Playbook for managing local ldap admin user

Story: 2009759
Task: 45440

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Ic55e2a5852545b3921647ffa5e83833cad82c6cd
Elisamara Aoki Goncalves 2022-05-20 10:32:15 -03:00
parent 1c23c1abca
commit 2e8a5f69b0
5 changed files with 175 additions and 26 deletions

@ -13,7 +13,7 @@ Create LDAP Linux Accounts
.. note::
For security reasons, it is recommended that ONLY admin level users be
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
strictly use remote |CLIs| or remote web GUIs.
strictly use remote CLIs or remote web GUIs.
The :command:`ldapusersetup` command provides an interactive method for setting
up |LDAP| Linux user accounts.
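Review bot: this hunk removes the "|CLIs|" substitution from the note ("strictly use remote CLIs or remote web GUIs."), while the hunk for the Local LDAP Linux User Accounts page further down makes the opposite change to the identical sentence ("CLIs" to "|CLIs|"). The two files should agree; if "|CLIs|" is defined in the shared substitutions file, keep it here as well rather than dropping it.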
@ -57,11 +57,11 @@ For convenience, identify the user's Keystone account user name in |prod-long|.
.. code-block:: none
Enter username to add to |LDAP|:
Enter username to add to LDAP:
.. code-block:: none
Successfully added user user1 to |LDAP|
Successfully added user user1 to LDAP
Successfully set password for user user1
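Review bot: dropping "|LDAP|" inside the ".. code-block:: none" literals is the right fix, since RST substitutions are not expanded inside literal blocks and the raw "|LDAP|" would have rendered verbatim in the sample output; worth grepping the remaining code blocks in this file for the same pattern while you are here.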
@ -79,7 +79,7 @@ For convenience, identify the user's Keystone account user name in |prod-long|.
.. code-block:: none
Successfully modified user entry uid=ldapuser1, ou=People, dc=cgcs, dc=local in |LDAP|
Successfully modified user entry uid=ldapuser1, ou=People, dc=cgcs, dc=local in LDAP
Updating password expiry to 90 days
#. Change the warning period before the password expires.
@ -102,7 +102,11 @@ On completion of the script, the command prompt is displayed.
.. rubric:: |result|
The |LDAP| account is created. For information about the user login process,
see :ref:`For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux
Account Login <establish-keystone-credentials-from-a-linux-account>`.
The Local |LDAP| account is created. For information about the user login
process, see :ref:`For StarlingX and Platform OpenStack CLIs from a Local LDAP
Linux Account Login <establish-keystone-credentials-from-a-linux-account>`.
For managing composite Local |LDAP| Accounts (i.e. with associated Keystone and
Kubernetes accounts) for a standalone cloud or a distributed cloud, see
:ref:`Manage Composite Local LDAP Accounts at Scale
<manage-local-ldap-39fe3a85a528>`.

@ -21,6 +21,7 @@ System Accounts
keystone-accounts
remote-windows-active-directory-accounts
starlingx-system-accounts-system-account-password-rules
manage-local-ldap-39fe3a85a528
*****************
Access the System

@ -8,23 +8,25 @@ Local LDAP Linux User Accounts
You can create regular Linux user accounts using the |prod| LDAP service.
LDAP accounts are centrally managed; changes made on any host are propagated
automatically to all hosts on the cluster.
Local |LDAP| accounts are centrally managed on the active controller; all
hosts in the cloud/cluster use the Local |LDAP| server on the active controller
for |SSH| and Console authentication.
The intended use of these accounts is to provide additional admin level user
accounts \(in addition to sysadmin\) that can SSH to the nodes of the |prod|.
accounts \(in addition to sysadmin\) that can |SSH| to the nodes of the |prod|.
.. note::
For security reasons, it is recommended that ONLY admin level users be
allowed to SSH to the nodes of the |prod|. Non-admin level users should
strictly use remote CLIs or remote web GUIs.
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
strictly use remote |CLIs| or remote web GUIs.
Apart from being centrally managed, LDAP user accounts behave as any local user
account. They can be added to the sudoers list, and can acquire Keystone
administration credentials, Kubernetes kubectl, and helm administrative
commands as the Kubernetes admin user, when executing on the active controller.
Apart from being centrally managed, Local |LDAP| user accounts behave as any
local user account. They can be added to the sudoers list, and can acquire
Keystone administration credentials, Kubernetes kubectl, and helm
administrative commands as the Kubernetes admin user, when executing on the
active controller.
LDAP user accounts share the following set of attributes:
Local |LDAP| user accounts share the following set of attributes:
.. _local-ldap-linux-user-accounts-ul-d4q-g5c-5p:
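Review bot: the unchanged first sentence of this hunk ("You can create regular Linux user accounts using the |prod| LDAP service.") still uses bare "LDAP" while every rewritten line below it now says "Local |LDAP|"; update that sentence too so the page is consistent. Two wording nits in the added lines: "behave as any local user account" reads better as "behave like any local user account", and "cloud/cluster" should settle on one term.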
@ -47,8 +49,8 @@ LDAP user accounts share the following set of attributes:
- Home directories and passwords are backed up and restored by the system
backup utilities. Note that only passwords are synced across hosts \(both
LDAP users and **sysadmin**\). Home directories are not automatically synced
and are local to that host.
|LDAP| users and **sysadmin**\). Home directories are not automatically
synced and are local to that host.
.. _local-ldap-linux-user-accounts-section-kts-bvh-ynb:
@ -57,8 +59,8 @@ LDAP user accounts share the following set of attributes:
Default LDAP User Accounts
--------------------------
The following LDAP user accounts are available by default on newly deployed
hosts, regardless of their personality:
The following Local |LDAP| user accounts are available by default on newly
deployed hosts, regardless of their personality:
**operator**
A cloud administrative account, comparable to the default **admin**
@ -73,12 +75,12 @@ hosts, regardless of their personality:
commands and is included in the sudoers list.
For increased security, the **admin** and **operator** accounts must be used
from the console ports of the hosts; no SSH access is allowed.
from the console ports of the hosts; no |SSH| access is allowed.
.. _local-ldap-linux-user-accounts-ul-h22-ql4-tz:
- These accounts serve as system access redundancies in the event that SSH
- These accounts serve as system access redundancies in the event that |SSH|
access is unavailable. In the event of any issues with connectivity, user
lockout, or **sysadmin** passwords being forgotten or not getting propagated
properly, the presence of these accounts can be essential in gaining access
@ -89,4 +91,4 @@ from the console ports of the hosts; no SSH access is allowed.
.. seealso::
:ref:`Creating LDAP Linux Accounts <create-ldap-linux-accounts>`
:ref:`Create LDAP Linux Accounts <create-ldap-linux-accounts>`

@ -0,0 +1,140 @@
.. _manage-local-ldap-39fe3a85a528:
=============================================
Manage Composite Local LDAP Accounts at Scale
=============================================
.. rubric:: |context|
The purpose of this playbook is to simplify and automate the management of
composite Local |LDAP| accounts across multiple |DC| systems or standalone
systems. A composite Local |LDAP| account is defined as a Local |LDAP| account
that also has a unique keystone account with admin role credentials and access
to a K8S serviceAccount with ``cluster-admin`` role credentials.
A user with such a composite Local |LDAP| account can |SSH| to systems'
controllers and subclouds and:
- execute Linux commands (with local |LDAP| account credentials; with or
without sudo capabilities),
- execute |prod| |CLI| commands (with its keystone account (admin role)
credentials) and
- execute K8S |CLI| commands (with credentials of a ``cluster-admin`` K8S
serviceAccount).
A unique Local |LDAP| account and unique keystone account enables user-specific
command audit logging for security and tracking purposes.
Besides creating the required Local |LDAP|, Keystone and K8S accounts, the
playbook also fully sets up Keystone and K8S credentials in the Local |LDAP|
user's home directory on all controllers of all systems (i.e. standalone
systems, |DC| SystemControllers and |DC| Subclouds).
The playbook can be used to create or delete such composite Local |LDAP|
Accounts, manage access to sudo capabilities and manage password change
parameters.
-----------------------------------------
Create inventory file using Ansible-Vault
-----------------------------------------
Users are required to create an inventory file to specify playbook parameters.
Using ``ansible-vault`` is highly recommended for improved security. An
``ansible-vault`` password needs to be created during this step, which is required
for subsequent access to the ``ansible-vault`` and ansible-playbook commands.
Create a secure inventory file:
.. code-block:: none
~(keystone_admin)]$ ansible-vault create secure-inventory
This will open a text editor where you can fill the inventory parameters as
shown on the example below:
.. code-block:: none
[all:vars]
ansible_user=sysadmin
ansible_password=<sysadmin-password>
ansible_become_pass=<sysadmin-password>
[systemcontroller]
systemcontroller-0 ansible_host=127.0.0.1
The inventory parameters are:
``ansible_user``
Specify the ``sysadmin`` user for ansible to use.
``ansible_password``
The ``sysadmin`` password.
``ansible_become_pass``
The ``sysadmin`` password for using sudo.
``systemcontroller-0 ansible_host``
The target |DC|/Standalone system controller IP Address or |FQDN| to
create/delete the composite Local |LDAP| account. Use 127.0.0.1, loopback
address, if running the ansible playbook locally on the target
|DC|/Standalone system controller.
----------------
Run the playbook
----------------
After the inventory file is created, the ansible playbook can be run to perform
the user creation or removal process. The previously created ``ansible-vault``
password will be prompted during runtime.
.. code-block:: none
~(keystone_admin)]$ ansible-playbook --inventory secure-inventory --ask-vault-pass --extra-vars='user_id=na-admin mode=create' \ /usr/share/ansible/stx-ansible/ playbooks/manage_local_ldap_account.yml
- Extra-vars parameter options:
``user_id``
Username that will be used for both the Local |LDAP| account and the
Keystone account on the target |DC|/Standalone system and associated
|DC| Subclouds.
- mode:
``create``
Creates users within Local |LDAP| and Keystone. This is the default
value when not specified.
``delete``
Removes existing users from Local |LDAP| and Keystone.
- ``sudo_permission`` (optional):
``yes``
The created Local |LDAP| user will have ``sudo`` capabilities to
execute commands with root privileges on the |DC|/Standalone system and
associated |DC| Subclouds.
``no``
The created Local |LDAP| user will NOT have ``sudo`` capabilities to
execute commands with root privileges on the |DC|/Standalone system and
associated |DC| Subclouds.
- ``password_change_period``:
``<int>``
Related to the /etc/shadow file, this attribute specifies the maximum
number of days that the Local |LDAP| account's is valid.
- ``password_warning_period``:
``<int>``
Related to the /etc/shadow file, this attribute specifies the number
of days before password expiration that the Local |LDAP| user is warned.
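Review bot: the ansible-playbook command in the "Run the playbook" code block is broken as written: the playbook path is split by a space ("/usr/share/ansible/stx-ansible/ playbooks/manage_local_ldap_account.yml") and the "\" continuation is followed by more text on the same line instead of a line break, so copying the command verbatim will fail with a file-not-found error. Put the backslash at the end of the first line and the unbroken path on the second. Further points in the same hunk: the "password_change_period" description, "the maximum number of days that the Local |LDAP| account's is valid", is missing the word "password" (this is the shadow max-days field, and "password_warning_period" is the warn-days field, which is worth stating explicitly instead of "Related to the /etc/shadow file"); "mode" is the only extra-var not set in double backticks; "sudo_permission" is marked optional but the two password parameters are not, and no default values are documented for them; and "local |LDAP|" in the Linux-commands bullet should be "Local |LDAP|" like the rest of the page.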

@ -27,7 +27,8 @@ A brief description of the system accounts available in a |prod| system.
of the |prod|.
See :ref:`Local LDAP Linux User Accounts <local-ldap-linux-user-accounts>`
for more details.
and :ref:`Manage Composite Local LDAP Accounts at Scale
<manage-local-ldap-39fe3a85a528>` for more details.
.. note::
For security reasons, it is recommended that ONLY admin level users be
@ -47,4 +48,5 @@ For more information, refer to the following:
estabilish-credentials-for-linux-user-accounts
establish-keystone-credentials-from-a-linux-account
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login
kubernetes-cli-from-local-ldap-linux-account-login
manage-local-ldap-39fe3a85a528
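Review bot: the "kubernetes-cli-from-local-ldap-linux-account-login" toctree entry is removed and re-added with identical text, which suggests the only change is a missing newline at end of file; confirm that is the intent and that no trailing whitespace was introduced with it. Separately, the unchanged context entry "estabilish-credentials-for-linux-user-accounts" carries a typo in the document name; out of scope for this change, but worth a follow-up if the file can be renamed.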