-
Notifications
You must be signed in to change notification settings - Fork 27
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #632 from rstudio/new-examples
Update Workbench Examples
- Loading branch information
Showing
3 changed files
with
86 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
examples/workbench/auth-user-provisioning/pam-security.qmd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| --- | ||
| category: Authentication | ||
| --- | ||
|
|
||
| # Configuring Posit Workbench with Secure Home Directories | ||
|
|
||
| This example deploys Posit Workbench using pam to create user home directories with more secure permissions, in this example 700 | ||
|
|
||
| {{< include ../_prereqs.qmd >}} | ||
|
|
||
| ```{.yaml include="rstudio-workbench-pam-homedirectory-permissions.yaml" filename="values.yaml"} | ||
| ``` |
69 changes: 69 additions & 0 deletions
69
...les/workbench/auth-user-provisioning/rstudio-workbench-pam-homedirectory-permissions.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # Using a license file with the helm chart: | ||
| # https://github.com/rstudio/helm/tree/main/charts/rstudio-workbench#license-file | ||
| # If you would like to use a license key see this documentation: | ||
| # https://github.com/rstudio/helm/tree/main/charts/rstudio-workbench#license-key | ||
| license: | ||
| file: | ||
| secret: posit-licenses # TODO: Change to the secret name in your cluster | ||
| secretKey: workbench.lic # TODO: Change to the secret key containing your Workbench license | ||
|
|
||
| # Configures user home directory shared storage | ||
| homeStorage: | ||
| create: true | ||
| mount: true | ||
| storageClassName: nfs-sc-rwx # TODO: Change to a RWX StorageClass available in your cluster | ||
| # volumeName: wb-home-pv-name # Only needed if PVs have been statically provisioned, in which case this will need to match the PV name. | ||
| requests: | ||
| storage: 100G | ||
|
|
||
| # Configures Workbench shared storage | ||
| sharedStorage: | ||
| create: true | ||
| mount: true | ||
| storageClassName: nfs-sc-rwx # TODO: Change to a RWX StorageClass available in your cluster | ||
| # volumeName: wb-shared-pv-name # Only needed if PVs have been statically provisioned, in which case this will need to match the PV name. | ||
| requests: | ||
| storage: 1G | ||
|
|
||
| config: | ||
| pam: | ||
| common-session: | | ||
| # ------------------------------------------------------------------------ | ||
| # /etc/pam.d/common-session - session-related modules common to all services | ||
| # ------------------------------------------------------------------------ | ||
| # | ||
| # This file is included from other service-specific PAM config files, | ||
| # and should contain a list of modules that define tasks to be performed | ||
| # at the start and end of interactive sessions. | ||
| # | ||
| # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | ||
| # To take advantage of this, it is recommended that you configure any | ||
| # local modules either before or after the default block, and use | ||
| # pam-auth-update to manage selection of other modules. See | ||
| # pam-auth-update(8) for details. | ||
| # here are the per-package modules (the "Primary" block) | ||
| session [default=1] pam_permit.so | ||
| # here's the fallback if no module succeeds | ||
| session requisite pam_deny.so | ||
| # prime the stack with a positive return value if there isn't one already; | ||
| # this avoids us returning an error just because nothing sets a success code | ||
| # since the modules above will each just jump around | ||
| session required pam_permit.so | ||
| # The pam_umask module will set the umask according to the system default in | ||
| # /etc/login.defs and user settings, solving the problem of different | ||
| # umask settings with different shells, display managers, remote sessions etc. | ||
| # See "man pam_umask". | ||
| session optional pam_umask.so | ||
| # and here are more per-package modules (the "Additional" block) | ||
| session required pam_unix.so | ||
| session optional pam_sss.so | ||
| # end of pam-auth-update config | ||
| # allow home directory creation, with user access only home directories | ||
| session required pam_mkhomedir.so skel=/etc/skel umask=0077 | ||
| # ------------------------------------------------------------------------ | ||
| # Example for running a custom script | ||
| # ------------------------------------------------------------------------ | ||
| # session required pam_exec.so log=/tmp/sams-pam-logs-2.0.log /tmp/symlink-homedirs.sh |