From 2e8a5f69b066ea29134cbfac6710fd251a4fd85e Mon Sep 17 00:00:00 2001 From: Elisamara Aoki Goncalves Date: Fri, 20 May 2022 10:32:15 -0300 Subject: [PATCH] Playbook for managing local ldap admin user Story: 2009759 Task: 45440 Signed-off-by: Elisamara Aoki Goncalves Change-Id: Ic55e2a5852545b3921647ffa5e83833cad82c6cd --- .../kubernetes/create-ldap-linux-accounts.rst | 18 ++- .../index-security-kub-81153c1254c3.rst | 1 + .../local-ldap-linux-user-accounts.rst | 36 ++--- .../manage-local-ldap-39fe3a85a528.rst | 140 ++++++++++++++++++ .../overview-of-system-accounts.rst | 6 +- 5 files changed, 175 insertions(+), 26 deletions(-) create mode 100644 doc/source/security/kubernetes/manage-local-ldap-39fe3a85a528.rst diff --git a/doc/source/security/kubernetes/create-ldap-linux-accounts.rst b/doc/source/security/kubernetes/create-ldap-linux-accounts.rst index 42ea9263d..2bfa7f8d6 100644 --- a/doc/source/security/kubernetes/create-ldap-linux-accounts.rst +++ b/doc/source/security/kubernetes/create-ldap-linux-accounts.rst @@ -13,7 +13,7 @@ Create LDAP Linux Accounts .. note:: For security reasons, it is recommended that ONLY admin level users be allowed to |SSH| to the nodes of the |prod|. Non-admin level users should - strictly use remote |CLIs| or remote web GUIs. + strictly use remote CLIs or remote web GUIs. The :command:`ldapusersetup` command provides an interactive method for setting up |LDAP| Linux user accounts. @@ -57,11 +57,11 @@ For convenience, identify the user's Keystone account user name in |prod-long|. .. code-block:: none - Enter username to add to |LDAP|: + Enter username to add to LDAP: .. code-block:: none - Successfully added user user1 to |LDAP| + Successfully added user user1 to LDAP Successfully set password for user user1 
@@ -79,7 +79,7 @@ For convenience, identify the user's Keystone account user name in |prod-long|. .. code-block:: none - Successfully modified user entry uid=ldapuser1, ou=People, dc=cgcs, dc=local in |LDAP| + Successfully modified user entry uid=ldapuser1, ou=People, dc=cgcs, dc=local in LDAP Updating password expiry to 90 days #. Change the warning period before the password expires. @@ -102,7 +102,11 @@ On completion of the script, the command prompt is displayed. .. rubric:: |result| -The |LDAP| account is created. For information about the user login process, -see :ref:`For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux -Account Login `. +The Local |LDAP| account is created. For information about the user login +process, see :ref:`For StarlingX and Platform OpenStack CLIs from a Local LDAP +Linux Account Login `. +For managing composite Local |LDAP| Accounts (i.e. with associated Keystone and +Kubernetes accounts) for a standalone cloud or a distributed cloud, see +:ref:`Manage Composite Local LDAP Accounts at Scale +`. diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index 224422e82..9c61f557c 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -21,6 +21,7 @@ System Accounts keystone-accounts remote-windows-active-directory-accounts starlingx-system-accounts-system-account-password-rules + manage-local-ldap-39fe3a85a528 ***************** Access the System diff --git a/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst b/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst index 4a21692fc..515e869bc 100644 --- a/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst +++ b/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst 
@@ -8,23 +8,25 @@ Local LDAP Linux User Accounts You can create regular Linux user accounts using the |prod| LDAP service. -LDAP accounts are centrally managed; changes made on any host are propagated -automatically to all hosts on the cluster. +Local |LDAP| accounts are centrally managed on the active controller; all +hosts in the cloud/cluster use the Local |LDAP| server on the active controller +for |SSH| and Console authentication. The intended use of these accounts is to provide additional admin level user -accounts \(in addition to sysadmin\) that can SSH to the nodes of the |prod|. +accounts \(in addition to sysadmin\) that can |SSH| to the nodes of the |prod|. .. note:: For security reasons, it is recommended that ONLY admin level users be - allowed to SSH to the nodes of the |prod|. Non-admin level users should - strictly use remote CLIs or remote web GUIs. + allowed to |SSH| to the nodes of the |prod|. Non-admin level users should + strictly use remote |CLIs| or remote web GUIs. -Apart from being centrally managed, LDAP user accounts behave as any local user -account. They can be added to the sudoers list, and can acquire Keystone -administration credentials, Kubernetes kubectl, and helm administrative -commands as the Kubernetes admin user, when executing on the active controller. +Apart from being centrally managed, Local |LDAP| user accounts behave as any +local user account. They can be added to the sudoers list, and can acquire +Keystone administration credentials, Kubernetes kubectl, and helm +administrative commands as the Kubernetes admin user, when executing on the +active controller. -LDAP user accounts share the following set of attributes: +Local |LDAP| user accounts share the following set of attributes: .. _local-ldap-linux-user-accounts-ul-d4q-g5c-5p: 
@@ -47,8 +49,8 @@ LDAP user accounts share the following set of attributes: - Home directories and passwords are backed up and restored by the system backup utilities. Note that only passwords are synced across hosts \(both - LDAP users and **sysadmin**\). Home directories are not automatically synced - and are local to that host. + |LDAP| users and **sysadmin**\). Home directories are not automatically + synced and are local to that host. .. _local-ldap-linux-user-accounts-section-kts-bvh-ynb: @@ -57,8 +59,8 @@ LDAP user accounts share the following set of attributes: Default LDAP User Accounts -------------------------- -The following LDAP user accounts are available by default on newly deployed -hosts, regardless of their personality: +The following Local |LDAP| user accounts are available by default on newly +deployed hosts, regardless of their personality: **operator** A cloud administrative account, comparable to the default **admin** @@ -73,12 +75,12 @@ hosts, regardless of their personality: commands and is included in the sudoers list. For increased security, the **admin** and **operator** accounts must be used -from the console ports of the hosts; no SSH access is allowed. +from the console ports of the hosts; no |SSH| access is allowed. .. _local-ldap-linux-user-accounts-ul-h22-ql4-tz: -- These accounts serve as system access redundancies in the event that SSH +- These accounts serve as system access redundancies in the event that |SSH| access is unavailable. In the event of any issues with connectivity, user lockout, or **sysadmin** passwords being forgotten or not getting propagated properly, the presence of these accounts can be essential in gaining access @@ -89,4 +91,4 @@ from the console ports of the hosts; no SSH access is allowed. .. seealso:: - :ref:`Creating LDAP Linux Accounts ` \ No newline at end of file + :ref:`Create LDAP Linux Accounts ` \ No newline at end of file 
diff --git a/doc/source/security/kubernetes/manage-local-ldap-39fe3a85a528.rst b/doc/source/security/kubernetes/manage-local-ldap-39fe3a85a528.rst new file mode 100644 index 000000000..bcf34d085 --- /dev/null +++ b/doc/source/security/kubernetes/manage-local-ldap-39fe3a85a528.rst 
@@ -0,0 +1,140 @@ +.. _manage-local-ldap-39fe3a85a528: + +============================================= +Manage Composite Local LDAP Accounts at Scale +============================================= + +.. rubric:: |context| + +The purpose of this playbook is to simplify and automate the management of +composite Local |LDAP| accounts across multiple |DC| systems or standalone +systems. A composite Local |LDAP| account is defined as a Local |LDAP| account +that also has a unique keystone account with admin role credentials and access +to a K8S serviceAccount with ``cluster-admin`` role credentials. + +A user with such a composite Local |LDAP| account can |SSH| to systems' +controllers and subclouds and: + +- execute Linux commands (with local |LDAP| account credentials; with or + without sudo capabilities), + +- execute |prod| |CLI| commands (with its keystone account (admin role) + credentials) and + +- execute K8S |CLI| commands (with credentials of a ``cluster-admin`` K8S + serviceAccount). + +A unique Local |LDAP| account and unique keystone account enables user-specific +command audit logging for security and tracking purposes. + +Besides creating the required Local |LDAP|, Keystone and K8S accounts, the +playbook also fully sets up Keystone and K8S credentials in the Local |LDAP| +user's home directory on all controllers of all systems (i.e. standalone +systems, |DC| SystemControllers and |DC| Subclouds). + +The playbook can be used to create or delete such composite Local |LDAP| +Accounts, manage access to sudo capabilities and manage password change +parameters. + +----------------------------------------- +Create inventory file using Ansible-Vault +----------------------------------------- + +Users are required to create an inventory file to specify playbook parameters. +Using ``ansible-vault`` is highly recommended for improved security. 
An +``ansible-vault`` password needs to be created during this step, which is required +for subsequent access to the ``ansible-vault`` and ansible-playbook commands. + +Create a secure inventory file: + +.. code-block:: none + + ~(keystone_admin)]$ ansible-vault create secure-inventory + + +This will open a text editor where you can fill the inventory parameters as +shown on the example below: + +.. code-block:: none + + [all:vars] + + ansible_user=sysadmin + + ansible_password= + + ansible_become_pass= + + [systemcontroller] + + systemcontroller-0 ansible_host=127.0.0.1 + + +The inventory parameters are: + +``ansible_user`` + Specify the ``sysadmin`` user for ansible to use. + +``ansible_password`` + The ``sysadmin`` password. + +``ansible_become_pass`` + The ``sysadmin`` password for using sudo. + +``systemcontroller-0 ansible_host`` + The target |DC|/Standalone system controller IP Address or |FQDN| to + create/delete the composite Local |LDAP| account. Use 127.0.0.1, loopback + address, if running the ansible playbook locally on the target + |DC|/Standalone system controller. + +---------------- +Run the playbook +---------------- + +After the inventory file is created, the ansible playbook can be run to perform +the user creation or removal process. The previously created ``ansible-vault`` +password will be prompted during runtime. + +.. code-block:: none + + ~(keystone_admin)]$ ansible-playbook --inventory secure-inventory --ask-vault-pass --extra-vars='user_id=na-admin mode=create' \ /usr/share/ansible/stx-ansible/ playbooks/manage_local_ldap_account.yml + +- Extra-vars parameter options: + + ``user_id`` + Username that will be used for both the Local |LDAP| account and the + Keystone account on the target |DC|/Standalone system and associated + |DC| Subclouds. + +- mode: + + ``create`` + Creates users within Local |LDAP| and Keystone. This is the default + value when not specified. + + ``delete`` + Removes existing users from Local |LDAP| and Keystone. 
+ +- ``sudo_permission`` (optional): + + ``yes`` + The created Local |LDAP| user will have ``sudo`` capabilities to + execute commands with root privileges on the |DC|/Standalone system and + associated |DC| Subclouds. + + ``no`` + The created Local |LDAP| user will NOT have ``sudo`` capabilities to + execute commands with root privileges on the |DC|/Standalone system and + associated |DC| Subclouds. + +- ``password_change_period``: + + ```` + Related to the /etc/shadow file, this attribute specifies the maximum + number of days that the Local |LDAP| account's is valid. + +- ``password_warning_period``: + + ```` + Related to the /etc/shadow file, this attribute specifies the number + of days before password expiration that the Local |LDAP| user is warned. diff --git a/doc/source/security/kubernetes/overview-of-system-accounts.rst b/doc/source/security/kubernetes/overview-of-system-accounts.rst index 2df36370a..2e722ee4d 100644 --- a/doc/source/security/kubernetes/overview-of-system-accounts.rst +++ b/doc/source/security/kubernetes/overview-of-system-accounts.rst @@ -27,7 +27,8 @@ A brief description of the system accounts available in a |prod| system. of the |prod|. See :ref:`Local LDAP Linux User Accounts ` - for more details. + and :ref:`Manage Composite Local LDAP Accounts at Scale + ` for more details. .. note:: For security reasons, it is recommended that ONLY admin level users be @@ -47,4 +48,5 @@ For more information, refer to the following: estabilish-credentials-for-linux-user-accounts establish-keystone-credentials-from-a-linux-account starlingx-openstack-kubernetes-from-stsadmin-account-login - kubernetes-cli-from-local-ldap-linux-account-login \ No newline at end of file + kubernetes-cli-from-local-ldap-linux-account-login + manage-local-ldap-39fe3a85a528
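Review bot: the note text is changed in opposite directions in two files: the `@@ -13,7` hunk of create-ldap-linux-accounts.rst replaces `|CLIs|` with plain `CLIs`, while the `@@ -8,23` hunk of local-ldap-linux-user-accounts.rst replaces plain `CLIs` with `|CLIs|` in the same sentence. The two copies of the note should end up identical; if the `|CLIs|` substitution is defined for this doc set, keep it in both files rather than dropping it from one.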
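Review bot: in the new manage-local-ldap-39fe3a85a528.rst, the command in the "Run the playbook" code block has a space inside the playbook path (`/usr/share/ansible/stx-ansible/ playbooks/manage_local_ldap_account.yml`), so a reader copying it passes two arguments; the two pieces should be joined into a single path. In the parameter list, `sudo_permission` is marked optional but no default is stated, and `password_change_period` and `password_warning_period` state neither whether they are optional nor their defaults, so a reader cannot tell what a `create` run does when they are omitted; also, `mode` appears as its own bullet rather than under the "Extra-vars parameter options" list it belongs to, and its `create`/`delete` descriptions mention only Local LDAP and Keystone although the context section says a K8S serviceAccount with `cluster-admin` credentials is part of the composite account. Finally, the `password_change_period` description reads "the maximum number of days that the Local |LDAP| account's is valid" and is missing the word "password".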