This is an internal documentation. There is a good chance you’re looking for something else. See Disclaimer.

User Accounts

Who get what Account?

Where

Role / Group

Dev

Ops/Admins

Gerrit

-

x

Gerrit

Administrators

x

Teamcity

developers

x

Teamcity

admins

x

VSHN

-

x

x

VSHN SSH

tocco

x

VSHN SSH

toccoroot and tocco

x

SSH Server Access

@user

x

SSH Server Access

@root

x

SSH Emergency Access

@root

x

GitHub

Member

x

GitHub

Owner

x

GitLab

Maintainer

x

GitLab

Owner

x

Docker Hub

Owner

x

S3

-

x

x

Nine Cockpit

Cockpit Access

x

Nine Cockpit

Administrator

x

Gerrit

Create User

${USERNAME} is the username (e.g. jdoe for Jane Doe)

  1. Generate password:

    pwgen -s 20 1
    
  2. Create user:

    ssh -t tadm@git.tocco.ch sudo htpasswd /etc/nginx/.htpasswd ${USERNAME}
    
  3. If admin access should be granted (see table above), go to go to the group Administrators and add the user as a member.

Deactivate User

ssh -p 29418 ${OWN_USERNAME}@git.tocco.ch "gerrit set-account --inactive ${USERNAME}"

TeamCity

Permissions are granted via the admins and developers groups. New permission should generally be granted to those groups rather than individual users.

Create User

  1. Go to Users.

  2. Create User Account

  3. Enter Username (e.g. jdoe for Jane Doe)

  4. Enter full name as Name

  5. Enter Email address (e.g. jdoe@tocco.ch)

  6. Generate a password (pwgen -s 20 1)

  7. Select newly created user (click on username)

  8. Select Groups tab.

  9. Add user to group admins or developers according to the table above.

Remove User

  1. Go to Users.

  2. Remove user

SSH Server Access / Emergency Access (Ansible)

Allow Access

Access can be granted via roles/ssh-key-sync/files/ssh_keys in the Ansible repository. For DevOps / Admin employees also add the key to the emergency key file roles/ssh-server/files/authorized_keys_emergency.

Changes can be deployed via Ansible:

cd ${ANSIBLE_GIT_ROOT}
ansible-playbook -i inventory playbook.yml -t ssh-keys

Hint

Users with role @user have access as user tocco on some hosts. User with role @root have access as tadm and tocco on all hosts. For users that should only have access to Pseudo-VPN using SOCKS5 over SSH, use role @remote.

Revoke Access

See Allow Access above and do the opposite.

VSHN

Create Account

Customer Admins can create accounts at https://control.vshn.net/users/tocco

Select the following Portal Roles:

  • Customer Admin (ops)

  • Customer Developer (dev)

  • Customer Ticket (everybody)

And the following Service Aceess:

  • Customer Portal (everybody)

  • GitLab (ops / root user)

  • Icinga Web 2 (everybody)

  • Tocco OpenShift OCP4 (dev/ops)

OpenShift:

  • Have user added to group tocco-dev (dev)

  • Have user added to group tocco-admin (ops / root users)

Create a ticket to have user added to group. See TOCO-575.

Remove Account

Customer Admins can remove accounts at https://control.vshn.net/users/tocco

VSHN SSH

Grant Access

Puppet configuration can be found in the tocco_hieradata repository. Access is defined in the users section within the different config files (e.g. in database.yml for database servers and infrastructure/solr.yml for Solr servers).

Hint

Users that are part of the group toccoroot can use sudo to obtain root priviledges.

Once the user has been created on the server — this can take up to 1h — roles on Postgres have to be updated:

$ cd ${ANSIBLE_REPO}/servers
$ ansible-playbook playbook.yml -t postgres

Revoke Access

To remove an account, add an ensure: absent.

GitHub

Add User to Organization

Go to the People page and Invite member.

Remove User from Organization

Go to the People page and select Convert to outside collaborator….

GitLab

Add User to Group

Go to the Members page and add the user.

Remove User from Group

Go to the Members page and remove the user.

Docker Hub

Add User to Organization

Go to the Docker Hub’s Members page and add the user.

Remove User from Organization

Go to the Docker Hub’s Members page and remove the user.

S3

Create User

  1. User name should be dev-${SHORT_NAME}. For Instance, the user name for Jane Doe would be dev-jado:

    tco s3 create-user dev-${SHORT_NAME}
    

    Printed access_key and secret_key need to be handed to user and configured in ~/.aws/credentials

  2. Grant permissions:

    cd ${ANSIBLE_GIT_REPO}/tocco
    ansible-playbook playbook.yml -t s3
    

Remove User

tco s3 create-user dev-${SHORT_NAME}

Nine Cockpit

Add User

  1. Login at https://cockpit.nine.ch

  2. Click “tocco” in Switch Account section

  3. Open AccountContacts

  4. Send invite to @tocco.ch mail address

    Select Administrator (ops/admin) or Cockpit Access (dev) as role.

Remove User

  1. Login at https://cockpit.nine.ch

  2. Click “tocco” in Switch Account section

  3. Open AccountContacts

  4. Open Permissions for user

  5. Remove all permissions