wiki:Doc/OS/UserMgt

Version 3 (modified by jouvin, 16 years ago)

Describe bulk user creation

User Management

Quattor and QWG templates make it possible to manage several aspects of user configuration, including:

  • Local account creation and modification
  • Configuration of authentication methods
  • Configuration of SSH keys
  • Configuration of user privileges (e.g. sudo)

The main NCM components related to user management are:

  • ncm-accounts : creation and modification of local accounts
  • ncm-authconfig : configuration of authentication methods. Most of the mechanisms supported by the authconfig command can be managed by this component.
  • ncm-sudo : management of SUDO configuration
  • ncm-useraccess : configuration of SSH keys for users and rights to access applications

Bulk Creation of Local Accounts

In addition, QWG Templates provide a template, standard/users/config.tpl, that allows efficient creation of users and groups on a large number of machines. The goal of this template is to create a consistent set of users on several machines, with flexible configuration options providing the following features:

  • A unique list of user and group definitions so that if a user or group exists on several machines, it will have the same account characteristics (uid, gid...).
  • For each user, ability to define an optional public SSH key.
  • For each machine, ability to select the subset of users and groups to create.
  • Ability to define named subsets of users that are assigned to machines rather than giving the explicit list of users.
  • Support for a default list of users to create on all machines, either in addition to machine specific users or as a default list when no other users are defined.

This template takes its input from a site template whose name must be passed in the variable USER_CONFIG_SITE. This site template may define the following variables (whose default value is an empty list or nlist, depending on the variable):

  • USER_LIST: a nlist defining user account characteristics with one entry per user. The key is the userid, the value is a nlist corresponding to a valid set of ncm-accounts user properties. Example:
    variable USER_LIST ?= nlist(
        'userex', nlist('uid',711,
                        'groups',list('groupex'),
                       ),
        'userex2', nlist('uid',712,
                         'groups',list('groupex2'),
                        ),
    );
    
  • USER_SSH_KEYS: a nlist defining an optional public SSH key for each user, with one entry per user. The key is the userid, the value is a URL from which the public key can be downloaded. Example:
    variable USER_SSH_KEYS ?= nlist(
        'userex', USER_LIST_SSHKEY_URL_PREFIX+'userex.pub',
        'userex2', USER_LIST_SSHKEY_URL_PREFIX+'userex2.pub',
    );
    
  • GROUP_LIST : a nlist defining group characteristics with one entry per group. The key is the group name, the value is a nlist corresponding to a valid set of ncm-accounts group properties. There is no need to define a group in this list if it is dedicated to one user and uses the user's uid as its gid. Example:
    variable GROUP_LIST ?= nlist(
        'groupex', nlist('gid',800),
    );
    
  • DB_MACHINE_GROUPS: a nlist defining the groups to create on a specific machine. The key is a machine name, the value is a list of groups which must exist in GROUP_LIST. When a group is added to a machine, all user accounts belonging to the group are created as well, so it is generally more convenient to add user accounts through this variable than through DB_MACHINE_USERS. Groups implicitly created with a gid equal to the user's gid should not be listed in this nlist. Example:
    variable DB_MACHINE_GROUPS ?= nlist(
        'mynode.example.com', list('groupex'),
    );
    
  • DB_MACHINE_USERS: a nlist defining the users to create on a specific machine. The key is a machine name, the value is a list of users which must exist in USER_LIST. This list is often empty, as it is generally more convenient to add user accounts through the group list (see the DB_MACHINE_GROUPS description). Example:
    variable DB_MACHINE_USERS ?= nlist(
        'mynode.example.com', list('userex2'),
    );
    
  • DB_MACHINE_DEFAULT_ENTRIES: a nlist defining accounts that must be created by default on a subset of machines. The key is a regexp matching one or more machine names. The value is a nlist with 2 possible entries (keys):
    • entries (mandatory): a string (if only one value) or a list of strings referencing entries in DB_MACHINE_USERS or DB_MACHINE_GROUPS.
    • alwaysAdd (optional): when true, add the entries even if there is an explicit entry for the machine in DB_MACHINE_USERS or DB_MACHINE_GROUPS. Default is false (the entries are added only if there is no explicit entry for the machine).
      variable DB_MACHINE_DEFAULT_ENTRIES ?= nlist(
          escape('^grid.*\.example\.com$'), nlist('entries', 'userex2',
                                                  'alwaysAdd', true),
      );
      

Look at the template header for more details.
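As an added illustration (not part of the QWG templates or of this page's own code), the following Python script expresses the example definitions above as dictionaries and checks the constraints the text states: unique uids and gids, and per-machine lists that only reference defined users and groups; it also resolves which accounts a given machine ends up with (explicit users plus the members of each listed group). The 'groupex2' group entry and the naming rule for implicit per-user groups are assumptions, and DB_MACHINE_DEFAULT_ENTRIES is not modelled.

```python
# Added example (not part of the QWG templates): a consistency check for a
# site template feeding standard/users/config.tpl. The dicts mirror the page's
# Pan nlist examples; 'groupex2' is a constructed addition to GROUP_LIST.
USER_LIST = {
    "userex":  {"uid": 711, "groups": ["groupex"]},
    "userex2": {"uid": 712, "groups": ["groupex2"]},
}
GROUP_LIST = {"groupex": {"gid": 800}, "groupex2": {"gid": 801}}
DB_MACHINE_GROUPS = {"mynode.example.com": ["groupex"]}
DB_MACHINE_USERS = {"mynode.example.com": ["userex2"]}

def check_site(users, groups, machine_groups, machine_users):
    """Return the list of problems found (empty when the definitions are sound)."""
    problems = []
    seen_uid = {}
    for name, props in users.items():
        # A uid shared by two accounts merges their file ownership on every
        # machine where both are created, defeating the consistency goal.
        uid = props["uid"]
        if uid in seen_uid:
            problems.append(f"user {name}: uid {uid} already used by {seen_uid[uid]}")
        else:
            seen_uid[uid] = name
        # Groups a user belongs to must be in GROUP_LIST, except the implicit
        # per-user group (gid == uid), assumed here to carry the user's name.
        for g in props.get("groups", []):
            if g not in groups and g != name:
                problems.append(f"user {name}: group {g} not in GROUP_LIST")
    seen_gid = {}
    for name, props in groups.items():
        gid = props["gid"]
        if gid in seen_gid:
            problems.append(f"group {name}: gid {gid} already used by {seen_gid[gid]}")
        seen_gid[gid] = name
    # Per-machine lists may only reference users and groups that are defined.
    for host, glist in machine_groups.items():
        problems += [f"{host}: group {g} not in GROUP_LIST" for g in glist if g not in groups]
    for host, ulist in machine_users.items():
        problems += [f"{host}: user {u} not in USER_LIST" for u in ulist if u not in users]
    return problems

def accounts_for(host, users, machine_groups, machine_users):
    """Explicit users for host plus every USER_LIST member of each listed group."""
    wanted = set(machine_users.get(host, []))
    for g in machine_groups.get(host, []):
        wanted |= {u for u, p in users.items() if g in p.get("groups", [])}
    return sorted(wanted)
```

Running check_site against the site definitions before compiling the profiles catches uid collisions and dangling references that would otherwise only surface on the managed nodes.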