From b1ff418523526fbe5f3aff7dd6ee946bbb058892 Mon Sep 17 00:00:00 2001 From: Ngairangbam Mili Date: Thu, 8 May 2025 05:44:07 +0000 Subject: [PATCH] User Management GUI/CLI/RESTAPI Enhancements --- Deletion Restriction Story: 2011239 Task: 52131 Change-Id: I1b2c67dab5cf6b913dc4575d3c2cc5a2da86feb0 Signed-off-by: Ngairangbam Mili --- .../security/kubernetes/keystone-accounts.rst | 28 +++++++++++++++++++ .../local-ldap-linux-user-accounts.rst | 13 +++++++++ 2 files changed, 41 insertions(+) diff --git a/doc/source/security/kubernetes/keystone-accounts.rst b/doc/source/security/kubernetes/keystone-accounts.rst index f5e1b833e..d8f96b56b 100644 --- a/doc/source/security/kubernetes/keystone-accounts.rst +++ b/doc/source/security/kubernetes/keystone-accounts.rst @@ -9,3 +9,31 @@ Keystone Accounts |prod-long| uses Keystone for authentication and authorization of users of the StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker Registry. |prod|'s Keystone uses the default local SQL Backend. + +-------------------------------------- +System-Critical Keystone User Accounts +-------------------------------------- + +The following Keystone user accounts are system-critical and cannot be deleted: + +- ``admin`` +- ``mtce`` +- ``fm`` +- ``barbican`` +- ``sysinv`` +- ``patching`` +- ``dcorch`` +- ``vim`` +- ``dcagent`` +- ``dcmanager`` +- ``dcdbsync`` +- ``smapi`` +- ``usm`` + +.. note:: + + These Keystone user accounts are essential for the operation and management of the + platform. Deleting or modifying these accounts could lead to unexpected + behavior or system instability. + + diff --git a/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst b/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst index 9c6d0fa02..e6702a06d 100644 --- a/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst +++ b/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst 
@@ -121,3 +121,16 @@ from the console ports of the hosts; no |SSH| access is allowed. .. seealso:: :ref:`Create LDAP Linux Accounts ` + +--------------------------------------------------------- +Configure Restricted Sudo Capability for Local LDAP Users +--------------------------------------------------------- + +You can grant restricted sudo capability to the local |LDAP| users by assigning +them to the sys_admin group. This can be configured using the |PAM| configuration method. + +Add ``sudo;*;*;Al0000-2400;sys_admin`` to ``/etc/security/group.conf``. + +Ensure that the pam_group module is enabled in the |PAM| stack (example: by +modifying ``/etc/pam.d/sudo``) with ``auth required pam_group.so``. +
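Review bot: in the ``.. note::`` at the end of the keystone-accounts.rst hunk, "Deleting or modifying these accounts could lead to unexpected behavior or system instability" contradicts the sentence above it, which says these accounts cannot be deleted. Separate the two cases: state that deletion is refused (and, since the subject line covers GUI, CLI and REST API, which interfaces enforce this and what the user sees when a delete is attempted), and make the warning about the operations that are still possible, e.g. "Deletion of these accounts is rejected. Modifying them (for example, changing their password, roles or enabled state) is not prevented and could lead to unexpected behavior or system instability." The hunk also ends with two blank ``+`` lines before the next file header; drop the trailing blank lines.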
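Review bot: the group.conf rule ``sudo;*;*;Al0000-2400;sys_admin`` in the local-ldap-linux-user-accounts.rst hunk has ``*`` in the users field, so it grants ``sys_admin`` to every user that authenticates through the ``sudo`` PAM service, on any tty, at all times, not only to the local LDAP users the paragraph says are being "assigned" to the group. Either list the intended users (comma-separated) in the third field or say explicitly that ``*`` is deliberate and why; ``Al0000-2400`` likewise means all days and all hours and should be spelled out so readers know it can be narrowed. The section also never says what sudo rule applies to ``sys_admin``, so "restricted sudo capability" is undefined without the matching sudoers entry; add it, and note that membership granted by pam_group exists only for that authenticating sudo session and is not a persistent group assignment visible to other services. For the pam.d change, "example: by modifying ``/etc/pam.d/sudo``" with a bare ``auth required pam_group.so`` leaves placement ambiguous; show the resulting file with the line in the auth section ahead of the existing auth entries (before the ``common-auth`` include on Debian-style stacks), since control flags in the included stack determine whether a line appended at the end is ever reached.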