Linux Archive - Change Request: Allow fi-apprentice to log into app*

Linux Archive

Linux Archive (http://www.linux-archive.org/)

- Fedora Infrastructure (http://www.linux-archive.org/fedora-infrastructure/)

- - Change Request: Allow fi-apprentice to log into app* (http://www.linux-archive.org/fedora-infrastructure/697343-change-request-allow-fi-apprentice-log-into-app.html)

Toshio Kuratomi

08-24-2012 02:37 PM

Change Request: Allow fi-apprentice to log into app*

One of our apprentices was looking into how we use use the faswho adapter
was going to look at how it's configured in raffle on the app servers. When
he wasn't able to we discovered that fi-apprentice isn't allowed to login to
the app servers. Discussed with nirik and we think that this is a simple
oversight rather than a matter of policy.

As this is a minimal change and since alpha has slipped I'm asking for
a freeze break request to allow this. Here's the necessary puppet change to
enable this:

diff --git a/manifests/services/appRhel.pp b/manifests/services/appRhel.pp
index b8cecf5..58badbc 100644
--- a/manifests/services/appRhel.pp
+++ b/manifests/services/appRhel.pp
@@ -1,5 +1,5 @@
class appRhel {
- $fas_groups= [ "sysadmin-main", "sysadmin-web", "sysadmin-noc" ]
+ $fas_groups= [ "sysadmin-main", "sysadmin-web", "sysadmin-noc", "fi-apprentice" ]
include global
include fas::client
include xen-guest

Since this applies to appRhel, the nodes that it will affect are:

app0[1-68]
app0[12].stg
bapp02
value0[34]
value01.stg

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Kevin Fenzi

08-24-2012 03:19 PM

Change Request: Allow fi-apprentice to log into app*

On Fri, 24 Aug 2012 07:37:52 -0700
Toshio Kuratomi <a.badger@gmail.com> wrote:

> One of our apprentices was looking into how we use use the faswho
> adapter was going to look at how it's configured in raffle on the app
> servers. When he wasn't able to we discovered that fi-apprentice
> isn't allowed to login to the app servers. Discussed with nirik and
> we think that this is a simple oversight rather than a matter of
> policy.
>
> As this is a minimal change and since alpha has slipped I'm asking for
> a freeze break request to allow this. Here's the necessary puppet
> change to enable this:

+1

kevin
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Ricky Elrod

08-24-2012 03:23 PM

Change Request: Allow fi-apprentice to log into app*

On 08/24/2012 10:37 AM, Toshio Kuratomi wrote:
> - $fas_groups= [ "sysadmin-main", "sysadmin-web", "sysadmin-noc" ]
> + $fas_groups= [ "sysadmin-main", "sysadmin-web", "sysadmin-noc", "fi-apprentice" ]

+1

_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Pierre-Yves Chibon

08-24-2012 03:25 PM

Change Request: Allow fi-apprentice to log into app*

On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> One of our apprentices was looking into how we use use the faswho adapter
> was going to look at how it's configured in raffle on the app servers. When
> he wasn't able to we discovered that fi-apprentice isn't allowed to login to
> the app servers. Discussed with nirik and we think that this is a simple
> oversight rather than a matter of policy.
[...]
> Since this applies to appRhel, the nodes that it will affect are:
>
> app0[1-68]
> app0[12].stg
> bapp02
> value0[34]
> value01.stg

How far are the stg machine from the production one ? I'm asking
thinking that this change, if it sounds fine, gives access to quite a
number of nodes to apprentices. Just giving apprentices access to stg
machines might be sufficient no ?

Food for thought :)
Pierre
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Kevin Fenzi

08-24-2012 03:31 PM

Change Request: Allow fi-apprentice to log into app*

On Fri, 24 Aug 2012 17:25:34 +0200
Pierre-Yves Chibon <pingou@pingoured.fr> wrote:

> On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> > One of our apprentices was looking into how we use use the faswho
> > adapter was going to look at how it's configured in raffle on the
> > app servers. When he wasn't able to we discovered that
> > fi-apprentice isn't allowed to login to the app servers. Discussed
> > with nirik and we think that this is a simple oversight rather than
> > a matter of policy.
> [...]
> > Since this applies to appRhel, the nodes that it will affect are:
> >
> > app0[1-68]
> > app0[12].stg
> > bapp02
> > value0[34]
> > value01.stg
>
> How far are the stg machine from the production one ? I'm asking
> thinking that this change, if it sounds fine, gives access to quite a
> number of nodes to apprentices. Just giving apprentices access to stg
> machines might be sufficient no ?

Perhaps. We already grant them access to most machines however.

I think the default should be to allow, and only restrict where there's
a need to restrict.

note also that this is read-only access. There's no sudo or the like
granted. This is just to allow them to login and look at processes and
files that are world readable so they can figure out how things work.

If our staging was more... expansive... I think we could look at
restricting to that, but there's a number of things we simply don't
have in staging or is setup differently/oddly.

kevin
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Pierre-Yves Chibon

08-24-2012 03:35 PM

Change Request: Allow fi-apprentice to log into app*

On Fri, 2012-08-24 at 09:31 -0600, Kevin Fenzi wrote:
> On Fri, 24 Aug 2012 17:25:34 +0200
> Pierre-Yves Chibon <pingou@pingoured.fr> wrote:
>
> > On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> > > One of our apprentices was looking into how we use use the faswho
> > > adapter was going to look at how it's configured in raffle on the
> > > app servers. When he wasn't able to we discovered that
> > > fi-apprentice isn't allowed to login to the app servers. Discussed
> > > with nirik and we think that this is a simple oversight rather than
> > > a matter of policy.
> > [...]
> > > Since this applies to appRhel, the nodes that it will affect are:
> > >
> > > app0[1-68]
> > > app0[12].stg
> > > bapp02
> > > value0[34]
> > > value01.stg
> >
> > How far are the stg machine from the production one ? I'm asking
> > thinking that this change, if it sounds fine, gives access to quite a
> > number of nodes to apprentices. Just giving apprentices access to stg
> > machines might be sufficient no ?
>
> Perhaps. We already grant them access to most machines however.
>
> I think the default should be to allow, and only restrict where there's
> a need to restrict.
>
> note also that this is read-only access. There's no sudo or the like
> granted. This is just to allow them to login and look at processes and
> files that are world readable so they can figure out how things work.
>
> If our staging was more... expansive... I think we could look at
> restricting to that, but there's a number of things we simply don't
> have in staging or is setup differently/oddly.

Fair enough then :)

Pierre
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Toshio Kuratomi

08-24-2012 03:38 PM

Change Request: Allow fi-apprentice to log into app*

On Fri, Aug 24, 2012 at 05:25:34PM +0200, Pierre-Yves Chibon wrote:
> On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> > One of our apprentices was looking into how we use use the faswho adapter
> > was going to look at how it's configured in raffle on the app servers. When
> > he wasn't able to we discovered that fi-apprentice isn't allowed to login to
> > the app servers. Discussed with nirik and we think that this is a simple
> > oversight rather than a matter of policy.
> [...]
> > Since this applies to appRhel, the nodes that it will affect are:
> >
> > app0[1-68]
> > app0[12].stg
> > bapp02
> > value0[34]
> > value01.stg
>
> How far are the stg machine from the production one ? I'm asking
> thinking that this change, if it sounds fine, gives access to quite a
> number of nodes to apprentices. Just giving apprentices access to stg
> machines might be sufficient no ?
>
The platform is usually the same. We usually have the same services running
on it. Ideally we have different versions of the service running on it only
when we're queueing up a new release or testing a hotfix. Not always the
case though.

They probably can get most of the same information from stg as they
can in production most of the time. however, we do give apprentices access
to most other production machines so seems to fit in from that point of view:
http://fedoraproject.org/wiki/Infrastructure_Apprentice#Access_to_many_infrastru cture_machines

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

All times are GMT. The time now is 12:44 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.