From fc969f5256b8d46d13e55246a1aeeb83605b875e Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 30 Nov 2023 15:06:30 -0500 Subject: [PATCH] highlight the ability to disable users --- source/customizations.rst | 2 ++ source/customizations/disabling-users.inc | 10 ++++++++++ source/reference/files/nginx-stage-yml.rst | 17 +++++++++++++---- 3 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 source/customizations/disabling-users.inc diff --git a/source/customizations.rst b/source/customizations.rst index 1a0bbff7f..dd4104666 100644 --- a/source/customizations.rst +++ b/source/customizations.rst @@ -364,6 +364,8 @@ We recommend setting this environment variable in ``/etc/ood/config/nginx_stage. .. warning:: This allowlist is not enforced across every action a user can take in an app (including the developer views in the Dashboard). Also, it is enforced via the apps themselves, which is not as robust as using cgroups on the PUN. +.. include:: customizations/disabling-users.inc + .. _set-default-ssh-host: Set Default SSH Host diff --git a/source/customizations/disabling-users.inc b/source/customizations/disabling-users.inc new file mode 100644 index 000000000..e26617b39 --- /dev/null +++ b/source/customizations/disabling-users.inc @@ -0,0 +1,10 @@ +.. _disabling-users-guide: + +Disabling Users +--------------- + +You can use the :ref:`nginx stage configuration for disabling users ` +to disable access to specific users based on the users' default ``shell``. + +For example you could disable access to Open OnDemand for any user with the ``/usr/bin/false`` +default shell. diff --git a/source/reference/files/nginx-stage-yml.rst b/source/reference/files/nginx-stage-yml.rst index 0729eddbc..985a9d131 100644 --- a/source/reference/files/nginx-stage-yml.rst +++ b/source/reference/files/nginx-stage-yml.rst 
@@ -776,17 +776,26 @@ Configuration Options For RHEL6 and CentOS 6 the user id's begin at ``500``. +.. _disabled_shell: + .. describe:: disabled_shell (String) - restrict starting a per-user NGINX process as a user with the given shell + Restrict starting a per-user NGINX process as a user with the given shell. - Default - For OSC restrictions + Default + Do not start a per-user NGINX for anyone with ``/access/denied`` shell. - .. code-block:: yaml + .. code-block:: yaml disabled_shell: "/access/denied" + Example + Do not start a per-user NGINX for anyone with ``/usr/bin/false`` shell. + + .. code-block:: yaml + + disabeled_shell: "/usr/bin/false" + .. note:: This will only restrict access to a per-user NGINX process started with
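Review bot: in source/customizations/disabling-users.inc, the ``:ref:`` role in the first paragraph has link text but no target as it appears here ("nginx stage configuration for disabling users" followed by a space and the closing backtick), so the cross-reference cannot resolve. Point it at the ``disabled_shell`` label this patch adds in nginx-stage-yml.rst by putting the label in angle brackets after the link text. Wording nit on the same sentence: "disable access for specific users" reads better than "disable access to specific users". Since admins may treat this section as an access control, it would also help to mention that the reference entry carries a note on what the setting does and does not restrict.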
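Review bot: the new Example block in source/reference/files/nginx-stage-yml.rst spells the key ``disabeled_shell``, which does not match the option being documented; it should be ``disabled_shell: "/usr/bin/false"``, the same key the Default block uses. Anyone copying the example as written would set a key that is not the documented option name, so the restriction they intended for ``/usr/bin/false`` users would not be configured. Minor style point: the new label ``disabled_shell`` uses an underscore while ``disabling-users-guide`` in the other file uses hyphens; pick one convention for labels added in the same patch.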