Environment
Websites with files that reside in AFS where the website needs Continuous Integration / Continuous Delivery (CI/CD) or any other type of automatic updates without requiring Duo multi-factor authentication. This can include ITS Web Virtual Hosting websites (also known as "ITS Web Application Hosting" websites) as well as AFS Group Websites.
Issue
A website owner is not able to set up CI/CD or some other type of automatic update for their website, either because Duo multi-factor authentication is required on sftp.itd.umich.edu, login.itd.umich.edu, and umpire.dsc.umich.edu, or because sftp.web.itd.umich.edu (which does not require Duo multi-factor authentication) is accessible only from university-owned networks.
Resolution
Overview
This is a high-level conceptual outline. Refer to the next section for detailed steps.
- Obtain a Type I sponsored uniqname ("regular uniqname plus UMID") to use for automatic website updates.
- Grant the sponsored uniqname write access to your website's files.
- Submit a request to the ITS Web Hosting team for the sponsored uniqname to be able to update the website without using Duo.
- Configure your CI/CD script or other automatic update mechanism to use:
- Protocol: either SSH or SFTP
- Server / hostname: umpire.dsc.umich.edu
- Port: 22
- Username: the sponsored uniqname you obtained
- Password: the sponsored uniqname's UMICH Kerberos password
- You will need to regularly renew the sponsored uniqname in order to keep it active.
Detailed steps
- Obtain a Type I sponsored uniqname ("regular uniqname plus UMID") to use for automatic website updates.
- If you have multiple websites, you can opt to use a single sponsored uniqname for all the websites that your unit manages, or you can obtain a separate sponsored uniqname for each website.
- Read the instructions at https://its.umich.edu/accounts-access/getting-access/uniqnames-accounts/mcommunity-sponsorship for details on how to request a sponsored uniqname.
- Fill out the sponsored uniqname request form at the link in the second bullet point on the web page above.
- Type of Request: Individual
- Reason for Sponsorship: Other University Affiliate. Only Type I sponsored uniqnames ("regular uniqname with UMID") will work with AFS. Type I sponsored uniqnames include "Other University Affiliate" and "Academic Affiliate".
- Sponsored Individual: Save this information in your unit's password manager app, as you will need to provide it to the ITS Service Center to verify the sponsored uniqname identity if you call to reset the password for the sponsored uniqname.
- Names: Make up a name that identifies your team. For example, if you are on the web team in the Department of Example Studies, you could choose "Example" as a first name and "StudiesWeb" for a last name.
- Non-UMICH email address: Use one of your unit's MCommunity email addresses or make up a new one. The address must be able to receive email from non-members.
- Date of Birth and Gender: Make something up.
- Home Address and Telephone Number: Use your unit's campus address and phone number.
- Email Notices: check all eight checkboxes.
- Sponsored Affiliate Relationship to Unit: "This is a non-person uniqname to automate AFS workflows for websites as described in Team Dynamix Knowledge Article 9854."
- After the sponsored uniqname is created, you will need to set a new password for it and enroll it in Duo. You will need to do this in an Incognito / Private Browsing window or in a separate web browser where you are not already logged in using your regular uniqname.
- You must enroll the sponsored uniqname in Duo even though it will be used without Duo to automatically update websites.
- The Duo smartphone app can be used for multiple uniqnames simultaneously.
- Save an encrypted copy of the password and Duo enrollment information in your unit's password manager app in case you need it for other devices later.
- Grant the sponsored uniqname write access to your website's files.
- In an Incognito / Private Browsing window or in a separate web browser where you are not already logged in using your regular uniqname, request an AFS (IFS) home directory for the sponsored uniqname by going to https://ifsprovisioning.its.umich.edu/ifs_storage/request. Be sure to log in as the sponsored uniqname, not as yourself. Once you have requested the AFS home directory, it may take up to an hour before it becomes usable. Continue with the other steps below while you are waiting for the AFS home directory to become available.
- Use SSH client software on your local computer to log in to umpire.dsc.umich.edu (the ITS Web Hosting login server) as yourself (use your regular uniqname, not the sponsored uniqname) and add the sponsored uniqname to the PTS group that controls access to your website's files. If you have multiple websites that use different PTS groups, you will need to repeat this for each PTS group. If you encounter problems, contact webmaster@umich.edu for assistance.
- Navigate to the AFS directory that contains your website's files. If you know the name of your AFS group, then the command is usually
cd ~GROUPNAME
where GROUPNAME is the short name of your AFS group directory.
- Verify which PTS group has full access ("rlidwka") to your AFS group directory by running the command
fs listacl
The PTS group that controls access to your website will usually be the same as the short name of the AFS group directory.
- Run the command
pts membership GROUPNAME
where GROUPNAME is the PTS group name from the previous step in order to see who is able to modify the files for your website.
- Add the sponsored uniqname to the PTS group by running the command
pts adduser UNIQNAME GROUPNAME
where UNIQNAME is the sponsored uniqname and GROUPNAME is the PTS group name.
- Run
pts membership GROUPNAME
again to verify that the sponsored uniqname was successfully added to the PTS group.
- For additional details, please see the knowledge article Managing Access to AFS Group Directories for Websites.
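The PTS steps above, as an added example script that is not part of the ITS article. It is meant to be run on umpire.dsc.umich.edu as yourself; GROUPDIR, PTSGROUP and SPONSORED are placeholders for the AFS group directory, the PTS group that holds rlidwka on it, and the sponsored uniqname.

```shell
#!/bin/sh
# Added example (not from the ITS article): the PTS steps above as one idempotent
# script, run on umpire.dsc.umich.edu as yourself after the sponsored uniqname's
# AFS home directory exists. Placeholders to replace: GROUPDIR (AFS group directory),
# PTSGROUP (the PTS group holding rlidwka on it) and SPONSORED (the sponsored uniqname).
set -eu

# Succeed only if ACL entry "$2" holds exactly full rights (rlidwka) on directory "$1",
# parsed from `fs listacl` output ("  name rights" lines under "Normal rights:").
has_full_rights() {
  fs listacl "$1" | awk -v who="$2" '
    /^Negative rights:/ { exit }
    $1 == who && $2 == "rlidwka" { found = 1 }
    END { exit !found }'
}

# Succeed if uniqname "$2" is already listed by `pts membership "$1"` (line 1 is a header).
is_pts_member() {
  pts membership "$1" | awk -v who="$2" '
    NR > 1 && $1 == who { found = 1 }
    END { exit !found }'
}

# Add the uniqname only when it is missing, then re-read the membership list to
# confirm the change rather than trusting the exit status of pts adduser alone.
ensure_pts_member() {
  group="$1"; user="$2"
  if is_pts_member "$group" "$user"; then
    echo "$user is already a member of $group"
    return 0
  fi
  pts adduser "$user" "$group"
  is_pts_member "$group" "$user" || { echo "adding $user to $group failed" >&2; return 1; }
  echo "added $user to $group"
}

grant_site_access() {
  dir="$1"; group="$2"; user="$3"
  # Refuse to continue if this group does not actually control the directory:
  # adding the account to the wrong group grants access somewhere unintended.
  has_full_rights "$dir" "$group" || { echo "$group lacks rlidwka on $dir" >&2; return 1; }
  ensure_pts_member "$group" "$user"
}

# Usage with the placeholders:  grant_site_access ~GROUPDIR PTSGROUP SPONSORED
```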
- Submit a request to the ITS Web Hosting team for the sponsored uniqname to be able to update the website without using Duo. This only needs to be done once for each sponsored uniqname, even if a particular uniqname is used with multiple websites.
- Send an email to webmaster@umich.edu saying that you want to use a sponsored uniqname to automate tasks for an AFS-based website. Include the sponsored uniqname and the URL(s) of the website(s).
- The ITS Web Hosting team will respond and let you know once Duo has been turned off for the sponsored uniqname on umpire.dsc.umich.edu only. Duo will remain enabled for the sponsored uniqname in all other places. umpire.dsc.umich.edu is the ITS Web Hosting login server and has web development software including PHP, Composer, WP CLI, and database clients.
- Use SSH client software on your local computer to make sure that the sponsored uniqname is able to log in to umpire.dsc.umich.edu without being prompted for Duo. Be sure to explicitly specify the sponsored uniqname as the username. If this does not work, please let the ITS Web Hosting team know so they can investigate the problem.
- Configure your CI/CD script or other automatic update mechanism to use the following settings. NOTE: SSH public/private key pairs are not available as an option, because they will not work with AFS.
- Protocol: either SSH or SFTP
- Server / hostname: umpire.dsc.umich.edu
- Port: 22
- Username: the sponsored uniqname you obtained
- Password: the sponsored uniqname's UMICH Kerberos password
- You will need to regularly renew the sponsored uniqname in order to keep it active. You will receive notifications/reminders on the schedule you selected on the uniqname sponsorship form in step 1.
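A CI/CD deploy step using the settings above, as an added example that is not part of the ITS article. It assumes lftp is installed on the CI runner, that the pipeline injects the sponsored uniqname and its password as the DEPLOY_USER and DEPLOY_PASSWORD secrets, that the server's host key is pinned in a known_hosts file committed with the site, and that REMOTE_DIR is the AFS path of the website's files; none of these names come from the page.

```shell
#!/bin/sh
# Added example (not from the ITS article): a CI/CD deploy step that mirrors a built
# site to its AFS directory over SFTP through umpire.dsc.umich.edu, authenticating
# with the sponsored uniqname's password (key pairs are not an option with AFS).
# Assumed, not from the page: the CI system injects DEPLOY_USER and DEPLOY_PASSWORD
# as secrets, lftp is installed on the runner, and REMOTE_DIR is the site's AFS path.
set -eu

DEPLOY_HOST="umpire.dsc.umich.edu"
KNOWN_HOSTS="${KNOWN_HOSTS:-$PWD/ci/known_hosts}"   # pinned host key kept in the repo

# Fail fast on a missing secret or an unpinned host key instead of letting ssh prompt
# (a CI job has no terminal) or trust whatever key it sees first.
check_deploy_config() {
  user="$1"; pass="$2"; hosts="$3"
  [ -n "$user" ] || { echo "DEPLOY_USER is empty" >&2; return 1; }
  [ -n "$pass" ] || { echo "DEPLOY_PASSWORD is empty" >&2; return 1; }
  [ -r "$hosts" ] || { echo "known_hosts file $hosts is missing" >&2; return 1; }
  # Entries must be unhashed for this grep; use `ssh-keygen -F` for hashed files.
  grep -q "^$DEPLOY_HOST[ ,]" "$hosts" || { echo "no pinned key for $DEPLOY_HOST" >&2; return 1; }
}

# Write lftp's command script with owner-only permissions so the password never
# appears on a command line, where other processes on the runner could read it.
write_lftp_script() {
  out="$1"; user="$2"; pass="$3"; local_dir="$4"; remote_dir="$5"
  (umask 077; cat > "$out" <<EOF
set sftp:connect-program "ssh -a -x -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS"
set net:max-retries 2
open -u "$user,$pass" sftp://$DEPLOY_HOST
mirror --reverse --delete --verbose "$local_dir" "$remote_dir"
bye
EOF
  )
}

# --delete above removes remote files absent from the build; drop it if the site
# keeps server-side files that are not in the repository.
deploy_site() {
  local_dir="$1"; remote_dir="$2"
  check_deploy_config "${DEPLOY_USER:-}" "${DEPLOY_PASSWORD:-}" "$KNOWN_HOSTS"
  script=$(mktemp)
  trap 'rm -f "$script"' EXIT   # the file holding the password is removed on exit
  write_lftp_script "$script" "$DEPLOY_USER" "$DEPLOY_PASSWORD" "$local_dir" "$remote_dir"
  lftp -f "$script"
}

# Run only when the pipeline asks for it, e.g. CI_DEPLOY=1 REMOTE_DIR=/afs/... ./deploy.sh
if [ "${CI_DEPLOY:-0}" = "1" ]; then
  deploy_site "$PWD/public" "${REMOTE_DIR:?REMOTE_DIR must be set}"
fi
```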
Additional Information
For assistance with AFS-based websites, contact webmaster@umich.edu.