> Please note this process is used in emergency situations when all other troubleshooting options via Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Entra Group ID>`.
18
+
19
+
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to 'Invalid', and their status message will say "Invalid because userPrincipal isn't a member of AAD group." If the Azure Group ID is invalid, each user in the keyset has their status set to 'Invalid' and their status message will say "AAD group doesn't exist." Invalid users remain in the keyset but their key won't be enabled for SSH access.
20
+
21
+
> [!NOTE]
22
+
> There is currently a transitional period where specifying User Principal Names is optional. In a future release, it will become mandatory and Microsoft Entra ID validation will be enforced for all users. Users are encouraged to add User Principal Names to their keysets before the transitional period ends (planned for July 2024) to avoid keysets being invalidated. Note that if any User Principal Names are added to a keyset, even if they are not added for all users, Microsoft Entra ID validation will be enabled, and this will result in the entire keyset being invalidated if the Group ID specified is not valid.
18
23
19
24
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
20
25
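Review bot: the last sentence of the added NOTE ("this will result in the entire keyset being invalidated if the Group ID specified is not valid") reads as a third outcome distinct from the per-user 'Invalid' status described two paragraphs earlier; say explicitly whether "invalidated" means every user's status becomes 'Invalid' with "AAD group doesn't exist" (so no key is enabled), and what status a user who has no User Principal Name gets once any other user in the same keyset has one. Because an invalid group ID silently leaves every key disabled, the paragraph should also tell readers to check each user's status and status message after create/update rather than assuming access was granted. Minor: the prose says "Azure Group ID" while the placeholder is `<Entra Group ID>`; use one name for the value.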
@@ -51,8 +56,9 @@ az networkcloud cluster bmckeyset create \
51
56
--expiration <Expiration Timestamp> \
52
57
--jump-hosts-allowed <List of jump server IP addresses> \
53
58
--privilege-level <"Administrator" or "ReadOnly"> \
> Please note this process is used in emergency situations when all other troubleshooting options using Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`.
18
+
19
+
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to 'Invalid', and their status message will say "Invalid because userPrincipal isn't a member of AAD group." If the Azure Group ID is invalid, each user in the keyset will have their status set to 'Invalid' and their status message will say "AAD group doesn't exist." Invalid users remain in the keyset but their key won't be enabled for SSH access.
20
+
21
+
> [!NOTE]
22
+
> There is currently a transitional period where specifying User Principal Names is optional. In a future release, it will become mandatory and Microsoft Entra ID validation will be enforced for all users. Users are encouraged to add User Principal Names to their keysets before the transitional period ends (planned for July 2024) to avoid keysets being invalidated. Note that if any User Principal Names are added to a keyset, even if they are not added for all users, Microsoft Entra ID validation will be enabled, and this will result in the entire keyset being invalidated if the Group ID specified is not valid.
18
23
19
24
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
20
25
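Review bot: "against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`" in the added sentence drops the word "group", so it reads as if the user is checked against an Entra ID rather than a group; the BMC keyset version of this same sentence says "the supplied Azure Group ID". Use the same wording on both pages, for example "the supplied Microsoft Entra group ID".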
@@ -24,7 +29,7 @@ There's no limit to the number of users in a group.
24
29
> Notes for jump host IP addresses
25
30
26
31
- The keyset create/update process adds the jump host IP addresses to the IP tables for each machine in the Cluster. This restricts SSH access to be allowed only from those jump hosts.
27
-
- It's important to specify the Cluster facing IP addresses for the jump hosts. These IP addresses may be different than the public facing IP address used to access the jump host.
32
+
- It's important to specify the Cluster facing IP addresses for the jump hosts. These IP addresses might be different than the public facing IP address used to access the jump host.
28
33
- Once added, users are able to access bare metal machines from any specified jump host IP including a jump host IP defined in another bare metal machine keyset group.
29
34
- Existing SSH access remains when adding the first bare metal machine keyset. However, the keyset command limits an existing user's SSH access to the specified jump host IPs in the keyset commands.
30
35
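Review bot: the jump host notes deserve a clearer caveat than the "may" to "might" edit gives them. Since "users are able to access bare metal machines from any specified jump host IP including a jump host IP defined in another bare metal machine keyset group", the allowlist written to each machine's IP tables is effectively the union of every keyset's `--jump-hosts-allowed` values, so one keyset cannot confine its users to a narrower set of jump hosts than another keyset permits. State that directly, and say whether deleting or expiring a keyset removes its jump host IPs from the IP tables.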
@@ -55,13 +60,14 @@ az networkcloud cluster baremetalmachinekeyset create \
55
60
--extended-location name=<Extended Location ARM ID> \
56
61
type="CustomLocation" \
57
62
--location <Azure Region> \
58
-
--azure-group-id <Azure AAD Group ID> \
63
+
--azure-group-id <Azure Group ID> \
59
64
--expiration <Expiration Timestamp> \
60
65
--jump-hosts-allowed <List of jump server IP addresses> \
61
66
--os-group-name <Name of the Operating System Group> \
62
67
--privilege-level <"Standard" or "Superuser"> \
63
68
--user-list '[{"description":"<User List Description>","azureUserName":"<User Name>",\
64
-
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
69
+
"sshPublicKey":{"keyData":"<SSH Public Key>"}, \
70
+
"userPrincipalName":""}]', \
65
71
--tags key1=<Key Value> key2=<Key Value> \
66
72
--cluster-name <Cluster Name> \
67
73
--resource-group <Resource Group>
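Review bot: the rewritten tail of the `--user-list` value introduces a quoting error: `"userPrincipalName":""}]', \` places a comma after the closing single quote, so the argument handed to the CLI is `[...],`, which is not valid JSON (the create example later in this file correctly ends the value with `}]' \`). Drop the stray comma. Also, every other field in this template uses an angle-bracket placeholder while `userPrincipalName` is shown as an empty string; use `"<User Principal Name>"`, and clarify whether an empty string counts as specifying a User Principal Name for the purposes of the NOTE above, since that decides whether Entra ID validation is switched on for the whole keyset.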
@@ -102,6 +108,7 @@ az networkcloud cluster baremetalmachinekeyset create \
102
108
azure-user-name: Required. User name used to login to the server.
103
109
description: The free-form description for this user.
104
110
key-data: Required. The public ssh key of the user.
111
+
userPrincipalName: Optional. The User Principal Name of the User.
105
112
106
113
Multiple users can be specified by using more than one --user-list argument.
107
114
--os-group-name : The name of the group that users are assigned
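Review bot: the new help entry `userPrincipalName: Optional. ...` is camelCase while the neighbouring entries (`azure-user-name`, `key-data`) are listed in kebab-case; use the same convention (`user-principal-name`), and state what happens when it is omitted, since the NOTE earlier in the file makes the consequence depend on whether any other user in the keyset supplies one.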
@@ -150,8 +157,8 @@ az networkcloud cluster baremetalmachinekeyset create \
150
157
--jump-hosts-allowed "192.0.2.1" "192.0.2.5" \
151
158
--os-group-name "standardAccessGroup" \
152
159
--privilege-level "Standard" \
153
-
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userABC", "sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}},\
154
-
{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userXYZ","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXTSTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}}]' \
160
+
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userABC", "sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"},"userPrincipalName":"[email protected]"},\
161
+
{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userXYZ","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXTSTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}, "userPrincipalName":"[email protected]"}]' \
155
162
--tags key1="myvalue1" key2="myvalue2" \
156
163
--cluster-name "clusterName"
157
164
--resource-group "resourceGroupName"
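Review bot: the two added user entries are inconsistent in spacing (`},"userPrincipalName"` for userABC versus `}, "userPrincipalName"` for userXYZ); pick one form. While this example is being touched, the unchanged line `--cluster-name "clusterName"` has no trailing `\`, so `--resource-group "resourceGroupName"` is executed as a separate command and the create call fails for lack of a resource group; add the backslash.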
@@ -207,7 +214,8 @@ az networkcloud cluster baremetalmachinekeyset update \
207
214
--jump-hosts-allowed <List of jump server IP addresses> \
208
215
--privilege-level <"Standard" or "Superuser"> \
209
216
--user-list '[{"description":"<User List Description>","azureUserName":"<User Name>",\
210
-
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
217
+
"sshPublicKey":{"keyData":"<SSH Public Key>"}, \
218
+
"userPrincipalName":""}]', \
211
219
--tags key1=<Key Value> key2=<Key Value> \
212
220
--cluster-name <Cluster Name> \
213
221
--resource-group <Resource Group>
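Review bot: same stray comma as in the create template: `"userPrincipalName":""}]', \` appends `,` to the JSON argument after the closing quote, breaking the command. Remove it and use a `<User Principal Name>` placeholder instead of the empty string so the update template matches the create template.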
@@ -234,6 +242,7 @@ az networkcloud cluster baremetalmachinekeyset update \
234
242
azure-user-name: Required. User name used to login to the server.
235
243
description: The free-form description for this user.
236
244
key-data: Required. The public SSH key of the user.
245
+
userPrincipalName: Optional. The User Principal Name of the User.
237
246
238
247
Multiple users can be specified by using more than one --user-list argument.
239
248
--resource-group -g [Required] : Name of resource group. Optional if
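Review bot: as in the create help text, `userPrincipalName` should be written `user-principal-name` to match `azure-user-name` and `key-data` in this list.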
@@ -253,9 +262,13 @@ az networkcloud cluster baremetalmachinekeyset update \
253
262
--name "bareMetalMachineKeySetName" \
254
263
--expiration "2023-12-31T23:59:59.008Z" \
255
264
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team",\