
Thursday, 9 July 2020

Linux Authentication and Access - A different approach

A short briefing that covers the basics of creating a new user on a Linux host. We start with the old and insecure username/password authentication method and then add an RSA certificate to make user authentication more modern and robust. In the second section, we copy the private key to our Windows machine and configure PuTTY so that we connect to the Linux server using RSA certificates.
In the second part of the article, we give a very short introduction to Chef and how it can be used to automate user provisioning on a host. This example performs exactly the same user provisioning operations shown in the first part, but this time with Chef.
In the last section we introduce a simple Jenkins pipeline that demonstrates the use of the sftp and ssh commands for the Linux user we previously created.
Just a 10-minute read.

Read the full article here:

Tuesday, 15 July 2014

Pattern to Deliver Different Automation Templates per server group

The Problem: 
I have 3 groups of servers that use different settings for LDAP, Apache config and Splunk. Each group has around 30 servers. The configuration files for LDAP, Apache and Splunk do NOT have the same format in each group, so a single general Ruby automation template cannot be used for all three groups of servers.

For example, I cannot have one Splunk authentication.conf.erb for all groups like:
[default]

[Corporate AD]
bindDN = <%= @node['splunk']['ldap-bindDN'] %>
charset = utf8
bindDNpassword = <%= @node['splunk']['ldap-bindDNpassword'] %>
SSLEnabled = 0
port = 389
userBaseDN =  <%= @node['splunk']['ldap-userBaseDN'] %>
host =  <%= @node['splunk']['ldap-binddn'] %>

[authentication]
authType = LDAP
authSettings = <%= @node['splunk']['ldap-authSettings'] %>

# Here the Splunk stanza is always different for all 4 groups of servers!!!
[roleMap_Corporate]
admin = wewvffsf3f
myreporting = 0110052012E
power = 0110052012E;0110052012E;0110052012E;0110052012E;

Question: 
How can automation be applied to all four server groups when their templates have different formats?

Solution:
I give each server group a group id as an attribute:
node['splunk']['group-id'] = groupA or groupB or groupC 

Then in my Chef project I organize my templates folder as follows:

Contents of my-chef-project/templates/default
  • groupA-authentication.conf.erb : describes LDAP settings for Group A
  • groupA-authorization.conf.erb : describes Splunk Authorization settings for Group A
  • groupB-authentication.conf.erb : describes LDAP settings for Group B
  • groupB-authorization.conf.erb : describes Splunk Authorization settings for Group B
  • groupC-authentication.conf.erb : describes LDAP settings for Group C
  • groupC-authorization.conf.erb : describes Splunk Authorization settings for Group C
Each of those templates is plain text without any parameters, except perhaps the node IP, hostname... See an example groupA-authentication.conf.erb:
[default]

[Corporate Settings]
bindDN = CN=splunk,OU=Services,OU=Company Page,OU=Resources,DC=illumine,DC=gr
SSLEnabled = 1
port = 437
host = ldap.illumine.com
client =  <%= @node['ip'] %>

[authentication]
authType = LDAP
authSettings = Corporate Settings

[roleMap_Corporate kl]
admin = nottellingya
blog = 0110341333450057252012E
puser = 0110003532234123412342012E;0110003532234123412342012E;0110003532234122412342012E

In my automated delivery Chef recipe, for any of those template types I do something like the following Chef Ruby code:

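  template "/opt/splunk/etc/system/local/authentication.conf" do
    # The source name uses a hyphen so it matches the files in templates/default
    source "#{node['splunk']['group-id']}-authentication.conf.erb"
    owner 'splunk'
    group 'splunk'
    # Readable and writable by the splunk user only
    mode '0600'
    variables()
    # Continue the Chef run even if no template exists for this group-id
    ignore_failure true
  end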

Note that:

  • The template that is sourced is bound to the server's group ID.
  • Any server in the group will take the same group template.
  • The parameter ignore_failure true denotes that if a template is not found for this group-id, then no configuration is delivered and Chef automation will continue without a break.
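
Because ignore_failure true lets a missing or misnamed template pass silently, a node can be left without its intended authentication.conf. The following pre-flight check is an added example, not part of the original post: it allowlists the group-id and reports every expected template that is absent from the templates folder. The helper names template_source, missing_templates and demo, and the constructed sample layout, are assumptions for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Assumed for this example: the three group ids and two template kinds
# listed in the post's templates/default folder.
KNOWN_GROUPS   = %w[groupA groupB groupC].freeze
TEMPLATE_KINDS = %w[authentication authorization].freeze

# Hypothetical helper: build the template file name for a group,
# rejecting any group-id or kind that is not on the allowlist.
def template_source(group_id, kind)
  unless KNOWN_GROUPS.include?(group_id) && TEMPLATE_KINDS.include?(kind)
    raise ArgumentError, "unexpected group-id/kind: #{group_id.inspect}/#{kind.inspect}"
  end
  "#{group_id}-#{kind}.conf.erb"
end

# Hypothetical helper: list every expected template that is absent
# from templates_dir, so the gap is reported instead of ignored.
def missing_templates(templates_dir)
  KNOWN_GROUPS.product(TEMPLATE_KINDS)
              .map { |group, kind| template_source(group, kind) }
              .reject { |name| File.file?(File.join(templates_dir, name)) }
end

# Constructed sample layout: groupC's files are absent and groupB's
# authentication template was saved with an underscore by mistake.
def demo
  Dir.mktmpdir do |dir|
    %w[groupA-authentication.conf.erb groupA-authorization.conf.erb
       groupB_authentication.conf.erb groupB-authorization.conf.erb].each do |name|
      FileUtils.touch(File.join(dir, name))
    end
    missing_templates(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name| warn "missing template: #{name}" }
end
```

Run against the real templates/default folder in CI, a non-empty result from missing_templates is a reason to stop the pipeline before the cookbook is uploaded.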