nubisproject / nubis-bastionsshkey
Manages nubis users
userCreationPath still hardcoded, need to pull from the config
Wouldn't something like this be clearer?
GroupMapping:
  - groupNumber1:
      IAMPath: /nubis/admins/
      ConsulPath: global-admins
  - groupNumber2:
      LDAPGroup: groupNumber2
      IAMPath: /nubis/foo/
      ConsulPath: foo
Compared with:
IAMGroupMapping:
  - Group1:
      LDAPGroup: groupNumber1
      IAMPath: /nubis/admin/
      ConsulPath: global-admins
  - Group2:
      LDAPGroup: groupNumber2
      IAMPath: /nubis/foo/
      ConsulPath: foo
Tag a release of the nubis-bastionsshkey repository for the v1.5.1 release of the Nubis project.
When sending mail we should also display the account name so that we don't get confused where the IAM keys are coming from
Tag a release of the nubis-bastionsshkey repository for the v2.3.0 release of the Nubis project.
hardcoded us-west-2 found in aim.go
Copied from mozilla-itcloud/maintenance-project#31
With ldap moving to MDC1, the security team is not bringing over the ability to auth with client certificates, which is how we auth to ldap to do our queries in AWS. Need to make sure that nubisproject/nubis-bastionsshkey is fixed to not use client certificates anymore.
Once we remove that we will need to provide jabba with a list of the NAT EIPs for every account so that they can IP whitelist the LDAP VIP on their end.
09:38:09 jabba | how hard would it be to get a static IP for your ldap client that I can whitelist so we can ditch the client cert?
10:11:46 jabba | I need to shut down the client cert vip in the next two weeks
Tag a release of the nubis-bastionsshkey repository for the v2.4.0 release of the Nubis project.
Tag a release of the nubis-bastionsshkey repository for the v2.3.1 release of the Nubis project.
Tag a release of the nubis-bastionsshkey repository for the v2.0.0 release of the Nubis project.
Need a way to confirm that we have a usersSet worth comparing to what is being returned from LDAP.
There doesn't seem to be a good way to test if the LDAP connection is valid and connected.
Tag a release of the nubis-bastionsshkey repository for the v1.3.0 release of the Nubis project.
Tag a release of the nubis-bastionsshkey repository for the v1.4.2 release of the Nubis project.
If you are using a lambda function we shouldn't need to pass credentials to any IAM operations, since this is all allowed via an IAM role.
Tag a release of the nubis-bastionsshkey repository for the v2.1.0 release of the Nubis project.
Tag a release of the nubis-bastionsshkey repository for the v2.2.0 release of the Nubis project.
Add support to provide a -c command line flag; if not provided, it will just use config.yml.
I'm seeing some weird issues with execType=consul; note that in my config I'm running with 2 different ldap groups. The GlobalAdmins
group has a different group than SudoUsers.
Command ran:
$ ./nubis-bastionsshkey -execType=consul
Steps to reproduce:
/nubis-users
/nubis-users
followed by /nubis-users/global-admins/
followed by /nubis-users/sudo-users
./nubis-bastionsshkey -execType=consul
/nubis-users
folder/nubis-users/global-admins/<users>
and /nubis-users/sudo-users/<users>
folder; however, both the KV stores have the same users even though I have 2 different groups. It appears to be only taking the first group.
Expected Outcome:
We shouldn't be wiping /nubis-users/global-admins
and /nubis-users/sudo-users; if it's pre-created we should just use what's there. And the actual ldap users should be placed in the proper KV store if run.
We need to be able to create roles. I propose that in the config under the IAMGrouping section we have 1 additional option, called "privilege", and it can only accept "admin" or "readonly". Based on these values we can decide what sort of policy to provide with the user.
When a user gets created it will create an IAM role with the same name, and based on "admin" or "readonly" the IAM role will then get a particular IAM policy attached to it. I started a little bit of this which might help this process along, and I'm working on it on this feature branch: https://github.com/limed/nubis-bastionsshkey/tree/roles
I can see a category of issues here. This tool doesn't really inspect a user's state and try to make it converge to what it should be, and that's a problem:
This feels like it's a category of issues. This tool currently basically does:
But once a user has been created, and stays created, it doesn't really touch it anymore.
Maybe use gh-release to make this happen?
Tag a release of the nubis-bastionsshkey repository for the v1.4.0 release of the Nubis project.
Something to help me see what's going on, for instance.
https://github.com/rtucker-mozilla/nubis-bastionsshkey/blob/master/main.go#L114-L118
These lines should be cleaned up a little bit: move lines 116 & 117 up to line 93-ish.
Right now we are not even printing out stdErr; we should print this out so we know what's going on.
Since we are now just referencing ldap group names we should no longer be using the ConsulPath option
Tag a release of the nubis-bastionsshkey repository for the v1.5.0 release of the Nubis project.
Tag a release of the nubis-bastionsshkey repository for the v1.4.1 release of the Nubis project.
And I would try and report the version on run logs