rewrite access guides

This commit is contained in:
2024-10-04 15:54:10 +02:00
parent 72616f2d85
commit 255035d0e3
2 changed files with 28 additions and 11 deletions
@@ -1,15 +1,29 @@
# Bastions
This parameter determines whether root logins are only possible from the hosts listed in bastions. Normally the value is taken from the network property of the same name, but this parameter allows overriding the network setting through Hiera.
# Bastion Hosts
Access for the `root` user can be limited to be only allowed from certain bastion hosts.
By default this is enabled except for a few networks, see [reponsible Puppet code](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/manifests/networking/params.pp) for details.
You may alternatively control the use of bastion hosts yourself by setting in Hiera:
### Use bastions
Boolean value
```
aaa::user_bastions: true
```
### Bastion host definitions
A list of FQDNs. If use_bastions is true, then root logins are only allowed from the hosts on this list. Note: If the list is empty, login is unrestricted again!
The bastion hosts can be listed in the Hiera key `aaa:bastions`:
```
aaa::bastions:
- 'x05la-gw.psi.ch'
```
which then will override the default value
```
aaa::bastions:
- 'wmgt01.psi.ch'
- '129.129.190.25' # IP of wmgt01.psi.ch
- 'wmgt02.psi.ch'
- '129.129.190.104' # IP of wmgt02.psi.ch
```
**Caution**: an empty list will allow unrestricted login again!
@@ -1,15 +1,16 @@
# User and admin access
A list of users and or groups that can access the system. Members of the groups `aaa:admins:` don't need to be members of `aaa::users:` to access a system.
# Normal and Administrative User Access
### Regular access
Access for ActiveDirectory (AD) user accounts or groups that are non Experiment accounts. (See e account section for that)
## Regular access
Access for ActiveDirectory (AD) user accounts or groups:
```
aaa::users:
- 'muster_h'
- '%unx-project_group'
```
### Sudo access
Note that administrative users (see below) always have normal access without being explicitely listed in `aaa::users`.
## Administrative (root/sudo) Access
To give root access for AD user accounts or groups via sudo.
```
aaa::admins:
@@ -17,3 +18,5 @@ aaa::admins:
- '%unx-project_group'
```