authorCraig Anderson <craig.anderson@att.com>2018-03-15 06:13:56 +0000
committerCraig Anderson <craig.anderson@att.com>2018-03-16 23:30:27 +0000
commit9e7028416e8b6798c1b2bf04770bd165e398b5c1 (patch)
treee348fc8af461d389dfb7ff9342cd680d9484f2f9
parentb4c7160aa67490175f90204828f5baf80a59fdfd (diff)
[US367408] Add support for user & ssh key mgmt
-rw-r--r--Makefile8
-rw-r--r--divingbell/templates/bin/_uamlite.sh.tpl181
-rw-r--r--divingbell/templates/configmap-uamlite.yaml30
-rw-r--r--divingbell/templates/daemonset-uamlite.yaml65
-rwxr-xr-xdivingbell/tools/gate/test.sh171
-rw-r--r--docs/source/index.rst16
6 files changed, 461 insertions, 10 deletions
diff --git a/Makefile b/Makefile
index aa86e6f..be00a53 100644
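--- a/Makefile
+++ b/Makefile
@@ -15,8 +15,9 @@
 HELM := helm
 TASK := build
 
-EXCLUDES := helm-toolkit doc tests tools logs
+EXCLUDES := helm-toolkit docs tests tools logs
 CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+CHART := divingbell
 
 all: $(CHARTS)
 
@@ -42,3 +43,8 @@ clean:
  rm -rf */templates/_globals.tpl
 
 .PHONY: $(EXCLUDES) $(CHARTS)
+
+.PHONY: charts
+charts: clean
+ $(HELM) dep up $(CHART)
+ $(HELM) package $(CHART)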
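Review bot: `charts: clean` (new lines 47–50) makes `clean` an ordinary prerequisite, so when `charts` is requested together with other goals under `make -j` the clean recipe can run while those goals are still producing files it removes; the visible part of `clean` deletes `*/templates/_globals.tpl`. I would document the constraint above the target, for example `# charts: package $(CHART) from a clean tree; run it on its own, not alongside other goals under -j`. The `clean` rule begins outside this hunk, so what else it removes is not visible here.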
diff --git a/divingbell/templates/bin/_uamlite.sh.tpl b/divingbell/templates/bin/_uamlite.sh.tpl
new file mode 100644
index 0000000..adbf4b6
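--- /dev/null
+++ b/divingbell/templates/bin/_uamlite.sh.tpl
@@ -0,0 +1,181 @@
+#!/bin/bash
+
+{{/*
+# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+set -e
+
+cat <<'EOF' > {{ .Values.conf.chroot_mnt_path | quote }}/tmp/uamlite_host.sh
+{{ include "divingbell.shcommon" . }}
+
+keyword='divingbell'
+builtin_acct='ubuntu'
+
+add_user(){
+ die_if_null "${user_name}" ", 'user_name' env var not initialized"
+ : ${user_sudo:=false}
+
+ # Create user if user does not already exist
+ getent passwd ${user_name} && \
+ log.INFO "User '${user_name}' already exists" || \
+ (useradd --create-home --shell /bin/bash --comment ${keyword} ${user_name} && \
+ log.INFO "User '${user_name}' successfully created")
+
+ # Unexpire the user (if user had been previously expired)
+ if [ "$(chage -l ${user_name} | grep 'Account expires' | cut -d':' -f2 |
+ tr -d '[:space:]')" != "never" ]; then
+ usermod --expiredate "" ${user_name}
+ log.INFO "User '${user_name}' has been unexpired"
+ fi
+
+ # Add sudoers entry if requested for user
+ if [ "${user_sudo}" = 'true' ]; then
+ # Add sudoers entry if it does not already exist
+ user_sudo_file=/etc/sudoers.d/${keyword}-${user_name}-sudo
+ if [ -f "${user_sudo_file}" ] ; then
+ log.INFO "User '${user_name}' already added to sudoers: ${user_sudo_file}"
+ else
+ echo "${user_name} ALL=(ALL) NOPASSWD:ALL" > "${user_sudo_file}"
+ log.INFO "User '${user_name}' added to sudoers: ${user_sudo_file}"
+ fi
+ curr_sudoers="${curr_sudoers}${user_sudo_file}"$'\n'
+ else
+ log.INFO "User '${user_name}' was not requested sudo access"
+ fi
+
+ curr_userlist="${curr_userlist}${user_name}"$'\n'
+}
+
+add_sshkeys(){
+ die_if_null "${user_name}" ", 'user_name' env var not initialized"
+ user_sshkeys="$@"
+
+ sshkey_dir="/home/${user_name}/.ssh"
+ sshkey_file="${sshkey_dir}/authorized_keys"
+ if [ -z "${user_sshkeys}" ]; then
+ log.INFO "User '${user_name}' has no SSH keys defined"
+ if [ -f "${sshkey_file}" ]; then
+ rm "${sshkey_file}"
+ log.INFO "User '${user_name}' has had its authorized_keys file wiped"
+ fi
+ else
+ sshkey_file_contents='# NOTE: This file is managed by divingbell'$'\n'
+ for sshkey in "$@"; do
+ sshkey_file_contents="${sshkey_file_contents}${sshkey}"$'\n'
+ done
+ write_file=false
+ if [ -f "${sshkey_file}" ]; then
+ if [ "$(cat "${sshkey_file}")" = \
+ "$(echo "${sshkey_file_contents}" | head -n-1)" ]; then
+ log.INFO "User '${user_name}' has no new SSH keys"
+ else
+ write_file=true
+ fi
+ else
+ write_file=true
+ fi
+ if [ "${write_file}" = "true" ]; then
+ mkdir -p "${sshkey_dir}"
+ chmod 700 "${sshkey_dir}"
+ echo -e "${sshkey_file_contents}" > "${sshkey_file}"
+ chown -R ${user_name}:${user_name} "${sshkey_dir}" || \
+ (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
+ log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
+ fi
+ custom_sshkeys_present=true
+ fi
+
+}
+
+{{- if hasKey .Values.conf "uamlite" }}
+{{- if hasKey .Values.conf.uamlite "users" }}
+{{- range $item := .Values.conf.uamlite.users }}
+ {{- range $key, $value := . }}
+ {{ $key }}={{ $value | quote }} \
+ {{- end }}
+ add_user
+
+ {{- range $key, $value := . }}
+ {{ $key }}={{ $value | quote }} \
+ {{- end }}
+ add_sshkeys {{ range $ssh_key := .user_sshkeys }}{{ $ssh_key | quote }} {{end}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+# TODO: This should be done before applying new settings rather than after
+# Expire any previously defined users that are no longer defined
+users="$(getent passwd | grep ${keyword} | cut -d':' -f1)"
+echo "$users" | sort > /tmp/prev_users
+echo "$curr_userlist" | sort > /tmp/curr_users
+revert_list="$(comm -23 /tmp/prev_users /tmp/curr_users)"
+IFS=$'\n'
+for user in ${revert_list}; do
+ # We expire rather than delete the user to maintain local UID FS consistency
+ usermod --expiredate 1 ${user}
+ log.INFO "User '${user}' has been disabled (expired)"
+done
+
+# Delete any previous user sudo access that is no longer defined
+sudoers="$(find /etc/sudoers.d | grep ${keyword})"
+echo "$sudoers" | sort > /tmp/prev_sudoers
+echo "$curr_sudoers" | sort > /tmp/curr_sudoers
+revert_list="$(comm -23 /tmp/prev_sudoers /tmp/curr_sudoers)"
+IFS=$'\n'
+for sudo_file in ${revert_list}; do
+ rm "${sudo_file}"
+ log.INFO "Sudoers file '${sudo_file}' has been deleted"
+done
+
+if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
+ # Disable built-in account as long as there was at least one account defined
+ # in this chart with a ssh key present
+ if [ "${custom_sshkeys_present}" = "true" ]; then
+ if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
+ tr -d '[:space:]')" = "never" ]; then
+ usermod --expiredate 1 ${builtin_acct}
+ fi
+ # Re-enable built-in account as a fallback in the event that are no other
+ # accounts defined in this chart with a ssh key present
+ else
+ if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
+ tr -d '[:space:]')" != "never" ]; then
+ usermod --expiredate "" ${builtin_acct}
+ fi
+ fi
+fi
+
+if [ -n "${curr_userlist}" ]; then
+ log.INFO 'All uamlite data successfully validated on this node.'
+else
+ log.WARN 'No uamlite overrides defined for this node.'
+fi
+
+exit 0
+EOF
+
+chmod 755 {{ .Values.conf.chroot_mnt_path | quote }}/tmp/uamlite_host.sh
+chroot {{ .Values.conf.chroot_mnt_path | quote }} /tmp/uamlite_host.sh
+
+sleep 1
+echo 'INFO Putting the daemon to sleep.'
+
+while [ 1 ]; do
+ sleep 300
+done
+
+exit 0
+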
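Review bot: The sudoers drop-in in `add_user` (new lines 47–51) is written straight to its final path with `echo … > "${user_sudo_file}"`, with no syntax check and no explicit mode, and `user_name` is never validated before it is used in that file name, in the rule text and unquoted in `getent`/`useradd`/`usermod`. sudo skips drop-in files whose name contains a `.` or ends in `~`, so such a name would be logged as "added to sudoers" while granting nothing, and a malformed entry can disturb sudo on every node the DaemonSet reaches. I would follow the write with `chmod 0440 "${user_sudo_file}"` and `visudo -cf "${user_sudo_file}" || { rm -f "${user_sudo_file}"; die "Invalid sudoers entry for ${user_name}"; }`, and reject names outside a conservative pattern at the top of `add_user`. The same care applies in `add_sshkeys` (new lines 91–95), where root runs `chmod` and a redirect inside a home directory the managed user controls; creating the directory and file with explicit owner and mode, and refusing a symlinked `.ssh` or `authorized_keys`, would close that gap.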
diff --git a/divingbell/templates/configmap-uamlite.yaml b/divingbell/templates/configmap-uamlite.yaml
new file mode 100644
index 0000000..3302c48
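--- /dev/null
+++ b/divingbell/templates/configmap-uamlite.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2018 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "divingbell.configmap.uamlite" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $configMapName }}
+data:
+ uamlite: |+
+{{ tuple "bin/_uamlite.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- end }}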
diff --git a/divingbell/templates/daemonset-uamlite.yaml b/divingbell/templates/daemonset-uamlite.yaml
new file mode 100644
index 0000000..453e636
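--- /dev/null
+++ b/divingbell/templates/daemonset-uamlite.yaml
@@ -0,0 +1,65 @@
+{{/*
+# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- define "divingbell.daemonset.uamlite" }}
+ {{- $daemonset := index . 0 }}
+ {{- $configMapName := index . 1 }}
+ {{- $envAll := index . 2 }}
+ {{- with $envAll }}
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: {{ $daemonset }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: {{ $daemonset }}
+ image: {{ .Values.images.divingbell }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - /tmp/{{ $daemonset }}.sh
+ volumeMounts:
+ - name: rootfs-{{ $daemonset }}
+ mountPath: {{ .Values.conf.chroot_mnt_path }}
+ - name: {{ $configMapName }}
+ mountPath: /tmp/{{ $daemonset }}.sh
+ subPath: {{ $daemonset }}
+ readOnly: true
+ securityContext:
+ privileged: true
+ volumes:
+ - name: rootfs-{{ $daemonset }}
+ hostPath:
+ path: /
+ - name: {{ $configMapName }}
+ configMap:
+ name: {{ $configMapName }}
+ defaultMode: 0555
+ {{- end }}
+{{- end }}
+{{- $daemonset := "uamlite" }}
+{{- $configMapName := "divingbell-uamlite" }}
+{{- $daemonset_yaml := list $daemonset $configMapName . | include "divingbell.daemonset.uamlite" | toString | fromYaml }}
+{{- $configmap_include := "divingbell.configmap.uamlite" }}
+{{- list $daemonset $daemonset_yaml $configmap_include $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}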
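Review bot: The pod spec asks for `hostNetwork`, `hostPID`, `hostIPC` (new lines 33–35), `privileged: true` (line 50) and a hostPath mount of `/` (lines 52–54), while the script this DaemonSet runs, as far as this commit shows, only writes one file under the mounted root and calls `chroot`. Each of those settings widens what a compromised image or a tampered ConfigMap can reach on the node, so the ones this workload does not use should go. I would drop `hostNetwork: true` and `hostIPC: true` here and, if testing confirms it, replace `privileged: true` with only the capabilities the account tools need. The image at new line 38 comes from `.Values.images.divingbell`; a comment asking for it to be pinned by digest would help, since it runs as root against the host filesystem.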
diff --git a/divingbell/tools/gate/test.sh b/divingbell/tools/gate/test.sh
index 117f4f5..10a19f0 100755
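--- a/divingbell/tools/gate/test.sh
+++ b/divingbell/tools/gate/test.sh
@@ -33,6 +33,18 @@ ETHTOOL_KEY4=tx-nocache-copy
 ETHTOOL_VAL4_DEFAULT=off
 ETHTOOL_KEY5=tx-checksum-ip-generic
 ETHTOOL_VAL5_DEFAULT=on
+USERNAME1=userone
+USERNAME1_SUDO=true
+USERNAME1_SSHKEY1="ssh-rsa abc123 comment"
+USERNAME2=usertwo
+USERNAME2_SUDO=false
+USERNAME2_SSHKEY1="ssh-rsa xyz456 comment"
+USERNAME2_SSHKEY2="ssh-rsa qwe789 comment"
+USERNAME2_SSHKEY3="ssh-rsa rfv000 comment"
+USERNAME3=userthree
+USERNAME3_SUDO=true
+USERNAME4=userfour
+USERNAME4_SUDO=false
 nic_info="$(lshw -class network)"
 physical_nic=''
 IFS=$'\n'
@@ -96,6 +108,14 @@ _write_ethtool(){
  fi
 }
 
+_reset_account(){
+ if [ -n "$1" ]; then
+ sudo deluser $1 >& /dev/null || true
+ sudo rm -r /home/$1 >& /dev/null || true
+ sudo rm /etc/sudoers.d/*$1* >& /dev/null || true
+ fi
+}
+
 init_default_state(){
  if [ "${1}" = 'make' ]; then
  (cd ../../../; make)
@@ -112,6 +132,11 @@ init_default_state(){
  _write_ethtool ${DEVICE} ${ETHTOOL_KEY3} ${ETHTOOL_VAL3_DEFAULT}
  _write_ethtool ${DEVICE} ${ETHTOOL_KEY4} ${ETHTOOL_VAL4_DEFAULT}
  _write_ethtool ${DEVICE} ${ETHTOOL_KEY5} ${ETHTOOL_VAL5_DEFAULT}
+ # Remove any created accounts, SSH keys
+ _reset_account ${USERNAME1}
+ _reset_account ${USERNAME2}
+ _reset_account ${USERNAME3}
+ _reset_account ${USERNAME4}
 }
 
 install(){
@@ -134,9 +159,9 @@ get_container_status(){
  local log_connect_sleep_interval=2
  local wait_time=0
  while : ; do
- kubectl logs "${container}" --namespace="${NAME}" > /dev/null && break ||
- echo "Waiting for container logs..." &&
- wait_time=$((${wait_time} + ${log_connect_sleep_interval})) &&
+ kubectl logs "${container}" --namespace="${NAME}" > /dev/null && break || \
+ echo "Waiting for container logs..." && \
+ wait_time=$((${wait_time} + ${log_connect_sleep_interval})) && \
  sleep ${log_connect_sleep_interval}
  if [ ${wait_time} -ge ${log_connect_timeout} ]; then
  echo "Hit timeout while waiting for container logs to become available."
@@ -149,7 +174,8 @@ get_container_status(){
  while : ; do
  CLOGS="$(kubectl logs --namespace="${NAME}" "${container}" 2>&1)"
  local status="$(echo "${CLOGS}" | tail -1)"
- if [[ ${status} = *ERROR* ]] || [[ ${status} = *TRACE* ]]; then
+ if [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *ERROR* ]] ||
+ [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *TRACE* ]]; then
  if [ "${2}" = 'expect_failure' ]; then
  echo 'Pod exited as expected'
  break
@@ -159,8 +185,8 @@ get_container_status(){
  echo "${CLOGS}"
  exit 1
  fi
- elif [ "${status}" = 'INFO Putting the daemon to sleep.' ] ||
- [ "${status}" = 'DEBUG + exit 0' ]; then
+ elif [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *'INFO Putting the daemon to sleep.'* ]] ||
+ [[ $(echo -e ${status} | tr -d '[:cntrl:]') = *'DEBUG + exit 0'* ]]; then
  if [ "${2}" = 'expect_failure' ]; then
  echo 'Expected pod to die with error, but pod completed successfully'
  echo 'pod logs:'
@@ -475,6 +501,138 @@ test_ethtool(){
  echo '[SUCCESS] ethtool test7 passed successfully' >> "${TEST_RESULTS}"
 }
 
+_test_user_enabled(){
+ username=$1
+ user_enabled=$2
+
+ if [ "${user_enabled}" = "true" ]; then
+ # verify the user is there and not set to expire
+ getent passwd $username >& /dev/null
+ test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+ tr -d '[:space:]')" = "never"
+ else
+ # If the user exists, verify it's not non-expiring
+ if [ -n "$(getent passwd $username)" ]; then
+ test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+ tr -d '[:space:]')" != "never"
+ fi
+ fi
+}
+
+_test_sudo_enabled(){
+ username=$1
+ sudo_enable=$2
+ sudoers_file=/etc/sudoers.d/*$username*
+
+ if [ "${sudo_enable}" = "true" ]; then
+ test -f $sudoers_file
+ else
+ test ! -f $sudoers_file
+ fi
+}
+
+_test_ssh_keys(){
+ username=$1
+ sshkey=$2
+ ssh_file=/home/$username/.ssh/authorized_keys
+
+ if [ "$sshkey" = "false" ]; then
+ test ! -f "${ssh_file}"
+ else
+ grep "$sshkey" "${ssh_file}"
+ fi
+}
+
+test_uamlite(){
+ # Test the first set of values
+ local overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set1.yaml
+ echo "conf:
+ uamlite:
+ users:
+ - user_name: ${USERNAME1}
+ user_sudo: ${USERNAME1_SUDO}
+ user_sshkeys:
+ - ${USERNAME1_SSHKEY1}
+ - user_name: ${USERNAME2}
+ user_sudo: ${USERNAME2_SUDO}
+ user_sshkeys:
+ - ${USERNAME2_SSHKEY1}
+ - ${USERNAME2_SSHKEY2}
+ - ${USERNAME2_SSHKEY3}
+ - user_name: ${USERNAME3}
+ user_sudo: ${USERNAME3_SUDO}
+ - user_name: ${USERNAME4}" > "${overrides_yaml}"
+ install_base "--values=${overrides_yaml}"
+ get_container_status uamlite
+ _test_user_enabled ${USERNAME1} true
+ _test_sudo_enabled ${USERNAME1} ${USERNAME1_SUDO}
+ _test_ssh_keys ${USERNAME1} "${USERNAME1_SSHKEY1}"
+ _test_user_enabled ${USERNAME2} true
+ _test_sudo_enabled ${USERNAME2} ${USERNAME2_SUDO}
+ _test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY1}"
+ _test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY2}"
+ _test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY3}"
+ _test_user_enabled ${USERNAME3} true
+ _test_sudo_enabled ${USERNAME3} ${USERNAME3_SUDO}
+ _test_ssh_keys ${USERNAME3} false
+ _test_user_enabled ${USERNAME4} true
+ _test_sudo_enabled ${USERNAME4} ${USERNAME4_SUDO}
+ _test_ssh_keys ${USERNAME4} false
+ echo '[SUCCESS] uamlite test1 passed successfully' >> "${TEST_RESULTS}"
+
+ # Test an updated set of values
+ overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set2.yaml
+ uname1_sudo=false
+ uname2_sudo=true
+ uname3_sudo=false
+ echo "conf:
+ uamlite:
+ users:
+ - user_name: ${USERNAME1}
+ user_sudo: ${uname1_sudo}
+ - user_name: ${USERNAME2}
+ user_sudo: ${uname2_sudo}
+ user_sshkeys:
+ - ${USERNAME2_SSHKEY1}
+ - ${USERNAME2_SSHKEY2}
+ - user_name: ${USERNAME3}
+ user_sudo: ${uname3_sudo}
+ user_sshkeys:
+ - ${USERNAME1_SSHKEY1}
+ - ${USERNAME2_SSHKEY3}
+ - user_name: ${USERNAME4}" > "${overrides_yaml}"
+ install_base "--values=${overrides_yaml}"
+ get_container_status uamlite
+ _test_user_enabled ${USERNAME1} true
+ _test_sudo_enabled ${USERNAME1} ${uname1_sudo}
+ _test_ssh_keys ${USERNAME1} false
+ _test_user_enabled ${USERNAME2} true
+ _test_sudo_enabled ${USERNAME2} ${uname2_sudo}
+ _test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY1}"
+ _test_ssh_keys ${USERNAME2} "${USERNAME2_SSHKEY2}"
+ _test_user_enabled ${USERNAME3} true
+ _test_sudo_enabled ${USERNAME3} ${uname3_sudo}
+ _test_ssh_keys ${USERNAME3} "${USERNAME1_SSHKEY1}"
+ _test_ssh_keys ${USERNAME3} "${USERNAME2_SSHKEY3}"
+ _test_user_enabled ${USERNAME4} true
+ _test_sudo_enabled ${USERNAME4} ${USERNAME4_SUDO}
+ _test_ssh_keys ${USERNAME4} false
+ echo '[SUCCESS] uamlite test2 passed successfully' >> "${TEST_RESULTS}"
+
+ # Test revert/rollback functionality
+ install_base
+ get_container_status uamlite
+ _test_user_enabled ${USERNAME1} false
+ _test_sudo_enabled ${USERNAME1} false
+ _test_user_enabled ${USERNAME2} false
+ _test_sudo_enabled ${USERNAME2} false
+ _test_user_enabled ${USERNAME3} false
+ _test_sudo_enabled ${USERNAME3} false
+ _test_user_enabled ${USERNAME4} false
+ _test_sudo_enabled ${USERNAME4} false
+ echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
+}
+
 # test daemonset value overrides for hosts and labels
 test_overrides(){
  overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-dryrun.yaml
@@ -752,6 +910,7 @@ install_base
 test_sysctl
 test_mounts
 test_ethtool
+test_uamlite
 purge_containers
 test_overrides
 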
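Review bot: `test_uamlite` never asserts that a removed key is actually gone: the second value set (new lines 593–597) drops `USERNAME2_SSHKEY3` from user two, but new lines 611–612 only check that keys one and two are present, and `_test_ssh_keys` (new lines 534–544) can only check absence of the whole file. Key revocation is the behaviour most worth pinning for this feature, so I would add after new line 612 `test -z "$(grep -F "${USERNAME2_SSHKEY3}" "/home/${USERNAME2}/.ssh/authorized_keys")"`, and use `grep -F` in `_test_ssh_keys` so the key text is matched literally. The helpers also rely on a failing `test` or `grep` aborting the script; whether `set -e` is in effect is not visible in these hunks, and without it the `[SUCCESS]` lines are written regardless. In `_reset_account` and `_test_sudo_enabled` the glob `/etc/sudoers.d/*$1*` matches any file whose name merely contains the user name, so the exact path `/etc/sudoers.d/divingbell-${username}-sudo` that the chart writes would be tighter.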
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 762d645..2af7f0e 100644
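--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -112,10 +112,20 @@ packages
 
 Not implemented
 
-users
-^^^^^
+uamlite
+^^^^^^^
 
-Not implemented
+Used to manage host level local user accounts, their SSH keys, and their sudo
+access. Ex::
+
+ conf:
+ uamlite:
+ users:
+ - user_name: testuser
+ user_sudo: True
+ user_sshkeys:
+ - ssh-rsa AAAAB3N... key1-comment
+ - ssh-rsa AAAAVY6... key2-comment
 
 Node specific configurations
 ----------------------------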