Operations grimoire/Create and revoke user accounts on Salt servers

From Nasqueron Agora
< Operations grimoire
Revision as of 16:02, 6 February 2020 by Dereckson (talk | contribs) (→‎Create an user)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Create an user

  1. Add entry to shellusers in the `pillar/core/users.sls`
    1. uid: you can run `utils/next-uid` to generate one (if not, take the greatest 2xxx and do +1)
    2. shell: default shell is bash, other availables are fish / nologin / tcsh / zsh
    3. fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.)

Revoke an user

  1. Keep the entry in shellusers at pillar/core/users.sls
  2. Append the element to the 'revokedusers' list
  3. Remove it from relevant groups in pillar/core/groups.sls

Assign an user to a group

If you only put an user in shellusers, that's a no op operation.

Each server take users through the shellgroups dictionary in pillar/core/groups.sls.

Group Description Example of servers
shell Shell access on Eglide (e.g. for IRC purpose) eglide.org
ops Nasqueron Operations Access everywhere
nasquenautes Shell access on Nasqueron dev servers ysul, WindRiver

Generally, the target groups are `shell` or `nasquenautes`.

Some specialized groups exist for a particular piece of software or service. It's generally ignored when adding a new user.

Run the Salt

If you've access to the Salt master in production:

salt eglide state.apply roles/shellserver/users

See Operations grimoire/Deploy with Salt.