Administrator Credentials

How to make an admin hat

Kerberos

This is similar to the procedure in Using Multiple Instances. Create a prinicpal on the kdc via kadmin:

addprinc ${USER}/admin
pts createuser ${USER}.admin

Note that as per Kerberos KDC admin hats automatically have full access to the Kerberos database through kadmin. You should probably update /afs/acm.jhu.edu/group/admins.pub/k5login file to include the new admin; see The Special Case of admins.pub. Don’t forget to vos release group.admins.pub afterwards.

LDAP

For LDAP to consider this user an administrator, a new entry must be created:

dn: cn=admin,uid=${USER},ou=People,dc=acm,dc=jhu,dc=edu
cn: admin
uid: ${USER}
objectClass: jhuacmKerberosInstance

For details, consult LDAP.

AFS

For AFS to consider this user an adminstrator, this user must be put in the system:administrators group and by convention we keep the non-admin hats of administrator users in a separate group:

pts add ${USER}.admin system:administrators
pts add ${USER} system:non-admin-hats

Note

No non-.admin credentials should ever be present in system:administrators.

To make the user an AFS superuser, which grants ability to manage the AFS servers, the file:///afs/acm.jhu.edu/group/admins.pub/UserList file must be updated. Update the .annotated file beside it, then derive the UserList by running ./scripts/afs-UserList.pl < ./UserList.annotated. Then release the volume (which will suffice to update the machines which are AFS file servers) and inform the ubik servers by hand:

for i in root@typhon.acm.jhu.edu root@echidna.acm.jhu.edu root@chicago.acm.jhu.edu; do
  echo $i
  ssh -t $i sudo cp /afs/acm.jhu.edu/group/admins.pub/UserList /etc/openafs/server/UserList
done

Note

We have to do the latter stage separately because the release will break callbacks, and the Ubik servers will attempt to read the UserList after the callback is broken, and will time out. This is sad. Ideally, the VLDB should be a client of the PRDB for these operations (unless a flag is given?) and the PRDB should interrogate itself rather than UserList (again, unless a flag is given?)...

SSH

Probably the new admin should also give an SSH key to the pool in file:///afs/acm.jhu.edu/group/admins.pub/authorized_keys . See The Special Case of admins.pub.

Table Of Contents

Previous topic

ACM Authorization Mechanisms

Next topic

LDAP

This Page