Operations grimoire/Create and revoke user accounts on Salt servers: Difference between revisions

From Nasqueron Agora
No edit summary

Changes between the previous revision and the revision of 00:25, 6 February 2020 (wikitext source, side by side; headings are unchanged context):

Create an user
  Previous revision:
    1. Add public SSH key to roles/shellserver/users/files/ssh_keys/<account> file
    2. Add entry to pillar/users/shellusers.sls
  New revision:
    1. Add entry to shellusers at pillar/core/users.sls
      1. uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1)
      2. shell: default shell is bash, other available shells are fish / nologin / tcsh / zsh
      3. fullname: this is public information, so publish it only if the user is comfortable with that (i.e. if they publish their full name elsewhere, like DevCentral, GitHub, etc.)

Revoke an user
  Previous revision:
    1. Delete roles/shellserver/users/files/ssh_keys/<account> file
    2. Remove entry from pillar/users/shellusers.sls
    3. Add entry to pillar/users/revokedusers.sls
  New revision:
    1. Keep the entry in shellusers at pillar/core/users.sls
    2. Append the account to the 'revokedusers' list
    3. Remove it from relevant groups in pillar/core/groups.sls

Assign an user to a group
  New section, added in full in the new revision (its text and group table are shown in the rendered revision below).

Run the Salt
  Heading shown as context only; no changes listed for this section.

Revision as of 00:25, 6 February 2020

Create a user

  1. Add entry to shellusers at pillar/core/users.sls
    1. uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1)
    2. shell: default shell is bash, other available shells are fish / nologin / tcsh / zsh
    3. fullname: this is public information, so publish it only if the user is comfortable with that (i.e. if they publish their full name elsewhere, like DevCentral, GitHub, etc.)

Revoke a user

  1. Keep the entry in shellusers at pillar/core/users.sls
  2. Append the account to the 'revokedusers' list
  3. Remove it from relevant groups in pillar/core/groups.sls

Assign a user to a group

If you only put a user in shellusers, that is a no-op: the account is not created on any server until it is in a group.

Each server takes its users from the shellgroups dictionary in pillar/core/groups.sls.

{| class="wikitable"
|-
! Group !! Description !! Example of servers
|-
| shell || Shell access on Eglide (e.g. for IRC purpose) || eglide.org
|-
| ops || Nasqueron Operations || Access everywhere
|-
| nasquenautes || Shell access on Nasqueron dev servers || ysul, WindRiver
|}

Generally, the target groups are `shell` or `nasquenautes`.

Some specialized groups exist for a particular piece of software or service; they are generally ignored when adding a new user.
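Before running Salt, it is worth checking that the three pillar edits above (shellusers entry, revokedusers list, shellgroups membership) are consistent with each other, since a revoked account left in a group would still be deployed. The following is an added example, not part of the Nasqueron wiki or repository; it assumes the pillar shape shellusers {account: {uid, shell, fullname}}, revokedusers [account] and shellgroups {group: [account]}, and uses constructed sample data in place of the real pillar files.

```python
# Added example (not from the Nasqueron wiki): a sanity check for the pillar
# data described on this page. The pillar layout below is an assumption.

ALLOWED_SHELLS = {"bash", "fish", "nologin", "tcsh", "zsh"}

# Constructed sample data standing in for pillar/core/users.sls and groups.sls
SHELLUSERS = {
    "alice": {"uid": 2001, "shell": "zsh", "fullname": "Alice Example"},
    "bob": {"uid": 2002, "shell": "bash"},
    "mallory": {"uid": 2003, "shell": "fish"},
}
REVOKEDUSERS = ["mallory"]
SHELLGROUPS = {
    "shell": ["alice", "bob"],
    "nasquenautes": ["alice", "mallory"],  # stale membership after revocation
    "ops": ["alice"],
}


def next_uid(shellusers):
    """Mimic the utils/next-uid rule: greatest uid in the 2xxx range, plus one."""
    uids = [u["uid"] for u in shellusers.values() if 2000 <= u["uid"] <= 2999]
    return max(uids, default=2000) + 1


def check_pillar(shellusers, revokedusers, shellgroups):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    seen = {}
    for account, entry in shellusers.items():
        uid = entry.get("uid")
        if uid in seen:
            problems.append(f"{account}: uid {uid} already used by {seen[uid]}")
        seen[uid] = account
        shell = entry.get("shell", "bash")  # bash is the documented default
        if shell not in ALLOWED_SHELLS:
            problems.append(f"{account}: unknown shell {shell!r}")
    revoked = set(revokedusers)
    # Revoked accounts keep their shellusers entry (so the uid stays reserved)
    for name in sorted(revoked - set(shellusers)):
        problems.append(f"{name}: revoked but entry missing from shellusers")
    for group, members in shellgroups.items():
        for member in members:
            if member in revoked:
                problems.append(f"{member}: revoked but still in group {group}")
            elif member not in shellusers:
                problems.append(f"{member}: in group {group} but not a shelluser")
    return problems
```

In practice you would load the two .sls files with a YAML parser and pass the resulting dictionaries to check_pillar before committing.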

Run the Salt

If you have access to the Salt master in production:

salt eglide state.apply roles/shellserver/users

See Operations grimoire/Deploy with Salt.