docs/doc/source/security/kubernetes/overview-of-system-accounts.rst


.. lgd1552571882796
.. _overview-of-system-accounts:

===================
Linux User Accounts
===================

A brief description of the system accounts available in a |prod| system.


**Sysadmin Local Linux Account**
    This is a local, per-host, sudo-enabled account created automatically when
    a new host is provisioned. It is used by the primary system administrator
    for |prod|, as it has extended privileges.

    See :ref:`The sysadmin Account <the-sysadmin-account>` for more details.

**Local Linux User Accounts**
    Local Linux User Accounts should NOT be created since they are used for
    internal system purposes.

**Local LDAP Linux User Accounts**
    These are local LDAP accounts that are centrally managed across all hosts
    in the cluster. These accounts are intended to provide additional admin
    level user accounts \(in addition to sysadmin\) that can SSH to the nodes
    of the |prod|.

    See :ref:`Local LDAP Linux User Accounts <local-ldap-linux-user-accounts>`
    and :ref:`Manage Composite Local LDAP Accounts at Scale
    <manage-local-ldap-39fe3a85a528>` for more details.

    .. note::
        For security reasons, it is recommended that ONLY admin level users be
        allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
        strictly use remote |CLIs| or remote web GUIs.

For more information, refer to the following:

.. toctree::
   :maxdepth: 1

   the-sysadmin-account
   local-ldap-linux-user-accounts
   create-ldap-linux-accounts
   remote-access-for-linux-accounts
   password-recovery-for-linux-user-accounts
   estabilish-credentials-for-linux-user-accounts
   establish-keystone-credentials-from-a-linux-account
   starlingx-openstack-kubernetes-from-stsadmin-account-login
   kubernetes-cli-from-local-ldap-linux-account-login
   manage-local-ldap-39fe3a85a528
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. lgd1552571882796`
			`.. _overview-of-system-accounts:`

Editorial updates on Security Guide upstream Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4 2021-05-20 14:11:59 -03:00			`===================`
			`Linux User Accounts`
			`===================`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`A brief description of the system accounts available in a \|prod\| system.`


Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`Sysadmin Local Linux Account`
			`This is a local, per-host, sudo-enabled account created automatically when`
			`a new host is provisioned. It is used by the primary system administrator`
			`for \|prod\|, as it has extended privileges.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			See :ref:`The sysadmin Account <the-sysadmin-account>` for more details.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`Local Linux User Accounts`
			`Local Linux User Accounts should NOT be created since they are used for`
			`internal system purposes.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`Local LDAP Linux User Accounts`
			`These are local LDAP accounts that are centrally managed across all hosts`
			`in the cluster. These accounts are intended to provide additional admin`
			`level user accounts \(in addition to sysadmin\) that can SSH to the nodes`
			`of the \|prod\|.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			See :ref:`Local LDAP Linux User Accounts <local-ldap-linux-user-accounts>`
Playbook for managing local ldap admin user Story: 2009759 Task: 45440 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Ic55e2a5852545b3921647ffa5e83833cad82c6cd 2022-05-20 10:32:15 -03:00			and :ref:`Manage Composite Local LDAP Accounts at Scale
			<manage-local-ldap-39fe3a85a528>` for more details.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. note::`
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`For security reasons, it is recommended that ONLY admin level users be`
			`allowed to \|SSH\| to the nodes of the \|prod\|. Non-admin level users should`
			`strictly use remote \|CLIs\| or remote web GUIs.`
Editorial updates on Security Guide upstream Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4 2021-05-20 14:11:59 -03:00
			`For more information, refer to the following:`

			`.. toctree::`
			`:maxdepth: 1`

			`the-sysadmin-account`
			`local-ldap-linux-user-accounts`
			`create-ldap-linux-accounts`
			`remote-access-for-linux-accounts`
			`password-recovery-for-linux-user-accounts`
			`estabilish-credentials-for-linux-user-accounts`
			`establish-keystone-credentials-from-a-linux-account`
			`starlingx-openstack-kubernetes-from-stsadmin-account-login`
Playbook for managing local ldap admin user Story: 2009759 Task: 45440 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Ic55e2a5852545b3921647ffa5e83833cad82c6cd 2022-05-20 10:32:15 -03:00			`kubernetes-cli-from-local-ldap-linux-account-login`
			`manage-local-ldap-39fe3a85a528`