 362af54d37
Added documentation for optional parameter "user_role" in "manage_local_ldap_account.yml" playbook.

Story: 2010149
Task: 46351
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/857982
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I29df15ab403f213e5bd328155ad907251b7b56d6
	Manage Composite Local LDAP Accounts at Scale
The purpose of this playbook is to simplify and automate the management of composite Local LDAP accounts across multiple systems or standalone systems. A composite Local LDAP account is defined as a Local LDAP account that also has a unique Keystone account with admin role credentials and access to a K8S serviceAccount with cluster-admin role credentials.

A user with such a composite Local LDAP account can log in to the systems' controllers and subclouds and:
- execute Linux commands (with Local LDAP account credentials; with or without sudo capabilities),
- execute StarlingX CLI commands (with the credentials of their Keystone account, admin role) and
- execute K8S commands (with the credentials of a cluster-admin K8S serviceAccount).

A unique Local LDAP account and a unique Keystone account enable user-specific command audit logging for security and tracking purposes.

Besides creating the required Local LDAP, Keystone and K8S accounts, the playbook also fully sets up the Keystone and K8S credentials in the Local LDAP user's home directory on all controllers of all systems (i.e. standalone systems, SystemControllers and Subclouds).

The playbook can be used to create or delete such composite Local LDAP accounts, manage access to sudo capabilities and manage password change parameters.
Create an inventory file using Ansible-Vault
Users are required to create an inventory file to specify playbook
parameters. Using ansible-vault is highly recommended for
improved security. An ansible-vault password needs to be
created during this step, which is required for subsequent access to the
ansible-vault and ansible-playbook commands.
Create a secure inventory file:

    ~(keystone_admin)]$ ansible-vault create secure-inventory

This opens a text editor where you can fill in the inventory parameters as shown in the example below:

    [all:vars]
    ansible_user=sysadmin
    ansible_password=<sysadmin-password>
    ansible_become_pass=<sysadmin-password>

    [systemcontroller]
    systemcontroller-0 ansible_host=127.0.0.1

The inventory parameters are:
- ansible_user: the sysadmin user for Ansible to use.
- ansible_password: the sysadmin password.
- ansible_become_pass: the sysadmin password for using sudo.
- systemcontroller-0 ansible_host: the IP address of the target SystemController/Standalone system controller on which to create/delete the composite Local LDAP account. Use 127.0.0.1, the loopback address, if running the Ansible playbook locally on the target SystemController/Standalone system controller.
Run the playbook
After the inventory file is created, the ansible playbook can be run
to perform the user creation or removal process. The previously created
ansible-vault password will be prompted during runtime.
    ~(keystone_admin)]$ ansible-playbook --inventory secure-inventory --ask-vault-pass \
        --extra-vars='user_id=na-admin mode=create' \
        /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml

Extra-vars parameter options:
- user_id: username that will be used for both the Local LDAP account and the Keystone account on the target SystemController/Standalone system and associated Subclouds.
- mode:
  - create: creates the user within Local LDAP and Keystone. This is the default value when not specified.
  - delete: removes the existing user from Local LDAP and Keystone.
- sudo_permission (optional):
  - yes: the created Local LDAP user will have sudo capabilities to execute commands with root privileges on the SystemController/Standalone system and associated Subclouds.
  - no: the created Local LDAP user will NOT have sudo capabilities to execute commands with root privileges on the SystemController/Standalone system and associated Subclouds.
- user_role (optional):
  - admin: sets the Keystone role of the user to be created to admin. This role has permissions to execute all StarlingX CLI commands. This is the default value when not specified.
  - member: sets the Keystone role of the user to be created to member. This role is for future use; currently it has the same permissions as the Keystone reader role.
  - reader: sets the Keystone role of the user to be created to reader. This role has permissions to execute only passive display-type (e.g. list, get) StarlingX CLI commands.
- password_change_period: <int>. Related to the /etc/shadow file, this attribute specifies the maximum number of days that the Local LDAP account's password is valid.
- password_warning_period: <int>. Related to the /etc/shadow file, this attribute specifies the number of days before password expiration that the Local LDAP user is warned.