Upgrade to Pro — share decks privately, control downloads, hide ads and more …

STNS pepabo_hatena_tech_con

1b838da2065660793d5b26f2cdc32de7?s=47 Kazuhiko Yamashita
July 09, 2016
Technology
0
4.6k

STNS pepabo_hatena_tech_con

ペパボはてな技術大会福岡編でのシンプルなLinuxユーザー管理システムSTNSの資料です

1b838da2065660793d5b26f2cdc32de7?s=128

Kazuhiko Yamashita

July 09, 2016
Tweet

More Decks by Kazuhiko Yamashita

See All by Kazuhiko Yamashita
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
4
420
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
11
7.5k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
18
4.1k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
9
10k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
2
1.9k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
3
1.2k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
1
1.9k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
0
130
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
0
150

Other Decks in Technology

See All in Technology
Beafdc24782daf082834d6722cc97c8f?s=48 andysumi
0
160
E97091ac0d2c69ce9f9e8a8d0a2ea066?s=48 torisoup
11
6k
0e8fbeb3dc2da3e502483edea80be7d6?s=48 htomine
0
110
56ae61a2631362f985e4c1fa4548a7ac?s=48 yuzutas0
8
3k
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
240
D7df6557c6b98f29ac546911e2b1a4d4?s=48 tnmt
2
240
59fbf50f41bdd0ed0e3bbf27859bf99d?s=48 pg0084
1
130
08672189228a165c14ed8d896f9a4d3a?s=48 akitok_
1
690
9a883e4b99553b96d3ecf5a47aa6f233?s=48 khrd
1
620
3dfba21f12b674371e38d9535e0ea6df?s=48 udonyuya
1
490
8bf5ef27f515041b93d3211571a7ed46?s=48 yasuyukiyamasaki
1
170
2c68dc672293cc3f8a7a57d3af86f15b?s=48 koukyo1994
3
500

Featured

See All Featured
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
79acae287842acf29084005533a7fb3b?s=48 hursman
106
9.3k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
260
11k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
93
14k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
146
19k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
19
1.2k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
107
14k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
86
8.6k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
296
40k
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
145
12k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
242
21k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
329
15k

Transcript

  1. QZBNB(.01&1"#0JOD ϖύϘɾ͸ͯͳٕज़େձʙΠϯϑϥٕज़ج൫ʙ 45/4

  2. IUUQTUFOTOBQPODPN γχΞɾΤϯδχΞ ࢁԼ࿨඙!QZBNB ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ

  3. -JOVYϢʔβʔ؅ཧ 1.

  4. -JOVYͱ͸ʁ

  5. -JOVY

  6. -JOVYϢʔβʔ؅ཧ w -JOVYͰ͸ϑΝΠϧॴ༗ऀɺݖݶ؅ཧ͕Ϣʔβʔɾάϧʔϓ ΛݩʹߦΘΕΔ w ಛఆͷϢʔβʔݖݶͰίϚϯυΛ࣮ߦ͢Δ4VEPΛ࢝Ίɺ ଟ͘ͷίϚϯυͰϢʔβʔɾάϧʔϓͰ੍ޚ͞Ε͍ͯΔ

  7. -JOVYϢʔβʔ؅ཧ Ұͭͷ8&#αʔϏεͰ΋ ଟ͘ͷ-JOVY͕Քಇ͍ͯ͠Δ

  8. -JOVYϢʔβʔ؅ཧ ؤுΔ͘Μ

  9. None

  10. ͕Μ͹Εͳ͍܅ʁ

  11. None

  12. -JOVYϢʔβʔ؅ཧ

  13. 45/4 w (PMBOH w 5PNMܗࣜͷઃఆϑΝΠϧ w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ

  14. ίϯηϓτ ໊લղܾɺެ։伴औಘɺΞΧ΢ϯτೝূͷΈΛఏڙ ͢Δɻଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ https://github.com/STNS/STNS

  15. -JOVYϢʔβʔάϧʔϓͷ໊લղܾ % ls -ltr -rw-r--r-- 1 pyama wheel 0 May

    8 00:09 hatena_pepabo.txt % ls -ltr -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt id:1000 is pyama

  16. ΞʔΩςΫνϟ STNS http(1104) ls libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {

    name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε

  17. ઃఆϑΝΠϧαʔό QPSU JODMVEFFUDTUOTDPOGE  TBMU@FOBCMFUSVF TUSFUDIJOH@OVNCFS VTFSlCBTJD@VTFS QBTTXPSECBTJD@QBTTXPSE <VTFSTFYBNQMF> JE

    HSPVQ@JE LFZT<TTISTB99999ʜ> <HSPVQTFYBNQMF> JE VTFST<FYBNQMF> <TVEPFSTFYBNQMF> QBTTXPSE GEDEBGFBBDBEBCGGCCCDEEDCGB

  18. stns.conf(αʔό) stns.conf user.conf group.conf deploy.conf ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

  19. ઃఆϑΝΠϧΫϥΠΞϯτ api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =

    "basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true

  20. ྫ͑͹͜͏͍͏͜ͱ΋ग़དྷΔ process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama { name:pyama, id:

    1000, dir:/home/pyama … } Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ

  21. σϓϩΠϢʔβʔͷ ؅ཧ

  22. σϓϩΠϢʔβʔͷ؅ཧ deploy@muumuu-domain.com deploy@muumuu-domain.com deploy@muumuu-domain.com /home/deploy/.ssh/authrized_keys ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

  23. σϓϩΠϢʔβʔͷ؅ཧ ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

  24. σϓϩΠϢʔβʔͷ؅ཧ [users.deploy] id = 1000 group_id = 1000 link_users =

    [“foo","bar"] [users.foo] keys = ["ssh-rsa aaa”] [users.bar] keys = ["ssh-rsa bbb"] deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻ग़དྷΔ →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

  25. ૊৫ߏ଄Λදݱ͢Δ

  26. ૊৫ߏ଄Λදݱ͢Δ ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

  27. ૊৫ߏ଄Λදݱ͢Δ [groups.tech] users = ["antipop"] link_groups = [“tech-1"] [groups.tech-1] users

    = ["pyama"] pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ ۩ମతͳར༻γʔϯ͸sshd_configͷAllowGroupsɺ sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

  28. ಋೖ

  29. ಋೖ IUUQTUOTKQ

  30. PTT

  31. ಋೖ

  32. ಋೖ w SQN EFCڞʹCJU CJU൛ͷఏڙ SFQPTUOTKQ  DVSMGT4-IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTIcTI ZVNJOTUBMMTUOTMJCOTTTUOTMJCQBNTUOT IUUQTHJUIVCDPN45/4TUOTDPPLCPPL

    IUUQTHJUIVCDPN45/4QVQQFUTUOT w $IFG 1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ  1VQQFUϚχϑΣετ͸!IGN͕։ൃͯ͘͠Εͨ 

  33. ಋೖ Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱ෼ඵ

  34. ಋೖࣄྫ

  35. Ϣʔβʔ؅ཧ΋(JUIVC'MPX (JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞੒͠ɺ1VMM3FRVFTU %SPOFͰࣗಈςετɾਓͷ໨ʹΑΔϨϏϡʔ σϓϩΠ

  36. HFOFSBUFCZUIPS DPOpHZNM UFBNT UFDIBENJO˒(JUIVCͷνʔϜ໊ NVVBENJO NJOOFBENJO LJCBOˑMJOL@HSPVQΛར༻͠૊৫Λ࿈݁ εΫϦϓτͰ৘ใͷऔಘݩΛ()&ʹू໿͢Δ͜ͱʹΑΓɺϢʔβʔ ͷ௥Ճɺ࡟আΛ()&ʹҠৡ͢Δɻ ͦ͏͢Δ͜ͱͰγεςϜ͝ͱͷΞΧ΢ϯτࢄࡏΛ๷͙͜ͱ͕ग़དྷ·

    ͢ɻ

  37. ӡ༻Πϝʔδ 2.

  38. ӡ༻Πϝʔδ nginx stns nginx stns /HJOYͰ44-Λऴ୺ͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ TUOTDPOGΛσϓϩΠ

  39. ӡ༻Πϝʔδ nginx stns nginx stns αʔόͷTUOTDPOGΛ௚઀ฤू͠ɺ4$1΍STZODͰಉظ

  40. ӡ༻Πϝʔδ ࢖͍౗͢ process libnss-stns libpam-stns query-wrapper key-wrapper FUDEΛར༻͠ɺαʔόϨεͳϢʔβʔ؅ཧ

  41. ͱΓ͋͑ͣ৮ͬͯΈΔ

  42. ͜Ε͔ΒϢʔβ؅ཧΛ࢝ΊΔ ΈΜͳ΁ 3.

  43. 45/4ϘΫ͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ w ൥ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞ w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍ w ಋೖͷख͕ؒগͳ͍

  44. 45/4ͰϢʔβʔ؅ཧΛ ࢝ΊΑ͏

  45. 5IBOLZPV

  46. ͜͜Ͱঁੑਞ͔Β ࣭໰͕ࡴ౸͢Δ