
[US367408] Add support for user & ssh key mgmt

Change-Id: I0ef68dfd80194e6da289fbf86f5cd2ee5c7edad8
Craig Anderson 1 year ago
parent
commit
9e7028416e

+ 7
- 1
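--- a/Makefile
+++ b/Makefile
@@ -15,8 +15,9 @@
 HELM := helm
 TASK := build
 
-EXCLUDES := helm-toolkit doc tests tools logs
+EXCLUDES := helm-toolkit docs tests tools logs
 CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+CHART := divingbell
 
 all: $(CHARTS)
 
@@ -42,3 +43,8 @@ clean:
 	rm -rf */templates/_globals.tpl
 
 .PHONY: $(EXCLUDES) $(CHARTS)
+
+.PHONY: charts
+charts: clean
+	$(HELM) dep up $(CHART)
+	$(HELM) package $(CHART)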
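Review bot: The new `charts` target has a plural name but packages only `$(CHART)`, and nothing in the hunk explains how it relates to the similarly named `CHARTS` list that drives `all`. A comment above the rule would prevent the two from being confused, for example `# charts: refresh dependencies for $(CHART) and package it; unlike 'all', this does not iterate $(CHARTS)`. The `clean` rule it depends on starts outside this hunk.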

+ 181
- 0
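--- a/divingbell/templates/bin/_uamlite.sh.tpl
+++ b/divingbell/templates/bin/_uamlite.sh.tpl
@@ -0,0 +1,181 @@
+#!/bin/bash
+
+{{/*
+# Copyright 2018 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+set -e
+
+cat <<'EOF' > {{ .Values.conf.chroot_mnt_path | quote }}/tmp/uamlite_host.sh
+{{ include "divingbell.shcommon" . }}
+
+keyword='divingbell'
+builtin_acct='ubuntu'
+
+add_user(){
+  die_if_null "${user_name}" ", 'user_name' env var not initialized"
+  : ${user_sudo:=false}
+
+  # Create user if user does not already exist
+  getent passwd ${user_name} && \
+    log.INFO "User '${user_name}' already exists" || \
+  (useradd --create-home --shell /bin/bash --comment ${keyword} ${user_name} && \
+    log.INFO "User '${user_name}' successfully created")
+
+  # Unexpire the user (if user had been previously expired)
+  if [ "$(chage -l ${user_name} | grep 'Account expires' | cut -d':' -f2 |
+          tr -d '[:space:]')" != "never" ]; then
+    usermod --expiredate "" ${user_name}
+    log.INFO "User '${user_name}' has been unexpired"
+  fi
+
+  # Add sudoers entry if requested for user
+  if [ "${user_sudo}" = 'true' ]; then
+    # Add sudoers entry if it does not already exist
+    user_sudo_file=/etc/sudoers.d/${keyword}-${user_name}-sudo
+    if [ -f "${user_sudo_file}" ] ; then
+      log.INFO "User '${user_name}' already added to sudoers: ${user_sudo_file}"
+    else
+      echo "${user_name} ALL=(ALL) NOPASSWD:ALL" > "${user_sudo_file}"
+      log.INFO "User '${user_name}' added to sudoers: ${user_sudo_file}"
+    fi
+    curr_sudoers="${curr_sudoers}${user_sudo_file}"$'\n'
+  else
+    log.INFO "User '${user_name}' was not requested sudo access"
+  fi
+
+  curr_userlist="${curr_userlist}${user_name}"$'\n'
+}
+
+add_sshkeys(){
+  die_if_null "${user_name}" ", 'user_name' env var not initialized"
+  user_sshkeys="$@"
+
+  sshkey_dir="/home/${user_name}/.ssh"
+  sshkey_file="${sshkey_dir}/authorized_keys"
+  if [ -z "${user_sshkeys}" ]; then
+    log.INFO "User '${user_name}' has no SSH keys defined"
+    if [ -f "${sshkey_file}" ]; then
+      rm "${sshkey_file}"
+      log.INFO "User '${user_name}' has had its authorized_keys file wiped"
+    fi
+  else
+    sshkey_file_contents='# NOTE: This file is managed by divingbell'$'\n'
+    for sshkey in "$@"; do
+      sshkey_file_contents="${sshkey_file_contents}${sshkey}"$'\n'
+    done
+    write_file=false
+    if [ -f "${sshkey_file}" ]; then
+      if [ "$(cat "${sshkey_file}")" = \
+           "$(echo "${sshkey_file_contents}" | head -n-1)" ]; then
+        log.INFO "User '${user_name}' has no new SSH keys"
+      else
+        write_file=true
+      fi
+    else
+      write_file=true
+    fi
+    if [ "${write_file}" = "true" ]; then
+      mkdir -p "${sshkey_dir}"
+      chmod 700 "${sshkey_dir}"
+      echo -e "${sshkey_file_contents}" > "${sshkey_file}"
+      chown -R ${user_name}:${user_name} "${sshkey_dir}" || \
+        (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
+      log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
+    fi
+    custom_sshkeys_present=true
+  fi
+
+}
+
+{{- if hasKey .Values.conf "uamlite" }}
+{{- if hasKey .Values.conf.uamlite "users" }}
+{{- range $item := .Values.conf.uamlite.users }}
+  {{- range $key, $value := . }}
+    {{ $key }}={{ $value | quote }} \
+  {{- end }}
+  add_user
+
+  {{- range $key, $value := . }}
+    {{ $key }}={{ $value | quote }} \
+  {{- end }}
+  add_sshkeys {{ range $ssh_key := .user_sshkeys }}{{ $ssh_key | quote }} {{end}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+# TODO: This should be done before applying new settings rather than after
+# Expire any previously defined users that are no longer defined
+users="$(getent passwd | grep ${keyword} | cut -d':' -f1)"
+echo "$users" | sort > /tmp/prev_users
+echo "$curr_userlist" | sort > /tmp/curr_users
+revert_list="$(comm -23 /tmp/prev_users /tmp/curr_users)"
+IFS=$'\n'
+for user in ${revert_list}; do
+  # We expire rather than delete the user to maintain local UID FS consistency
+  usermod --expiredate 1 ${user}
+  log.INFO "User '${user}' has been disabled (expired)"
+done
+
+# Delete any previous user sudo access that is no longer defined
+sudoers="$(find /etc/sudoers.d | grep ${keyword})"
+echo "$sudoers" | sort > /tmp/prev_sudoers
+echo "$curr_sudoers" | sort > /tmp/curr_sudoers
+revert_list="$(comm -23 /tmp/prev_sudoers /tmp/curr_sudoers)"
+IFS=$'\n'
+for sudo_file in ${revert_list}; do
+  rm "${sudo_file}"
+  log.INFO "Sudoers file '${sudo_file}' has been deleted"
+done
+
+if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
+  # Disable built-in account as long as there was at least one account defined
+  # in this chart with a ssh key present
+  if [ "${custom_sshkeys_present}" = "true" ]; then
+    if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
+          tr -d '[:space:]')" = "never" ]; then
+      usermod --expiredate 1 ${builtin_acct}
+    fi
+  # Re-enable built-in account as a fallback in the event that are no other
+  # accounts defined in this chart with a ssh key present
+  else
+    if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
+          tr -d '[:space:]')" != "never" ]; then
+      usermod --expiredate "" ${builtin_acct}
+    fi
+  fi
+fi
+
+if [ -n "${curr_userlist}" ]; then
+  log.INFO 'All uamlite data successfully validated on this node.'
+else
+  log.WARN 'No uamlite overrides defined for this node.'
+fi
+
+exit 0
+EOF
+
+chmod 755 {{ .Values.conf.chroot_mnt_path | quote }}/tmp/uamlite_host.sh
+chroot {{ .Values.conf.chroot_mnt_path | quote }} /tmp/uamlite_host.sh
+
+sleep 1
+echo 'INFO Putting the daemon to sleep.'
+
+while [ 1 ]; do
+  sleep 300
+done
+
+exit 0
+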
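Review bot: The generated host script runs as root inside the host chroot but writes through fixed, predictable paths in places non-root users can influence: `/tmp/uamlite_host.sh`, `/tmp/prev_users`, `/tmp/curr_users`, `/tmp/prev_sudoers`, `/tmp/curr_sudoers` and `/home/${user_name}/.ssh/authorized_keys`. A pre-existing file or symlink at any of those names would be reused or followed by the `>` redirections, so the scratch files are better created with `tmpdir="$(mktemp -d)"` in a root-only location, and `add_sshkeys` should stop when `[ -L "${sshkey_dir}" ] || [ -L "${sshkey_file}" ]` and set `chmod 600 "${sshkey_file}"` explicitly after the write. The values loop renders `{{ $key }}={{ $value | quote }}`, which turns every key of a user entry into an environment variable and leaves double-quoted values open to shell expansion when the host script runs; emitting only `user_name` and `user_sudo` and validating `user_name` against a strict pattern before it reaches `useradd`, `chown` or the sudoers file name would close that. `getent passwd | grep ${keyword}` and `find /etc/sudoers.d | grep ${keyword}` match the keyword anywhere in the line, so an unrelated account or sudoers file containing `divingbell` could be expired or deleted; matching the comment field, e.g. `awk -F: -v k="${keyword}" '$5 == k {print $1}'`, is tighter.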

+ 30
- 0
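--- a/divingbell/templates/configmap-uamlite.yaml
+++ b/divingbell/templates/configmap-uamlite.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2018 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "divingbell.configmap.uamlite" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $configMapName }}
+data:
+  uamlite: |+
+{{ tuple "bin/_uamlite.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- end }}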

+ 65
- 0
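--- a/divingbell/templates/daemonset-uamlite.yaml
+++ b/divingbell/templates/daemonset-uamlite.yaml
@@ -0,0 +1,65 @@
+{{/*
+# Copyright 2018 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- define "divingbell.daemonset.uamlite" }}
+  {{- $daemonset := index . 0 }}
+  {{- $configMapName := index . 1 }}
+  {{- $envAll := index . 2 }}
+  {{- with $envAll }}
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: {{ $daemonset }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      containers:
+      - name: {{ $daemonset }}
+        image: {{ .Values.images.divingbell }}
+        imagePullPolicy: {{ .Values.images.pull_policy }}
+        command:
+        - /tmp/{{ $daemonset }}.sh
+        volumeMounts:
+        - name: rootfs-{{ $daemonset }}
+          mountPath: {{ .Values.conf.chroot_mnt_path }}
+        - name: {{ $configMapName }}
+          mountPath: /tmp/{{ $daemonset }}.sh
+          subPath: {{ $daemonset }}
+          readOnly: true
+        securityContext:
+          privileged: true
+      volumes:
+      - name: rootfs-{{ $daemonset }}
+        hostPath:
+          path: /
+      - name: {{ $configMapName }}
+        configMap:
+          name: {{ $configMapName }}
+          defaultMode: 0555
+  {{- end }}
+{{- end }}
+{{- $daemonset := "uamlite" }}
+{{- $configMapName := "divingbell-uamlite" }}
+{{- $daemonset_yaml := list $daemonset $configMapName . | include "divingbell.daemonset.uamlite" | toString | fromYaml }}
+{{- $configmap_include := "divingbell.configmap.uamlite" }}
+{{- list $daemonset $daemonset_yaml $configmap_include $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}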
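Review bot: The pod spec requests `hostNetwork: true`, `hostPID: true` and `hostIPC: true` on top of `privileged: true` and a hostPath mount of `/`, yet the script this DaemonSet runs only chroots into the mounted root to edit accounts, authorized_keys and sudoers files. Unless something outside this commit depends on them, dropping `hostNetwork: true` and `hostIPC: true` (and `hostPID: true` if the chroot works without it) narrows what a compromised image or container can reach. The container then sleeps indefinitely with the host root still mounted, so the image referenced by `.Values.images.divingbell` is worth pinning by digest in the values. A comment above `securityContext` should record why the access is needed, e.g. `# privileged + hostPath / are required to chroot into the host and manage /etc/passwd, /etc/sudoers.d and ~/.ssh`.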

+ 165
- 6
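--- a/divingbell/tools/gate/test.sh
+++ b/divingbell/tools/gate/test.sh
@@ -33,6 +33,18 @@ ETHTOOL_KEY4=tx-nocache-copy
 ETHTOOL_VAL4_DEFAULT=off
 ETHTOOL_KEY5=tx-checksum-ip-generic
 ETHTOOL_VAL5_DEFAULT=on
+USERNAME1=userone
+USERNAME1_SUDO=true
+USERNAME1_SSHKEY1="ssh-rsa abc123 comment"
+USERNAME2=usertwo
+USERNAME2_SUDO=false
+USERNAME2_SSHKEY1="ssh-rsa xyz456 comment"
+USERNAME2_SSHKEY2="ssh-rsa qwe789 comment"
+USERNAME2_SSHKEY3="ssh-rsa rfv000 comment"
+USERNAME3=userthree
+USERNAME3_SUDO=true
+USERNAME4=userfour
+USERNAME4_SUDO=false
 nic_info="$(lshw -class network)"
 physical_nic=''
 IFS=$'\n'
@@ -96,6 +108,14 @@ _write_ethtool(){
   fi
 }
 
+_reset_account(){
+  if [ -n "$1" ]; then
+    sudo deluser $1 >& /dev/null || true
+    sudo rm -r /home/$1 >& /dev/null || true
+    sudo rm /etc/sudoers.d/*$1* >& /dev/null || true
+  fi
+}
+
 init_default_state(){
   if [ "${1}" = 'make' ]; then
     (cd ../../../; make)
@@ -112,6 +132,11 @@ init_default_state(){
   _write_ethtool ${DEVICE} ${ETHTOOL_KEY3} ${ETHTOOL_VAL3_DEFAULT}
   _write_ethtool ${DEVICE} ${ETHTOOL_KEY4} ${ETHTOOL_VAL4_DEFAULT}
   _write_ethtool ${DEVICE} ${ETHTOOL_KEY5} ${ETHTOOL_VAL5_DEFAULT}
+  # Remove any created accounts, SSH keys
+  _reset_account ${USERNAME1}
+  _reset_account ${USERNAME2}
+  _reset_account ${USERNAME3}
+  _reset_account ${USERNAME4}
 }
 
 install(){
@@ -134,9 +159,9 @@ get_container_status(){
   local log_connect_sleep_interval=2
   local wait_time=0
   while : ; do
-    kubectl logs "${container}" --namespace="${NAME}" > /dev/null && break ||
-      echo "Waiting for container logs..." &&
-      wait_time=$((${wait_time} + ${log_connect_sleep_interval})) &&
+    kubectl logs "${container}" --namespace="${NAME}" > /dev/null && break || \
+      echo "Waiting for container logs..." && \
+      wait_time=$((${wait_time} + ${log_connect_sleep_interval})) && \
       sleep ${log_connect_sleep_interval}
     if [ ${wait_time} -ge ${log_connect_timeout} ]; then
       echo "Hit timeout while waiting for container logs to become available."
@@ -149,7 +174,8 @@ get_container_status(){
   while : ; do
     CLOGS="$(kubectl logs --namespace="${NAME}" "${container}" 2>&1)"
     local status="$(echo "${CLOGS}" | tail -1)"
-    if [[ ${status} = *ERROR* ]] || [[ ${status} = *TRACE* ]]; then
+    if [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *ERROR* ]] ||
+       [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *TRACE* ]]; then
       if [ "${2}" = 'expect_failure' ]; then
         echo 'Pod exited as expected'
         break
@@ -159,8 +185,8 @@ get_container_status(){
         echo "${CLOGS}"
         exit 1
       fi
-    elif [ "${status}" = 'INFO Putting the daemon to sleep.' ] ||
-    [ "${status}" = 'DEBUG + exit 0' ]; then
+    elif [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *'INFO Putting the daemon to sleep.'* ]] ||
+    [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *'DEBUG + exit 0'* ]]; then
       if [ "${2}" = 'expect_failure' ]; then
         echo 'Expected pod to die with error, but pod completed successfully'
         echo 'pod logs:'
@@ -475,6 +501,138 @@ test_ethtool(){
   echo '[SUCCESS] ethtool test7 passed successfully' >> "${TEST_RESULTS}"
 }
 
+_test_user_enabled(){
+  username=$1
+  user_enabled=$2
+
+  if [ "${user_enabled}" = "true" ]; then
+    # verify the user is there and not set to expire
+    getent passwd $username >& /dev/null
+    test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+            tr -d '[:space:]')" = "never"
+  else
+    # If the user exists, verify it's not non-expiring
+    if [ -n "$(getent passwd $username)" ]; then
+      test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+              tr -d '[:space:]')" != "never"
+    fi
+  fi
+}
+
+_test_sudo_enabled(){
+  username=$1
+  sudo_enable=$2
+  sudoers_file=/etc/sudoers.d/*$username*
+
+  if [ "${sudo_enable}" = "true" ]; then
+    test -f $sudoers_file
+  else
+    test ! -f $sudoers_file
+  fi
+}
+
+_test_ssh_keys(){
+  username=$1
+  sshkey=$2
+  ssh_file=/home/$username/.ssh/authorized_keys
+
+  if [ "$sshkey" = "false" ]; then
+    test ! -f "${ssh_file}"
+  else
+    grep "$sshkey" "${ssh_file}"
+  fi
+}
+
+test_uamlite(){
+  # Test the first set of values
+  local overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set1.yaml
+  echo "conf:
+  uamlite:
+    users:
+    - user_name: ${USERNAME1}
+      user_sudo: ${USERNAME1_SUDO}
+      user_sshkeys:
+      - ${USERNAME1_SSHKEY1}
+    - user_name: ${USERNAME2}
+      user_sudo: ${USERNAME2_SUDO}
+      user_sshkeys:
+      - ${USERNAME2_SSHKEY1}
+      - ${USERNAME2_SSHKEY2}
+      - ${USERNAME2_SSHKEY3}
+    - user_name: ${USERNAME3}
+      user_sudo: ${USERNAME3_SUDO}
+    - user_name: ${USERNAME4}" > "${overrides_yaml}"
+  install_base "--values=${overrides_yaml}"
+  get_container_status uamlite
+  _test_user_enabled ${USERNAME1} true
+  _test_sudo_enabled ${USERNAME1} ${USERNAME1_SUDO}
+  _test_ssh_keys     ${USERNAME1} "${USERNAME1_SSHKEY1}"
+  _test_user_enabled ${USERNAME2} true
+  _test_sudo_enabled ${USERNAME2} ${USERNAME2_SUDO}
+  _test_ssh_keys     ${USERNAME2} "${USERNAME2_SSHKEY1}"
+  _test_ssh_keys     ${USERNAME2} "${USERNAME2_SSHKEY2}"
+  _test_ssh_keys     ${USERNAME2} "${USERNAME2_SSHKEY3}"
+  _test_user_enabled ${USERNAME3} true
+  _test_sudo_enabled ${USERNAME3} ${USERNAME3_SUDO}
+  _test_ssh_keys     ${USERNAME3} false
+  _test_user_enabled ${USERNAME4} true
+  _test_sudo_enabled ${USERNAME4} ${USERNAME4_SUDO}
+  _test_ssh_keys     ${USERNAME4} false
+  echo '[SUCCESS] uamlite test1 passed successfully' >> "${TEST_RESULTS}"
+
+  # Test an updated set of values
+  overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set2.yaml
+  uname1_sudo=false
+  uname2_sudo=true
+  uname3_sudo=false
+  echo "conf:
+  uamlite:
+    users:
+    - user_name: ${USERNAME1}
+      user_sudo: ${uname1_sudo}
+    - user_name: ${USERNAME2}
+      user_sudo: ${uname2_sudo}
+      user_sshkeys:
+      - ${USERNAME2_SSHKEY1}
+      - ${USERNAME2_SSHKEY2}
+    - user_name: ${USERNAME3}
+      user_sudo: ${uname3_sudo}
+      user_sshkeys:
+      - ${USERNAME1_SSHKEY1}
+      - ${USERNAME2_SSHKEY3}
+    - user_name: ${USERNAME4}" > "${overrides_yaml}"
+  install_base "--values=${overrides_yaml}"
+  get_container_status uamlite
+  _test_user_enabled ${USERNAME1} true
+  _test_sudo_enabled ${USERNAME1} ${uname1_sudo}
+  _test_ssh_keys     ${USERNAME1} false
+  _test_user_enabled ${USERNAME2} true
+  _test_sudo_enabled ${USERNAME2} ${uname2_sudo}
+  _test_ssh_keys     ${USERNAME2} "${USERNAME2_SSHKEY1}"
+  _test_ssh_keys     ${USERNAME2} "${USERNAME2_SSHKEY2}"
+  _test_user_enabled ${USERNAME3} true
+  _test_sudo_enabled ${USERNAME3} ${uname3_sudo}
+  _test_ssh_keys     ${USERNAME3} "${USERNAME1_SSHKEY1}"
+  _test_ssh_keys     ${USERNAME3} "${USERNAME2_SSHKEY3}"
+  _test_user_enabled ${USERNAME4} true
+  _test_sudo_enabled ${USERNAME4} ${USERNAME4_SUDO}
+  _test_ssh_keys     ${USERNAME4} false
+  echo '[SUCCESS] uamlite test2 passed successfully' >> "${TEST_RESULTS}"
+
+  # Test revert/rollback functionality
+  install_base
+  get_container_status uamlite
+  _test_user_enabled ${USERNAME1} false
+  _test_sudo_enabled ${USERNAME1} false
+  _test_user_enabled ${USERNAME2} false
+  _test_sudo_enabled ${USERNAME2} false
+  _test_user_enabled ${USERNAME3} false
+  _test_sudo_enabled ${USERNAME3} false
+  _test_user_enabled ${USERNAME4} false
+  _test_sudo_enabled ${USERNAME4} false
+  echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
+}
+
 # test daemonset value overrides for hosts and labels
 test_overrides(){
   overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-dryrun.yaml
@@ -752,6 +910,7 @@ install_base
 test_sysctl
 test_mounts
 test_ethtool
+test_uamlite
 purge_containers
 test_overrides
 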
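Review bot: Key revocation is never verified by `test_uamlite`: set2 drops `USERNAME2_SSHKEY3` from usertwo, but `_test_ssh_keys` only runs `grep "$sshkey" "${ssh_file}"` for keys that should be present, so a stale key left in `authorized_keys` would still pass. A negative check after the second install would cover it, e.g. `if grep -qF "${USERNAME2_SSHKEY3}" "/home/${USERNAME2}/.ssh/authorized_keys"; then echo 'revoked key still present'; exit 1; fi`, and `grep -F` inside `_test_ssh_keys` keeps the key from being read as a regular expression. None of the helpers assert the owner or mode of `.ssh` and `authorized_keys`, or the mode of the sudoers file, which are the properties sshd and sudo enforce. The bare `getent` and `test` lines in `_test_user_enabled` and `_test_sudo_enabled` fail the run only if errexit is active, which is set, if at all, outside these hunks.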
 

+ 13
- 3
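--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -112,10 +112,20 @@ packages
 
 Not implemented
 
-users
-^^^^^
+uamlite
+^^^^^^^
 
-Not implemented
+Used to manage host level local user accounts, their SSH keys, and their sudo
+access. Ex::
+
+    conf:
+      uamlite:
+        users:
+        - user_name: testuser
+          user_sudo: True
+          user_sshkeys:
+          - ssh-rsa AAAAB3N... key1-comment
+          - ssh-rsa AAAAVY6... key2-comment
 
 Node specific configurations
 ----------------------------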
