Merge "Update deny access procedure for WAD users to use pam configuration"

Zuul 2024-10-30 14:25:22 +00:00 committed by Gerrit Code Review
commit d580140e8d
2 changed files with 60 additions and 47 deletions

View File

@ -8,9 +8,10 @@ Add LDAP Users to Linux Groups Using PAM Configuration
====================================================== ======================================================
The Linux pam_group module enables binding/mapping of |LDAP| users/groups to a The Linux pam_group module enables binding/mapping of |LDAP| users/groups to a
specified list of one or more Linux groups. The mapping will occur after the specified list of one or more Linux groups. The mapping allows Linux
|SSSD| service has discovered the |LDAP| users and groups and cached them on the capabilities (via the Linux groups) to be assigned to the |LDAP| users/groups.
host. The mapping will occur after the |SSSD| service has discovered the |LDAP| users
and groups and cached them on the host.
The mapping between the discovered |LDAP| users and their group membership to the The mapping between the discovered |LDAP| users and their group membership to the
local Linux groups works for all Linux groups, including system groups, such as local Linux groups works for all Linux groups, including system groups, such as
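Review bot: the added sentence "The mapping allows Linux capabilities (via the Linux groups) to be assigned to the |LDAP| users/groups" reads as if it means kernel capabilities (capabilities(7)), which pam_group does not grant; the rest of the page talks about group membership and privileges, so "allows Linux privileges (via Linux group membership) to be assigned to |LDAP| users" is clearer. Minor: "binding/mapping" and "users/groups" survive from the old text; pick one term each.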
@ -18,8 +19,9 @@ local Linux groups works for all Linux groups, including system groups, such as
.. note:: .. note::
The procedure described in this section applies to all the |LDAP| users, both local The procedure described in this section applies to all the |LDAP| users,
OpenLDAP and |LDAP| users in the remote Windows Active Directory servers. both Local |LDAP| and |LDAP| users in the remote Windows Active Directory
servers.
.. rubric:: |proc| .. rubric:: |proc|
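Review bot: "Local |LDAP|" is capitalized mid-sentence in the new note ("both Local |LDAP| and |LDAP| users in the remote Windows Active Directory servers") while the same page's old text and the second file use lowercase "local"; use one form throughout. The sentence also parses more easily as "both local |LDAP| users and |LDAP| users in remote Windows Active Directory servers".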
@ -89,11 +91,15 @@ privileges:
[pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ groups [pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ groups
eng@wad.mydomain.com root sudo sys_protected pvtest@wad.mydomain.com eng@wad.mydomain.com root sudo sys_protected pvtest@wad.mydomain.com
Local OpenLDAP user example: Local |LDAP| user example:
Add the line ``;%managers;Al0000-2400;sys_protected,root,sudo`` in Add the following line in ``/etc/security/group.conf`` to map users of the
``/etc/security/group.conf`` to map users of the local OpenLDAP group Local |LDAP| group ``managers`` to linux groups: ``sys_protected``, ``root``
``managers`` to linux groups: ``sys_protected``, ``root`` and ``sudo``. and ``sudo``.
.. code-block::
*;*;%managers;Al0000-2400;sys_protected,root,sudo
Log in with user ``johndole`` from ``managers`` group and check the user's Log in with user ``johndole`` from ``managers`` group and check the user's
group memberships and privileges. group memberships and privileges.
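Review bot: the new line `*;*;%managers;Al0000-2400;sys_protected,root,sudo` fixes the old example, which lacked the leading services and ttys fields of a pam_group entry (services;ttys;users;times;groups), but the surrounding text should say what the two `*` wildcards do: the mapping applies to every PAM service and every tty, not only SSH logins, and it grants ``root`` and ``sudo`` membership at all hours (``Al0000-2400``). One sentence after the code block pointing out that the service and time fields can be narrowed would help readers who copy the line as-is. Minor: "linux groups" should be "Linux groups" as elsewhere on the page.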

View File

@ -1,35 +1,23 @@
.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c: .. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:
======================================================== ====================================================
Selectively Disable SSH for Local OpenLDAP and WAD Users Selectively Disable SSH for Local LDAP and WAD Users
======================================================== ====================================================
Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication. Local LDAP and |WAD| servers are used for K8s API and |SSH| authentication.
Thus, it is necessary to disallow |SSH| authentication for selective users. In some cases, it may be necessary to disallow |SSH| authentication for selective users or a
group of users.
--------------------------------- The Linux group ``denyssh`` is a system created group which is preconfigured in
Linux Group denyssh Configuration the |SSHD| configuration such that any member of this group is denied |SSH| access.
---------------------------------
The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with --------------------------------
denied |SSH| access will be added. The group is configured in the |SSHD| Deny SSH Access Local LDAP Users
configuration file ``/etc/ssh/sshd_config`` and will be available to use after --------------------------------
system deployment.
Check the ``denyssh`` Linux group created at platform installation:
.. code-block::
[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
denyssh:x:10000
----------------------------------
Deny SSH Access for OpenLDAP Users
----------------------------------
.. rubric:: |proc| .. rubric:: |proc|
#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add #. Create a local |LDAP| user with the :command:`ldapusersetup` command and add
the user to Linux group ``denyssh`` during the creation of the |LDAP| user the user to Linux group ``denyssh`` during the creation of the |LDAP| user
account. account.
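Review bot: the new section title "Deny SSH Access Local LDAP Users" is missing "for" (compare "Deny SSH Access for WAD Users" below). The rewritten intro also drops the old paragraph's mention of ``/etc/ssh/sshd_config`` and the ``getent group denyssh`` verification step; since the WAD procedure later maps onto this existing Linux group, keep at least the `getent group denyssh` check so readers can confirm the group exists before adding members. "system created group" wants a hyphen: "system-created".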
@ -67,16 +55,12 @@ Deny SSH Access for OpenLDAP Users
sysadmin@controller-0:~$ getent group|grep denyssh sysadmin@controller-0:~$ getent group|grep denyssh
denyssh:x:10000:test1 denyssh:x:10000:test1
#. Log in as user ``test1``. #. Ssh as user ``test1``.
The login should be denied. The ssh should be denied.
#. Remove the user from ``denyssh`` group. #. Remove the user from ``denyssh`` group.
#. Attempt to :command:`ssh` as the user.
The :command:`ssh` should be successful.
Example: Example:
.. code-block:: .. code-block::
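Review bot: "Ssh as user ``test1``" and "The ssh should be denied" use ssh as a bare verb, while the neighbouring steps use :command:`ssh`; keep the old phrasing "Attempt to :command:`ssh` as user ``test1``" and "The :command:`ssh` login should be denied". The removed "Attempt to :command:`ssh` as the user" step after group removal reappears after the example in the next hunk; check that the renumbered list still reads in the order a user would follow.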
@ -87,25 +71,48 @@ Deny SSH Access for OpenLDAP Users
[sysadmin@controller-0 ~(keystone_admin)]$ id test1 [sysadmin@controller-0 ~(keystone_admin)]$ id test1
uid=10005(test1) gid=100(users) groups=100(users) uid=10005(test1) gid=100(users) groups=100(users)
#. Ssh as user ``test1``.
The ssh should be allowed.
----------------------------- -----------------------------
Deny SSH Access for WAD Users Deny SSH Access for WAD Users
----------------------------- -----------------------------
.. rubric:: |proc| .. rubric:: |proc|
#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``. #. Create a |WAD| group or use an existing |WAD| group for the users that
should not have access to the platform.
#. Add the |WAD| user to the ``denyssh`` |WAD| group. .. note::
#. Attempt to :command:`ssh` as the |WAD| user. The |WAD| group used should have a name other than ``denyssh``.
The login should be denied. #. Add the |WAD| user to the |WAD| group.
#. Remove the user from |WAD| group ``denyssh``.
The user should be able to :command:`ssh`.
.. note::
The |WAD| user you want to deny access to should not be a member of a
|WAD| group that has allowed access. The allowed user groups are
configured with the |SSSD| parameter ``ldap_access_filter``. Giving and
denying access to the user at the same time leads to inconsistent
authentication results.
#. Map the |WAD| group to the existing Linux group ``denyssh`` following the |PAM|
group configuration described in :ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`.
Example: Add the following line in ``/etc/security/group.conf`` to map the
|WAD| group to the ``denysssh`` Linux group.
``*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh``
#. Attempt to ssh as the |WAD| user.
The ssh should be denied.
#. Remove the user from the |WAD| group.
The user should be able to ssh.
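Review bot: ``denysssh`` in "map the |WAD| group to the ``denysssh`` Linux group" is a typo for ``denyssh``; a reader copying the name from the prose would target a group that does not exist. Two further points: step 1 says the |WAD| group is for users that "should not have access to the platform", but membership of ``denyssh`` blocks only |SSH| (the intro says the same servers also serve K8s API authentication), so say "should not have |SSH| access"; and the group.conf line is an inline literal here while the local |LDAP| example in the other file uses ``.. code-block::``, so use a code block in both places. Please also confirm the :ref: label ``add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`` matches the target's label, as the double "c" in "pamcconfiguration" looks like a typo.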