google-cloud-platform - GCP OS Login creates a user_domain account

Reposted. Author: 行者123. Updated: 2023-12-03 22:00:13

I am testing OS Login and created an instance with the metadata "enable-oslogin=TRUE". I then added the OS Login role to my account (user@mydomainname.com). When I try:

user@original_host$ gcloud compute ssh my_instance --project my_project --zone my_zone

GCP lets me log in, but as the user user_mydomainname rather than my original account "user".

When I try:

user@original_host$ ssh my_instance

it denies my login.

When I try:

user@original_host$ ssh user_mydomainname@my_instance

it allows me to log in, but as user_mydomainname, of course.

I have read a pile of Google's OS Login documentation but cannot find the reason. In one document: https://cloud.google.com/compute/docs/instances/managing-instance-access#login_messages

In the section "Expected login behaviors", it says: "If a username is not set by a G Suite administrator, OS Login generates a default Linux username by combining the username and domain from the email associated with the user's Google profile. This naming convention ensures uniqueness. For example, if the user email associated with the Google profile is user@example.com, then their generated username is user_example_com."

This looks like what I am getting, but I have already set the OS Login role on my account.

I expected that, with the OS Login role set, I could log in to the instance as my original account: user.

What am I missing here, or is this really the expected behavior? Is it possible for my account "user" to use OS Login without getting user_mydomainname?

Thanks,
Philip

Best answer

First, I tried to check the OS Login feature on my test VM by following the documentation:

  • Create a VM instance:
    $ gcloud compute instances create os-login-instance-1 --machine-type=n1-standard-1 --zone=europe-west3-a
    Created [https://www.googleapis.com/compute/v1/projects/test-prj/zones/europe-west3-a/instances/os-login-instance-1].
    NAME                 ZONE            MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP    EXTERNAL_IP     STATUS
    os-login-instance-1  europe-west3-a  n1-standard-1               10.156.15.226  35.XXX.236.XXX  RUNNING
  • Enable the OS Login feature for the VM:
    $ gcloud compute instances add-metadata os-login-instance-1 --metadata enable-oslogin=TRUE --zone=europe-west3-a
    Updated [https://www.googleapis.com/compute/v1/projects/test-prj/zones/europe-west3-a/instances/os-login-instance-1].
  • Add the role roles/compute.osAdminLogin for username@domain.com so that it can use the sudo command:
    $ gcloud projects add-iam-policy-binding test-prj \
        --member='user:username@domain.com' \
        --role='roles/compute.osAdminLogin'
    Updated IAM policy for project [test-prj].

  • You can use roles/compute.osLogin for non-root access.
  • Create an SSH key for the connection:
    $ ssh-keygen
    Generating public/private rsa key pair.
  • Upload the SSH key to the project:
    $ gcloud compute os-login ssh-keys add --key-file .ssh/id_rsa.pub
  • Connect to your instance:
    $ ssh username_domain_com@35.242.236.114

    Linux os-login-instance-1 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Creating directory '/home/username_domain_com'.
    username_domain_com@os-login-instance-1:~$

    $ gcloud compute ssh os-login-instance-1
    Linux os-login-instance-1 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Mon Feb 17 12:32:56 2020 from 104.132.189.65
    username_domain_com@os-login-instance-1:~$ whoami
    username_domain_com

  • Or you can use the FQDN (it must resolve) instead of the IP.

As we expected, the full email address was converted, with all dots and special characters replaced by underscores, as described in the documentation:

    If a username is not set by a G Suite administrator, OS Login generates a default Linux username by combining the username and domain from the email associated with the user's Google profile. This naming convention ensures uniqueness. For example, if the user email associated with the Google profile is user@example.com, then their generated username is user_example_com.

    username@domain.com becomes -> username_domain_com

I was able to connect to the VM, but under the name username_domain_com.

Let's see what the same document says about changing username_domain_com into username:

    G Suite organizations can optionally change their default to remove the domain suffix for newly generated usernames. For example, if the user email associated with the Google profile is user@example.com, then their generated username is user. For more information, see Managing the OS Login API.

Here you can find more details on why it works this way:

    OS Login ties your Linux user account to your Google identity so that you have a consistent username, UID, and other posix information, in every VM you log into. This allows the VM to authorize your login using IAM permissions so that you can easily revoke access. The posix information is immutable for consumer identities (non-G Suite users). This prevents a bad actor from setting information in a malicious way that a project owner cannot manage. In order to prevent uniqueness conflicts across different organizations (user@gmail.com and user@example.com) the domain name is included by default.

So you can use username instead of username_domain_com for your G Suite organization; if you are an individual customer, you cannot.
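The following is an added example, not code from the answer above or from Google. It turns the naming rule quoted above (every non-alphanumeric character of the email becomes an underscore; G Suite organizations may additionally drop the domain suffix) into a function, and checks the result against the POSIX account that `gcloud compute os-login describe-profile --format=json` reports, which is the authoritative value because an administrator may have assigned a custom username. The JSON profile is a constructed sample, and lowercasing the email before mapping is an assumption of this example, not something the page states.

```python
"""Derive the default OS Login username from an email and compare it with the
username in an OS Login profile (shape of `gcloud compute os-login
describe-profile --format=json`). Added example; the rule follows the
documentation quoted in the answer, the JSON below is constructed."""
import json
import re


def default_oslogin_username(email: str, strip_domain: bool = False) -> str:
    """Return the default Linux username OS Login generates for `email`.

    strip_domain=True models the G Suite organization option that removes the
    domain suffix (user@example.com -> user). Consumer accounts cannot change
    this; their POSIX information is immutable.
    Lowercasing the address first is an assumption of this example.
    """
    local, _, domain = email.strip().lower().partition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    source = local if strip_domain else f"{local}@{domain}"
    # Dots, '@' and any other special character become underscores.
    return re.sub(r"[^a-z0-9]", "_", source)


def profile_username(profile_json: str) -> str:
    """Extract the primary POSIX username from a describe-profile JSON document."""
    profile = json.loads(profile_json)
    accounts = profile.get("posixAccounts", [])
    if not accounts:
        raise ValueError("profile has no posixAccounts; OS Login is not set up for this identity")
    primary = next((a for a in accounts if a.get("primary")), accounts[0])
    return primary["username"]


def username_matches(email: str, profile_json: str, strip_domain: bool = False) -> bool:
    """True when the profile's username equals the one derived from the email.

    A mismatch usually means an administrator assigned a custom username or the
    organization changed the suffix policy; always trust the profile value when
    choosing the account name for `ssh`.
    """
    return profile_username(profile_json) == default_oslogin_username(email, strip_domain)


# Constructed sample, shaped like the output of
# `gcloud compute os-login describe-profile --format=json`.
SAMPLE_PROFILE = json.dumps({
    "name": "1234567890",
    "posixAccounts": [{
        "accountId": "test-prj",
        "gid": "1234567890",
        "uid": "1234567890",
        "homeDirectory": "/home/username_domain_com",
        "primary": True,
        "username": "username_domain_com",
    }],
})

if __name__ == "__main__":
    print(default_oslogin_username("user@example.com"))             # user_example_com
    print(default_oslogin_username("user@example.com", True))       # user
    print(username_matches("username@domain.com", SAMPLE_PROFILE))  # True
```

Run `gcloud compute os-login describe-profile --format=json` yourself and feed the output to `username_matches` with your account email; a `False` result tells you the username you should pass to `ssh` is whatever the profile reports, not the one derived from your address.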

For google-cloud-platform - GCP OS Login creates a user_domain account, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60118538/
