STNS pepabo_hatena_tech_con

QZBNB(.01&1"#0JOD ϖύϘɾ͸ͯͳٕज़େձʙΠϯϑϥٕज़ج൫ʙ 45/4

IUUQTUFOTOBQPODPN γχΞɾΤϯδχΞ ࢁԼ࿨඙!QZBNB ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ

-JOVYϢʔβʔ؅ཧ 1.

-JOVYͱ͸ʁ

-JOVYϢʔβʔ؅ཧ w -JOVYͰ͸ϑΝΠϧॴ༗ऀɺݖݶ؅ཧ͕Ϣʔβʔɾάϧʔϓ ΛݩʹߦΘΕΔ w ಛఆͷϢʔβʔݖݶͰίϚϯυΛ࣮ߦ͢Δ4VEPΛ࢝Ίɺ ଟ͘ͷίϚϯυͰϢʔβʔɾάϧʔϓͰ੍ޚ͞Ε͍ͯΔ

-JOVYϢʔβʔ؅ཧ Ұͭͷ8&#αʔϏεͰ΋ ଟ͘ͷ-JOVY͕Քಇ͍ͯ͠Δ

-JOVYϢʔβʔ؅ཧ ؤுΔ͘Μ

͕Μ͹Εͳ͍܅ʁ

-JOVYϢʔβʔ؅ཧ

45/4 w (PMBOH w 5PNMܗࣜͷઃఆϑΝΠϧ w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ

ίϯηϓτ ໊લղܾɺެ։伴औಘɺΞΧ΢ϯτೝূͷΈΛఏڙ ͢Δɻଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ https://github.com/STNS/STNS

-JOVYϢʔβʔάϧʔϓͷ໊લղܾ % ls -ltr -rw-r--r-- 1 pyama wheel 0 May
8 00:09 hatena_pepabo.txt % ls -ltr -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt id:1000 is pyama

ΞʔΩςΫνϟ STNS http(1104) ls libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {
name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε

ઃఆϑΝΠϧαʔό QPSU JODMVEFFUDTUOTDPOGE TBMU@FOBCMFUSVF TUSFUDIJOH@OVNCFS VTFSlCBTJD@VTFS QBTTXPSECBTJD@QBTTXPSE <VTFSTFYBNQMF> JE
HSPVQ@JE LFZT<TTISTB99999ʜ> <HSPVQTFYBNQMF> JE VTFST<FYBNQMF> <TVEPFSTFYBNQMF> QBTTXPSE GEDEBGFBBDBEBCGGCCCDEEDCGB

stns.conf(αʔό) stns.conf user.conf group.conf deploy.conf ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

ઃఆϑΝΠϧΫϥΠΞϯτ api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =
"basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true

ྫ͑͹͜͏͍͏͜ͱ΋ग़དྷΔ process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama { name:pyama, id:
1000, dir:/home/pyama … } Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ

σϓϩΠϢʔβʔͷ ؅ཧ

σϓϩΠϢʔβʔͷ؅ཧ [email protected] [email protected] [email protected] /home/deploy/.ssh/authrized_keys ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

σϓϩΠϢʔβʔͷ؅ཧ ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

σϓϩΠϢʔβʔͷ؅ཧ [users.deploy] id = 1000 group_id = 1000 link_users =
[“foo","bar"] [users.foo] keys = ["ssh-rsa aaa”] [users.bar] keys = ["ssh-rsa bbb"] deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻ग़དྷΔ →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

૊৫ߏ଄Λදݱ͢Δ

૊৫ߏ଄Λදݱ͢Δ ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

૊৫ߏ଄Λදݱ͢Δ [groups.tech] users = ["antipop"] link_groups = [“tech-1"] [groups.tech-1] users
= ["pyama"] pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ ۩ମతͳར༻γʔϯ͸sshd_conﬁgͷAllowGroupsɺ sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

ಋೖ

ಋೖ IUUQTUOTKQ

ಋೖ

ಋೖ w SQN EFCڞʹCJU CJU൛ͷఏڙ SFQPTUOTKQ DVSMGT4-IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTIcTI ZVNJOTUBMMTUOTMJCOTTTUOTMJCQBNTUOT IUUQTHJUIVCDPN45/4TUOTDPPLCPPL
IUUQTHJUIVCDPN45/4QVQQFUTUOT w $IFG 1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ 1VQQFUϚχϑΣετ͸!IGN͕։ൃͯ͘͠Εͨ

ಋೖ Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱ෼ඵ

ಋೖࣄྫ

Ϣʔβʔ؅ཧ΋(JUIVC'MPX (JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞੒͠ɺ1VMM3FRVFTU %SPOFͰࣗಈςετɾਓͷ໨ʹΑΔϨϏϡʔ σϓϩΠ

HFOFSBUFCZUIPS DPOpHZNM UFBNT UFDIBENJO˒(JUIVCͷνʔϜ໊ NVVBENJO NJOOFBENJO LJCBOˑMJOL@HSPVQΛར༻͠૊৫Λ࿈݁ εΫϦϓτͰ৘ใͷऔಘݩΛ()&ʹू໿͢Δ͜ͱʹΑΓɺϢʔβʔ ͷ௥Ճɺ࡟আΛ()&ʹҠৡ͢Δɻ ͦ͏͢Δ͜ͱͰγεςϜ͝ͱͷΞΧ΢ϯτࢄࡏΛ๷͙͜ͱ͕ग़དྷ·
͢ɻ

ӡ༻Πϝʔδ 2.

ӡ༻Πϝʔδ nginx stns nginx stns /HJOYͰ44-Λऴ୺ͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ TUOTDPOGΛσϓϩΠ

ӡ༻Πϝʔδ nginx stns nginx stns αʔόͷTUOTDPOGΛ௚઀ฤू͠ɺ4$1΍STZODͰಉظ

ӡ༻Πϝʔδ ࢖͍౗͢ process libnss-stns libpam-stns query-wrapper key-wrapper FUDEΛར༻͠ɺαʔόϨεͳϢʔβʔ؅ཧ

ͱΓ͋͑ͣ৮ͬͯΈΔ

͜Ε͔ΒϢʔβ؅ཧΛ࢝ΊΔ ΈΜͳ΁ 3.

45/4ϘΫ͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ w ൥ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞ w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍ w ಋೖͷख͕ؒগͳ͍

45/4ͰϢʔβʔ؅ཧΛ ࢝ΊΑ͏

5IBOLZPV

͜͜Ͱঁੑਞ͔Β ࣭໰͕ࡴ౸͢Δ

STNS pepabo_hatena_tech_con

STNS pepabo_hatena_tech_con

More Decks by Kazuhiko Yamashita

Other Decks in Technology

Featured

Transcript