
nubis-bastionsshkey's People

Contributors

gozer, limed, tinnightcap

nubis-bastionsshkey's Issues

[consul] Simplify the IAMGroupMapping setting

Wouldn't something like this be clearer?

  GroupMapping:
    - groupNumber1:
      IAMPath: /nubis/admins/
      ConsulPath: global-admins
    - groupNumber2:
      LDAPGroup: groupNumber2
      IAMPath: /nubis/foo/
      ConsulPath: foo

Compared with:

  IAMGroupMapping:
    - Group1:
      LDAPGroup: groupNumber1
      IAMPath: /nubis/admin/
      ConsulPath: global-admins
    - Group2:
      LDAPGroup: groupNumber2
      IAMPath: /nubis/foo/
      ConsulPath: foo

Tag v1.5.1 release

Tag a release of the nubis-bastionsshkey repository for the v1.5.1 release of the Nubis project.

Tag v2.3.0 release

Tag a release of the nubis-bastionsshkey repository for the v2.3.0 release of the Nubis project.

Switch out lambda user management from using client cert

Copied from mozilla-itcloud/maintenance-project#31

With LDAP moving to MDC1, the security team is not bringing over the ability to auth with client certificates, which is how we auth to LDAP to do our queries in AWS. Need to make sure that nubisproject/nubis-bastionsshkey is fixed to not use client certificates anymore.

Once we remove that we will need to provide jabba with a list of the NAT EIPs for every account so that they can IP whitelist the LDAP VIP on their end.

09:38:09 jabba | how hard would it be to get a static IP for your ldap client that I can whitelist so we can ditch the client cert?
10:11:46 jabba | I need to shut down the client cert vip in the next two weeks

Tag v2.4.0 release

Tag a release of the nubis-bastionsshkey repository for the v2.4.0 release of the Nubis project.

Tag v2.3.1 release

Tag a release of the nubis-bastionsshkey repository for the v2.3.1 release of the Nubis project.

Add validation on usersSet being empty

Need a way to confirm that we have a usersSet worth comparing to what is being returned from LDAP.

There doesn't seem to be a good way to test if the LDAP connection is valid and connected.

Tag v1.3.0 release

Tag a release of the nubis-bastionsshkey repository for the v1.3.0 release of the Nubis project.

Tag v1.4.2 release

Tag a release of the nubis-bastionsshkey repository for the v1.4.2 release of the Nubis project.

Tag v2.1.0 release

Tag a release of the nubis-bastionsshkey repository for the v2.1.0 release of the Nubis project.

Tag v2.2.0 release

Tag a release of the nubis-bastionsshkey repository for the v2.2.0 release of the Nubis project.

Weird issues with execType=consul

I'm seeing some weird issues with execType=consul. Note that in my config I'm running with 2 different LDAP groups: the GlobalAdmins group has a different group than SudoUsers.

Command ran:

$ ./nubis-bastionsshkey -execType=consul

Steps to reproduce:

  1. Clear out your consul KV store under /nubis-users
  2. Create /nubis-users followed by /nubis-users/global-admins/ followed by /nubis-users/sudo-users
  3. Run script ./nubis-bastionsshkey -execType=consul
  4. Once you run the script and look at the KV store, what you get is just an empty /nubis-users folder
  5. Once you run the script again it actually creates the /nubis-users/global-admins/<users> and /nubis-users/sudo-users/<users> folders; however both KV stores have the same users even though I have 2 different groups. It appears to only be taking the first group

Expected Outcome:
We shouldn't be wiping /nubis-users/global-admins and /nubis-users/sudo-users; if it's pre-created we should just use what's there. And the actual LDAP users should be placed in the proper KV store when run.

Ability to create roles

We need to be able to create roles. I propose that in the config under the IAMGrouping section we have 1 additional option, called "privilege", and it can only accept "admin" or "readonly". Based on these values we can decide what sort of policy to provide with the user.

When a user gets created it will create an IAM role with the same name and, based on "admin" or "readonly", the IAM role will then get a particular IAM policy attached to it. I started a little bit of this which might help this process along and I'm working on it on this feature branch: https://github.com/limed/nubis-bastionsshkey/tree/roles

[meta] User modifications are invisible

I can see a category of issues here. This tool doesn't really inspect a user's state and try to make it converge to what it should be, and that's a problem:

  • User's attached policy is edited by an admin
  • User's group membership is changed
  • User's API keys are deleted

This feels like it's a category of issues. This tool currently basically does:

  • find missing users (comparing with ldap)
  • create users
    • create user
    • create API keys
    • group membership
    • policies
    • etc

But once a user has been created, and stays created, it doesn't really touch it anymore.
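As an added illustration (not code from nubis-bastionsshkey), the Go program below sketches a reconciler that addresses both the "Add validation on usersSet being empty" issue above and this one: it refuses to produce a plan when the LDAP-derived user set is empty, and for users that already exist it diffs group membership, attached policies and access keys against the desired state instead of only creating missing users. The types, action names, policy ARNs and sample data are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// DesiredUser is what LDAP plus an IAMGroupMapping-style config says a user
// should look like; ActualUser is what IAM currently reports. Both shapes are
// assumptions for this example, not the tool's real data model.
type DesiredUser struct {
	Groups   map[string]bool // IAM group names the user must belong to
	Policies map[string]bool // IAM policy ARNs that must be attached
}

type ActualUser struct {
	Groups     map[string]bool
	Policies   map[string]bool
	AccessKeys int // number of active API keys
}

// Action is one change the reconciler wants applied; Arg is the group or policy.
type Action struct {
	Op   string
	User string
	Arg  string
}

// ErrEmptyDesired is returned instead of a plan when the LDAP-derived set is
// empty: an empty set is far more likely a failed query than "nobody should
// have access", and acting on it would deprovision everyone.
var ErrEmptyDesired = errors.New("refusing to reconcile: desired user set is empty (LDAP query may have failed)")

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Reconcile compares desired (LDAP) state with actual (IAM) state and returns
// the ordered actions that make IAM converge. Unlike a create-only sync it
// also reports drift on users that already exist.
func Reconcile(desired map[string]DesiredUser, actual map[string]ActualUser) ([]Action, error) {
	if len(desired) == 0 {
		return nil, ErrEmptyDesired
	}
	var plan []Action
	add := func(op, user, arg string) { plan = append(plan, Action{op, user, arg}) }

	want := map[string]bool{}
	for n := range desired {
		want[n] = true
	}
	have := map[string]bool{}
	for n := range actual {
		have[n] = true
	}

	for _, name := range sortedKeys(want) {
		d := desired[name]
		a, exists := actual[name]
		if !exists {
			a = ActualUser{Groups: map[string]bool{}, Policies: map[string]bool{}}
			add("create-user", name, "")
		}
		// Drift in group membership, in both directions.
		for _, g := range sortedKeys(d.Groups) {
			if !a.Groups[g] {
				add("add-to-group", name, g)
			}
		}
		for _, g := range sortedKeys(a.Groups) {
			if !d.Groups[g] {
				add("remove-from-group", name, g)
			}
		}
		// Drift in attached policies (an admin hand-editing a policy shows up here).
		for _, p := range sortedKeys(d.Policies) {
			if !a.Policies[p] {
				add("attach-policy", name, p)
			}
		}
		for _, p := range sortedKeys(a.Policies) {
			if !d.Policies[p] {
				add("detach-policy", name, p)
			}
		}
		// Deleted API keys are re-issued.
		if a.AccessKeys == 0 {
			add("create-access-key", name, "")
		}
	}
	// Users present in IAM but absent from LDAP; this is the step the empty-set
	// guard protects.
	for _, name := range sortedKeys(have) {
		if !want[name] {
			add("delete-user", name, "")
		}
	}
	return plan, nil
}

// SampleState is constructed test data, not output of the real tool.
func SampleState() (map[string]DesiredUser, map[string]ActualUser) {
	desired := map[string]DesiredUser{
		"alice": {Groups: map[string]bool{"global-admins": true}, Policies: map[string]bool{"arn:aws:iam::aws:policy/AdministratorAccess": true}},
		"bob":   {Groups: map[string]bool{"sudo-users": true}, Policies: map[string]bool{"arn:aws:iam::aws:policy/ReadOnlyAccess": true}},
	}
	actual := map[string]ActualUser{
		// alice exists but was hand-edited: extra group, policy swapped, keys deleted.
		"alice": {Groups: map[string]bool{"global-admins": true, "billing": true},
			Policies: map[string]bool{"arn:aws:iam::aws:policy/PowerUserAccess": true}, AccessKeys: 0},
		// carol is still in IAM but no longer in LDAP.
		"carol": {Groups: map[string]bool{"sudo-users": true}, Policies: map[string]bool{}, AccessKeys: 1},
	}
	return desired, actual
}

func main() {
	desired, actual := SampleState()
	plan, err := Reconcile(desired, actual)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, a := range plan {
		fmt.Printf("%-18s %-6s %s\n", a.Op, a.User, a.Arg)
	}
	// Simulate the failed-LDAP case: no plan is produced.
	_, err = Reconcile(map[string]DesiredUser{}, actual)
	fmt.Println("empty desired set:", err)
}
```

The empty-set refusal matters most once a reconciler can also remove: a failed LDAP query that returns nothing must never be read as "nobody should have access". Running the file prints the plan; the hand-edited alice entry shows the drift this issue describes being detected rather than ignored.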

Tag v1.4.0 release

Tag a release of the nubis-bastionsshkey repository for the v1.4.0 release of the Nubis project.

Remove ConsulPath option

Since we are now just referencing LDAP group names, we should no longer be using the ConsulPath option.

Tag v1.5.0 release

Tag a release of the nubis-bastionsshkey repository for the v1.5.0 release of the Nubis project.

Tag v1.4.1 release

Tag a release of the nubis-bastionsshkey repository for the v1.4.1 release of the Nubis project.
