User management with hashman - ghomem/legacy_puppet_infrastructure GitHub Wiki

Adding a user

DO NOT USE FOR USERS WITH ENCRYPTED HOME. Refer to this document instead.

1. Add the user:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh useradd USER EMAIL NAME COMPANY DEVOPSEMAIL|SILENT

Result: the user created with this command receives an e-mail at the EMAIL address given.

Note: For the last parameter, you must provide your own e-mail address, which will be linked in the message sent to the user. Upon confirmation by the user, an e-mail will be sent to you (via DEVOPSEMAIL) confirming the reception of the message. If SILENT is chosen instead, no message will be sent to the user.

2. Set the user's SSH public key (if necessary):

sudo /opt/puppet-infrastructure/bin/pp_auth.sh setpubkey USER 'PUBKEY'

3. Once the person who will use the account confirms by mail that the message was received, send them their temporary credentials and the link to change them to final ones:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh inform USER

4. Do a puppet run on the nodes, or use the plugin to do that automatically.
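
Step 2 takes a pasted key as a single quoted argument. As an added example (not part of hashman or this wiki), the POSIX shell functions below check that the value is one well-formed OpenSSH public key before calling setpubkey. The function names, the allowed key types and the sample key are assumptions made for illustration, and base64, od, head and tail are assumed to be available.

```shell
#!/bin/sh
# Added example (not hashman code): check a pasted OpenSSH public key before
# passing it to "pp_auth.sh setpubkey". Function names are hypothetical.

# Key types this example accepts; the list is an assumption, adjust to policy.
ALLOWED_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256"

reject() { echo "rejected: $1" >&2; }

# validate_pubkey 'TYPE BASE64 [COMMENT]' returns 0 only for a well-formed key.
validate_pubkey() {
    key=$1
    # One line only: a multi-line paste would carry extra keys along.
    [ "$(printf '%s' "$key" | tr -d '\r\n')" = "$key" ] || { reject "multi-line"; return 1; }
    ktype=${key%% *}; rest=${key#* }; blob=${rest%% *}
    # Field 1 must be an allowed key type, which also refuses an
    # authorized_keys options prefix or a pasted private key header.
    case " $ALLOWED_TYPES " in
        *" $ktype "*) ;;
        *) reject "key type"; return 1 ;;
    esac
    # Field 2 must be non-empty base64 that decodes cleanly.
    case $blob in ''|*[!A-Za-z0-9+/=]*) reject "blob charset"; return 1 ;; esac
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || { reject "base64"; return 1; }
    # The decoded blob starts with a 4-byte big-endian length and the type
    # name, which must match field 1.
    len=$(echo $(printf '%s' "$blob" | base64 -d | od -An -tu1 -N4))
    [ "$len" = "0 0 0 ${#ktype}" ] || { reject "length prefix"; return 1; }
    inner=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "${#ktype}")
    [ "$inner" = "$ktype" ] || { reject "type/blob mismatch"; return 1; }
}

# set_pubkey_checked USER 'PUBKEY': validate, then run the wiki's step 2.
set_pubkey_checked() {
    validate_pubkey "$2" || return 1
    sudo /opt/puppet-infrastructure/bin/pp_auth.sh setpubkey "$1" "$2"
}

# Constructed sample: ed25519 wire layout around 32 zero bytes, not a real key.
sample_key() {
    blob=$( { printf '\0\0\0\013ssh-ed25519\0\0\0\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s alice@example.test' "$blob"
}

validate_pubkey "$(sample_key)" && echo "sample key accepted"
```

The check is structural only: it does not verify key strength or that the key belongs to the intended person.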

Locking / unlocking a user

Locking a user prevents the user from logging in to any nodes or services, once the puppet agent is executed there.

sudo /opt/puppet-infrastructure/bin/pp_auth.sh lock USER

The user can be given access again, keeping the same password, by running:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh unlock USER REASON

Expiring / unexpiring a user

A user can be "forced" to change his password by being set to a state where login is only possible via the Hashman Web Interface. That state is the expired state and can be forced with:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh expire USER

This operation can be reversed with:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh unexpire USER

After creation and unlocking, the user is in the expired state. The user is automatically unexpired upon the password change, performed by the user, from the temporary password to a final one.

Triggering password changes

DO NOT USE FOR USERS WITH ENCRYPTED HOME. Refer to this document instead.

A user can be allowed to change their password by means of the reset command:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh reset USER

Once this command is executed, the user will receive an e-mail and will be able to perform the password change via the Hashman Web Interface, which is linked from that e-mail.

Exporting / importing a user

To export a user, run the following on the source environment:

sudo /opt/puppet-infrastructure/bin/pp_auth.sh export USER

This command will output a long, copy-pastable base64-encoded string with the user data.

To import the user into the target environment, run the following command:

sudo /opt/puppet-infrastructure/hashman/common/pp_auth.py import USER LONGSTRINGOFB64USERDATA

For the user to become active, it is necessary to unlock it:

sudo /opt/puppet-infrastructure/hashman/common/pp_auth.py unlock USER 'unlocking after import'