ADCS
Introduction
This covers some tasks required for managing users and systems for ADCS.
Prerequisites
- Knowledge of managing users in Linux
- Knowledge of creating WUIT ServiceNow Catalog tickets
- Access to servers below required to complete the tasks.
- [OPTIONAL] Knowledge of SAS Management Console

ADCS Servers in accounts.ad.wustl.edu domain

    Host Name      OS        Purpose
    wuit-s-00140   Linux     SAS metadata server
    wuit-s-00141   Linux     SAS worker node
    wuit-s-00142   Linux     SAS worker node
    wuit-s-11217   Windows   R
    wuit-s-11218   Windows   SAS, ArcGIS, Anaconda, Stata

Step-by-Step Instructions for a recent request
NOTE: Most tasks below will need to be performed on all 3 Linux servers, except where indicated or otherwise illogical.
Request Requirements
- Dr. Ige George (igorge [at] wustl.edu) and Andrew Atkinson (aandrew [at] wustl.edu) need access to:
  - The ADCS Windows VM with R.
  - The "george-mktscn" Project on the Linux SAS servers.
- Dr. Ige George and Andrew Atkinson should be the only ones with access to "george-mktscn" Project.
- Dr. Jonas Marschall should no longer have access to "george-mktscn" Project.
- The "george-mktscn" Project uses group SAS-Projects-GEORGE-MKTSCN (ref. "Determine the group name for george-mktscn" below).
Confirm users with access to group
- Review users in group
    [root@wuit-s-00140 ~]# getent group SAS-Projects-GEORGE-MKTSCN
    SAS-Projects-GEORGE-MKTSCN:x:5875:igeorge,yhamad,knickel
- Remove extraneous users from group
    [root@wuit-s-00140 ~]# gpasswd -d yhamad SAS-Projects-GEORGE-MKTSCN
    Removing user yhamad from group SAS-Projects-GEORGE-MKTSCN
    [root@wuit-s-00140 ~]# gpasswd -d knickel SAS-Projects-GEORGE-MKTSCN
    Removing user knickel from group SAS-Projects-GEORGE-MKTSCN
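
The review-and-remove step above can be turned into a repeatable check that is run on each of the 3 Linux servers. The following is an added example, not part of the original runbook: the function name plan_group_changes and the approved list are assumptions, and the sample line is the getent output shown on this page. It only prints the gpasswd/usermod commands; for an account that does not exist yet, the useradd -G step below sets the membership instead.

```shell
#!/bin/sh
# Added example: reconcile a project group against the approved member list.
# Usage: plan_group_changes GROUP_LINE "approved users, space-separated"
# GROUP_LINE is one line in `getent group` format: name:x:gid:user1,user2
# The function prints the commands to run; it changes nothing itself.
plan_group_changes() {
    line=$1
    approved=$2
    group=${line%%:*}                                   # text before the first ':'
    members=$(printf '%s' "${line##*:}" | tr ',' ' ')   # text after the last ':'

    # Current members that are not on the approved list: remove them.
    for u in $members; do
        case " $approved " in
            *" $u "*) ;;
            *) printf 'gpasswd -d %s %s\n' "$u" "$group" ;;
        esac
    done

    # Approved users that are not yet members: add them.
    for u in $approved; do
        case " $members " in
            *" $u "*) ;;
            *) printf 'usermod -a -G %s %s\n' "$group" "$u" ;;
        esac
    done
}

# Constructed sample: the getent line from this page and the two users
# named in the request (igeorge, aandrew).
SAMPLE='SAS-Projects-GEORGE-MKTSCN:x:5875:igeorge,yhamad,knickel'
plan_group_changes "$SAMPLE" "igeorge aandrew"
```

On a server, pass the live entry with "$(getent group SAS-Projects-GEORGE-MKTSCN)". The member field lists supplementary members only, so a user whose primary group is the project group will not appear in it.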
Create new user
- Original email sent to users:
    Hi <USER>,
    Would you please provide the below information so we can create your accounts? I believe you wanted to use R if I understand properly{, but asking about SAS as well, if needed}.
    1. For access to the server to perform data analysis, please reply to this email with a password that is at least 8 characters in length, has at least 1 change in case, and 1 number: NO SPECIAL CHARACTERS.
    2. What is your current network domain and login name (i.e., ACCOUNTS\<WUSTL_Key_User_Name>)?
    For SAS:
    3. Do you use a Mac or a PC?
    4. Do you have SAS Enterprise Guide already installed on your computer? If so, what version?
    5. Do you have SAS Base/Foundation statistical software already installed on your computer? If so, what version?
- Add user
    [root@wuit-s-00140 ~]# useradd -m -d /mnt/Home/aandrew -c "ANDREW ATKINSON - ACCOUNTS" -U -G "ID_SAS_DATA_USERS,SAS-Projects-GEORGE-MKTSCN" aandrew
    [root@wuit-s-00140 ~]# id aandrew
    uid=10005(aandrew) gid=50009(aandrew) groups=50009(aandrew),5512(ID_SAS_DATA_USERS),5875(SAS-Projects-GEORGE-MKTSCN)
Users need access to SAS Project in Linux
- View george-mktscn access. Note: We will need to add SAS-Projects-GEORGE-MKTSCN to this directory because it is not shown below:
    [root@wuit-s-00140 ~]# getfacl /mnt/Projects/george-mktscn/
    getfacl: Removing leading '/' from absolute path names
    # file: mnt/Projects/george-mktscn/
    # owner: mkeller
    # group: mkeller
    user::rwx
    group::---
    group:ID_SAS_DATA_ADMINS:rwx
    group:ID_SAS_DATA_USERS:---
    group:ID_SAS_PROJECTS_ADMINS:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:ID_SAS_DATA_ADMINS:rwx
    default:group:ID_SAS_DATA_USERS:---
    default:group:ID_SAS_PROJECTS_ADMINS:rwx
    default:mask::rwx
    default:other::---
- Set Project directory permissions
    setfacl -R -d -m g:SAS-Projects-GEORGE-MKTSCN:rwx /mnt/Projects/george-mktscn
    setfacl -R -m g:SAS-Projects-GEORGE-MKTSCN:rwx /mnt/Projects/george-mktscn
- Confirm changes are as requested
    [root@wuit-s-00140 ~]# getfacl /mnt/Projects/george-mktscn/
    getfacl: Removing leading '/' from absolute path names
    # file: mnt/Projects/george-mktscn/
    # owner: mkeller
    # group: mkeller
    user::rwx
    group::---
    group:ID_SAS_DATA_ADMINS:rwx
    group:ID_SAS_DATA_USERS:---
    group:ID_SAS_PROJECTS_ADMINS:rwx
    group:SAS-Projects-GEORGE-MKTSCN:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:ID_SAS_DATA_ADMINS:rwx
    default:group:ID_SAS_DATA_USERS:---
    default:group:ID_SAS_PROJECTS_ADMINS:rwx
    default:group:SAS-Projects-GEORGE-MKTSCN:rwx
    default:mask::rwx
    default:other::---
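
The "confirm changes" step above compares two long getfacl listings by eye. The following added example, which is not part of the original runbook, checks the same thing mechanically: the project group must hold rwx in both the access ACL and the default (inherited) ACL, the mask must not reduce it, and "other" must stay at ---. The function and sample names are assumptions, and the samples are abridged from the listings on this page.

```shell
#!/bin/sh
# Added example: verify a project group's ACL entries in `getfacl` output.
# Usage: getfacl DIR | check_project_acl GROUP   (returns 0 when compliant)
check_project_acl() {
    awk -v grp="$1" '
        # Remember an "#effective:" note, then strip comments and headers.
        { eff = ($0 ~ /#effective:/); sub(/[ \t]*#.*/, "") }
        $0 == "group:" grp ":rwx" {
            access = 1
            if (eff) { print "mask limits access for " grp; bad = 1 }
        }
        $0 == "default:group:" grp ":rwx" { dflt = 1 }
        /^other::/ && $0 != "other::---" { print "other is not ---: " $0; bad = 1 }
        END {
            if (!access) { print "missing access ACL for " grp; bad = 1 }
            if (!dflt)   { print "missing default ACL for " grp; bad = 1 }
            exit bad + 0
        }'
}

# Constructed samples, abridged from the getfacl listings on this page.
acl_before() {
    cat <<'EOF'
# file: mnt/Projects/george-mktscn/
user::rwx
group::---
group:ID_SAS_PROJECTS_ADMINS:rwx
mask::rwx
other::---
default:group:ID_SAS_PROJECTS_ADMINS:rwx
default:mask::rwx
default:other::---
EOF
}
acl_after() {
    acl_before
    echo 'group:SAS-Projects-GEORGE-MKTSCN:rwx'
    echo 'default:group:SAS-Projects-GEORGE-MKTSCN:rwx'
}

acl_before | check_project_acl SAS-Projects-GEORGE-MKTSCN || echo "before: not compliant"
acl_after  | check_project_acl SAS-Projects-GEORGE-MKTSCN && echo "after: ok"
```

On a server, pipe the live listing in: getfacl /mnt/Projects/george-mktscn/ | check_project_acl SAS-Projects-GEORGE-MKTSCN. Because the setfacl commands are run per server, run the check on each server as well.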
Users need access to ADCS Windows VM with R
- If they are using R, they need an SMB user account to access either raw data in /mnt/sasdata, or /mnt/Projects.
- For this request we will add the password later. Only on wuit-s-00140:
    # smbpasswd -a aandrew
    New SMB password:
    Retype new SMB password:
    Added user aandrew.
- Then add user to one or both of SMB_Projects and SMB_SASData (just on wuit-s-00140?):
    usermod -a -G SMB_Projects <USERNAME>
- Send the "Accessing ADCS Stata and R virtual machines" email.
- WUIT will have to add permissions for the user to access wuit-s-11217 or wuit-s-11218 using "the attached email" that tells WUIT exactly what AD groups they need to add the user to in their system. Now the user will have to request CyberArk login from ServiceNow.
- That ticket template:
    Andrew Atkinson (aandrew [at] wustl.edu) needs Administrator level access to wuit-s-11217 for ADCS (formerly CADR). If I understand properly this will also require CyberArk access? Thank you.
General Tasks
- Adding new projects
  - Create new Project directory. Get PROJECT_DIR_NAME and PROJECT_GROUP_NAME from Matt Keller/ADCS.
      mkdir /mnt/Projects/<PROJECT_DIR_NAME>
  - Create new Project group
      groupadd <PROJECT_GROUP_NAME>
  - Set Project directory permissions
      setfacl -R -d -m g:<PROJECT_GROUP_NAME>:rwx /mnt/Projects/<PROJECT_DIR_NAME>
      setfacl -R -m g:<PROJECT_GROUP_NAME>:rwx /mnt/Projects/<PROJECT_DIR_NAME>
- Adding new users
  - On each Linux server (yes...):
      # -G takes the comma-separated list of supplementary groups (-g accepts only a single primary group)
      $ useradd -m -d /mnt/Home/<USERNAME> -c "<REAL NAME> - ACCOUNTS" -G ID_SAS_DATA_USERS,<PROJECTS> -p <YES...> <USERNAME>
  - If they are only using SAS, the user must be added in the SAS Management Console and be added to the appropriate groups.
    - If they are to access raw data, those groups must be added in the SAS Management Console. Users only get Read access; those Linux groups end with '_R'.
    - Send the "Directions to Access ADCS Files for ..." email.
  - If they are using R, they need an SMB user account to access either raw data in /mnt/sasdata, or /mnt/Projects.
    - Only on wuit-s-00140
        smbpasswd -a <USERNAME>
    - Then add user to one or both of SMB_Projects and SMB_SASData (just on wuit-s-00140?):
        usermod -a -G SMB_Projects <USERNAME>
    - Send the "Accessing ADCS Stata and R virtual machines" email.
    - WUIT will have to add permissions for the user to access wuit-s-11217 or wuit-s-11218 using "the attached email" that tells WUIT exactly what AD groups they need to add the user to in their system. Now the user will have to request CyberArk login from ServiceNow.
- List users in a group
    [root@wuit-s-00140 ~]# getent group SAS-Projects-GEORGE-MKTSCN
    SAS-Projects-GEORGE-MKTSCN:x:5875:igeorge,yhamad,knickel
- Modify Project access
  - Provide access to Windows VM with R
  - View george-mktscn access. Note: We will need to add SAS-Projects-GEORGE-MKTSCN to this directory because it is not shown below:
      [root@wuit-s-00140 ~]# getfacl /mnt/Projects/george-mktscn/
      getfacl: Removing leading '/' from absolute path names
      # file: mnt/Projects/george-mktscn/
      # owner: mkeller
      # group: mkeller
      user::rwx
      group::---
      group:ID_SAS_DATA_ADMINS:rwx
      group:ID_SAS_DATA_USERS:---
      group:ID_SAS_PROJECTS_ADMINS:rwx
      mask::rwx
      other::---
      default:user::rwx
      default:group::---
      default:group:ID_SAS_DATA_ADMINS:rwx
      default:group:ID_SAS_DATA_USERS:---
      default:group:ID_SAS_PROJECTS_ADMINS:rwx
      default:mask::rwx
      default:other::---
  - It needs the project group listed similar to how SAS-Projects-SILVIERA-COLORECTAL is shown below:
      [root@wuit-s-00140 ~]# getfacl /mnt/Projects/silviera-colorectal/
      getfacl: Removing leading '/' from absolute path names
      # file: mnt/Projects/silviera-colorectal/
      # owner: root
      # group: root
      user::rwx
      group::---
      group:ID_SAS_DATA_ADMINS:rwx
      group:ID_SAS_DATA_USERS:---
      group:ID_SAS_PROJECTS_ADMINS:rwx
      group:SAS-Projects-SILVIERA-COLORECTAL:rwx
      mask::rwx
      other::---
      default:user::rwx
      default:group::---
      default:group:ID_SAS_DATA_ADMINS:rwx
      default:group:ID_SAS_DATA_USERS:---
      default:group:ID_SAS_PROJECTS_ADMINS:rwx
      default:group:SAS-Projects-SILVIERA-COLORECTAL:rwx
      default:mask::rwx
      default:other::---
  - Determine the group name for george-mktscn:
      [root@wuit-s-00140 ~]# grep SAS-Projects-GEORGE-MKTSCN /etc/group
      SAS-Projects-GEORGE-MKTSCN:x:5875:igeorge,yhamad,knickel
  - Remove user from SAS-Projects-GEORGE-MKTSCN:
      gpasswd -d <USERNAME> <GROUPNAME>
  - Add user to SAS-Projects-GEORGE-MKTSCN:
      usermod -a -G SAS-Projects-GEORGE-MKTSCN <USERNAME>
- Removing user access from ADCS Linux servers
  - Lock the user account
      passwd -l <USERNAME>
  - Remove the user ID from the group account in SAS Management Console, leaving the user for auditing purposes (or if they come back later and need the access again).
Occasional Maintenance
- Cleaning up storage space on the worker nodes.
  - Remove files older than 2 weeks.
      cd /mnt/saswork
- Restarting services after WUIT does monthly OS updates
  - TODO: Automate service startup
  - On all 3 Linux servers
    - Make sure all services are stopped. If not, stop them:
        /usr/local/sas/config/Lev1/sas.servers status
        /usr/local/sas/config/Lev1/sas.servers stop
    - Start services sequentially, beginning on wuit-s-00140:
        /usr/local/sas/config/Lev1/sas.servers start
    - When service startup has completed and been confirmed on one server, move on to the next Linux server.
    - One service will not start on wuit-s-00142, which is expected and normal.
    - All other services should have started successfully.
    - Check and possibly restart smb on wuit-s-00140.
- Update SAS license annually. It expires in September (I think).