On Fri, 2012-08-24 at 09:31 -0600, Kevin Fenzi wrote:
> On Fri, 24 Aug 2012 17:25:34 +0200
> Pierre-Yves Chibon <email@example.com> wrote:
> > On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> > > One of our apprentices was looking into how we use the faswho
> > > adapter and was going to look at how it's configured in raffle on the
> > > app servers. When he wasn't able to we discovered that
> > > fi-apprentice isn't allowed to login to the app servers. Discussed
> > > with nirik and we think that this is a simple oversight rather than
> > > a matter of policy.
> > [...]
> > > Since this applies to appRhel, the nodes that it will affect are:
> > >
> > > app0[1-68]
> > > app0.stg
> > > bapp02
> > > value0
> > > value01.stg
> > How far are the stg machines from the production ones? I'm asking
> > thinking that this change, if it sounds fine, gives access to quite a
> > number of nodes to apprentices. Just giving apprentices access to stg
> > machines might be sufficient, no?
> Perhaps. We already grant them access to most machines however.
> I think the default should be to allow, and only restrict where there's
> a need to restrict.
> Note also that this is read-only access. There's no sudo or the like
> granted. This is just to allow them to login and look at processes and
> files that are world readable so they can figure out how things work.
> If our staging was more... expansive... I think we could look at
> restricting to that, but there's a number of things we simply don't
> have in staging or are set up differently/oddly.
Fair enough then