
#!/bin/ksh
# File  : cdot_modify_users.sh
# By    : Maarten de Boer, 180419
# Subject       : Script to modify users (role & comments) at cDOT clusters
#(0.2),180419	: Mod: ASC -> CSV
# set -x
#
PGM=$(basename "$0")
PGM=${PGM%%.*}                        # script name without extension
VER="0.2"
TMP="/tmp/${PGM}.$$"                  # collected "show" output (';'-separated, mailed as CSV)
CLUSTERS="${HOME}/etc/clusters"       # one cluster per line, ';'-separated, '#' = comment
MAILTO="maarten.deboer@atos.net"
SSH="/usr/bin/ssh"
HOSTNAME=$(hostname)
HOSTNAME=${HOSTNAME%%.*}              # short hostname, used in the mail subject
LOG="${HOME}/log/${PGM}.log"
FILTER="[?]*"                         # grep-pattern on cluster names; the default matches every line
MAIL=""                               # set to 1 by -m/--mail/--mailto
USERS="${HOME}/etc/${PGM}.users"      # user;comment;role  ('#' = comment)
CSV="/tmp/${PGM}.csv"                 # mail attachment. NOTE(review): fixed name in the shared /tmp
NOROLES=""                            # set to 1 by --noroles
PUBKEYS="${HOME}/etc/${PGM}.pub-keys" # SSH public keys, looked up by user name


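SSHCMD()
# 1: Filername 2:Command-string
# Run the command-string on the cluster. When the connection is refused, the nodes
# ${1}-01 .. ${1}-06 are tried one after another, 1 second apart.
# Only a "Connection refused" in ssh's stderr triggers the next node; any other
# non-zero exit ("There are no entries matching your query." => EC=255, and
# "no connection" is also EC=255) is NOT retried.
# Globals : SSH, PGM, LOG (read); EC (written: exit status of the last ssh attempt)
# Outputs : stdout of the remote command (callers tee it into the CSV);
#           ssh's stderr is swallowed, only the "all nodes failed" message is logged
# Returns : exit status of the last ssh attempt (1 when no error-file could be made)
{
  typeset sshcmd_host sshcmd_suffix sshcmd_err
  # Private error-capture file; mktemp instead of the predictable /tmp/${PGM}.$$.err
  sshcmd_err=$(mktemp "/tmp/${PGM}.XXXXXX") || return 1
  EC=1
  for sshcmd_suffix in "" -01 -02 -03 -04 -05 -06; do
    sshcmd_host="${1}${sshcmd_suffix}"
    # -n: stdin from /dev/null, so ssh does not consume the caller's "while read" input
    "${SSH}" -n "${sshcmd_host}" "${2}" 2> "${sshcmd_err}"
    EC=$?
    # -q: without it the matched stderr line was printed to stdout and ended up in the CSV
    if [ "${EC}" -eq 0 ] || ! grep -q 'Connection refused' "${sshcmd_err}"; then
      break
    fi
    if [ "${sshcmd_suffix}" = "-06" ]; then
      echo "`date` ${PGM} ERROR with communication to ${1}. Connection to -01 - -06 failed too."|tee -a "${LOG}"
    else
      sleep 1
    fi
  done
  rm -f "${sshcmd_err}"
  return "${EC}"
}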


USAGE()
{
  echo "Usage: ${PGM} [<options>]"
  echo "  Version: ${VER}"
  echo "  options       :"
  echo "    -e|--etc    : Etc/clusters-file (${CLUSTERS})"
  echo "    -f          : Filter filername (${FILTER})"
  echo "    -h|--help   : this Help"
  echo "    -m|--mail   : do send Mail"
  echo "    -V          : show Version"
  echo "    -x          : set -x"
  echo "    --mailto    : change MAILTO address & do send mail (${MAILTO})"
  echo "    --noroles   : do not create / modify the roles"
}
# Check options
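while [ $# -gt 0 ]
  do
  # Options that take a value must actually have one; otherwise "$2" was silently empty
  case "$1" in
    -e | --etc | -f | -p | --mailto)
      if [ $# -lt 2 ]; then
        echo "Option ${1} needs an argument. Exiting..."; echo; USAGE; exit 1
      fi ;;
  esac
  case "$1" in
    -e | --etc) CLUSTERS=$2; shift ;;
    -f) FILTER=$2; shift ;;
    -p) VPREFIX=$2; shift ;;     # not referenced anywhere else in this file
    -m | --mail) MAIL=1 ;;
    --mailto) MAILTO=$2; MAIL=1; shift ;;
    --noroles) NOROLES=1 ;;
    -h | --help) USAGE; exit 1 ;;
    -V) echo "${PGM}: v${VER}"; exit 3 ;;
    -x)  set -x ;;
    *)  echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;;
  esac
  shift
done  # options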

# MAIN

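echo "`date` ${PGM} v${VER} started (CLUSTERS=${CLUSTERS},FILTER=${FILTER},MAIL=${MAIL})"|tee -a "${LOG}"
# Collects the "show" output of all clusters; mktemp instead of a predictable /tmp name
TMP=$(mktemp "/tmp/${PGM}.XXXXXX") || exit 3

if [ ! -f "${USERS}" ]; then
  echo "  NO users-file (${USERS}). So exiting ..."|tee -a "${LOG}"
  rm -f "${TMP}"
  exit 3
fi
# Was "${PUBKEY}" (typo): the test never fired, so a missing keys-file was not reported
if [ ! -f "${PUBKEYS}" ]; then
  echo "  NO pub-keys-file (${PUBKEYS}). So adding SSH-keys can not be done !"|tee -a "${LOG}"
  sleep 2
fi

CURUSER=$(whoami)
echo "  Running script as user: ${CURUSER}"
sleep 1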


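# Apply the password/lockout policy to one role on one cluster and append the resulting
# role-config to ${TMP}. Both roles get the same policy, only the expiry time differs.
# 1: Cluster  2: Role name  3: passwd-expiry-time (days)
# Globals: LOG, TMP (read)
CONFIGURE_ROLE()
{
  typeset cr_cluster cr_role cr_expiry cr_setting
  cr_cluster=$1
  cr_role=$2
  cr_expiry=$3
  echo "    Creating & modifying role ${cr_role} ..."|tee -a "${LOG}"
  # "create" presumably fails on a re-run when the role already exists (its stderr is
  # swallowed by SSHCMD); the modify-calls below set the wanted state either way.
  SSHCMD "${cr_cluster}" "security login role create -vserver ${cr_cluster} -role ${cr_role} -cmddirname DEFAULT"
  # One modify per setting, same order as before
  for cr_setting in \
      "-passwd-expiry-time ${cr_expiry}" \
      "-max-failed-login-attempts 10" \
      "-passwd-alphanum enable" \
      "-passwd-minlength 15" \
      "-passwd-min-digits 1" \
      "-passwd-min-special-chars 0" \
      "-passwd-min-lowercase-chars 1" \
      "-passwd-min-uppercase-chars 1" \
      "-require-initial-passwd-update enable" \
      "-disallowed-reuse 5" \
      "-change-delay 1"
  do
    SSHCMD "${cr_cluster}" "security login role config modify -vserver ${cr_cluster} -role ${cr_role} ${cr_setting}"
  done
  SSHCMD "${cr_cluster}" "set -showseparator \";\" ;security login role config show -vserver ${cr_cluster} -role ${cr_role} -field vserver,passwd-expiry-time,max-failed-login-attempts,passwd-alphanum,passwd-minlength,passwd-min-digits,passwd-min-special-chars,passwd-min-lowercase-chars,passwd-min-uppercase-chars,require-initial-passwd-update,disallowed-reuse,change-delay"|tee -a "${TMP}"
}

# Main loop: column 1 of the clusters-file ('#' lines skipped), sorted, narrowed by FILTER
cat "${CLUSTERS}"|grep -v '^#'|awk -F\; '{print $1}'|sort|grep "${FILTER}"|while read -r CLUSTER
do
  echo "  ${CLUSTER} ..."|tee -a "${LOG}"

  # 1. Create & modify roles (stor-admin & applic); NOROLES is "" by default, 1 with --noroles
  if [ -z "${NOROLES}" ]; then
    CONFIGURE_ROLE "${CLUSTER}" "stor-admin" 90
    CONFIGURE_ROLE "${CLUSTER}" "applic" 365
  fi  # NOROLES

  # 2. Create users with the role
  ROLE2BE="stor-admin"
  cat "${USERS}"|grep -v '^#'|sort|while read -r LINE
  do
    USER=$(echo "${LINE}"|awk -F\; '{print $1}')
    COMMENT=$(echo "${LINE}"|awk -F\; '{print $2}')
    # Only "stor-admin" or "applic" is accepted from column 3; anything else leaves ROLE empty
    ROLE=$(echo "${LINE}"|awk -F\; '{print $3}'|egrep '^stor-admin|^applic')
    if [ "${ROLE}" = "" ]; then
      # No (valid) role in the users-file: nothing is modified, the login is only
      # reported below under ROLE2BE
      ROLE="${ROLE2BE}"
    else
      echo "    Modifying ${USER} (${ROLE}) ${COMMENT} ..."|tee -a "${LOG}"
#      SSHCMD ${CLUSTER} "security login create -user ${USER} -role ${ROLE} -application ssh -authentication-method publickey"
      SSHCMD "${CLUSTER}" "security login modify -user ${USER} -role ${ROLE} -application ssh -authentication-method publickey -comment ${COMMENT}"

      # Adding an SSH-key needs the admin role, so CURUSER is switched to admin and back.
      # NOTE(review): the key is found by an unanchored substring match on the whole line, so a
      # user name that is a prefix of another one can pick up the wrong key — confirm the
      # format of ${PUBKEYS} before anchoring the match.
      SSHKEY=$(grep -F -- "${USER}" "${PUBKEYS}"|head -1)
      if [ "${SSHKEY}" != "" ]; then
        # NOTE(review): awk splits on whitespace while the output is ';'-separated — confirm
        # that field 5 really is the role.
        CURROLE=$(SSHCMD "${CLUSTER}" "set -showseparator \";\" ;security login show -user ${CURUSER} -field role -application ssh -authentication-method publickey"|grep "${CLUSTER}" |awk '{print $5}')
        if [ "${CURROLE}" = "" ]; then
          # Never escalate without a role to restore: CURUSER would otherwise stay admin
          echo "    ERROR: current role of ${CURUSER} on ${CLUSTER} unknown. SSH-key for ${USER} NOT added."|tee -a "${LOG}"
        else
          # Set admin role, so `security login publickey create` can be done
          SSHCMD "${CLUSTER}" "security login modify -username ${CURUSER} -role admin -application ssh -authentication-method publickey "
          SSHCMD "${CLUSTER}" "security login publickey create -username ${USER} -index 0 -publickey \"${SSHKEY}\" "
          # Change back to the previous role
          SSHCMD "${CLUSTER}" "security login modify -username ${CURUSER} -role ${CURROLE} -application ssh -authentication-method publickey "
        fi  # CURROLE known
      fi  # "${SSHKEY}" != ""

    fi  # "${ROLE}" = ""

    SSHCMD "${CLUSTER}" "set -showseparator \";\" ;security login show -user ${USER} -role ${ROLE} -application * -authentication-method * -field vserver,user,role,application,authentication-method,comment"|tee -a "${TMP}"
    SSHCMD "${CLUSTER}" "set -showseparator \";\" ;security login publickey show -user ${USER} -field vserver,username,index,comment,fingerprint"|tee -a "${TMP}"

  done  # read LINE
done  # CLUSTER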

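if [ "${MAIL}" ]; then
  # NOTE(review): ${CSV} is a fixed name in the shared /tmp; the attachment's file name is what
  # the recipient sees, so it is kept as is. The copy only lives until mailx has run.
  cp "${TMP}" "${CSV}"
  date | mailx -a "${CSV}" -s ":${HOSTNAME}: List of creates users [${PGM} v${VER}]" "${MAILTO}"
  # Was "rm ${ASC}" (left over from the ASC -> CSV change), which never removed the file
  rm -f "${CSV}"
fi  # MAIL


rm -f "${TMP}"
echo "`date` ${PGM} v${VER} finished."|tee -a "${LOG}"
exit 0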

