Infrastructure Administration
How to Grant Access to bob/sysdb
bob makes HTTP calls to the sysdb app. Authorization (https://git.psi.ch/linux-infra/sysdb#authentication-and-authorization) is done via krb5 tokens. Operations outside of environments (creating environments, changing their owner, deleting them) need to be done by a sysdb admin, i.e. someone who is a member of the group sysdb-admins. Group membership of the authenticated user is evaluated at the OS level on sysdb.psi.ch, so group memberships can be set either locally or in the AD. This is a bit confusing, but both are used.
For the envs (bob env list), only adding and listing are implemented in bob; any other operation, such as deletion or modification, can only be performed directly in the sysdb SQLite database.
Each env can only have one user and one group assigned to it.
Access to the data-xxx repositories of the different environments is granted through normal Git access control. Nothing overrides the access control of the git server.
SSH Certificates / Signing Public User Keys
Generate an SSH key, e.g. as follows:
```bash
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519
```
Sign the public key with the user CA. This is automated by pasting the function below into your shell:
```bash
function sign-user-ssh-key {
    (
        name="$1"     # principal; also used as the certificate key ID
        pubkey="$2"   # path to the user's public key file
        # let the private key flow through a named pipe
        # so it never ends up on the file system
        umask 077
        pipe_base="$(mktemp)" # macOS mktemp does not know about --dry-run
        pipe="${pipe_base}.pipe"
        echo "mkfifo '$pipe'"
        mkfifo "$pipe" || return 1
        [ -p "$pipe" ] || return 1
        echo "pass ssh-ca/user-ca > '$pipe' &"
        # the writer blocks until ssh-keygen opens the pipe for reading
        pass ssh-ca/user-ca > "$pipe" &
        echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
        # certificate is valid for 55 weeks from now
        ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
        echo "rm '$pipe' '$pipe_base'"
        rm "$pipe" "$pipe_base"
    )
}
```
and run it with the user name as principal and the public key file:
```bash
sign-user-ssh-key "$PRINCIPAL" "$PUBKEY_FILE"
```
More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
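A check to run on a freshly signed certificate before handing it out, as an added example (not part of this page or of the sysdb/bob tooling). It assumes OpenSSH's ssh-keygen is on PATH and takes the certificate file, the expected principal and optionally the user CA's public key; it rejects host certificates, wrong principals, certificates outside their validity window and certificates signed by a different CA:

```sh
#!/bin/sh
# Added example, not part of the original page: sanity-check a certificate
# produced by sign-user-ssh-key before handing it to the user. It parses the
# output of `ssh-keygen -L` (assumed: OpenSSH's ssh-keygen on PATH) and fails
# unless the file is a *user* certificate (not a host cert), carries the
# expected principal, is valid right now and, if a CA public key is given,
# was signed by that CA and not by some other key.
#   usage: check_user_ssh_cert CERT_FILE PRINCIPAL [CA_PUBKEY_FILE]
check_user_ssh_cert() {
  cert="$1"; principal="$2"; ca_pub="$3"
  info="$(ssh-keygen -L -f "$cert" 2>/dev/null)" \
    || { echo "FAIL: $cert is not an SSH certificate" >&2; return 1; }

  # A host certificate must never be accepted as a user credential.
  printf '%s\n' "$info" | grep -q ' user certificate$' \
    || { echo "FAIL: $cert is not a user certificate" >&2; return 1; }

  # Principals are listed one per indented line after "Principals:" and end
  # at the next "Label:" line; compare the trimmed value exactly, no substrings.
  printf '%s\n' "$info" | awk -v p="$principal" '
    /^[ \t]*Principals:/          { inp = 1; next }
    inp && /^[ \t]*[A-Za-z ]+:/   { inp = 0 }
    inp { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == p) found = 1 }
    END { exit found ? 0 : 1 }' \
    || { echo "FAIL: principal '$principal' not in $cert" >&2; return 1; }

  # ssh-keygen prints local-time ISO timestamps ("Valid: from A to B",
  # "after A", "before B" or "forever"); ISO strings compare lexicographically.
  now="$(date +%Y-%m-%dT%H:%M:%S)"
  printf '%s\n' "$info" | awk -v now="$now" '
    /^[ \t]*Valid:/ {
      for (i = 1; i <= NF; i++) {
        if (($i == "from" || $i == "after")  && $(i+1) > now) bad = 1
        if (($i == "to"   || $i == "before") && $(i+1) < now) bad = 1 } }
    END { exit bad ? 1 : 0 }' \
    || { echo "FAIL: $cert is not valid at $now" >&2; return 1; }

  # Optional: the "Signing CA" fingerprint must match our user CA public key.
  if [ -n "$ca_pub" ]; then
    want="$(ssh-keygen -lf "$ca_pub" | awk '{ print $2 }')"
    have="$(printf '%s\n' "$info" | awk '/Signing CA:/ { print $4 }')"
    [ "$want" = "$have" ] \
      || { echo "FAIL: $cert signed by $have, expected CA $want" >&2; return 1; }
  fi
  echo "OK: $cert is a valid user certificate for $principal"
}
```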
Unix Groups
Currently we have the following AD groups to grant access to certain services/systems:
| Group | Notes |
|---|---|
| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... |
| unx-lx_support | used to give Linux supporters access to systems/services |
| unx-puppet_adm | associated with lxdev environment/systems |
| unx-puppet_dev | developer of puppet code |
| unx-puppet_usr | user of puppet (i.e. need access to linux-infra group/repos) |
| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) |
| unx-lx_grafana_adm | Grafana Administrators |
| unx-lx_grafana_edi | Group with Grafana editor rights |
These two groups are used within ServiceNow to assign tickets:
| Group |
|---|
| itsm-linux |
| itsm-linux_2nd |
Access to the VM infrastructure for Linux core employees:
| Group | Notes |
|---|---|
| VC_Admins_Linux | Access to the PSI VM Infrastructure |
AD Users
| User | Notes |
|---|---|
| lx-netops-api | (keytab) Used to access the netops api |
| lx_ad_join | (keytab) Used to join a machine to AD |
| linux_ldap (????) | registered by Derek (he is noted as responsible in AD); what it is used for is still unknown (????) |
linux.psi.ch
linux.psi.ch is hosted from this git repo as Git pages. There is a proxy entry for the domain name linux.psi.ch on the F5 reverse proxy, which is managed by the network team, so that the Git pages are reachable at https://linux.psi.ch.
The HTTPS certificates of the domain linux.psi.ch are also managed by the network team.
Email Lists
linux@psi.ch
Right now the following people are on the list:
- Marc Caubet
- Derek Feichtinger
- Peter Huesser
- Rene Kapeller
- Gilles Martin
- Leonardo Sala
- Ivano Talamo
- Alvise Dorigo
- Joshua Taylor
- Simon Ebner
- Konrad Bucheli
This email list is administered via Outlook in the following way (if you have manager rights):
- Open Outlook and go to the address book
- Search for the PSI.Linux mailing list and double click
- Go to modify members (you only see this if you are a manager)
- Click on Add and add a new email address