Managing Customers

Modified: 15 Mar 2016 19:21 UTC
                <table class="sectionMacro" border="0" cellpadding="5" cellspacing="0" width="100%"><tbody><tr>

The Customer Database maintains information about all of the SmartDataCenter customers. For the purposes of SDC, a customer is a SmartMachine owner. Several Data Centers can share a single customer database. Every SmartMachine is associated with one customer.

For this topic, keep the following definitions in mind:

Term Definition
customer account An account created by an SDC operator using the Operations Portal or by a customer using the customer portal. A customer is the owner of a SmartMachine.
user account A POSIX user account on a SmartMachine; the login name a SmartMachine user uses to log in to a SmartMachine

In this page:

Customer Account Creation and Management

Customers can use the customer portal to create their own customer accounts. These accounts are identified by a user name, password, and UUID. SmartDataCenter administrators can use the Operations Portal to create customer accounts.

Each customer account also contains zero or more SSH public keys. SmartDataCenter uses these keys to give customers access to user accounts on their machines.

The customer account name and password are used only to access the customer's account, not to log in to a user account on a SmartMachine.

Using SmartLogin to Access SmartMachines

Instead of generating user accounts and passwords on each newly provisioned SmartMachine, SmartDataCenter uses an extension of SSH to give customers access to user accounts on SmartMachines.

In addition to root, SmartMachines provisioned with the smartos dataset are configured with the user account admin. SmartMachines provisioned with the nodejs dataset have the admin user account as well as a node user account for the Node.js service.

When a customer tries to log in to a SmartMachine with one of these user accounts using SSH, SmartLogin looks for a public key that corresponds to a private key in the client machine in the following places:

  1. The account's ~/.ssh/authorized_keys file. This is the typical way that SSH works.
  2. The compute node's in-memory cache of the SmartMachine's owner's customer record.
  3. The public SSH keys in the SmartMachine's owner's customer record.

On both the smartos and nodejs datasets, password authentication is disabled, so if there is no matching private/public key, login is denied.

Note that this means that the owner of a SmartMachine can log into any account on that SmartMachine.

SmartLogin uses the in-memory cache of SSH keys on the compute node that hosts the SmartMachine. If the SSH key is not in the cache, and if the customer database is not available (for example the head node is down), the customer will not be able to log in to any user account on his or her SmartMachine.

To disable SmartLogin, comment out the following line in the /etc/ssh/sshd_config file of the head node and compute node:

/etc/ssh/sshd_config
# comment out this line to disable SmartLogin
PubKeyPlugin libsmartsshd.so

User Accounts on SmartMachines

The SmartMachine owner can create user accounts by logging in to the SmartMachine as root and using the useradd tool. This command creates a user account for the user jill:

[root@smartos ~]# useradd -d /home/jill -m -c "Jill Joyent" jill

By default, new user accounts are locked. Mark the user account as "no login" to unlock it. This means that the user cannot log in to the user account with a password. She will be able to log in to the user account using SmartLogin. Use the passwd command like this to mark the account "no login":

[root@smartos ~]# passwd -N jill
passwd: password information changed for jill

You will need to store the users public key in her ~/.ssh/authorized_keys file.

Another option is to use the passwd command to give the user account a password:

[root@smartos ~]# passwd jill
New Password:
Re-enter new Password:
passwd: password successfully changed for jill

One reason you may want to give a user account a password even though password logins are disabled is to allow her to use sudo. If you want to enable password logins, you can do so in /etc/ssh/sshd_config.

Do not put the SmartMachine user's public key in the SmartMachine's owner's customer record unless you want to grant her access to every user account on the machine.

User Accounts and sudo

For both the smartos and nodejs datasets, the admin account can use sudo without a password.

As noted above, if you want to give individual SmartMachine users sudo privileges, you can assign them passwords and add them to the /etc/sudoers file. See man sudo to learn more about sudo.

At a Glance

This topic is about managing customer accounts and user accounts. A customer is someone who owns a SmartMachine. A user is someone who has access to as POSIX account on a SmartMachine.