= User Management =

Quattor and QWG templates allow managing different aspects of user configuration, including:
 * Local account creation and modification
 * Configuration of authentication methods
 * Configuration of SSH keys
 * Configuration of user privileges (e.g. sudo)

The main NCM components related to user management are:
 * `ncm-accounts`: creation and modification of local accounts
 * `ncm-authconfig`: configuration of authentication methods. Most of the mechanisms supported by the `authconfig` command can be managed by this component.
 * `ncm-sudo`: management of sudo configuration
 * `ncm-useraccess`: configuration of SSH keys for users and of rights to access applications

== Bulk Creation of Local Accounts ==

In addition, QWG Templates provide a template, [source:templates/trunk/standard/users/config.tpl standard/users/config.tpl], that allows efficient creation of users and groups on a large number of machines. The goal of this template is to create a consistent set of users on several machines, with flexible configuration options providing the following features:
 * A single list of user and group definitions, so that if a user or group exists on several machines it has the same account characteristics (uid, gid, ...) everywhere.
 * For each user, the ability to define an optional public SSH key.
 * For each machine, the ability to select the subset of users and groups to create.
 * The ability to define named subsets of users that are assigned to machines, rather than giving the explicit list of users.
 * Support for a default list of users to create on all machines, either in addition to machine-specific users or as a default list when no other users are defined.

This template takes its input from a site template whose name must be passed in the variable `USER_CONFIG_SITE`.

This site template may define the following variables (whose default value is an empty list or nlist, depending on the variable):

 * `USER_LIST`: a nlist defining user account characteristics, with one entry per user. The key is the userid, the value is a nlist corresponding to a valid set of `ncm-accounts` user properties. Example:
{{{
variable USER_LIST ?= nlist(
  'userex', nlist('uid', 711,
                  'groups', list('groupex'),
            ),
  'userex2', nlist('uid', 712,
                   'groups', list('groupex2'),
             ),
);
}}}

 * `USER_SSH_KEYS`: a nlist defining an optional public SSH key per user, with one entry per user. The key is the userid, the value is a URL where the public key can be downloaded from. Example:
{{{
variable USER_SSH_KEYS ?= nlist(
  'userex', USER_LIST_SSHKEY_URL_PREFIX + 'userex.pub',
  'userex2', USER_LIST_SSHKEY_URL_PREFIX + 'userex2.pub',
);
}}}

 * `GROUP_LIST`: a nlist defining group characteristics, with one entry per group. The key is the group name, the value is a nlist corresponding to a valid set of `ncm-accounts` group properties. There is no need to define a group in this list if it is dedicated to one user and uses the user's uid as its gid. Example:
{{{
variable GROUP_LIST ?= nlist(
  'groupex', nlist('gid', 800),
);
}}}

 * `DB_MACHINE_GROUPS`: a nlist defining the groups to create on a specific machine. The key is a machine name, the value is a list of groups which must exist in `GROUP_LIST`. When a group is added to a machine, all user accounts belonging to the group are created as well, so it is generally more convenient to add user accounts through this variable than through `DB_MACHINE_USERS`. Groups implicitly created with a gid equal to the user's gid should not be listed in this nlist. Example:
{{{
variable DB_MACHINE_GROUPS ?= nlist(
  'mynode.example.com', list('groupex'),
);
}}}

 * `DB_MACHINE_USERS`: a nlist defining the users to create on a specific machine. The key is a machine name, the value is a list of users which must exist in `USER_LIST`. This list is often empty, as it is generally more convenient to add user accounts through the group list (see the `DB_MACHINE_GROUPS` description). Example:
{{{
variable DB_MACHINE_USERS ?= nlist(
  'mynode.example.com', list('userex2'),
);
}}}

 * `DB_MACHINE_DEFAULT_ENTRIES`: a nlist allowing to define accounts that must be created by default on a subset of machines. The key is a regexp matching one or more machine names. The value is a nlist with 2 possible entries (keys):
   * `entries` (mandatory): a string (if only one value) or a list of strings referencing entries in `DB_MACHINE_USERS` or `DB_MACHINE_GROUPS`.
   * `alwaysAdd` (optional): when true, add the entries even if there is an explicit entry for the machine in `DB_MACHINE_USERS` or `DB_MACHINE_GROUPS`. Default is false (the entries are used only if there is no explicit entry for the machine).
{{{
variable DB_MACHINE_DEFAULT_ENTRIES ?= nlist(
  escape('^grid.*\.example\.com$'), nlist('entries', 'userex2',
                                          'alwaysAdd', true),
);
}}}

Look at the [source:templates/trunk/standard/users/config.tpl template] header for more details.
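The following site template puts the variables described above together in one file. It is an added example, not code from the QWG distribution: the template name `site/users/config`, the hostnames, the value of `USER_LIST_SSHKEY_URL_PREFIX`, the uids/gids and the extra `ncm-accounts` user properties (`comment`, `shell`) are assumptions. Following the description of `DB_MACHINE_DEFAULT_ENTRIES`, the `entries` values are read as keys of `DB_MACHINE_USERS` or `DB_MACHINE_GROUPS`, so keys that are not hostnames serve as the named subsets mentioned in the feature list.

```pan
# Added example of a site template for standard/users/config; not part of
# the QWG distribution. Template name, hostnames, key URL prefix value and
# the comment/shell user properties are assumptions; uids/gids are sample values.
unique template site/users/config;

# Location the public SSH keys are downloaded from (value assumed).
variable USER_LIST_SSHKEY_URL_PREFIX ?= 'http://config.example.com/sshkeys/';

# One definition per user: the same uid and groups apply on every machine
# where the user is created, so file ownership stays consistent across hosts.
variable USER_LIST ?= nlist(
    'userex',  nlist('uid', 711, 'groups', list('groupex'),
                     'comment', 'Example user', 'shell', '/bin/bash'),
    'userex2', nlist('uid', 712, 'groups', list('groupex'),
                     'comment', 'Second example user', 'shell', '/bin/bash'),
    'opadmin', nlist('uid', 713, 'groups', list('admins'),
                     'comment', 'Operations admin', 'shell', '/bin/bash')
);

# Optional public key per user; a user without an entry simply gets no key.
variable USER_SSH_KEYS ?= nlist(
    'userex',  USER_LIST_SSHKEY_URL_PREFIX + 'userex.pub',
    'opadmin', USER_LIST_SSHKEY_URL_PREFIX + 'opadmin.pub'
);

# Groups shared by several users. A user's private group (gid = uid) is not listed.
variable GROUP_LIST ?= nlist(
    'groupex', nlist('gid', 800),
    'admins',  nlist('gid', 801)
);

# Groups per machine; adding a group also creates all of its member accounts.
# 'grid_admins' is not a hostname: it is a named set referenced from
# DB_MACHINE_DEFAULT_ENTRIES below.
variable DB_MACHINE_GROUPS ?= nlist(
    'mynode.example.com', list('groupex'),
    'grid_admins',        list('admins')
);

# Explicit per-machine users; usually short because groups are preferred.
# 'wn_default' is again a named set rather than a hostname.
variable DB_MACHINE_USERS ?= nlist(
    'mynode.example.com', list('userex2'),
    'wn_default',         list('userex')
);

# Defaults selected by hostname regexp; escape() turns the regexp into a
# valid nlist key. Grid nodes always get the admins group, even when they
# have explicit entries; worker nodes get 'wn_default' only when nothing
# explicit is defined for them (alwaysAdd defaults to false).
variable DB_MACHINE_DEFAULT_ENTRIES ?= nlist(
    escape('^grid.*\.example\.com$'), nlist('entries', 'grid_admins',
                                            'alwaysAdd', true),
    escape('^wn.*\.example\.com$'),   nlist('entries', list('wn_default'))
);
```

To activate it, set `variable USER_CONFIG_SITE = 'site/users/config';` in the machine profile or site base template before `standard/users/config` is included. Every variable uses `?=`, so a template loaded earlier can still override any of them for a particular machine.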