UserAdmin
At some point support staff in your organization will need to retrieve recovery keys for a machine. App Engine handles the authentication of the user when they log in to the Google sign-in page. Cauliflower Vest then applies permissions to authenticated users to determine their rights to operate on the escrow database.
For admin users: Any Google Account with the Developer or Owner
App Engine role will automatically be granted the REGULAR permissions set.
These permissions are appropriate for admin users.
For normal users: There is a setting in server/settings.py named
ALLOW_ALL_DOMAIN_USERS_TO_ESCROW. If this value is set to True, any user
who is authenticated to App Engine with an account domain matching
server/settings.py AUTH_DOMAIN may escrow a key, whether or not they
have a CV user account, and regardless of whether their CV user account has the
ESCROW permission.
If you are authenticating with gmail.com accounts, it is not recommended that you enable this setting.
Cauliflower Vest has a permission set of 5 flags:
- RETRIEVE - User may retrieve recovery keys for hosts.
- ESCROW - User may escrow recovery keys for hosts.
- SEARCH - User may search for hosts via owner, host properties, etc.
- MASTER - User may see logs at the /logs URL.
- SILENT_RETRIEVE - User may request the recovery key for a host without an email being generated to the host owner informing them that the key was retrieved.

Each Google Account that logs into Cauliflower Vest can hold any combination of these permissions.
Cauliflower Vest has two predefined permissions sets:
- REGULAR = [RETRIEVE, ESCROW, SEARCH, MASTER] - Generally useful for admins. All privileges.
- SILENT = REGULAR + [SILENT_RETRIEVE] - See the SILENT_RETRIEVE permission. A silent admin account.
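
The rules above can be checked offline before any account is changed on the server. The following is an added example, not Cauliflower Vest code: it models the effective permissions as this page describes them and lists accounts worth reviewing. The function names, the dict-based settings and the sample accounts are assumptions for illustration; only the flag names, the two predefined sets and the two settings names come from this page.

```python
# Added illustration: an offline model of the rules described on this page.
# It does not import or reproduce Cauliflower Vest code.
ALL_FLAGS = {'RETRIEVE', 'ESCROW', 'SEARCH', 'MASTER', 'SILENT_RETRIEVE'}
REGULAR = {'RETRIEVE', 'ESCROW', 'SEARCH', 'MASTER'}
SILENT = REGULAR | {'SILENT_RETRIEVE'}

# Constructed sample data (not from any real deployment).
SETTINGS = {'AUTH_DOMAIN': 'example.com', 'ALLOW_ALL_DOMAIN_USERS_TO_ESCROW': True}
ACCOUNTS = {
    'helpdesk@example.com': ['RETRIEVE', 'SEARCH'],
    'lead@example.com': sorted(SILENT),
    'laptop-user@example.com': None,  # authenticated, but no CV user entry
}


def domain_wide_escrow(email, settings):
    """True if the ALLOW_ALL_DOMAIN_USERS_TO_ESCROW rule covers this account."""
    _, at, domain = email.rpartition('@')
    auth_domain = settings.get('AUTH_DOMAIN', '').lower()
    return bool(settings.get('ALLOW_ALL_DOMAIN_USERS_TO_ESCROW')
                and at and auth_domain and domain.lower() == auth_domain)


def effective_perms(email, stored, settings, is_app_admin=False):
    """Flags an account ends up with; stored is its CV flag list or None."""
    perms = set(stored or ())
    if perms - ALL_FLAGS:
        raise ValueError('unknown flag(s): %s' % sorted(perms - ALL_FLAGS))
    if is_app_admin:  # App Engine Developer or Owner role
        perms |= REGULAR
    if domain_wide_escrow(email, settings):
        perms.add('ESCROW')  # granted even without a CV entry or ESCROW flag
    return perms


def review(accounts, settings):
    """Return (subject, finding) pairs that deserve a human look."""
    findings = []
    if (settings.get('ALLOW_ALL_DOMAIN_USERS_TO_ESCROW')
            and settings.get('AUTH_DOMAIN', '').lower() == 'gmail.com'):
        findings.append(('settings', 'domain-wide escrow on gmail.com'))
    for email, stored in sorted(accounts.items()):
        perms = effective_perms(email, stored, settings)
        if 'SILENT_RETRIEVE' in perms:
            findings.append((email, 'retrieves keys without owner email'))
        elif perms >= REGULAR:
            findings.append((email, 'holds the full REGULAR set'))
    return findings
```

Running `review(ACCOUNTS, SETTINGS)` on a list of intended accounts shows which ones would hold SILENT_RETRIEVE or the full REGULAR set once the domain-wide escrow setting is taken into account.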
We do not have any open source code to automatically import large databases of your users into Cauliflower Vest and create accounts for them. At the time of writing, accounts in Cauliflower Vest must be created or updated by hand. Regrettably we do not have a user admin tool for your use.
If your Cauliflower Vest app is located at MYSITE.appspot.com, visit the
interactive console page at the following URL:
https://MYSITE.appspot.com/ahadmin/interactive
Here one can enter Python code and run it immediately on the server.
Note that these instructions assume that user@example.com already has a
Google account.
To create or update users, consider the following code template:
```python
from cauliflowervest.server import models
from cauliflowervest.server import permissions
from google.appengine.api import users

full_email = 'user@example.com'

# Fetch the existing user entry, or create one keyed on the email address.
u = models.User.get_or_insert(full_email)

# To grant the user admin access to FileVault secrets:
u.SetPerms(permissions.SET_REGULAR, permissions.TYPE_FILEVAULT)

# To grant the user only escrow access to BitLocker secrets:
u.SetPerms([permissions.ESCROW], permissions.TYPE_BITLOCKER)

# To grant the user some other unique combination to LUKS secrets:
u.SetPerms([permissions.SEARCH, permissions.MASTER], permissions.TYPE_LUKS)

# Bind the entry to the Google account and save it.
u.user = users.User(full_email)
u.put()
print('User successfully created!')
```
This code snippet will update or create a new user and set their permissions as defined. The code could be adapted to obtain a user database from another source and populate user entries automatically. Consider the urlfetch API if you wish to retrieve user accounts from some source and populate accounts in bulk.
Note that the App Engine 30 second transaction timeout will apply to any code you run in the interactive console. Processing a large number of users will require batching them, perhaps by making use of the information in the next section.
Look at the cauliflowervest/server/cron/group_sync.py code to see an example
of how a cron can be used to pull user data from another source and update it on
a timed interval defined by cauliflowervest/server/cron.yaml.
The App Engine cron API docs are
here.