The node-user suite of tools is used to modify the user database on managed console servers, allowing administrators to easily add, remove and modify local users in bulk, on all or on a selected range of the console servers in their deployment.
The individual command names are:
node-user-add
node-user-del
node-user-mod
Getting Started
The node-user tools are based on the node-command tool, and many basic arguments such as displaying help and selecting console servers are the same. Please refer to the node-command article for additional information.
Adding a User
Run node-user-add --help to display the arguments and syntax for adding a user:
usage: node-user-add [options] username
username Username to add
-G --group-list list List of groups to give membership to for this user
-C --port-list list List of ports numbers to give access for this user
-T --description desc User viewable description for this user
-X --no-prompt password Set the user's password
-P --password Prompt for a password
e.g. to create a new user with a username of myadmin, a description of My Administrator, a password of "Password" and membership of the admin group:
node-user-add --all --group-list admin --description "My Administrator" myadmin --no-prompt "Password"
Deleting a User
Run node-user-del --help to display the arguments and syntax for deleting a user:
usage: node-user-del [options] username [username ...]
username [username ...] List of users to delete
e.g. to delete the users myadmin and myuser from all console servers:
node-user-del --all myadmin myuser
Modifying a User
Run node-user-mod --help to display the arguments and syntax for modifying a user:
usage: node-user-mod [options] username
username Username to modify
-G --group-list list List of groups to add membership to for this user
-C --port-list list List of ports numbers to grant access for this user
-T --description desc User viewable description for this user
-L --lock-user Lock this user from accessing the device
-U --unlock-user Unlock this user from accessing the device
-X --no-prompt password Set the user’s password
-P --password Prompt for a password
Lock and unlock temporarily disable and re-enable a user’s ability to log in to the console server (established sessions are not affected).
Port list is a list of serial ports a user account is explicitly permitted to access. Each port number can be preceded by a + or a - character. If a port number is preceded by a +, the port is added to the user’s explicit permissions list. If a port number is preceded by -, the port is removed from the user’s explicit permissions list. Note that removing a port may not revoke access to that port if the user has inherited permission to access it by some other means (e.g. group permissions or admin group membership).
Similarly, the + and - syntax can be used when specifying the group list to add and remove group membership. If neither + nor - precedes a port or group, + is assumed.
e.g. to add myuser to the users group and grant permission to access serial port 1 on all console servers:
node-user-mod --all --port-list 1 --group-list users myuser
e.g. to change the root user password on all console servers:
node-user-mod --all --password root
e.g. to change the root user password on all ACM5500 model console servers:
node-user-mod --select-match 'Model=ACM55*' --password root
e.g. to change the root user password on a single console server:
node-user-mod --node-name=im7200-rack1 --password root
Passwords
For operations that require a password, such as node-user-add or node-user-mod with a -P or -X option, there are two ways that the password can be obtained. By default, when a password is required, the tool interactively prompts the administrator running the command for the password.
Alternatively, specify the password on the command line with the -X option, but be aware this means that the user's password will appear in plaintext in any ps process listings. The password is then encrypted before being sent across to the remote console server so that it does not appear in any logs in plaintext.
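As an added example (not part of the original article or the vendor's tooling), the following shell function scans automation scripts for node-user-add or node-user-mod invocations that pass the password with -X or --no-prompt, so they can be switched to the interactive prompt. The function names are hypothetical and the sample script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Flags node-user-add / node-user-mod
# invocations that pass the password on the command line (-X / --no-prompt),
# which exposes it in ps process listings.

# Reads script text on stdin and prints "<line-number>:<command>" for each
# finding. The password value itself is never echoed.
find_plaintext_password_args() {
    awk '
    /^[ \t]*#/ { next }                  # ignore comment lines
    {
        cmd = ""
        for (i = 1; i <= NF; i++) {
            # Match the tool by name, with or without a leading path.
            if ($i ~ "(^|/)node-user-(add|mod)$") { cmd = $i; continue }
            if (cmd == "") continue      # only inspect tokens after the tool
            # The "--no-prompt=value" spelling is an assumption, checked defensively.
            if ($i == "-X" || $i == "--no-prompt" || $i ~ "^--no-prompt=") {
                print NR ":" cmd
                break
            }
        }
    }'
}

# Constructed sample input: a small automation script to audit.
sample_automation_script() {
    cat <<'EOF'
#!/bin/sh
# node-user-mod --all -X "old" root   (commented out, ignored)
node-user-mod --all --password root
node-user-add --all --group-list admin myadmin --no-prompt "Password"
node-user-mod --node-name=im7200-rack1 -X "Password" root
node-user-del --all myuser
EOF
}

# Demo run: reports lines 4 and 5 of the sample script.
sample_automation_script | find_plaintext_password_args
```

To audit a real file, feed it on stdin, e.g. find_plaintext_password_args < provision-users.sh (a hypothetical file name).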
Synchronizing Console Servers
As users are added and deleted on the remote console servers, the user database on the Lighthouse CMS needs to stay synchronized with the remote user databases. At the end of each node-user-add, node-user-mod and node-user-del, the administrator is prompted to resynchronize the affected remote console servers.
The synchronization is equivalent to the administrator navigating to the Lighthouse-GUI: Configure > Managed Console Servers and performing a Retrieve Managed Devices step. Alternatively, the behavior can be forced with either a -R (to always retrieve) or a -N (to not retrieve) option.