Pro Yearly is on sale from $80 to $50! »

STNS pepabo_hatena_tech_con

1b838da2065660793d5b26f2cdc32de7?s=47 Kazuhiko Yamashita
July 09, 2016
Technology
0
4.6k

STNS pepabo_hatena_tech_con

ペパボはてな技術大会福岡編でのシンプルなLinuxユーザー管理システムSTNSの資料です

1b838da2065660793d5b26f2cdc32de7?s=128

Kazuhiko Yamashita

July 09, 2016
Tweet

More Decks by Kazuhiko Yamashita

See All by Kazuhiko Yamashita
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
11
7.3k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
18
4k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
9
9.8k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
2
1.9k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
3
1.2k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
1
1.8k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
0
120
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
0
140
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
2
1.2k

Other Decks in Technology

See All in Technology
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
1k
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
140
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
270
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
120
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
110
5ad0bb268dd2605b09165d464308cb7e?s=48 igaiga
4
870
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
180
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
130
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
190
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
390
C9ab1175a6981a2f67ce8d08aa17c15a?s=48 mpilquist
0
210
7cd783377515bdf8207062840b7b2f4e?s=48 soracom
0
170

Featured

See All Featured
E13c31390e0369fcd5972292ce0e7b92?s=48 jnunemaker
PRO
40
4.5k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
116
4.8k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
55
9.3k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
87
3.3k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
683
180k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
16
580
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
125
20k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
773
190k
11c84dff30266b907714802088852677?s=48 jasonvnalue
82
8k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
92
2.9k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.3k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
92
13k

Transcript

  1. QZBNB(.01&1"#0JOD ϖύϘɾ͸ͯͳٕज़େձʙΠϯϑϥٕज़ج൫ʙ 45/4

  2. IUUQTUFOTOBQPODPN γχΞɾΤϯδχΞ ࢁԼ࿨඙!QZBNB ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ

  3. -JOVYϢʔβʔ؅ཧ 1.

  4. -JOVYͱ͸ʁ

  5. -JOVY

  6. -JOVYϢʔβʔ؅ཧ w -JOVYͰ͸ϑΝΠϧॴ༗ऀɺݖݶ؅ཧ͕Ϣʔβʔɾάϧʔϓ ΛݩʹߦΘΕΔ w ಛఆͷϢʔβʔݖݶͰίϚϯυΛ࣮ߦ͢Δ4VEPΛ࢝Ίɺ ଟ͘ͷίϚϯυͰϢʔβʔɾάϧʔϓͰ੍ޚ͞Ε͍ͯΔ

  7. -JOVYϢʔβʔ؅ཧ Ұͭͷ8&#αʔϏεͰ΋ ଟ͘ͷ-JOVY͕Քಇ͍ͯ͠Δ

  8. -JOVYϢʔβʔ؅ཧ ؤுΔ͘Μ

  9. None

  10. ͕Μ͹Εͳ͍܅ʁ

  11. None

  12. -JOVYϢʔβʔ؅ཧ

  13. 45/4 w (PMBOH w 5PNMܗࣜͷઃఆϑΝΠϧ w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ

  14. ίϯηϓτ ໊લղܾɺެ։伴औಘɺΞΧ΢ϯτೝূͷΈΛఏڙ ͢Δɻଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ https://github.com/STNS/STNS

  15. -JOVYϢʔβʔάϧʔϓͷ໊લղܾ % ls -ltr -rw-r--r-- 1 pyama wheel 0 May

    8 00:09 hatena_pepabo.txt % ls -ltr -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt id:1000 is pyama

  16. ΞʔΩςΫνϟ STNS http(1104) ls libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {

    name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε

  17. ઃఆϑΝΠϧαʔό QPSU JODMVEFFUDTUOTDPOGE  TBMU@FOBCMFUSVF TUSFUDIJOH@OVNCFS VTFSlCBTJD@VTFS QBTTXPSECBTJD@QBTTXPSE <VTFSTFYBNQMF> JE

    HSPVQ@JE LFZT<TTISTB99999ʜ> <HSPVQTFYBNQMF> JE VTFST<FYBNQMF> <TVEPFSTFYBNQMF> QBTTXPSE GEDEBGFBBDBEBCGGCCCDEEDCGB

  18. stns.conf(αʔό) stns.conf user.conf group.conf deploy.conf ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

  19. ઃఆϑΝΠϧΫϥΠΞϯτ api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =

    "basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true

  20. ྫ͑͹͜͏͍͏͜ͱ΋ग़དྷΔ process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama { name:pyama, id:

    1000, dir:/home/pyama … } Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ

  21. σϓϩΠϢʔβʔͷ ؅ཧ

  22. σϓϩΠϢʔβʔͷ؅ཧ deploy@muumuu-domain.com deploy@muumuu-domain.com deploy@muumuu-domain.com /home/deploy/.ssh/authrized_keys ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

  23. σϓϩΠϢʔβʔͷ؅ཧ ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

  24. σϓϩΠϢʔβʔͷ؅ཧ [users.deploy] id = 1000 group_id = 1000 link_users =

    [“foo","bar"] [users.foo] keys = ["ssh-rsa aaa”] [users.bar] keys = ["ssh-rsa bbb"] deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻ग़དྷΔ →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

  25. ૊৫ߏ଄Λදݱ͢Δ

  26. ૊৫ߏ଄Λදݱ͢Δ ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

  27. ૊৫ߏ଄Λදݱ͢Δ [groups.tech] users = ["antipop"] link_groups = [“tech-1"] [groups.tech-1] users

    = ["pyama"] pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ ۩ମతͳར༻γʔϯ͸sshd_configͷAllowGroupsɺ sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

  28. ಋೖ

  29. ಋೖ IUUQTUOTKQ

  30. PTT

  31. ಋೖ

  32. ಋೖ w SQN EFCڞʹCJU CJU൛ͷఏڙ SFQPTUOTKQ  DVSMGT4-IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTIcTI ZVNJOTUBMMTUOTMJCOTTTUOTMJCQBNTUOT IUUQTHJUIVCDPN45/4TUOTDPPLCPPL

    IUUQTHJUIVCDPN45/4QVQQFUTUOT w $IFG 1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ  1VQQFUϚχϑΣετ͸!IGN͕։ൃͯ͘͠Εͨ 

  33. ಋೖ Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱ෼ඵ

  34. ಋೖࣄྫ

  35. Ϣʔβʔ؅ཧ΋(JUIVC'MPX (JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞੒͠ɺ1VMM3FRVFTU %SPOFͰࣗಈςετɾਓͷ໨ʹΑΔϨϏϡʔ σϓϩΠ

  36. HFOFSBUFCZUIPS DPOpHZNM UFBNT UFDIBENJO˒(JUIVCͷνʔϜ໊ NVVBENJO NJOOFBENJO LJCBOˑMJOL@HSPVQΛར༻͠૊৫Λ࿈݁ εΫϦϓτͰ৘ใͷऔಘݩΛ()&ʹू໿͢Δ͜ͱʹΑΓɺϢʔβʔ ͷ௥Ճɺ࡟আΛ()&ʹҠৡ͢Δɻ ͦ͏͢Δ͜ͱͰγεςϜ͝ͱͷΞΧ΢ϯτࢄࡏΛ๷͙͜ͱ͕ग़དྷ·

    ͢ɻ

  37. ӡ༻Πϝʔδ 2.

  38. ӡ༻Πϝʔδ nginx stns nginx stns /HJOYͰ44-Λऴ୺ͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ TUOTDPOGΛσϓϩΠ

  39. ӡ༻Πϝʔδ nginx stns nginx stns αʔόͷTUOTDPOGΛ௚઀ฤू͠ɺ4$1΍STZODͰಉظ

  40. ӡ༻Πϝʔδ ࢖͍౗͢ process libnss-stns libpam-stns query-wrapper key-wrapper FUDEΛར༻͠ɺαʔόϨεͳϢʔβʔ؅ཧ

  41. ͱΓ͋͑ͣ৮ͬͯΈΔ

  42. ͜Ε͔ΒϢʔβ؅ཧΛ࢝ΊΔ ΈΜͳ΁ 3.

  43. 45/4ϘΫ͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ w ൥ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞ w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍ w ಋೖͷख͕ؒগͳ͍

  44. 45/4ͰϢʔβʔ؅ཧΛ ࢝ΊΑ͏

  45. 5IBOLZPV

  46. ͜͜Ͱঁੑਞ͔Β ࣭໰͕ࡴ౸͢Δ