142026-03-31 21:48:44ClintonEbadibugzilla admin user creation procedure132026-03-31 21:41:30ClintonEbadi122026-03-31 21:41:15ClintonEbadibasic notes on digital ocean admin role112022-03-05 20:22:28ClintonEbadiremove top level heading102022-03-05 20:20:20ClintonEbadiupdate instructions for creating new admin user for the modern era92022-02-17 01:17:50StephenMichelAdd notes based on ClintonEbadi's irc comments82012-09-06 06:56:34ClintonEbadilocal users are deprecated for the time being72012-03-22 07:17:16ClintonEbadioops, last despam for this page reverted to the wrong version62011-04-22 22:50:18ClintonEbadiRevert to revision 4.52011-04-21 17:09:42softbank126125063166.bbtec.netnAkOw0 <a href="http://qwfonhwtzxkl.com/">qwfonhwtzxkl</a>42011-04-21 09:30:17118.67.78.136Kudos to you! I hadn't tuhoght of that!32011-02-25 09:13:07ClintonEbadiremember to make admin users domtool admins as well22010-12-24 21:46:46DavorOcelic12010-12-24 21:46:17DavorOcelicGuide to creating a new administrative user with admin privileges for various services. TODO: Write a create-admin-user script that does this all automatically (add it to the scripts git repo) NAME = Member's non-administrative username. All commands should be run from ServerGibran (or the current administrative server).

Steps required to create a minimally functional admin user.

The user will now exist in Kerberos, AFS, and DomTool but have no administrative permissions.

In ~hcoop/.domtool/hcoop.net add the new admin users to the admin_emails list which will add them to the needed mail aliases to receive admin mail. Also add emailAlias "NAME_admin" "NAME"; so administrative emails are forward to the admin's normal mail account. TODO: update AdminArea with list of lists that admins are expected to not ignore.

In Puppet, modify modules/hcoop/manifests/init.pp and add the new admin user to the $admins list. This will allow them to connect to all servers and have sudo which will also grant access to locally administered services like Postgres and MySQL. This also grants them kerberos administrator privileges. FIXME: do we make that optional? MitKerberos admin powers are very broad, and perhaps not all admins will need them.

Create a puppet environment for the new admin as described in ConfigurationManagement#Personal_Environments which allows them to actually make changes to system configuration. All system changes are made through Puppet.

On the Portal Groups Management Page add the admin's member account to the root group. This enables full access to portal administrative features and allows the admin to view support requests.

Although not strictly needed, the admin will not be able to handle all support requests without these.

To grant full admin permissions: domtool-admin grant NAME_admin priv all DomTool/ArchitectureOverview#Standard_ACL_classes has a list of all valid values for priv which can be used instead of all if more limited administrative permissions are desired.

AFS administrative permissions are controlled by membership in the system:administrators group, so if a user is intended to have AFS admin privileges: pts adduser NAME_admin system:administrators.

WebServicesAdmin/BugZilla Admin access is required to edit groups, components, etc. The only common administrative option is likely to be changing group membership and the default assignee for various components (e.g. modifying board and financial default assignee after an election). Use the [edit users panel](), find the admin user account (they must login to bugzilla at least once for their account to exist), and add the admin flag. If the admin should be allowed to create further admin accounts then the "Can turn these bits on for other users" flag should also be set.

Add new admin's wiki account to the list on AdminGroup

If the admin requires access to the Digital Ocean hcoop project (e.g. for remote console access), they must first register directly with Digital Ocean as USER@hcoop.net. Then the board administrative account should be used to add the new admin at level "Modifier" or "Resource Viewer" to our project at Digital Ocean. This will allow them to view and interact with the project, use the remote console to access servers, provision new resources, and create/modify monitoring rules (at the "Modifier" level). The "Owner" level should only be assigned to the board account, and the "Member" level should be given only to very trusted admins since it allows destructive actions like deleting entire servers. CategorySystemAdministration