forked from Controls/gitea-pages
rewrite access guides
This commit is contained in:
@@ -1,15 +1,29 @@
|
||||
# Bastions
|
||||
This parameter determines whether root logins are only possible from the hosts listed in bastions. Normally the value is taken from the network property of the same name, but this parameter allows overriding the network setting through Hiera.
|
||||
# Bastion Hosts
|
||||
|
||||
Access for the `root` user can be limited to be only allowed from certain bastion hosts.
|
||||
|
||||
By default this is enabled except for a few networks, see [reponsible Puppet code](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/manifests/networking/params.pp) for details.
|
||||
|
||||
You may alternatively control the use of bastion hosts yourself by setting in Hiera:
|
||||
|
||||
### Use bastions
|
||||
Boolean value
|
||||
```
|
||||
aaa::user_bastions: true
|
||||
```
|
||||
|
||||
### Bastion host definitions
|
||||
A list of FQDNs. If use_bastions is true, then root logins are only allowed from the hosts on this list. Note: If the list is empty, login is unrestricted again!
|
||||
The bastion hosts can be listed in the Hiera key `aaa:bastions`:
|
||||
|
||||
```
|
||||
aaa::bastions:
|
||||
- 'x05la-gw.psi.ch'
|
||||
```
|
||||
|
||||
which then will override the default value
|
||||
```
|
||||
aaa::bastions:
|
||||
- 'wmgt01.psi.ch'
|
||||
- '129.129.190.25' # IP of wmgt01.psi.ch
|
||||
- 'wmgt02.psi.ch'
|
||||
- '129.129.190.104' # IP of wmgt02.psi.ch
|
||||
```
|
||||
|
||||
**Caution**: an empty list will allow unrestricted login again!
|
||||
|
||||
@@ -1,15 +1,16 @@
|
||||
# User and admin access
|
||||
A list of users and or groups that can access the system. Members of the groups `aaa:admins:` don't need to be members of `aaa::users:` to access a system.
|
||||
# Normal and Administrative User Access
|
||||
|
||||
### Regular access
|
||||
Access for ActiveDirectory (AD) user accounts or groups that are non Experiment accounts. (See e account section for that)
|
||||
## Regular access
|
||||
Access for ActiveDirectory (AD) user accounts or groups:
|
||||
```
|
||||
aaa::users:
|
||||
- 'muster_h'
|
||||
- '%unx-project_group'
|
||||
```
|
||||
|
||||
### Sudo access
|
||||
Note that administrative users (see below) always have normal access without being explicitely listed in `aaa::users`.
|
||||
|
||||
## Administrative (root/sudo) Access
|
||||
To give root access for AD user accounts or groups via sudo.
|
||||
```
|
||||
aaa::admins:
|
||||
@@ -17,3 +18,5 @@ aaa::admins:
|
||||
- '%unx-project_group'
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user