STNS pepabo_hatena_tech_con

1b838da2065660793d5b26f2cdc32de7?s=47 Kazuhiko Yamashita
July 09, 2016
Technology
0
4.5k

STNS pepabo_hatena_tech_con

ペパボはてな技術大会福岡編でのシンプルなLinuxユーザー管理システムSTNSの資料です

1b838da2065660793d5b26f2cdc32de7?s=128

Kazuhiko Yamashita

July 09, 2016
Tweet

More Decks by Kazuhiko Yamashita

See All by Kazuhiko Yamashita
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
11
7.1k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
18
3.9k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
9
9.5k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
2
1.8k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
3
1.1k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
1
1.7k
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
0
120
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
0
120
1b838da2065660793d5b26f2cdc32de7?s=48 pyama86
2
1.1k

Other Decks in Technology

See All in Technology
B1dca90d4b3ffd2ccd918774e1ba170d?s=48 hmatsu47
3
1.2k
921515dc03f89bafe3d8f5d0b3ca0b74?s=48 mmarukaw
0
600
25325b405f9ca72c4c8024727c41cb98?s=48 hisayuki
1
280
B29f42636a5f1249b640473d49aa4514?s=48 linedevth
1
150
A35557d139d8d53246763a01ec847a3f?s=48 kichiemon
3
370
74948d1118cd84528f7861a3069dd8d9?s=48 qryuu
8
2.4k
7a0bc9670ff654b04d4361a9afd1bba8?s=48 hcrane
18
1.7k
467edb2e221a47426f19405f53aa51ca?s=48 nakaly
5
2.6k
0e742980c48d689f31700b208f22fd5a?s=48 k_koheyi
3
420
2cf373725ded741824c50fd571eda6e1?s=48 udzura
14
6.5k
6f36ff3943be908c5d2259f4aef09ea6?s=48 rela1470
1
540
0ced4f52ccc9e9b2644b4dd7f475e545?s=48 kkojima
1
210

Featured

See All Featured
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
236
23k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
165
6.8k
Ba530e786553390f3fb271848485681c?s=48 3n
160
22k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
66
250k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
91
2.8k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
296
39k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
220
14k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
83
4.6k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
184
14k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
37
2.2k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
142
19k

Transcript

  1. QZBNB(.01&1"#0JOD ϖύϘɾ͸ͯͳٕज़େձʙΠϯϑϥٕज़ج൫ʙ 45/4

  2. IUUQTUFOTOBQPODPN γχΞɾΤϯδχΞ ࢁԼ࿨඙!QZBNB ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ

  3. -JOVYϢʔβʔ؅ཧ 1.

  4. -JOVYͱ͸ʁ

  5. -JOVY

  6. -JOVYϢʔβʔ؅ཧ w -JOVYͰ͸ϑΝΠϧॴ༗ऀɺݖݶ؅ཧ͕Ϣʔβʔɾάϧʔϓ ΛݩʹߦΘΕΔ w ಛఆͷϢʔβʔݖݶͰίϚϯυΛ࣮ߦ͢Δ4VEPΛ࢝Ίɺ ଟ͘ͷίϚϯυͰϢʔβʔɾάϧʔϓͰ੍ޚ͞Ε͍ͯΔ

  7. -JOVYϢʔβʔ؅ཧ Ұͭͷ8&#αʔϏεͰ΋ ଟ͘ͷ-JOVY͕Քಇ͍ͯ͠Δ

  8. -JOVYϢʔβʔ؅ཧ ؤுΔ͘Μ

  9. None

  10. ͕Μ͹Εͳ͍܅ʁ

  11. None

  12. -JOVYϢʔβʔ؅ཧ

  13. 45/4 w (PMBOH w 5PNMܗࣜͷઃఆϑΝΠϧ w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ

  14. ίϯηϓτ ໊લղܾɺެ։伴औಘɺΞΧ΢ϯτೝূͷΈΛఏڙ ͢Δɻଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ https://github.com/STNS/STNS

  15. -JOVYϢʔβʔάϧʔϓͷ໊લղܾ % ls -ltr -rw-r--r-- 1 pyama wheel 0 May

    8 00:09 hatena_pepabo.txt % ls -ltr -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt id:1000 is pyama

  16. ΞʔΩςΫνϟ STNS http(1104) ls libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {

    name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε

  17. ઃఆϑΝΠϧαʔό QPSU JODMVEFFUDTUOTDPOGE  TBMU@FOBCMFUSVF TUSFUDIJOH@OVNCFS VTFSlCBTJD@VTFS QBTTXPSECBTJD@QBTTXPSE <VTFSTFYBNQMF> JE

    HSPVQ@JE LFZT<TTISTB99999ʜ> <HSPVQTFYBNQMF> JE VTFST<FYBNQMF> <TVEPFSTFYBNQMF> QBTTXPSE GEDEBGFBBDBEBCGGCCCDEEDCGB

  18. stns.conf(αʔό) stns.conf user.conf group.conf deploy.conf ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

  19. ઃఆϑΝΠϧΫϥΠΞϯτ api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =

    "basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true

  20. ྫ͑͹͜͏͍͏͜ͱ΋ग़དྷΔ process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama { name:pyama, id:

    1000, dir:/home/pyama … } Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ

  21. σϓϩΠϢʔβʔͷ ؅ཧ

  22. σϓϩΠϢʔβʔͷ؅ཧ deploy@muumuu-domain.com deploy@muumuu-domain.com deploy@muumuu-domain.com /home/deploy/.ssh/authrized_keys ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

  23. σϓϩΠϢʔβʔͷ؅ཧ ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

  24. σϓϩΠϢʔβʔͷ؅ཧ [users.deploy] id = 1000 group_id = 1000 link_users =

    [“foo","bar"] [users.foo] keys = ["ssh-rsa aaa”] [users.bar] keys = ["ssh-rsa bbb"] deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻ग़དྷΔ →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

  25. ૊৫ߏ଄Λදݱ͢Δ

  26. ૊৫ߏ଄Λදݱ͢Δ ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

  27. ૊৫ߏ଄Λදݱ͢Δ [groups.tech] users = ["antipop"] link_groups = [“tech-1"] [groups.tech-1] users

    = ["pyama"] pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ ۩ମతͳར༻γʔϯ͸sshd_configͷAllowGroupsɺ sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

  28. ಋೖ

  29. ಋೖ IUUQTUOTKQ

  30. PTT

  31. ಋೖ

  32. ಋೖ w SQN EFCڞʹCJU CJU൛ͷఏڙ SFQPTUOTKQ  DVSMGT4-IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTIcTI ZVNJOTUBMMTUOTMJCOTTTUOTMJCQBNTUOT IUUQTHJUIVCDPN45/4TUOTDPPLCPPL

    IUUQTHJUIVCDPN45/4QVQQFUTUOT w $IFG 1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ  1VQQFUϚχϑΣετ͸!IGN͕։ൃͯ͘͠Εͨ 

  33. ಋೖ Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱ෼ඵ

  34. ಋೖࣄྫ

  35. Ϣʔβʔ؅ཧ΋(JUIVC'MPX (JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞੒͠ɺ1VMM3FRVFTU %SPOFͰࣗಈςετɾਓͷ໨ʹΑΔϨϏϡʔ σϓϩΠ

  36. HFOFSBUFCZUIPS DPOpHZNM UFBNT UFDIBENJO˒(JUIVCͷνʔϜ໊ NVVBENJO NJOOFBENJO LJCBOˑMJOL@HSPVQΛར༻͠૊৫Λ࿈݁ εΫϦϓτͰ৘ใͷऔಘݩΛ()&ʹू໿͢Δ͜ͱʹΑΓɺϢʔβʔ ͷ௥Ճɺ࡟আΛ()&ʹҠৡ͢Δɻ ͦ͏͢Δ͜ͱͰγεςϜ͝ͱͷΞΧ΢ϯτࢄࡏΛ๷͙͜ͱ͕ग़དྷ·

    ͢ɻ

  37. ӡ༻Πϝʔδ 2.

  38. ӡ༻Πϝʔδ nginx stns nginx stns /HJOYͰ44-Λऴ୺ͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ TUOTDPOGΛσϓϩΠ

  39. ӡ༻Πϝʔδ nginx stns nginx stns αʔόͷTUOTDPOGΛ௚઀ฤू͠ɺ4$1΍STZODͰಉظ

  40. ӡ༻Πϝʔδ ࢖͍౗͢ process libnss-stns libpam-stns query-wrapper key-wrapper FUDEΛར༻͠ɺαʔόϨεͳϢʔβʔ؅ཧ

  41. ͱΓ͋͑ͣ৮ͬͯΈΔ

  42. ͜Ε͔ΒϢʔβ؅ཧΛ࢝ΊΔ ΈΜͳ΁ 3.

  43. 45/4ϘΫ͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ w ൥ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞ w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍ w ಋೖͷख͕ؒগͳ͍

  44. 45/4ͰϢʔβʔ؅ཧΛ ࢝ΊΑ͏

  45. 5IBOLZPV

  46. ͜͜Ͱঁੑਞ͔Β ࣭໰͕ࡴ౸͢Δ