Operations grimoire/Create and revoke user accounts on Salt servers: Difference between revisions
From Nasqueron Agora
No edit summary |
|||
Line 1: | Line 1: | ||
== Create an user == | == Create an user == | ||
# Add entry to shellusers | # Add entry to shellusers in the `pillar/core/users.sls` | ||
## uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1) | ## uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1) | ||
## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh | ## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh |
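Review bot: on the changed "Add entry to shellusers" line, drop the article before the path ("in `pillar/core/users.sls`") and say that shellusers is a key inside that file, so a reader does not go looking for a separate file named shellusers.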
Revision as of 16:02, 6 February 2020
Create a user
- Add an entry to shellusers in `pillar/core/users.sls`
  - uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1)
  - shell: the default shell is bash; the others available are fish / nologin / tcsh / zsh
  - fullname: this is public information, so publish it only if the user is comfortable with that (i.e. if they publish their full name elsewhere, like DevCentral, GitHub, etc.)
Revoke a user
- Keep the entry in shellusers at pillar/core/users.sls
- Append the element to the 'revokedusers' list
- Remove it from relevant groups in pillar/core/groups.sls
Assign a user to a group
If you only put a user in shellusers, that's a no-op.
Each server takes its users through the shellgroups dictionary in pillar/core/groups.sls.
Group | Description | Example of servers |
---|---|---|
shell | Shell access on Eglide (e.g. for IRC purpose) | eglide.org |
ops | Nasqueron Operations | Access everywhere |
nasquenautes | Shell access on Nasqueron dev servers | ysul, WindRiver |
Generally, the target groups are `shell` or `nasquenautes`.
Some specialized groups exist for a particular piece of software or service. They're generally ignored when adding a new user.
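A consistency check for the create, revoke and group rules above, written as an added example that is not part of the Nasqueron repository. The data layout (shellusers keyed by username, shellgroups mapping a group name to a list of usernames), the 2000-2999 uid range and the function name are assumptions; the sample accounts are constructed.

```python
# Added example. Assumed pillar layout: shellusers maps username ->
# {uid, shell, fullname}; shellgroups maps group name -> list of usernames.
ALLOWED_SHELLS = {"bash", "fish", "nologin", "tcsh", "zsh"}  # from the page


def lint_pillar(shellusers, revokedusers, shellgroups):
    """Return a sorted list of findings; an empty list means the data is clean."""
    findings = []
    seen_uids = {}
    grouped = {m for members in shellgroups.values() for m in members}

    for name, entry in shellusers.items():
        uid = entry.get("uid")
        # Assumption: "greatest 2xxx" means uids live in 2000-2999.
        if not isinstance(uid, int) or not 2000 <= uid <= 2999:
            findings.append(f"{name}: uid {uid!r} is outside the 2xxx range")
        elif uid in seen_uids:  # a shared uid means shared file ownership
            findings.append(f"{name}: uid {uid} already used by {seen_uids[uid]}")
        else:
            seen_uids[uid] = name
        if entry.get("shell", "bash") not in ALLOWED_SHELLS:
            findings.append(f"{name}: unknown shell {entry['shell']!r}")
        if name not in grouped and name not in revokedusers:
            findings.append(f"{name}: in no group, so the entry is a no-op")

    for name in revokedusers:
        if name not in shellusers:  # the entry must be kept on revocation
            findings.append(f"{name}: revoked but entry removed from shellusers")
        for group, members in shellgroups.items():
            if name in members:
                findings.append(f"{name}: revoked but still in group {group}")

    for group, members in shellgroups.items():
        for name in members:
            if name not in shellusers:
                findings.append(f"{name}: in group {group} but not in shellusers")
    return sorted(findings)


# Constructed sample data, not real accounts.
SAMPLE_USERS = {
    "alice": {"uid": 2001, "shell": "zsh", "fullname": "Alice Example"},
    "bob": {"uid": 2001, "shell": "bash"},
    "carol": {"uid": 2003, "shell": "fish"},
}
SAMPLE_REVOKED = ["carol"]
SAMPLE_GROUPS = {"shell": ["alice", "carol"], "nasquenautes": ["dave"]}
```

Calling `lint_pillar(SAMPLE_USERS, SAMPLE_REVOKED, SAMPLE_GROUPS)` before applying the state reports the reused uid, the ungrouped user, the revoked user still listed in a group, and the group member with no shellusers entry.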
Run the Salt
If you have access to the Salt master in production:
salt eglide state.apply roles/shellserver/users