Server Farm Single Sign-on Overview
Server Farm Single Sign-on (SSO) is our method for centrally managing Unix users and access rights across the CIT server farm. We have simplified our account structure and employed user Roles and server Classes to streamline authorization.
Roles are used to assign access rights and sudo privileges to users with like job functions. Instead of giving a user access to hosts A, B, and C, we try to determine what function that user is performing and craft a role (or multiple roles) to encapsulate that function: PeopleSoft DBA, NetVigil Administrator, and so forth. The benefit of roles shows when another user needs to be added to an existing job function: the user is added to the role, not to each host.
Classes tie roles to servers. In the same vein as roles, classes are assigned to servers based on what the servers do and what people need to do on them. You could have a broad class of PeopleSoft servers and something more specific like PeopleSoft Development. Each class has one or more roles associated with it, e.g. the PeopleSoft DBA role could be assigned to servers in the PeopleSoftOracle class. A server can, and most likely will, fall into multiple classes, so the roles active on a server are the union of the roles carried by all of its classes.
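The following is an added example written for this page, not CIT's own SSO tooling. It models the role/class/server relationship described above and resolves two questions from it: who may log in to a given server, and what sudo privileges they hold there. The user and server names, the PeopleSoftDevelopment and Monitoring classes, the PeopleSoft Developer role and the per-role sudo grants are all assumptions for illustration; only "PeopleSoft DBA", "NetVigil Administrator" and "PeopleSoftOracle" come from the page.

```python
"""Resolve role/class assignments in the style described above.

Added example written for this page, not CIT's own SSO tooling.  All
user, server and class names are invented except "PeopleSoft DBA",
"NetVigil Administrator" and "PeopleSoftOracle", which the page mentions;
the sudo grants per role are assumptions for illustration.
"""

# Constructed sample data: which roles each user holds.
USER_ROLES = {
    "jdoe1": {"PeopleSoft DBA"},
    "asmith": {"PeopleSoft DBA", "PeopleSoft Developer"},
    "netops": {"NetVigil Administrator"},
}
# Which roles each server class carries (classes tie roles to servers).
CLASS_ROLES = {
    "PeopleSoftOracle": {"PeopleSoft DBA"},
    "PeopleSoftDevelopment": {"PeopleSoft DBA", "PeopleSoft Developer"},
    "Monitoring": {"NetVigil Administrator"},
}
# Which classes each server belongs to; a server may be in several.
SERVER_CLASSES = {
    "psdb01": {"PeopleSoftOracle"},
    "psdev01": {"PeopleSoftOracle", "PeopleSoftDevelopment"},
    "mon01": {"Monitoring"},
}
# Assumed sudo privileges attached to each role: (run-as account, command).
ROLE_SUDO = {
    "PeopleSoft DBA": [("oracle", "ALL")],
    "PeopleSoft Developer": [("psadm", "/usr/local/bin/restart-appserver")],
    "NetVigil Administrator": [("root", "/sbin/service netvigil *")],
}


def roles_on_server(server):
    """Union of the roles carried by every class the server belongs to."""
    roles = set()
    for cls in SERVER_CLASSES.get(server, set()):
        roles |= CLASS_ROLES.get(cls, set())
    return roles


def effective_roles(user, server):
    """Roles the user holds that are also active on this server."""
    return USER_ROLES.get(user, set()) & roles_on_server(server)


def may_login(user, server):
    """Login is allowed when at least one of the user's roles is tied to the server."""
    return bool(effective_roles(user, server))


def login_users(server):
    """All users who may log in to the server, derived rather than listed per host."""
    return sorted(u for u in USER_ROLES if may_login(u, server))


def sudo_grants(user, server):
    """Sudo privileges a user holds on a server: the grants of each effective role."""
    grants = set()
    for role in effective_roles(user, server):
        grants.update(ROLE_SUDO.get(role, []))
    return sorted(grants)


def sudoers_fragment(server):
    """Render sudoers-style lines ('user host = (runas) command') for one server."""
    lines = []
    for user in login_users(server):
        for runas, cmd in sudo_grants(user, server):
            lines.append(f"{user} {server} = ({runas}) {cmd}")
    return "\n".join(lines)


def add_user_to_role(user, role):
    """Onboard a user into an existing job function; every server whose classes
    carry the role picks up the access automatically."""
    USER_ROLES.setdefault(user, set()).add(role)


if __name__ == "__main__":
    for server in SERVER_CLASSES:
        print(f"{server}: {login_users(server)}")
        print(sudoers_fragment(server))
```

Note that psdev01 is in two classes, so a user holding only the PeopleSoft Developer role can log in there but not on psdb01, and that adding a new DBA is a single call to add_user_to_role rather than an edit on every Oracle host.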
Accounts in Server Farm SSO fall into one of three types:
User Accounts
- Interactive accounts with login, shell, and possibly sudo access.
- No shared access; each account is either a NetID or a vendor account tied back to a particular person.
File Transfer ID Accounts
- Access allowed via FTP, Microsoft file sharing (Samba), and SCP/SFTP.
- No interactive (shell) access. No sudo. Processes should not run under these IDs.
- Passwords or SSH keys are likely to be shared knowledge or hard-coded into applications, which is why these IDs get neither a shell nor sudo.
Holding ID Accounts
- No direct login allowed. These accounts have no usable password (the password field is locked, not left empty, since an empty field would allow login with no password at all) and should not have SSH keys.
- Users can "sudo su" to a Holding ID account if temporary interactive access is needed.
- Password-less (NOPASSWD) sudo may be granted to such users for a limited set of commands run as the Holding ID.
- Processes are typically run under these accounts (Apache, MySQL, SourceForge, etc.).
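As an added check written for this page (example code, not CIT's own tooling), the script below audits local accounts against the three account types: User Accounts need an interactive shell, File Transfer IDs must have no interactive shell and no sudo, and Holding IDs must have a locked password, no SSH keys, and no sudo entry of their own. It assumes a directory that maps each account name to its type, and the passwd and shadow lines, the set of accounts with authorized_keys, and the set of accounts named in sudoers are all constructed sample data.

```python
"""Audit local accounts against the three Server Farm SSO account types.

Added example for this page, not CIT's own tooling.  The passwd/shadow
lines, the key and sudoers data, and the account-type directory below
are all constructed for illustration.
"""

# Shells that give interactive access; anything else is treated as restricted.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/ksh", "/bin/zsh", "/bin/tcsh", "/bin/csh"}

# Constructed /etc/passwd and /etc/shadow content (hashes are placeholders).
PASSWD = """\
jdoe1:x:1001:1001:Jane Doe:/home/jdoe1:/bin/bash
psxfer:x:1002:1002:PeopleSoft transfer ID:/home/psxfer:/usr/bin/rssh
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""
SHADOW = """\
jdoe1:$6$saltsalt$hashhashhash:19000:0:99999:7:::
psxfer:$6$saltsalt$otherhashvalue:19000:0:99999:7:::
mysql::19000:0:99999:7:::
apache:!!:19000:0:99999:7:::
"""
# Assumed type directory; in practice this would come from the SSO system.
ACCOUNT_TYPE = {"jdoe1": "user", "psxfer": "file_transfer",
                "mysql": "holding", "apache": "holding"}
# Constructed: accounts with a non-empty ~/.ssh/authorized_keys, and
# accounts that appear as the *user* (not the run-as target) in sudoers.
HAS_SSH_KEYS = {"jdoe1", "mysql"}
SUDO_USERS = {"jdoe1", "psxfer"}


def parse_colon_file(text, value_index):
    """Return {name: field[value_index]} for a passwd- or shadow-style file."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        out[fields[0]] = fields[value_index]
    return out


def password_locked(hash_field):
    """True when the shadow hash can never match ('!', '!!', '*', '*LK*' ...).
    An EMPTY field is not locked: it permits login with no password at all."""
    return hash_field.startswith(("!", "*"))


def audit_account(acct_type, shell, hash_field, has_keys, has_sudo):
    """Findings for one account, given its type and observed properties."""
    findings = []
    if acct_type == "user":
        if shell not in INTERACTIVE_SHELLS:
            findings.append("user account lacks an interactive login shell")
    elif acct_type == "file_transfer":
        if shell in INTERACTIVE_SHELLS:
            findings.append("file transfer ID has an interactive shell")
        if has_sudo:
            findings.append("file transfer ID appears in sudoers")
    elif acct_type == "holding":
        if not password_locked(hash_field):
            findings.append("holding ID password is not locked")
        if has_keys:
            findings.append("holding ID has SSH authorized keys")
        if has_sudo:
            findings.append("holding ID appears in sudoers as a sudo user")
    else:
        findings.append(f"unknown account type {acct_type!r}")
    return findings


def audit_all(passwd=PASSWD, shadow=SHADOW, types=ACCOUNT_TYPE,
              keys=HAS_SSH_KEYS, sudo=SUDO_USERS):
    """Map each non-compliant account name to its list of findings."""
    shells = parse_colon_file(passwd, 6)   # login shell is field 7 of passwd
    hashes = parse_colon_file(shadow, 1)   # hash is field 2 of shadow
    report = {}
    for name, shell in shells.items():
        acct_type = types.get(name)
        if acct_type is None:
            report[name] = ["account not registered in the SSO type directory"]
            continue
        findings = audit_account(acct_type, shell, hashes.get(name, ""),
                                 name in keys, name in sudo)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all().items():
        for f in findings:
            print(f"{name}: {f}")
```

On the sample data the mysql holding ID is flagged twice (empty password field, which is worse than a locked one, and an authorized_keys file) and the psxfer transfer ID is flagged for having a sudoers entry; jdoe1 and apache pass.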
To request accounts:
