docs/doc/source/security/kubernetes/overview-of-system-accounts.rst
Keane Lim 3c5fa979a4 Security guide update
Re-organized topic hierarchy

Tiny edit to restart review workflow.

Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
2021-03-12 15:10:40 -05:00


Overview of StarlingX System Accounts

A brief description of the system accounts available in a system.

Types of System Accounts

  • sysadmin Local Linux Account: This is a local, per-host account created automatically when a new host is provisioned. This account has extended privileges and is used by the system administrator.

  • Local Linux User Accounts: These are local, regular Linux user accounts that are typically used for internal system purposes and generally should not be created by an end user.

    If the administrator wants to provision additional access to the system, it is better to configure local LDAP Linux accounts.

  • Local LDAP Linux User Accounts: StarlingX provides support for Local LDAP Linux User Accounts. Local LDAP accounts are centrally managed; changes to local LDAP accounts made on any host are propagated automatically to all hosts on the cluster.

    StarlingX includes a set of scripts for creating LDAP Linux accounts with support for providing Keystone user account credentials. (The scripts do not create Keystone accounts for you. They allow for sourcing or accessing the Keystone user account credentials.)

    The intended use of these accounts is to provide additional admin-level user accounts (in addition to sysadmin) that can SSH to the StarlingX nodes.

    Note

    For security reasons, it is recommended that ONLY admin-level users be allowed to SSH to the StarlingX nodes. Non-admin-level users should strictly use remote CLIs or remote web GUIs.

    These Local LDAP Linux user accounts can be associated with a Keystone account. You can use the provided scripts to create these Local LDAP Linux user accounts and synchronize them with the credentials of an associated Keystone account, so that the Linux user can leverage StarlingX CLI commands.

  • Kubernetes Service Accounts: StarlingX uses Kubernetes service accounts and policies for authentication and authorization of users of the Kubernetes API, CLI, and Dashboard.

  • Keystone Accounts: StarlingX uses Keystone for authentication and authorization of users of the StarlingX REST APIs, the CLI, the Horizon Web interface and the Local Docker Registry. StarlingX's Keystone uses the default local SQL backend.

  • Remote Windows Active Directory Accounts: StarlingX can optionally be configured to use remote Windows Active Directory accounts and native Kubernetes policies for authentication and authorization of users of the Kubernetes API, CLI, and Dashboard.