###############################
Egg Shell (JHED AD Integration)
###############################

.. _egg_for-users:

For Users
#########

We run a special shell machine named "egg" (get it? get it? Ow! OK, you got it.) which allows *anyone at JHU* to avail themselves of our services, even if they are not members. It integrates with JHU's JHED system, so there are no new passwords for you to memorize or anything.

Run ``ssh YOURJHED@egg.acm.jhu.edu``, replacing ``YOURJHED`` with, well, your JHED ID. Once there, you will be able to browse ``/afs/acm.jhu.edu`` with whatever rights have been given to your JHED account. You can directly copy files in or out by using ``scp myfile.txt YOURJHED@egg.acm.jhu.edu:/afs/acm.jhu.edu/group/foo/``, for example.

.. _egg_for-admins:

For Administrators
##################

Thanks to some help from the wonderful folks at WSE IT, we now have a shell server that can authenticate users using their JHED passwords and get them AFS tokens in our cell.

Likewise
--------

Egg runs BeyondTrust's (http://www.beyondtrust.com/) PowerBroker Identity Services Open "AD Bridge" (http://www.powerbrokeropen.org/). Roughly, this meant that we:

* Grabbed http://download.beyondtrust.com/PBISO/8.2.2/linux.deb.x64/pbis-open-8.2.2.2993.linux.x86_64.deb.sh
* Ran it, letting it rain packages down from the sky.
* Joined the domain using a WSE IT admin account::

    domainjoin-cli join --ou WSE/Computers/CS/Servers win.ad.jhu.edu rabakae1

  Note that WSE went and created a CS OU just for us. :) Cross-reference :ref:`jhu-upstreams_ldap`.
* Ran some additional configuration commands::

    cd /opt/pbis/bin
    ./config LoginShellTemplate /bin/bash
    ./config Local_HomeDirTemplate "%H/JHED/%U"
    ./config HomeDirTemplate "%H/JHED/%U"
    ./config AssumeDefaultDomain
    ./config AssumeDefaultDomain "true"

That was astoundingly painless. Note that PBIS Open is, in fact, open source -- http://www.powerbrokeropen.org/licensing/ has the details and the URL for git clone.
OpenStack
---------

While the machine was being set up, it was in the default security group. Subsequently, I have created the "eggish" security group which permits only:

* DNS access to OpenStack's resolver
* Egress to 128.220.70.0/24 TCP and UDP
* Egress to 10.0.0.0/8 TCP and UDP
* Arbitrary egress to UDP ports 7000-7010
* Arbitrary egress to TCP ports 80 and 443
* Arbitrary ingress on UDP 7001
* Arbitrary ingress on TCP 22

Other
-----

Just installed libpam-afs-session and set up AFS as usual. Everything seems fine.
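The "eggish" allow-list from the OpenStack section above, as an added example script (not the ACM's own tooling) for python-openstackclient. It assumes an authenticated ``openstack`` CLI with the flags shown (recent python-openstackclient), and that ``RESOLVER_IP``, which the page does not give, is set to OpenStack's resolver address; it also deletes the allow-all egress rules every new security group starts with, a step the page does not mention but without which the egress entries are not really an allow-list.

```shell
# Added example: build the "eggish" security group with python-openstackclient.
# Assumes an authenticated `openstack` CLI; RESOLVER_IP (not on the page) must be set.
# DRY_RUN=1 prints the commands instead of running them so the rule set can be reviewed.
RESOLVER_IP="${RESOLVER_IP:-<openstack-resolver-ip>}"
EGGISH_GROUP="${EGGISH_GROUP:-eggish}"
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
# rule DIRECTION PROTO CIDR [PORT-OR-RANGE]; no port means all ports
rule() {
    if [ -n "$4" ]; then
        run openstack security group rule create "--$1" --protocol "$2" \
            --remote-ip "$3" --dst-port "$4" "$EGGISH_GROUP"
    else
        run openstack security group rule create "--$1" --protocol "$2" \
            --remote-ip "$3" "$EGGISH_GROUP"
    fi
}
# A freshly created group carries allow-all egress rules (IPv4 and IPv6);
# they have to go, or the egress entries below are not an allow-list at all.
strip_default_egress() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "# (would delete the default egress rules of $EGGISH_GROUP)"; return
    fi
    for id in $(openstack security group rule list --egress -f value -c ID "$EGGISH_GROUP"); do
        openstack security group rule delete "$id"
    done
}
eggish_build() {
    run openstack security group create --description "egg shell host" "$EGGISH_GROUP"
    strip_default_egress
    rule egress udp "$RESOLVER_IP/32" 53      # DNS, OpenStack's resolver only
    rule egress tcp "$RESOLVER_IP/32" 53
    for cidr in 128.220.70.0/24 10.0.0.0/8; do  # the two ranges from the page, all ports
        rule egress tcp "$cidr"
        rule egress udp "$cidr"
    done
    rule egress udp 0.0.0.0/0 7000:7010       # AFS fileserver/callback ports
    rule egress tcp 0.0.0.0/0 80              # web egress (package updates etc.)
    rule egress tcp 0.0.0.0/0 443
    rule ingress udp 0.0.0.0/0 7001           # AFS client callback port
    rule ingress tcp 0.0.0.0/0 22             # SSH
}
# Number of rule-create commands the build emits (dry run); handy as a sanity check.
eggish_rule_count() {
    ( DRY_RUN=1; eggish_build ) | grep -c 'rule create'
}
```

Review the dry run first (``DRY_RUN=1 sh eggish.sh`` after appending a call to ``eggish_build``), then run it for real and attach the group to the instance.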