Limit server logins

Application servers can be configured so that only members of certain teams can log in to the application server.

This is useful if the application server has SSH access to provisioning servers from which only specific people or teams should be able to execute actions.

Enabling per-team access

This feature can be enabled through a configuration file on the application server. Multiple servers can have the same name, so that clustered instances share the same configuration.

Open /opt/infraxys/config/env for editing.

export SERVER_NAME="INFRAXYS-PROD";
export SERVER_REQUIRES_TEAM="true";

SERVER_NAME: a recognizable name for the server, like SALES-PROD, FINANCE-DEV, or just PROD, DEV, … for smaller organizations.

SERVER_REQUIRES_TEAM: “true” or “false”. Set to “true” to enable this feature.

ONLY ADMINISTRATORS OF THE ROOT-PROJECT WILL BE ABLE TO LOG IN TO THIS APPLICATION SERVER INITIALLY!!!

When an Infraxys application server starts, it checks whether the SERVER_NAME is already registered in the database. If it isn’t, the server adds itself. Otherwise, if SERVER_REQUIRES_TEAM is true, it only allows members of the registered teams to log in.
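
A check for the settings described above, as an added example that is not Infraxys's own code: it reads the env file as text instead of sourcing it, reports whether team-restricted login is on, and flags a file that group or others can write. The function names, the return codes and the handling of unset or unexpected values are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the per-team login settings in an Infraxys env file.
# Return codes (0 on, 1 off, 2 needs review) are this example's own convention.

# Print the value of KEY from a line such as: export KEY="value";
# The file is read as text, never sourced, so nothing in it gets executed.
env_value() {  # usage: env_value FILE KEY
  sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=\"\{0,1\}\([^\";]*\)\"\{0,1\}[[:space:]]*;\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

check_team_gate() {  # usage: check_team_gate [FILE]
  gate_file="${1:-/opt/infraxys/config/env}"
  [ -r "$gate_file" ] || { echo "FAIL: cannot read $gate_file" >&2; return 2; }
  gate_name=$(env_value "$gate_file" SERVER_NAME)
  gate_flag=$(env_value "$gate_file" SERVER_REQUIRES_TEAM)

  # The flag is decided by this file, so anyone who can write it can turn the gate off.
  if [ -n "$(find "$gate_file" -prune \( -perm -020 -o -perm -002 \))" ]; then
    echo "FAIL: $gate_file is writable by group or others" >&2
    return 2
  fi

  case "$gate_flag" in
    true)
      [ -n "$gate_name" ] || { echo "FAIL: SERVER_NAME is not set" >&2; return 2; }
      echo "ON: $gate_name only admits members of granted teams"
      return 0 ;;
    false|"")
      # Assumption: an unset flag is treated like "false" here.
      echo "OFF: ${gate_name:-unnamed server} does not restrict logins by team"
      return 1 ;;
    *)
      # Assumption: anything other than the documented values is flagged for review.
      echo "FAIL: SERVER_REQUIRES_TEAM=\"$gate_flag\" is neither \"true\" nor \"false\"" >&2
      return 2 ;;
  esac
}

# Constructed sample input mirroring the two export lines above.
sample=$(mktemp)
printf 'export SERVER_NAME="INFRAXYS-PROD";\nexport SERVER_REQUIRES_TEAM="true";\n' > "$sample"
check_team_gate "$sample"
rm -f "$sample"
```

Run it against each instance of a cluster to confirm that they carry the same SERVER_NAME and the same flag.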

Adding teams

Only administrators of the root-project are allowed to grant or revoke a team's permission to log in through the current application server. To allow a team of any project to log in, do the following:

  • Log in as an administrator of the root-project.
  • Open the project containing the team whose access should be enabled (or revoked).
  • Open the “Teams”-tab.
  • Right click the desired team.
  • Click “Grant login …” to enable access
  • or “Revoke login …” to disable access to members of the team (unless an account is a member of another team that has access)

Listing enabled teams

To see if the current application server is team-protected and to see the list of teams that have access to the current application server:

  • Open the context-menu at the top-left.
  • Click “Tools”
  • Click “Settings”
  • If the environment variable “SERVER_REQUIRES_TEAM” is “true”, then “Login only by teams” will be checked. This field is always read-only because it’s determined at the OS-level.
  • The “Team access”-tab will be there if team-level access is enabled. Clicking it shows a list with the path to the teams.
  • Team access can be removed through the context-menu.