Version 3 (modified by 16 years ago)
User Management
Quattor and the QWG templates make it possible to manage several aspects of user configuration, including:
- Local account creation and modification
- Configuration of authentication methods
- Configuration of SSH keys
- Configuration of user privileges (e.g. sudo)
The main NCM components related to user management are:
ncm-accounts
: creation and modification of local accounts
ncm-authconfig
: configuration of authentication methods. Most of the mechanisms supported by the authconfig command can be managed by this component.
ncm-sudo
: management of the sudo configuration
ncm-useraccess
: configuration of SSH keys for users and of rights to access applications
Bulk Creation of Local Accounts
In addition, the QWG Templates provide a template, standard/users/config.tpl, that allows efficient creation of users and groups on a large number of machines. The goal of this template is to create a consistent set of users on several machines, with flexible configuration options providing the following features:
- A unique list of user and group definitions so that if a user or group exists on several machines, it will have the same account characteristics (uid, gid...).
- For each user, ability to define an optional public SSH key.
- For each machine, ability to select the subset of users and groups to create.
- Ability to define named subsets of users that are assigned to machines rather than giving the explicit list of users.
- Support for a default list of users to create on all machines, either in addition to machine specific users or as a default list when no other users are defined.
This template takes its input from a site template whose name must be passed in the variable USER_CONFIG_SITE. This site template may define the following variables (each defaults to an empty list or nlist, according to the variable's type):
USER_LIST
: a nlist defining user account characteristics, with one entry per user. The key is the userid, the value is a nlist corresponding to a valid set of ncm-accounts user properties. Example:

    variable USER_LIST ?= nlist(
        'userex',  nlist('uid', 711, 'groups', list('groupex'), ),
        'userex2', nlist('uid', 712, 'groups', list('groupex2'), ),
    );
USER_SSH_KEYS
: a nlist defining an optional public SSH key for each user, with one entry per user. The key is the userid, the value is a URL from which the public key can be downloaded. Example:

    variable USER_SSH_KEYS ?= nlist(
        'userex',  USER_LIST_SSHKEY_URL_PREFIX + 'userex.pub',
        'userex2', USER_LIST_SSHKEY_URL_PREFIX + 'userex2.pub',
    );
GROUP_LIST
: a nlist defining group characteristics, with one entry per group. The key is the group name, the value is a nlist corresponding to a valid set of ncm-accounts group properties. A group need not be defined in this list if it is dedicated to one user and uses that user's uid as its gid. Example:

    variable GROUP_LIST ?= nlist(
        'groupex', nlist('gid', 800),
    );
DB_MACHINE_GROUPS
: a nlist defining the groups to create on a specific machine. The key is a machine name, the value is a list of groups, each of which must exist in GROUP_LIST. When a group is added to a machine, all user accounts belonging to that group are created as well, so it is generally more convenient to add user accounts through this variable than through DB_MACHINE_USERS. Private groups created implicitly for a single user (see GROUP_LIST) should not be listed in this nlist. Example:

    variable DB_MACHINE_GROUPS ?= nlist(
        'mynode.example.com', list('groupex'),
    );
DB_MACHINE_USERS
: a nlist defining the users to create on a specific machine. The key is a machine name, the value is a list of users, each of which must exist in USER_LIST. This list is often empty, as it is generally more convenient to add user accounts through the group list (see the DB_MACHINE_GROUPS description). Example:

    variable DB_MACHINE_USERS ?= nlist(
        'mynode.example.com', list('userex2'),
    );
DB_MACHINE_DEFAULT_ENTRIES
: a nlist defining accounts that must be created by default on a subset of machines. The key is a regexp matching one or more machine names (wrapped in escape(), since a nlist key must be a valid Pan key). The value is a nlist with two possible entries (keys):
  - entries (mandatory): a string (for a single value) or a list of strings referencing entries in DB_MACHINE_USERS or DB_MACHINE_GROUPS.
  - alwaysAdd (optional): when true, the entries are added even if there is an explicit entry for the machine in DB_MACHINE_USERS or DB_MACHINE_GROUPS. Default is false (the entries are used only when there is no explicit entry for the machine).
  Example:

    variable DB_MACHINE_DEFAULT_ENTRIES ?= nlist(
        escape('^grid.*\.example\.com$'), nlist('entries', 'userex2', 'alwaysAdd', true),
    );
Look at the template header for more details.
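The variables described above are meant to be defined together in one site template. The following is an added example, not part of the QWG templates or of this page: a hypothetical site/users/config template, referenced from the site's profiles via USER_CONFIG_SITE. All user names, uids, group names, gids, host names, and the value of USER_LIST_SSHKEY_URL_PREFIX (a variable the page uses but does not define) are made up; how standard/users/config.tpl itself is pulled into a machine profile is not covered by the page and is not shown here.

```pan
# Added example (hypothetical site template, not from the QWG templates).
# Every name, id, host and URL here is made up for illustration.
unique template site/users/config;

# Where nodes download public keys from. The page references this variable
# but does not define it, so this value is an assumption. Whatever is fetched
# from here ends up in authorized_keys, so serve it over HTTPS from a host
# the site controls.
variable USER_LIST_SSHKEY_URL_PREFIX ?= 'https://cfg.example.com/sshkeys/';

# One definition per user, reused by every machine that gets the account,
# so uid and group membership are identical site-wide.
variable USER_LIST ?= nlist(
    'userex',   nlist('uid', 711, 'groups', list('groupex')),
    'userex2',  nlist('uid', 712, 'groups', list('groupex2')),
    'opsadmin', nlist('uid', 720, 'groups', list('admins'))
);

# Optional public keys; users without an entry simply get no key.
variable USER_SSH_KEYS ?= nlist(
    'userex',   USER_LIST_SSHKEY_URL_PREFIX + 'userex.pub',
    'opsadmin', USER_LIST_SSHKEY_URL_PREFIX + 'opsadmin.pub'
);

# Only shared groups need to be listed; each user's private group
# (gid equal to the uid) is created implicitly.
variable GROUP_LIST ?= nlist(
    'groupex',  nlist('gid', 800),
    'groupex2', nlist('gid', 801),
    'admins',   nlist('gid', 810)
);

# Per-machine selection by group: adding a group to a machine also creates
# every user whose 'groups' list contains it.
variable DB_MACHINE_GROUPS ?= nlist(
    'mynode.example.com', list('groupex'),
    'db01.example.com',   list('groupex2', 'admins')
);

# Explicit per-machine users; usually empty because groups are enough.
variable DB_MACHINE_USERS ?= nlist(
    'mynode.example.com', list('userex2')
);

# Defaults keyed by a regexp on the machine name (escape() turns the regexp
# into a valid nlist key). The two patterns deliberately do not overlap.
#  - grid*: 'admins' is added on top of any explicit entries (alwaysAdd).
#  - wn*:   'userex' is created only when the host has no explicit entry.
variable DB_MACHINE_DEFAULT_ENTRIES ?= nlist(
    escape('^grid.*\.example\.com$'), nlist('entries', 'admins', 'alwaysAdd', true),
    escape('^wn.*\.example\.com$'),   nlist('entries', 'userex')
);
```

To use it, the site's profiles set `variable USER_CONFIG_SITE ?= 'site/users/config';` before standard/users/config.tpl is processed. Following the rules described on this page, mynode.example.com would get groupex together with userex (through the group) plus userex2 (explicit); db01.example.com would get groupex2 with userex2 and admins with opsadmin; grid hosts would get admins with opsadmin regardless of other entries; and wn hosts, which have no explicit entry, would get userex. Keeping the uid/gid values in the shared lists is what makes file ownership consistent when the same account exists on several of these machines.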