This is internal documentation. There is a good chance you’re looking for something else. See Disclaimer.
User Accounts¶
Who Gets What Account?¶
Where | Role / Group | Dev | Ops/Admins |
---|---|---|---|
Gerrit | - | x | |
Gerrit | Administrators | x | |
Teamcity | developers | x | |
Teamcity | admins | x | |
VSHN | - | x | x |
VSHN SSH | tocco | x | |
VSHN SSH | toccoroot and tocco | x | |
SSH Server Access | @user | x | |
SSH Server Access | @root | x | |
GitHub | Member | x | |
GitHub | Owner | x | |
GitLab | Maintainer | x | |
GitLab | Owner | x | |
Docker Hub | Owner | x | |
S3 | - | x | x |
Gerrit¶
Create User¶
${USERNAME} is the username (e.g. jdoe for Jane Doe)
Generate password:
pwgen -s 20 1
Create user:
ssh -t tadm@git.tocco.ch sudo htpasswd /etc/nginx/.htpasswd ${USERNAME}
If admin access should be granted (see table above), go to the group Administrators and add the user as a member.
Deactivate User¶
ssh -p 29418 ${OWN_USERNAME}@git.tocco.ch "gerrit set-account --inactive ${USERNAME}"
TeamCity¶
Permissions are granted via the admins and developers groups. New permissions should generally be granted to those groups rather than to individual users.
Create User¶
Go to Users.
Create User Account
Enter Username (e.g. jdoe for Jane Doe)
Enter full name as Name
Enter Email address (e.g. jdoe@tocco.ch)
Generate a password (pwgen -s 20 1)
Select newly created user (click on username)
Select Groups tab.
Add user to group admins or developers according to the table above.
SSH Server Access (Ansible)¶
Allow Access¶
Access can be granted via roles/ssh-key-sync/files/ssh_keys in the Ansible repository.
Changes can be deployed via Ansible:
cd ${ANSIBLE_GIT_ROOT}
ansible-playbook -i inventory playbook.yml -t ssh-keys
Hint
Users with role @user have access as user tocco on some hosts. Users with role @root have access as tadm and tocco on all hosts. For users that should only have access to Pseudo-VPN using SOCKS5 over SSH, use role @remote.
Revoke Access¶
See Allow Access above and do the opposite.
VSHN¶
Create Account¶
Customer Admins can create accounts at https://control.vshn.net/users/tocco
Select the following Portal Roles:
Customer Admin (ops)
Customer Developer (dev)
Customer Ticket (everybody)
And the following Service Access:
Customer Portal (everybody)
GitLab (ops / root user)
Icinga Web 2 (everybody)
Tocco OpenShift OCP4 (dev/ops)
OpenShift:
Have user added to group tocco-dev (dev)
Have user added to group tocco-admin (ops / root users)
Create a ticket to have user added to group. See TOCO-575.
Remove Account¶
Customer Admins can remove accounts at https://control.vshn.net/users/tocco
VSHN SSH¶
Grant Access¶
Puppet configuration can be found in the tocco_hieradata repository. Access is defined in the users section within the different config files (e.g. in database.yml for database servers and infrastructure/solr.yml for Solr servers).
Hint
Users that are part of the group toccoroot can use sudo to obtain root privileges.
Once the user has been created on the server — this can take up to 1h — roles on Postgres have to be updated:
$ cd ${ANSIBLE_REPO}/servers
$ ansible-playbook playbook.yml -t postgres
Revoke Access¶
To remove an account, add an ensure: absent.
GitHub¶
Add User to Organization¶
Go to the People page and Invite member.
Remove User from Organization¶
Go to the People page and select Convert to outside collaborator….
GitLab¶
Add User to Group¶
Go to the Members page and add the user.
Remove User from Group¶
Go to the Members page and remove the user.
Docker Hub¶
Add User to Organization¶
Go to the Docker Hub’s Members page and add the user.
Remove User from Organization¶
Go to the Docker Hub’s Members page and remove the user.
S3¶
Create User¶
Add user as described in S3 User for Developers.
User name should be dev-${SHORT_NAME}. For instance, the user name for Jane Doe would be dev-jado.
Grant permissions:
cd ${ANSIBLE_GIT_REPO}/tocco
ansible-playbook playbook.yml -t s3
Remove User¶
Remove user via web interface. See also S3 User for Developers.