docs/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst
Elisamara Aoki Goncalves 2e8a5f69b0 Playbook for managing local ldap admin user
Story: 2009759
Task: 45440

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Ic55e2a5852545b3921647ffa5e83833cad82c6cd
2022-06-06 17:29:42 -03:00

Local LDAP Linux User Accounts

You can create regular Linux user accounts using the LDAP service.

Local LDAP accounts are centrally managed on the active controller; all hosts in the cloud/cluster use the local LDAP server on the active controller for SSH and console authentication.

The intended use of these accounts is to provide additional admin-level user accounts (in addition to sysadmin) that can SSH to the nodes of the StarlingX cloud.

Note

For security reasons, it is recommended that ONLY admin-level users be allowed to SSH to the nodes of the StarlingX cloud. Non-admin-level users should strictly use the remote CLIs or the remote web GUIs.

Apart from being centrally managed, local LDAP user accounts behave like any other local user account. They can be added to the sudoers list, and, when executing on the active controller, they can acquire Keystone administration credentials and run Kubernetes kubectl and helm administrative commands as the Kubernetes admin user.

Local LDAP user accounts share the following set of attributes:

  • The initial password is the name of the account.
  • The initial password must be changed immediately upon first login.
  • For complete details on password rules, see System Account Password Rules <starlingx-system-accounts-system-account-password-rules>.
  • Login sessions are logged out automatically after about 15 minutes of inactivity.
  • The accounts are blocked following five consecutive unsuccessful login attempts. They are unblocked automatically after a period of about five minutes.
  • All authentication attempts are recorded on the file /var/log/auth.log of the target host.
  • Home directories and passwords are backed up and restored by the system backup utilities. Note that only passwords are synced across hosts (for both LDAP users and sysadmin). Home directories are not automatically synced and are local to each host.
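Because every authentication attempt lands in /var/log/auth.log on the target host, the lockout policy above (five consecutive failures, automatic unblock after about five minutes) can be checked against the log itself. The following is an added example written for this page, not StarlingX code: it parses sshd entries in the standard syslog/PAM format ("Failed password for ..." / "Accepted password for ..."), flags users who reached the consecutive-failure threshold, and counts attempts made while the account should still have been blocked. The log lines are constructed for the example, and the year is an assumption because syslog timestamps carry none.

```python
"""Check auth.log-style sshd entries against a five-consecutive-failure lockout.

Added example for this page; the sample log lines are constructed and the
sshd message format is the stock syslog/PAM one, not anything StarlingX-specific.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCK_THRESHOLD = 5                     # consecutive failures that trigger a block
LOCK_DURATION = timedelta(minutes=5)   # approximate automatic unblock period
ASSUMED_YEAR = 2022                    # assumption: syslog timestamps have no year

# Matches the standard sshd result lines; PAM session lines etc. are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: alice fails five times (lockout), tries once more while
# blocked, then succeeds after the block expires; bob fails once, then succeeds.
SAMPLE_AUTH_LOG = """\
Jun  6 17:01:02 controller-0 sshd[2101]: Failed password for alice from 10.10.10.5 port 51000 ssh2
Jun  6 17:01:05 controller-0 sshd[2101]: Failed password for alice from 10.10.10.5 port 51000 ssh2
Jun  6 17:01:09 controller-0 sshd[2104]: Failed password for alice from 10.10.10.5 port 51002 ssh2
Jun  6 17:01:13 controller-0 sshd[2104]: Failed password for alice from 10.10.10.5 port 51002 ssh2
Jun  6 17:01:18 controller-0 sshd[2107]: Failed password for alice from 10.10.10.5 port 51004 ssh2
Jun  6 17:02:00 controller-0 sshd[2110]: Failed password for alice from 10.10.10.5 port 51006 ssh2
Jun  6 17:03:00 controller-0 sshd[2115]: Failed password for bob from 10.10.10.7 port 40000 ssh2
Jun  6 17:03:10 controller-0 sshd[2116]: Accepted password for bob from 10.10.10.7 port 40002 ssh2
Jun  6 17:08:30 controller-0 sshd[2130]: Accepted password for alice from 10.10.10.5 port 51010 ssh2
Jun  6 17:08:30 controller-0 sshd[2130]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def parse_line(line):
    """Return (timestamp, user, success, source_ip) or None for non-result lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["user"], m["result"] == "Accepted", m["ip"]


def analyze(log_text, threshold=LOCK_THRESHOLD, lock_duration=LOCK_DURATION):
    """Per user: when lockouts were triggered and how many attempts hit a blocked account."""
    state = defaultdict(lambda: {"fails": 0, "locked_until": None,
                                 "lockouts": [], "attempts_while_locked": 0})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, user, ok, _ip = parsed
        s = state[user]
        # Any attempt inside the block window is noise that the lockout should have rejected.
        if s["locked_until"] is not None and ts < s["locked_until"]:
            s["attempts_while_locked"] += 1
            continue
        if ok:
            s["fails"] = 0                    # a success resets the consecutive count
            s["locked_until"] = None
        else:
            s["fails"] += 1
            if s["fails"] >= threshold:       # fifth consecutive failure: account blocked
                s["lockouts"].append(ts.isoformat())
                s["locked_until"] = ts + lock_duration
                s["fails"] = 0
    return {u: {"lockouts": s["lockouts"],
                "attempts_while_locked": s["attempts_while_locked"]}
            for u, s in state.items()}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_AUTH_LOG), indent=2))
```

Running the block prints a lockout for alice at 17:01:18 with one attempt during the block window and nothing for bob. On a real host, feed it the contents of /var/log/auth.log; an attempt counted while locked that nonetheless shows as "Accepted" would indicate the lockout is not being enforced as documented.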

Default LDAP User Accounts

The following local LDAP user accounts are available by default on newly deployed hosts, regardless of their personality:

operator

A cloud administrative account, comparable to the default admin account used in the web management interface.

This user account has access to all native Linux commands not requiring root or sudo privileges, and its shell is preconfigured to have administrative access to StarlingX commands.

admin

A host administrative account. It has access to all native Linux commands and is included in the sudoers list.

For increased security, the admin and operator accounts must be used from the console ports of the hosts; no SSH access is allowed for them.

  • These accounts serve as system access redundancies in the event that SSH access is unavailable. In the event of connectivity problems, user lockout, or sysadmin passwords being forgotten or not propagated properly, the presence of these accounts can be essential for regaining access to the deployment and rectifying the problem. This is why these accounts are restricted to the console port only, as a form of “manual override.” The operator account gives access to the cloud deployment only, without granting unrestricted sudo access to the entire system.

See also: Create LDAP Linux Accounts <create-ldap-linux-accounts>