etcdpasswd

package module

v1.1.1-rc.3 Latest Latest Go to latest Published: Apr 12, 2021 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

README ¶

etcdpasswd

etcdpasswd manages Linux users and groups with a central database on etcd. This repository provides following two programs:

ep-agent: a background service that watches etcd database and synchronize Linux users/groups.
etcdpasswd: CLI tool to edit the central database on etcd.

Build

$ go install github.com/cybozu-go/etcdpasswd/...

Installation

Prepare an etcd cluster.

Create /etc/etcdpasswd/config.yml.

This file provides parameters to connect to the etcd cluster. A sample configuration looks like this:

endpoints:
  - http://12.34.56.78:2379
username: cybozu
password: xxxxxxxx

tls-cert-file: /etc/etcdpasswd/etcd.crt
tls-key-file: /etc/etcdpasswd/etcd.key

Run ep-agent.

A sample systemd unit file is available at cmd/ep-agent/ep-agent.service. Use it to run ep-agent as a systemd service as follows:

$ sudo cp $GOPATH/bin/ep-agent /usr/local/sbin
$ sudo cp ep-agent.service /etc/systemd/system
$ sudo systemctl daemon-reload
$ sudo systemctl enable ep-agent.service
$ sudo systemctl start ep-agent.service

Use etcdpasswd to initialize the database.

$ etcdpasswd set start-uid 2000
$ etcdpasswd set start-gid 2000
$ etcdpasswd set default-group cybozu
$ etcdpasswd set default-groups sudo,adm

Usage

See pkg/etcdpasswd/USAGE.md.

Specifications

Read docs/spec.md.

License

MIT

Documentation ¶

Index ¶

Constants
func IsValidGroupName(name string) bool
func IsValidUserName(name string) bool
func NewEtcdConfig() *etcdutil.Config
type Client
type Config
type Database
- func GetDatabase(ctx context.Context, etcd *clientv3.Client, rev int64) (*Database, error)
type Group
type Syncer
type User
- func (u *User) Validate() error

Constants ¶

View Source

const (
	KeyConfig        = "config"
	KeyLastUID       = "last-uid"
	KeyLastGID       = "last-gid"
	KeyUsers         = "users/"
	KeyDeletedUsers  = "deleted-users/"
	KeyGroups        = "groups/"
	KeyDeletedGroups = "deleted-groups/"
	KeyLocked        = "locked/"
)

Internal schema keys.

View Source

const (
	// ErrCASFailure indicates compare-and-swap failure.
	ErrCASFailure = errString("conflicted")

	// ErrNotFound indicates an object was not found in the database.
	ErrNotFound = errString("not found")

	// ErrExists indicates that an object with the same key already exists.
	ErrExists = errString("already exists")
)

View Source

const (
	// DefaultShell is the default shell program.
	DefaultShell = "/bin/bash"
)

View Source

const (
	// Version of etcdpasswd
	Version = "1.1.1-rc.3"
)

Variables ¶

This section is empty.

Functions ¶

func IsValidGroupName ¶

func IsValidGroupName(name string) bool

IsValidGroupName returns true if name is valid for etcdpasswd managed group.

func IsValidUserName ¶

func IsValidUserName(name string) bool

IsValidUserName returns true if name is valid for etcdpasswd managed user.

func NewEtcdConfig ¶

func NewEtcdConfig() *etcdutil.Config

NewEtcdConfig creates Config with default prefix.

Types ¶

type Client ¶

type Client struct {
	*clientv3.Client
}

Client provides high-level API to edit etcd database.

func (Client) AddGroup ¶

func (c Client) AddGroup(ctx context.Context, name string) error

AddGroup adds a new managed group to the database. If a group having the same name already exists, ErrExists will be returned.

func (Client) AddUser ¶

func (c Client) AddUser(ctx context.Context, user *User) error

AddUser adds a new managed user to the database. If a user having the same name already exists, ErrExists will be returned.

func (Client) GetConfig ¶

func (c Client) GetConfig(ctx context.Context) (*Config, int64, error)

GetConfig retrieves *Config with revision.

func (Client) GetUser ¶

func (c Client) GetUser(ctx context.Context, name string) (*User, int64, error)

GetUser looks up named user from the database. If the user is not found, this returns ErrNotFound.

func (Client) ListGroups ¶

func (c Client) ListGroups(ctx context.Context) ([]Group, error)

ListGroups lists all groups registered in the database. The result is sorted alphabetically.

func (Client) ListLocked ¶

func (c Client) ListLocked(ctx context.Context) ([]string, error)

ListLocked lists all password-locked users. The result is sorted alphabetically.

func (Client) ListUsers ¶

func (c Client) ListUsers(ctx context.Context) ([]string, error)

ListUsers lists all user names registered in the database. The result is sorted alphabetically.

func (Client) Lock ¶

func (c Client) Lock(ctx context.Context, name string) error

Lock adds name to locked user database on etcd.

func (Client) RemoveGroup ¶

func (c Client) RemoveGroup(ctx context.Context, name string) error

RemoveGroup removes an existing managed group. If the group does not exist, ErrNotFound will be returned.

func (Client) RemoveUser ¶

func (c Client) RemoveUser(ctx context.Context, name string) error

RemoveUser removes an existing managed user. If the user does not exist, ErrNotFound will be returned.

func (Client) SetConfig ¶

func (c Client) SetConfig(ctx context.Context, cfg *Config, rev int64) error

SetConfig tries to update *Config. If update was conflicted, ErrCASFailure is returned.

func (Client) Unlock ¶

func (c Client) Unlock(ctx context.Context, name string) error

Unlock removes name from locked user database on etcd.

func (Client) UpdateUser ¶

func (c Client) UpdateUser(ctx context.Context, user *User, rev int64) error

UpdateUser updates an existing managed user in the database. This operation does compare-and-swap with rev. If CAS failed, ErrCASFailure will be returned.

type Config ¶

type Config struct {
	StartUID      int      `json:"start-uid"`
	StartGID      int      `json:"start-gid"`
	DefaultGroup  string   `json:"default-group"`
	DefaultGroups []string `json:"default-groups"`
	DefaultShell  string   `json:"default-shell"`
}

Config represents etcdpasswd configurations

type Database ¶

type Database struct {
	Users         []*User
	Groups        []Group
	DeletedUsers  []string
	DeletedGroups []string
	LockedUsers   []string
}

Database is a on-memory snapshot of users and groups in etcd database.

func GetDatabase ¶

func GetDatabase(ctx context.Context, etcd *clientv3.Client, rev int64) (*Database, error)

GetDatabase takes a snapshot of etcd database at revision rev. If rev is 0, the snapshot will be the latest one.

type Group ¶

type Group struct {
	Name string
	GID  int
}

Group represents attributes of a group.

type Syncer ¶

type Syncer interface {
	// LookupUser looks up the named user in the system.
	// If the user is not found, this should return (nil, nil).
	LookupUser(ctx context.Context, name string) (*User, error)

	// LookupGroup looks up the named group in the system.
	// If the group is not found, this should return (nil, nil).
	LookupGroup(ctx context.Context, name string) (*Group, error)

	// AddUser adds a user to the system.
	AddUser(ctx context.Context, user *User) error

	// RemoveUser removes a user from the system.
	RemoveUser(ctx context.Context, name string) error

	// SetDisplayName sets the display name of the user.
	SetDisplayName(ctx context.Context, name, displayName string) error

	// SetPrimaryGroup sets the primary group of the user.
	SetPrimaryGroup(ctx context.Context, name, group string) error

	// SetSupplementalGroups sets the supplemental groups of the user.
	SetSupplementalGroups(ctx context.Context, name string, groups []string) error

	// SetShell sets the login shell of the user.
	SetShell(ctx context.Context, name, shell string) error

	// SetPubKeys sets SSH authorized keys of the user.
	SetPubKeys(ctx context.Context, name string, pubkeys []string) error

	// LockPassword locks the password of the user to prohibit login attempts using password.
	LockPassword(ctx context.Context, name string) error

	// AddGroup adds a group to the system.
	AddGroup(ctx context.Context, group Group) error

	// RemoveGroup removes a group from the system.
	RemoveGroup(ctx context.Context, name string) error
}

Syncer is an interface for user and group synchronization.

type User ¶

type User struct {
	Name        string   `json:"name"`
	UID         int      `json:"uid"`
	DisplayName string   `json:"display-name"`
	Group       string   `json:"group"`
	Groups      []string `json:"groups"`
	Shell       string   `json:"shell"`
	PubKeys     []string `json:"public-keys"`
}

User represents a user managed by etcdpasswd.

func (*User) Validate ¶

func (u *User) Validate() error

Validate validates User attributes. If some attribute is not valid, a non-nil error is returned.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
agent
cli
pkg
ep-agent
etcdpasswd
syncer

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL