Slide 1
Slide 1 text
QZBNB(.01&1"#0JOD
ϖύϘɾͯͳٕज़େձʙΠϯϑϥٕज़ج൫ʙ
45/4
Slide 2
Slide 2 text
IUUQTUFOTOBQPODPN
γχΞɾΤϯδχΞ
ࢁԼ!QZBNB
ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ
Slide 3
Slide 3 text
-JOVYϢʔβʔཧ
1.
Slide 4
Slide 4 text
-JOVYͱʁ
Slide 5
Slide 5 text
-JOVY
Slide 6
Slide 6 text
-JOVYϢʔβʔཧ
w -JOVYͰϑΝΠϧॴ༗ऀɺݖݶཧ͕Ϣʔβʔɾάϧʔϓ
ΛݩʹߦΘΕΔ
w ಛఆͷϢʔβʔݖݶͰίϚϯυΛ࣮ߦ͢Δ4VEPΛ࢝Ίɺ
ଟ͘ͷίϚϯυͰϢʔβʔɾάϧʔϓͰ੍ޚ͞Ε͍ͯΔ
Slide 7
Slide 7 text
-JOVYϢʔβʔཧ
Ұͭͷ8αʔϏεͰ
ଟ͘ͷ-JOVY͕Քಇ͍ͯ͠Δ
Slide 8
Slide 8 text
-JOVYϢʔβʔཧ
ؤுΔ͘Μ
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
͕ΜΕͳ͍܅ʁ
Slide 11
Slide 11 text
No content
Slide 12
Slide 12 text
-JOVYϢʔβʔཧ
Slide 13
Slide 13 text
45/4
w (PMBOH
w 5PNMܗࣜͷઃఆϑΝΠϧ
w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ
w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ
Slide 14
Slide 14 text
ίϯηϓτ
໊લղܾɺެ։伴औಘɺΞΧϯτೝূͷΈΛఏڙ
͢Δɻଟ͘ΛΒͣɺγϯϓϧʹอͭ͜ͱͰཧɺ
Έ߹ΘͤΛ༰қʹɻ
https://github.com/STNS/STNS
Slide 15
Slide 15 text
-JOVYϢʔβʔάϧʔϓͷ໊લղܾ
% ls -ltr
-rw-r--r-- 1 pyama wheel 0 May 8 00:09 hatena_pepabo.txt
% ls -ltr
-rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt
id:1000 is pyama
Slide 16
Slide 16 text
ΞʔΩςΫνϟ
STNS
http(1104)
ls
libnss-stns
libpam-stns
query-wrapper
key-wrapper
/user/name/pyama
{
name:pyama,
id: 1000,
dir:/home/pyama
…
}
αʔόɾΫϥΠΞϯτؒhttpΛར༻ͨ͠
JSONܗࣜͷΠϯλʔϑΣʔε
Slide 17
Slide 17 text
ઃఆϑΝΠϧαʔό
QPSU
JODMVEFFUDTUOTDPOGE
TBMU@FOBCMFUSVF
TUSFUDIJOH@OVNCFS
VTFSlCBTJD@VTFS
QBTTXPSECBTJD@QBTTXPSE
JE
HSPVQ@JE
LFZT<TTISTB99999ʜ>
JE
VTFST<FYBNQMF>
QBTTXPSE
GEDEBGFBBDBEBCGGCCCDEEDCGB
Slide 18
Slide 18 text
stns.conf(αʔό)
stns.conf user.conf
group.conf
deploy.conf
ෳͷઃఆϑΝΠϧʹׂ͠ɺ
ׂ৫͝ͱʹཧ͢ΔͱΑ͍
Slide 19
Slide 19 text
ઃఆϑΝΠϧΫϥΠΞϯτ
api_end_point = ["http://:1104", "http://:1104"]
user = "basic_user"
password = "basic_password"
wrapper_path = "/usr/local/bin/stns-query-wrapper"
chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
ssl_verify = true
Slide 20
Slide 20 text
ྫ͑͜͏͍͏͜ͱग़དྷΔ
process
libnss-stns
libpam-stns
query-wrapper
key-wrapper
/user/name/pyama
{
name:pyama,
id: 1000,
dir:/home/pyama
…
}
LinuxϓϩηεͱͷΓऔΓSTNSΛར༻͠ɺ
ϢʔβʔใRailsͰཧ͢Δ
Slide 21
Slide 21 text
σϓϩΠϢʔβʔͷ
ཧ
Slide 22
Slide 22 text
σϓϩΠϢʔβʔͷཧ
[email protected]
[email protected]
[email protected]
/home/deploy/.ssh/authrized_keys
ʹ֤Ϣʔβʔͷެ։伴Λొ
Slide 23
Slide 23 text
σϓϩΠϢʔβʔͷཧ
ࡢࠓͷWebαʔϏεͰσϓϩΠઐ༻ϢʔβʔΛઃ
͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ
͔͠͠ɺطଘͷΈͰ࣮ݱ͢ΔʹσϓϩΠϢʔ
βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ
βʔͷެ։伴ΛฒͨΓ͢Δඞཁ͕͋ͬͨ
Slide 24
Slide 24 text
σϓϩΠϢʔβʔͷཧ
[users.deploy]
id = 1000
group_id = 1000
link_users = [“foo","bar"]
[users.foo]
keys = ["ssh-rsa aaa”]
[users.bar]
keys = ["ssh-rsa bbb"]
deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ
ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻ग़དྷΔ
→authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ
ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұྎવ
Slide 25
Slide 25 text
৫ߏΛදݱ͢Δ
Slide 26
Slide 26 text
৫ߏΛදݱ͢Δ
ྫ͑ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔɺٕज़෦ͷϢʔ
βʔͰ͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔϩά
Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ
Slide 27
Slide 27 text
৫ߏΛදݱ͢Δ
[groups.tech]
users = ["antipop"]
link_groups = [“tech-1"]
[groups.tech-1]
users = ["pyama"]
pyamatech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ
۩ମతͳར༻γʔϯsshd_configͷAllowGroupsɺ
sudoersͳͲɺάϧʔϓͰཧ͢Δ߹ʹศརɻ
Slide 28
Slide 28 text
ಋೖ
Slide 29
Slide 29 text
ಋೖ
IUUQTUOTKQ
Slide 30
Slide 30 text
PTT
Slide 31
Slide 31 text
ಋೖ
Slide 32
Slide 32 text
ಋೖ
w SQN
EFCڞʹCJU
CJU൛ͷఏڙ SFQPTUOTKQ
DVSMGT4-IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTIcTI
ZVNJOTUBMMTUOTMJCOTTTUOTMJCQBNTUOT
IUUQTHJUIVCDPN45/4TUOTDPPLCPPL
IUUQTHJUIVCDPN45/4QVQQFUTUOT
w $IFG
1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ
1VQQFUϚχϑΣετ!IGN͕։ൃͯ͘͠Εͨ
Slide 33
Slide 33 text
ಋೖ
Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱඵ
Slide 34
Slide 34 text
ಋೖࣄྫ
Slide 35
Slide 35 text
Ϣʔβʔཧ(JUIVC'MPX
(JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞͠ɺ1VMM3FRVFTU
%SPOFͰࣗಈςετɾਓͷʹΑΔϨϏϡʔ
σϓϩΠ
Slide 36
Slide 36 text
HFOFSBUFCZUIPS
DPOpHZNM
UFBNT
UFDIBENJO˒(JUIVCͷνʔϜ໊
NVVBENJO
NJOOFBENJO
LJCBOˑMJOL@HSPVQΛར༻͠৫Λ࿈݁
εΫϦϓτͰใͷऔಘݩΛ()&ʹू͢Δ͜ͱʹΑΓɺϢʔβʔ
ͷՃɺআΛ()&ʹҠৡ͢Δɻ
ͦ͏͢Δ͜ͱͰγεςϜ͝ͱͷΞΧϯτࢄࡏΛ͙͜ͱ͕ग़དྷ·
͢ɻ
Slide 37
Slide 37 text
ӡ༻Πϝʔδ
2.
Slide 38
Slide 38 text
ӡ༻Πϝʔδ
nginx
stns
nginx
stns
/HJOYͰ44-Λऴͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ
TUOTDPOGΛσϓϩΠ
Slide 39
Slide 39 text
ӡ༻Πϝʔδ
nginx
stns
nginx
stns
αʔόͷTUOTDPOGΛฤू͠ɺ4$1STZODͰಉظ
Slide 40
Slide 40 text
ӡ༻Πϝʔδ ͍͢
process
libnss-stns
libpam-stns
query-wrapper
key-wrapper
FUDEΛར༻͠ɺαʔόϨεͳϢʔβʔཧ
Slide 41
Slide 41 text
ͱΓ͋͑ͣ৮ͬͯΈΔ
Slide 42
Slide 42 text
͜Ε͔ΒϢʔβཧΛ࢝ΊΔ
ΈΜͳ
3.
Slide 43
Slide 43 text
45/4ϘΫ͕։ൃऀͩͬͨ͠΄͏͕͍͍
w ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞
w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍
w ಋೖͷख͕ؒগͳ͍
Slide 44
Slide 44 text
45/4ͰϢʔβʔཧΛ
࢝ΊΑ͏
Slide 45
Slide 45 text
5IBOLZPV
Slide 46
Slide 46 text
͜͜Ͱঁੑਞ͔Β
࣭͕ࡴ౸͢Δ