>sudo salt-call --local state.apply roles/shellserver/users</code> | |||
Take care of the SSH key changes during the output. Please notify concerned users about any SSH keys change when running this. | |||
See [[Operations grimoire/Deploy with Salt]]. | See [[Operations grimoire/Deploy with Salt]]. |
Latest revision as of 18:26, 2 April 2023
Create an user
- Add entry to shellusers in the
pillar/core/users.sls
- uid: you can run
utils/next-uid.py
to generate one (if not, take the greatest 2xxx and do +1) - shell: default shell is bash, other availables are fish / nologin / tcsh / zsh
- fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.)
- uid: you can run
Revoke an user
- Keep the entry in shellusers at pillar/core/users.sls
- Append the element to the 'revokedusers' list
- Remove it from relevant groups in pillar/core/groups.sls
Assign an user to a group
If you only put an user in shellusers, that's a no op operation.
Each server take users through the shellgroups dictionary in pillar/core/groups.sls.
Group | Description | Example of servers |
---|---|---|
shell | Shell access on Eglide (e.g. for IRC purpose) | eglide.org |
ops | Nasqueron Operations | Access everywhere |
nasquenautes | Shell access on Nasqueron dev servers | ysul, WindRiver |
Generally, the target groups are `shell` or `nasquenautes`.
Some specialized groups exist for a particular piece of software or service. It's generally ignored when adding a new user.
Run the Salt
If you've access to the Salt primary server in production:
salt eglide state.apply roles/core/users
Or locally while Eglide doesn't have have a direct access to the Salt primary server:
sudo salt-call --local state.apply roles/shellserver/users
Take care of the SSH key changes during the output. Please notify concerned users about any SSH keys change when running this.