Nearly all the services used by the Data Department are administered either by the County's Bureau of Technology (BoT) or the CCAO's in-house IT. Below is a list of commonly-used services along with contact information for their respective user account administrators.
Owner | Service | Contact |
---|---|---|
Cook County | Web Clock | Admins |
Cook County | Office 365 | Admins |
Cook County | VPN | Admins |
Cook County | iasWorld Backend | Mirella |
Cook County | iasWorld Frontend | Mirella/Admins |
CCAO | SQL Server | Derrick S |
CCAO | Tableau | Nicole/Admins |
CCAO | Nearmap | Admins |
IAAO | IAAO Resources | Isalia/Admins |
A few services are administered directly by the Data Department and must therefore be managed manually. Most of this manual management involves provisioning (and deleting) new user accounts for interns and staff. This section will walk through that process for each of Data's self-managed services.
The Data Department uses an on-premise Linux server for compute, scheduled jobs, and running applications. Two applications on the server use PAM (local user accounts) to authenticate users:
To add new users to the Data server (and these applications), complete the following steps:
- SSH into the Data server. `$YOUR_USER` is your existing username on the server:
  ```bash
  ssh $YOUR_USER@datascience.cookcountyassessor.com
  ```
- Create a new user. `$THEIR_USER` should be the same username as their Windows login (e.g. `dfsnow`). NOTE: You must be a super-user to create a new user. If you are not a super-user, ask Mike F. or Dan (@dfsnow) to add you to the sudoers group.
  ```bash
  sudo adduser $THEIR_USER
  ```
- Follow the prompts for user creation. Ask the user to create a password (if they are present) or generate a random one and share it with them securely.
- Test the new account. Visit the RStudio login page and test the new account credentials. The account should work immediately.
- Add the new user to the `data` Linux group to give them access to the renv global cache.
  ```bash
  sudo usermod -aG data $THEIR_USER
  ```
- (Optional) Use systemd and cgroups to limit the resources available to a user (to prevent them from using 100% of the server's memory or CPU). To do so:
  - Create a slice configuration file for each user, where `<uid>` is the user's numeric UID:
    ```bash
    sudo mkdir /etc/systemd/system/user-<uid>.slice.d
    sudo vim /etc/systemd/system/user-<uid>.slice.d/override.conf
    ```
  - Use vim to configure resource controls, for example:
    ```ini
    [Slice]
    MemoryHigh=48G
    MemoryMax=64G
    CPUQuota=1000%
    ```
  - Apply changes:
    ```bash
    sudo systemctl daemon-reload
    ```
  - (Optional) Alternatively, you can set a default limit per user using drop-in search truncation
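The optional resource-limit step above, as an added example that is not part of the original page or the CCAO's own tooling: a POSIX shell script that resolves a username to its UID, sanity-checks the limits, and writes the drop-in. `SYSTEMD_ROOT`, the script name and the function names are assumptions introduced here.

```sh
#!/bin/sh
# Added example, not CCAO tooling. SYSTEMD_ROOT is an assumed override so the
# script can be dry-run against a scratch directory.
SYSTEMD_ROOT="${SYSTEMD_ROOT:-/etc/systemd/system}"

# Convert a systemd size such as 48G to bytes (K/M/G/T are powers of 1024).
to_bytes() {
  local num="${1%?}"
  case "$num" in ''|*[!0-9]*) return 1 ;; esac
  case "$1" in
    *K) echo $((num * 1024)) ;;
    *M) echo $((num * 1024 * 1024)) ;;
    *G) echo $((num * 1024 * 1024 * 1024)) ;;
    *T) echo $((num * 1024 * 1024 * 1024 * 1024)) ;;
    *) return 1 ;;
  esac
}

# Print the [Slice] section, rejecting limits that cannot work as intended.
render_slice() {
  local high max
  high="$(to_bytes "$1")" && max="$(to_bytes "$2")" || return 1
  # MemoryHigh is the throttling threshold, so keep it below the MemoryMax hard cap.
  [ "$high" -lt "$max" ] || return 1
  case "$3" in *%) ;; *) return 1 ;; esac
  case "${3%?}" in ''|*[!0-9]*) return 1 ;; esac
  printf '[Slice]\nMemoryHigh=%s\nMemoryMax=%s\nCPUQuota=%s\n' "$1" "$2" "$3"
}

# Resolve a username to its UID and write the drop-in; prints the file path.
write_slice_override() {
  local uid dir conf
  case "$1" in ''|-*) echo "bad username" >&2; return 1 ;; esac
  uid="$(id -u "$1" 2>/dev/null)" || { echo "no such user: $1" >&2; return 1; }
  conf="$(render_slice "${2:-48G}" "${3:-64G}" "${4:-1000%}")" ||
    { echo "invalid limits" >&2; return 1; }
  dir="$SYSTEMD_ROOT/user-$uid.slice.d"
  mkdir -p "$dir" || return 1
  printf '%s\n' "$conf" > "$dir/override.conf" || return 1
  chmod 0644 "$dir/override.conf"
  echo "$dir/override.conf"
}

# Usage (as root): sh slice-limit.sh USER [MemoryHigh MemoryMax CPUQuota]
if [ "$#" -gt 0 ]; then
  write_slice_override "$@"
fi
```

After the script writes the file, apply it with the daemon-reload step from the list above.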
To delete users on the Data server, complete the following steps:
- SSH to the Data server, same as above.
- If the user has significant/valuable work in their home directory, first back up the directory. Backups can be stored in the `CCAODATA` directory on the `O:` shared drive.
  ```bash
  sudo tar -czvf $THEIR_USER.tar.gz /home/$THEIR_USER
  ```
- Delete the user account. This will remove their user and group but not their home directory.
  ```bash
  sudo deluser $THEIR_USER
  ```
- (Optional) Delete their home directory. This is only really necessary if their home directory is consuming a lot of space.
  ```bash
  # rmdir only removes empty directories, so use a recursive delete;
  # ${THEIR_USER:?} aborts if the variable is unset instead of targeting /home/
  sudo rm -r "/home/${THEIR_USER:?}"
  ```
The Data Department stores most of its active data on AWS. Reading this data requires an authenticated AWS user account. Most users, such as interns and analysts, only require read access. To add a read-only user, complete the following steps:
- Log in to the CCAO's AWS Console using an account with an administrator role.
- Visit the IAM service, click Users in the sidebar, then click Add users in the top-right corner.
- Create a user following the prompts:
  - The user name should be a Cook County email address.
  - Access type should be both programmatic and console.
  - Add the user to the `cookcounty-readonly` user group.
  - Ignore tags and click Create user on the final screen.
- The new account will be unable to access resources until an MFA device is added. Users must have their device manually added by an administrator. To add a device:
  - Return to the Users tab of the IAM service. Click the username you just created.
  - Click the Security credentials tab, scroll down to Multi-factor authentication (MFA), then click Assign MFA device and follow the prompts.
- Log in to the AWS Console with the new user account. Run a test query in Athena to ensure that MFA and all permissions are correctly configured.
The Data Department also administers the CCAO account on the Cook County Data Portal. The main administrator account can delegate permissions to other user accounts on the portal.
Ask a core team member for administrator account credentials. For any issues, contact the current main administrator of the portal, Josh K.