gitea-pages/engineering-guide/infrastructure_administration.md
2024-12-09 10:58:54 +01:00


Infrastructure Administration

How to Grant Access to bob/sysdb

bob makes HTTP calls to the sysdb app. Authorization (https://git.psi.ch/linux-infra/sysdb#authentication-and-authorization) is done via krb5 tokens. Operations outside of environments (creating environments, changing their owner, deleting them) need to be done by a sysdb admin, i.e. someone who is a member of the group sysdb-admins. Group membership of the authenticated user is evaluated at the OS level on sysdb.psi.ch, so group memberships can be set either locally or in AD. This makes it a bit confusing, but both are used.

For the envs (bob env list), only adding and listing are implemented in bob; any other operation, like deletion or modification, can only be performed in the sysdb sqlite database itself.

Each env can only have one user and one group assigned to it.

Access to the individual environments' data-xxx repositories is granted through normal Git access control. Nothing overrides the access control of the git server.

SSH Certificates / Signing Public User Keys

Generate an ssh key, e.g. as follows:

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519

Sign the public key with the user CA key. This is automated by pasting the function below into your shell:

function sign-user-ssh-key {
    (
        name="$1"    # principal, normally the user name
        pubkey="$2"  # path of the public key file to sign

        # let the private key flow through a named pipe
        # so it never ends up on the file system

        umask 077
        pipe_base="$(mktemp)" # MacOS does not know about --dry-run
        pipe="${pipe_base}.pipe"
        echo "mkfifo '$pipe'"
        mkfifo "$pipe" || { rm -f "$pipe_base"; return 1; }
        [ -p "$pipe" ] || { rm -f "$pipe_base"; return 1; }
        # feed the CA private key from the password store into the pipe
        echo "pass ssh-ca/user-ca > '$pipe' &"
        pass ssh-ca/user-ca > "$pipe" &
        # -I key id, -n principal, -V validity: 55 weeks from now
        echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
        ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
        echo "rm '$pipe' '$pipe_base'"
        rm "$pipe" "$pipe_base"
    )
}

and run it with the user name as principal and the public key file:

sign-user-ssh-key "$PRINCIPAL" "$PUBKEY_FILE"

More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
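To see what the -I, -n and -V flags of the function above actually put into the certificate, and which of those fields sshd checks at login (principal match and validity window), here is an added example that encodes and decodes an OpenSSH user certificate in the wire format documented in OpenSSH's PROTOCOL.certkeys. It is not code from this repository; the nonce, public keys, signature bytes and the user name jdoe are constructed placeholders, not real key material.

```python
"""Added example: OpenSSH user certificate (ssh-ed25519-cert-v01@openssh.com)
encode/decode, plus the acceptance checks sshd applies to it."""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1        # ssh-keygen -h would produce a host cert (type 2)
FIFTY_FIVE_WEEKS = 55 * 7 * 86400   # what -V +55w amounts to


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_cert(key_id: str, principals: list, valid_after: int,
                valid_before: int, serial: int = 0) -> bytes:
    """Build a certificate blob with the field layout ssh-keygen -s writes.
    Nonce, public keys and signature are constructed filler (no real keys)."""
    principals_blob = b"".join(_string(p.encode()) for p in principals)
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                   # nonce (constructed)
        _string(b"\x11" * 32),                   # user Ed25519 public key (constructed)
        struct.pack(">Q", serial),
        struct.pack(">I", SSH_CERT_TYPE_USER),
        _string(key_id.encode()),                # -I key id
        _string(principals_blob),                # -n principals
        struct.pack(">Q", valid_after),          # -V start (seconds since epoch)
        struct.pack(">Q", valid_before),         # -V end
        _string(b""),                            # critical options (none)
        _string(b""),                            # extensions (none here)
        _string(b""),                            # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),  # CA public key (constructed)
    ])
    signature = _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64))  # constructed
    return body + signature


class _Reader:
    """Sequential reader for the SSH wire types used in certificates."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())


def decode_cert(blob: bytes) -> dict:
    """Parse the fields sshd evaluates before accepting a login."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE.encode():
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()  # nonce
    r.string()  # user public key
    serial, cert_type, key_id = r.u64(), r.u32(), r.string().decode()
    pr = _Reader(r.string())
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals,
            "valid_after": r.u64(), "valid_before": r.u64()}


def parse_cert_line(line: str) -> dict:
    """Decode the one-line form ssh-keygen writes to <key>-cert.pub."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("unexpected certificate line")
    return decode_cert(base64.b64decode(parts[1]))


def check_cert(cert: dict, login_name: str, now: int):
    """Mirror sshd's decision for login_name at time now: user type, name
    listed as a principal, and now inside [valid_after, valid_before)."""
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    # An empty principal list means "any principal" in the protocol;
    # sign-user-ssh-key always sets exactly one with -n.
    if cert["principals"] and login_name not in cert["principals"]:
        return False, f"{login_name!r} is not a listed principal"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    return True, "ok"


def build_demo_cert_line(now: int, principal: str = "jdoe") -> str:
    """What `sign-user-ssh-key jdoe key.pub` conceptually yields at time now:
    key id and single principal equal to the user name, valid for 55 weeks.
    'jdoe' is a constructed user name."""
    blob = encode_cert(principal, [principal], now, now + FIFTY_FIVE_WEEKS, serial=1)
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {principal}"
```

On a real certificate the same fields can be inspected with `ssh-keygen -L -f ~/.ssh/linux_id_ed25519-cert.pub`; the decoder above shows which of them a server consults, which is why a wrong -n principal or an expired -V window is refused even though the signature is valid.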

Unix Groups

Currently we have the following AD groups to grant access to certain services/systems:

| Group | Notes |
|---|---|
| unx-lx_eng | Members of Linux engineering; used to give access to the management NFS filesystem, sysdb, ... |
| unx-lx_support | used to give Linux supporters access to systems/services |
| unx-puppet_adm | associated with the lxdev environment/systems |
| unx-puppet_dev | developers of puppet code |
| unx-puppet_usr | users of puppet (i.e. need access to the linux-infra group/repos) |
| unx-lx_users | all personal Linux accounts at PSI (directly updated from SAP) |
| unx-lx_grafana_adm | Grafana administrators |
| unx-lx_grafana_edi | Group with Grafana editor rights |

These two groups are used within ServiceNow to assign tickets:

| Group |
|---|
| itsm-linux |
| itsm-linux_2nd |

Access to the VM infrastructure for Linux core employees:

| Group | Notes |
|---|---|
| VC_Admins_Linux | Access to the PSI VM infrastructure |

AD Users

| User | Notes |
|---|---|
| lx-netops-api (keytab) | Used to access the netops API |
| lx_ad_join (keytab) | Used to join a machine to AD |
| linux_ldap | ???? registered by Derek (he is noted as responsible in AD); used for ???? |

linux.psi.ch

linux.psi.ch is hosted from this git repo as git pages. The F5 reverse proxy, which is managed by the network team, has a proxy entry for the domain name linux.psi.ch that forwards to the git pages, so they are reachable at https://linux.psi.ch.

The HTTPS certificate for the domain linux.psi.ch is managed by the network team.

Email Lists

linux@psi.ch

Right now the following people are on the list:

  • Marc Caubet
  • Derek Feichtinger
  • Peter Huesser
  • Rene Kapeller
  • Gilles Martin
  • Leonardo Sala
  • Ivano Talamo
  • Alvise Dorigo
  • Joshua Taylor
  • Simon Ebner
  • Konrad Bucheli

This email list is administered via Outlook in the following way (if you have manager rights):

  • Open Outlook and go to the address book

    [screenshot: outlook_01.png]

  • Search for the PSI.Linux mailing list and double-click it

    [screenshot: outlook_02.png]

  • Go to "Modify Members" (you only see this if you are a manager)

    [screenshot: outlook_03.png]

  • Click on "Add" and add the new email address

    [screenshot: outlook_04.png]