docs/doc/source/security/kubernetes/local-and-ldap-linux-user-accounts.rst
Rafael Jardim d95c80d36f Update Security
Fixed merge conflict (RS)

Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com>
Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2021-04-01 16:02:36 -04:00

64 lines
2.3 KiB
ReStructuredText

.. xgp1595963622893
.. _local-and-ldap-linux-user-accounts:
==============================
Local LDAP Linux User Accounts
==============================
You can manage regular Linux \(shadow\) user accounts on any host in the
cluster using standard Linux commands.
.. _local-and-ldap-linux-user-accounts-ul-zrv-zwf-mmb:
- Local Linux user accounts should NOT be configured, only use local |LDAP|
accounts for internal system purposes that would usually not be created by
an end-user.
- Password changes are not enforced automatically on the first login, and
they are not propagated by the system \(only for 'sysadmin'\).
- **If the administrator wants to provision additional access to the system, it is better to configure local LDAP Linux accounts.**
- |LDAP| accounts are centrally managed; changes made on any host are
propagated automatically to all hosts on the cluster.
- |LDAP| user accounts behave as any local user account. They can be added
to the sudoers list and can acquire OpenStack administration credentials.
- The initial password must be changed immediately upon the first login.
- Login sessions are logged out automatically after about 15 minutes of
inactivity.
- The accounts block following five consecutive unsuccessful login
attempts. They unblock automatically after a period of about five minutes.
- All authentication attempts are recorded on the file /var/log/auth.log
of the target host.
.. note::
For security reasons, it is recommended that ONLY admin level users be
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
strictly use remote |CLIs| or remote web GUIs.
Operational complexity:
.. _local-and-ldap-linux-user-accounts-ul-bsv-zwf-mmb:
- Passwords aging is automatically configured.
- |LDAP| user accounts \(operator, admin\) are available by default on
newly deployed hosts. For increased security, the admin and operator
accounts must be used from the console ports of the hosts; no |SSH| access
is allowed.
- |prod| includes a script for creating |LDAP| Linux accounts with built-in
Keystone user support. It provides an interactive method for setting up
|LDAP| Linux user accounts with access to OpenStack commands. You can
assign a limited shell or a bash shell.