welcome: please sign in

The following 217 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
able   Access   access   account   actually   add   Add   adduser   admin   Admin   administered   Administration   administrative   Administrative   Administrator   administrator   administrators   admins   afs   Alias   aliases   all   All   allow   allows   Also   also   Although   and   Architecture   are   Area   as   automatically   Basic   be   broad   but   by   can   Category   changes   classes   commands   common   Configuration   configuration   connect   Contents   controlled   cpw   Create   create   creating   Creating   current   described   desired   do   does   Dom   domtool   Email   email   emails   enables   environment   Environment   Environments   etc   exist   expected   features   for   forward   from   full   functional   generated   Gibran   git   grant   grants   Group   group   groups   Groups   Guide   handle   has   have   hcoop   https   if   ignore   in   In   init   initial   instead   intended   is   it   kadmin   kerberos   Kerberos   like   limited   list   lists   Lists   local   locally   made   mail   make   Management   manifests   Member   member   members   membership   minimally   Mit   modify   modules   more   My   need   needed   net   new   no   non   normal   not   now   Of   of   On   on   Only   optional   or   Overview   Page   perhaps   permissions   Personal   Portal   portal   Postgres   powers   pp   priv   privileges   pts   puppet   Puppet   pw   randomly   receive   repo   requests   required   root   run   script   scripts   server   Server   Servers   servers   Services   services   set   Setup   should   so   Standard   Steps   strictly   Sudo   sudo   support   system   System   Table   that   The   the   them   these   This   this   through   to   To   Tool   update   used   user   username   users   valid   values   various   very   view   we   which   wiki   Wiki   will   with   without   Write  

Clear message


Guide to creating a new administrative user with admin privileges for various services.

TODO: Write a create-admin-user script that does this all automatically (add it to the scripts git repo)

NAME = Member's non-administrative username. All commands should be run from ServerGibran (or the current administrative server).

1. Basic Setup

Steps required to create a minimally functional admin user.

1.1. Creating the user

/afs/hcoop.net/common/etc/scripts/create-user-new NAME_admin
sudo kadmin.local cpw NAME_admin # set randomly generated initial pw

The user will now exist in Kerberos, AFS, and DomTool but have no administrative permissions.

1.2. Administrative Email Lists

In ~hcoop/.domtool/hcoop.net add the new admin users to the admin_emails list which will add them to the needed mail aliases to receive admin mail.

Also add emailAlias "NAME_admin" "NAME"; so administrative emails are forward to the admin's normal mail account.

TODO: update AdminArea with list of lists that admins are expected to not ignore.

1.3. SSH Access, Sudo On Administrator-Only Servers, and Kerberos Admin

In Puppet, modify modules/hcoop/manifests/init.pp and add the new admin user to the $admins list. This will allow them to connect to all servers and have sudo which will also grant access to locally administered services like Postgres and MySQL.

This also grants them kerberos administrator privileges. FIXME: do we make that optional? MitKerberos admin powers are very broad, and perhaps not all admins will need them.

1.4. Puppet Environment

Create a puppet environment for the new admin as described in ConfigurationManagement#Personal_Environments which allows them to actually make changes to system configuration. All system changes are made through Puppet.

1.5. Portal Admin

On the Portal Groups Management Page add the admin's member account to the root group. This enables full access to portal administrative features and allows the admin to view support requests.

2. Services

Although not strictly needed, the admin will not be able to handle all support requests without these.

2.1. DomTool Administrator

To grant full admin permissions: domtool-admin grant NAME_admin priv all

DomTool/ArchitectureOverview#Standard_ACL_classes has a list of all valid values for priv which can be used instead of all if more limited administrative permissions are desired.

2.2. AFS Administrator

AFS administrative permissions are controlled by membership in the system:administrators group, so if a user is intended to have AFS admin privileges: pts adduser NAME_admin system:administrators.

2.3. Wiki administrator

Add new admin's wiki account to the list on AdminGroup


AddingNewAdmins (last edited 2022-03-05 20:22:28 by ClintonEbadi)