Hackeriet

User Tools

Site Tools

You are here: start » infra » services » hacker-id
infra:services:hacker-id

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infra:services:hacker-id [2025/07/26 01:48] – [ACL structure] d404d_idp.hackeriet.noinfra:services:hacker-id [2025/08/13 21:24] (current) – [System setup] d404d_idp.hackeriet.no
Line 12: Line 12:
 Regards, 404'd Regards, 404'd
 </WRAP> </WRAP>
- 
  
 A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to. A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
  
 Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula). Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula).
 +
 +===== Onboarding =====
 +Hackeriet members can begin onboarding by visiting the Hacker-ID section in Hula:
 +
 +https://hackeriet.no/hula/idp/
 +
 +===== Hacker-ID capable services =====
 +All services enrolled into Hacker-ID are documented using tags in Netbox:
 +  * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented
 +  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Not currently implemented
 +  * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID
 +  * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow
 +  * [[https://ip.hackeriet.no/extras/tags/9/|Hacker-ID: Unix]] -- Integrated into the user database for the host (UIDs/GIDs, sudo, passwd, VTY consoles...)
  
 ===== Managing your account ===== ===== Managing your account =====
Line 26: Line 38:
 Implementation of Hacker-ID onboarding is discussed in this Github ticket: https://github.com/hackeriet/hackerhula/pull/43 Implementation of Hacker-ID onboarding is discussed in this Github ticket: https://github.com/hackeriet/hackerhula/pull/43
  
-==== Changing account name ==== +==== Changing account name/display name/email ==== 
-All users are able to change their own account name.+All users are able to change their personal information. 
 + 
 +This includes the login name used for both the web portal, and any Unix accounts used on servers. 
 +This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile 
 + 
 +Unless noted otherwise here, all services consuming Hacker-ID supports account renames/email changes. 
 + 
 +<WRAP center round alert 60%> 
 +Mobilizon (events.hackeriet.no) uses your EMAIL for account bindings. It does not seem like we can change this.
  
-This is the login name used for both the web portal, and any Unix accounts used on servers. +Please get someone to help you with updating your email in Mobilizon in order to avoid losing access to your account.
-Unless noted otherwise here, all services consuming Hacker-ID supports account renames.+
  
-You can rename your account using the CLIThe following example renames the account ''d404d'' to ''testlmao'':+When changing emails, you should keep your old primary email on-account as a secondary email. 
 +</WRAP>
  
-<code>kanidm person update d404d --newname testlmao</code>+<WRAP center round important 60%> 
 +Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes. 
 +</WRAP>
  
 +You can also rename and update your account profile using the CLI:
  
 +  * Account name: <code>kanidm person update d404d --newname testlmao</code>
 +  * Display name: <code>kanidm person update d404d --displayname "Epic New Hacker Name"</code>
 +  * Email: <code>kanidm person update d404d --email "<somehandle>@hackeriet.no"</code>
 ===== ACL structure ===== ===== ACL structure =====
 During the draft phase, the following groups have been configured: During the draft phase, the following groups have been configured:
  
 ^ Name ^ Entry manager ^ Description ^ ^ Name ^ Entry manager ^ Description ^
-| ''hackeriet-members'' | ''hackeriet-styret'' | All currently active members | +| ''hackeriet-members'' | ''svc-hackerhula'' | All currently active members | 
-| ''hackeriet-styret'' | ''hackeriet-styret'' | Current board members | +| ''hackeriet-styret'' | ''svc-hackerhula'' | Current board members | 
-| ''hackeriet-alumni'' | ''hackeriet-styret'' | Members who are no longer active | +| ''hackeriet-alumni'' | ''svc-hackerhula'' | Members who are no longer active | 
-| ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | +| ''nettlaug-tenants'' | ''svc-hackerhula'' | People renting space/resources within nettlauget's infrastructure | 
-| ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. |+| ''nettlaug-operators'' | ''svc-hackerhula'' | Core networking group, for infrastructure, switches, routing etc. |
 | ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) | | ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) |
 | ''service-apphost-sysops'' | ''kfh@idp.hackeriet.no'' | SSH + sudo + docker for ''app-01'' | | ''service-apphost-sysops'' | ''kfh@idp.hackeriet.no'' | SSH + sudo + docker for ''app-01'' |
 +| ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki |
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
 +| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no |
 | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |
 +| ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
 | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox | | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox |
 | ''service-netbox-users'' | ''nettlaug-operators'' | Login, view and edit data in Netbox | | ''service-netbox-users'' | ''nettlaug-operators'' | Login, view and edit data in Netbox |
 +| ''service-webingress-sysops'' | ''kfh@idp.hackeriet.no'' | SSH + sudo + docker for ''ingress'' |
  
 IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members). IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
Line 127: Line 157:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1753494507.txt.gz · Last modified: by d404d_idp.hackeriet.no