chore: regenerate docs

pull/597/head
jon4hz 6 months ago
parent 66aa63883b
commit 03e435f07a
No known key found for this signature in database
GPG Key ID: 4B0AFE9E7118898E

@ -22,24 +22,24 @@ Add an IP or IP block to a group's servers list
Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
To allow any user, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port allowed to connect to
To allow any port, use '--port *' (you might need to escape '*' from your shell)
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
To allow any user, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port allowed to connect to
To allow any port, use '--port *' (you might need to escape '*' from your shell)
.. option:: --protocol PROTO
Specify that a special protocol should be allowed for this HOST:PORT tuple, note that you
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --force
Don't try the ssh connection, just add the host to the group blindly
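Review bot: the PROTO list in this hunk names the SCP protocols 'scpup' and 'scpdown', while the guest-access commands later in this commit list 'scpupload' and 'scpdownload' against the same descriptions. Since these pages are regenerated, please confirm which spelling the commands accept and align the help text at its source. The remaining lines of the hunk read identically before and after, so the change looks like whitespace only; worth confirming that is intended.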
@ -60,6 +60,16 @@ Add an IP or IP block to a group's servers list
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
.. option:: --proxy-host HOST|IP
Use this host as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy host port to connect to (mandatory when --proxy-host is specified)
--proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.
Examples::
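Review bot: the new --proxy-user text accepts '*' and '?' but drops the reminder that the --user and --port help in this same file carry, "(you might need to escape '*' from your shell)". Please add it here too, and say explicitly whether a bare '*' (any proxy user) is accepted, since that is a broad grant on a jump host. --proxy-user is also the only one of the three proxy options not emitted as an '.. option::' entry.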

@ -39,6 +39,16 @@ Remove an IP or IP block from a group's server list
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --proxy-host HOST|IP
Specify which host was used as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy port that was used to reach the target server
--proxy-user USER|PATTERN|* Proxy user that was configured for this access (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.
This command adds, to an existing bastion account, access to a given server, using the
egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers``
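Review bot: on this removal command --proxy-user is marked "mandatory when --proxy-host is specified" but --proxy-port carries no such statement, whereas the matching add command marks both as mandatory. Please state whether --proxy-port is required to identify the access being removed, so that an operator revoking an access knows which fields must match.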

@ -22,29 +22,29 @@ Add a specific group server access to an account
Group to add the guest access to, note that this group should already have access
to the USER/HOST/PORT tuple you'll specify with the options below.
to the USER/HOST/PORT tuple you'll specify with the options below.
.. option:: --host HOST|IP|SUBNET
Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
To allow any user, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port allowed to connect to
To allow any port, use '--port *' (you might need to escape '*' from your shell)
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
To allow any user, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port allowed to connect to
To allow any port, use '--port *' (you might need to escape '*' from your shell)
.. option:: --protocol PROTO
Specify that a special protocol should be allowed for this HOST:PORT tuple, note that you
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --ttl SECONDS|DURATION
Specify a number of seconds after which the access will automatically expire
@ -53,7 +53,17 @@ Add a specific group server access to an account
Add a comment alongside this access. Quote it twice as shown if you're under a shell.
If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers
If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers
.. option:: --proxy-host HOST|IP
Use this host as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy host port to connect to (mandatory when --proxy-host is specified)
--proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.
This command adds, to an existing bastion account, access to the egress keys of a group,
but only to accessing one or several given servers, instead of all the servers of this group.
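Review bot: the proxy options added here do not say how they relate to the group's own access. The --group text for this command requires the group to "already have access to the USER/HOST/PORT tuple", but nothing states whether the proxy host, port and user must also match an existing group access. Please document that, since it decides whether a guest can be granted a path through a jump host that the group itself was never given.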

@ -26,24 +26,34 @@ Remove a specific group server access from an account
Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
If any user was allowed, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port that was allowed to connect to
If any user was allowed, use '--port *' (you might need to escape '*' from your shell)
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
If any user was allowed, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port that was allowed to connect to
If any user was allowed, use '--port *' (you might need to escape '*' from your shell)
.. option:: --protocol PROTO
Specify that a special protocol was allowed for this HOST:PORT tuple, note that you
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --proxy-host HOST|IP
Use this host as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy host port to connect to (mandatory when --proxy-host is specified)
--proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.
This command removes, from an existing bastion account, access to a given server, using the
egress keys of the group. The list of such servers is given by ``groupListGuestAccesses``
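Review bot: under --port, the sentence "If any user was allowed, use '--port *'" should read "If any port was allowed"; it appears on both sides of the change, so the fix belongs in the help text the docs are generated from. In the same hunk, the three proxy options reuse the add-command wording ("Use this host as a proxy/jump host", "Proxy user to connect as") although this command removes an access; the other removal commands in this commit use "Specify which host was used as a proxy/jump host" and "Proxy user that was configured for this access".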

@ -9,7 +9,7 @@ Modify the configuration of a group
.. admonition:: usage
:class: cmdusage
--osh groupModify --group GROUP [--mfa-required password|totp|any|none] [--guest-ttl-limit DURATION]
--osh groupModify --group GROUP [--mfa-required password|totp|any|none] [--guest-ttl-limit DURATION] [--try-personal-keys yes|no]
.. program:: groupModify
@ -31,6 +31,11 @@ Modify the configuration of a group
This group will enforce TTL setting, on guest access creation, to be set, and not to a higher value than DURATION,
set to zero to allow guest accesses creation without any TTL set (default)
.. option:: --try-personal-keys yes|no
When a user accesses a server through his group permission, his personal access keys will also be added
to the connection attempt (default: no)
Note that `--idle-lock-timeout` and `--idle-kill-timeout` will NOT be applied for catch-all groups (having 0.0.0.0/0 in their server list).
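Review bot: the --try-personal-keys description says "his personal access keys", while the rest of these pages speak of an account's "personal egress" keys; please use the same term so it is clear which keys are meant, and replace "his" with "their". It would also help to state plainly that with 'yes' the account's personal keys are offered to the servers reached through this group, since that is the behaviour a group owner is opting into.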

@ -68,6 +68,18 @@ List the few past sessions of your account
Only sessions that connected through bastion PORT
.. option:: --proxyuser USER
Only sessions that used proxy USER
.. option:: --proxyip HOST
Only sessions that used proxy IP
.. option:: --proxyport PORT
Only sessions that used proxy PORT
Note that only the sessions that happened on this precise bastion instance will be shown,
not the sessions from its possible cluster siblings.
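Review bot: the filters added here are spelled --proxyuser, --proxyip and --proxyport, while every other command in this commit uses --proxy-user, --proxy-host and --proxy-port. If the unhyphenated form matches this command's existing option style, fine, but --proxyip is documented with a HOST argument and the description says "proxy IP"; please say whether a hostname is accepted or only an IP.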

@ -56,6 +56,16 @@ Add a personal server access to an account
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
.. option:: --proxy-host HOST|IP
Use this host as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy host port to connect to (mandatory when --proxy-host is specified)
--proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.
The access will work only if one of the account's personal egress public key has been copied to the remote server.
To get the list of an account's personal egress public keys, see ``accountListEgressKeyss`` and ``selfListEgressKeys``.
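Review bot: the closing paragraph still says the access works only if a personal egress public key "has been copied to the remote server", and the new proxy options do not say whether the same key must also be installed for the proxy user on the proxy host. Please document what is required on the jump host. The trailing context also has a typo, ``accountListEgressKeyss``.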

@ -39,3 +39,13 @@ Remove a personal server access from an account
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --proxy-host HOST|IP
Specify which host was used as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy port that was used to reach the target server
--proxy-user USER|PATTERN|* Proxy user that was configured for this access (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.

@ -56,6 +56,17 @@ Add a personal server access to your account
Add a comment alongside this server. Quote it twice as shown if you're under a shell.
.. option:: --proxy-host HOST|IP
Use this host as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy host port to connect to (mandatory when --proxy-host is specified)
--proxy-user USER|PATTERN|* Proxy user to connect as (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.
When connecting via SSH (not plugins), defaults to --user value for convenience.
Plugin configuration
====================
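Review bot: the --proxy-user text is self-contradictory: it is "mandatory when --proxy-host is specified" and, two lines later, "defaults to --user value for convenience" when connecting via SSH. Please state which one holds in which context, and note that the equivalent option on the account-level add command has no such default sentence.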

@ -35,3 +35,13 @@ Remove a personal server access from your account
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --proxy-host HOST|IP
Specify which host was used as a proxy/jump host to reach the target server
.. option:: --proxy-port PORT
Proxy port that was used to reach the target server
--proxy-user USER|PATTERN|* Proxy user that was configured for this access (mandatory when --proxy-host is specified).
Globbing characters '*' and '?' are supported for pattern matching.

@ -26,6 +26,18 @@ List the accounts that have access to a given server
Remote port allowed (if not specified, ignore port specifications)
.. option:: --proxy-user USER
Proxy user allowed (if egress connection goes through a proxyjump)
.. option:: --proxy-host HOST
Proxy host allowed (if egress connection goes through a proxyjump
.. option:: --proxy-port PORT
Proxy port allowed (if egress connection goes through a proxyjump)
.. option:: --ignore-personal
Don't check accounts' personal accesses (i.e. only check groups)
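Review bot: the --proxy-host description is missing its closing parenthesis: "(if egress connection goes through a proxyjump". The options are also listed user, host, port here, while the other commands in this commit list host, port, user.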
