
STNS pepabo_hatena_tech_con

Slides on STNS, a simple Linux user management system, presented at the Pepabo-Hatena Tech Conference, Fukuoka edition.

Kazuhiko Yamashita

July 09, 2016


Transcript

  1. pyama, GMO PEPABO inc.
    Pepabo-Hatena Tech Conference: Infrastructure Technology Platform
    STNS

  2. https://ten-snapon.com
    Senior Engineer
    Kazuhiko Yamashita @pyama
    Hosting Division, Muumuu Domain Team

  3. Linux user management
    1.

  4. What is Linux?

  5. Linux

  6. Linux user management
    • On Linux, file ownership and permission management are based on users and groups
    • Starting with sudo, which runs commands with a specific user's privileges, many commands are controlled by user and group

  7. Linux user management
    Even a single web service runs many Linux hosts

  8. Linux user management
    Ganbaru-kun (Mr. Hard-Worker)

  9. (image-only slide)

  10. And you, who can't keep this up?

  11. (image-only slide)

  12. Linux user management

  13. STNS
    • Written in Go
    • TOML-format configuration files
    • Server and client with a JSON interface
    • Wrappers can be replaced freely (pluggable)

  14. Concept
    Provides only name resolution, public key retrieval and account authentication.
    By not doing much and staying simple, it is easy to manage and to combine with other tools.
    https://github.com/STNS/STNS

  15. Name resolution for Linux users and groups
    % ls -ltr
    -rw-r--r-- 1 pyama wheel 0 May 8 00:09 hatena_pepabo.txt
    % ls -ltr
    -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt
    id:1000 is pyama
    (when the name cannot be resolved, ls shows the raw uid and gid)

  16. Architecture
    STNS server ⇄ http (1104) ⇄ client: ls → libnss-stns / libpam-stns → query-wrapper / key-wrapper
    /user/name/pyama → { name: pyama, id: 1000, dir: /home/pyama }
    Between server and client is a JSON-format interface over HTTP

  17. Configuration file (server)
    The TOML on this slide is garbled in the transcript (digits, punctuation and the table headers were lost). The recoverable fragments, in order: port, include (/etc/stns/conf.d), a user table with id and keys = ["ssh-rsa XXXXX…"], a group table with id and users = ["example"], and a password hash.

  18. stns.conf (server)
    stns.conf, user.conf, group.conf, deploy.conf
    Split the configuration into several files and manage them per role or organization

  19. Configuration file (client)
    api_end_point = ["http://:1104", "http://:1104"]
    user = "basic_user"
    password = "basic_password"
    wrapper_path = "/usr/local/bin/stns-query-wrapper"
    chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
    ssl_verify = true

  20. For example, you can also do this
    process → libnss-stns / libpam-stns → query-wrapper / key-wrapper
    /user/name/pyama → { name: pyama, id: 1000, dir: /home/pyama }
    Interaction with Linux processes goes through STNS, while the user information itself is managed in Rails

  21. Managing the deploy user

  22. Managing the deploy user
    (three user e-mail addresses, mangled in the transcript)
    Each user's public key is registered in /home/deploy/.ssh/authorized_keys

  23. Managing the deploy user
    Web services today often deploy through a dedicated deploy user.
    With the existing mechanisms, however, this meant listing the public keys of every user who deploys in the deploy user's ~/.ssh/authorized_keys.

  24. Managing the deploy user
    [users.deploy]
    id = 1000
    group_id = 1000
    link_users = ["foo", "bar"]
    [users.foo]
    keys = ["ssh-rsa aaa"]
    [users.bar]
    keys = ["ssh-rsa bbb"]
    When logging in via SSH as the deploy user, the public keys of the users named in link_users can be used.
    → Nothing has to be written to authorized_keys, and it is obvious at a glance who can deploy.

  25. Expressing the organizational structure

  26. Expressing the organizational structure
    For example, a user who belongs to Engineering Section 1 is also a user of the Engineering Department. We want every user of the Engineering Department to be able to log in to a certain server.

  27. Expressing the organizational structure
    [groups.tech]
    users = ["antipop"]
    link_groups = ["tech-1"]
    [groups.tech-1]
    users = ["pyama"]
    pyama belongs to tech-1 and is therefore also a user of tech.
    Concrete use cases: convenient wherever access is managed by group, such as AllowGroups in sshd_config or sudoers.

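As an added example (not the project's own code), the following Python resolves the two constructs shown on slides 24 and 27, link_users and link_groups, from a constructed config; the small TOML-subset parser is mine, and following link_groups transitively with a cycle guard is an assumption that goes beyond the single-level example on the slide.

```python
import re
# Constructed sample stns.conf, mirroring slides 24 and 27 of the deck.
CONFIG = """
[users.deploy]
link_users = ["foo", "bar"]
[users.foo]
keys = ["ssh-rsa aaa"]
[users.bar]
keys = ["ssh-rsa bbb"]
[groups.tech]
users = ["antipop"]
link_groups = ["tech-1"]
[groups.tech-1]
users = ["pyama"]
"""

def parse(text):
    # Only the TOML subset used on the slides: [kind.name] tables, quoted
    # strings and arrays of quoted strings (no ints, nesting or escapes).
    cfg, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"\[(\w+)\.([\w-]+)\]", line)
        if m:  # start of a [users.x] or [groups.x] table
            section = cfg.setdefault(m.group(1), {}).setdefault(m.group(2), {})
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        if raw.startswith("["):
            section[key.strip()] = re.findall(r'"([^"]*)"', raw)
        else:
            section[key.strip()] = raw.strip('"')
    return cfg

def authorized_keys(cfg, user):
    # Keys accepted for SSH login as `user`: its own plus those of its link_users.
    names = [user] + cfg["users"][user].get("link_users", [])
    return [k for n in names for k in cfg["users"].get(n, {}).get("keys", [])]

def group_members(cfg, group, seen=None):
    # Members of `group` plus those of its link_groups, followed transitively;
    # `seen` stops a link_groups cycle from recursing forever (my assumption).
    seen = set() if seen is None else seen
    if group in seen or group not in cfg["groups"]:
        return []
    seen.add(group)
    entry = cfg["groups"][group]
    members = list(entry.get("users", []))
    for linked in entry.get("link_groups", []):
        members += [u for u in group_members(cfg, linked, seen) if u not in members]
    return members
```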
  28. Installation

  29. Installation
    https://stns.jp

  30. OSS

  31. Installation

  32. Installation
    • rpm and deb packages, both 32-bit and 64-bit builds (repo.stns.jp)
      curl -fsSL https://repo.stns.jp/scripts/yum-repo.sh | sh
      yum install stns libnss-stns libpam-stns
    • A Chef cookbook and a Puppet manifest are provided
      https://github.com/STNS/stns-cookbook
      https://github.com/STNS/puppet-stns
      The Puppet manifest was developed by @hfm

  33. Installation
    From installation to SSH public key authentication in N minutes M seconds (the digits are lost in the transcript)

  34. Case study

  35. User management with GitHub Flow, too
    Create the user data from GitHub Enterprise and open a Pull Request
    Automated tests on Drone plus human review
    Deploy

  36. generate by thor
    config.yml
      teams:
        tech-admin  ☆ GitHub team names
        muu-admin
        minne-admin
        kiban       ★ organizations are linked together (the TOML key used is mangled in the transcript)
    By consolidating the source of information in GHE with a script, adding and removing users is delegated to GHE.
    This prevents accounts from being scattered across individual systems.

  37. Operational model
    2.

  38. Operational model
    nginx → stns, nginx → stns
    Terminate SSL at Nginx and deploy stns.conf with a deploy tool such as Capistrano

  39. Operational model
    nginx → stns, nginx → stns
    Edit stns.conf on the server directly and synchronize it with SCP or rsync

  40. Operational model: pushing it further
    process → libnss-stns / libpam-stns → query-wrapper / key-wrapper
    Use etcd for serverless user management

  41. Just try it out first

  42. To everyone about to start managing users
    3.

  43. STNS: I'm the developer, so you'd better use it
    • Thorough simplicity that resists becoming complicated
    • High extensibility precisely because it is simple
    • Little effort to adopt

  44. Let's start managing users with STNS

  45. Thank you

  46. At this point, questions come flooding in from the women in the audience