Regardless how MirrorManager is made to work, the content itself will need to come from S3; I think that's in agreement, right?<div><br></div><div>When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it is best to have an S3 account per region for large sites; I agreed, and have already experienced why this is the case. I can go over the reasons more extensively if the group would like, but they can be summed with a single word: "security." I'll give two short examples, both based on what could happen between Matt and I working on getting MirrorManager in AWS.</div>
<div><br></div><div>While working on the code to get MirrorManager to have an S3 back-end, say I accidentally send the keypair in an email, or worse - in an email to a list. Immediately failing over to the second keypair (accounts can only have two keypairs, and only one should be used at a time except for when you're changing the keys; the second allows for seamless switches to a new keypair, as you leave both active until the process is complete, then deactivate the old one). Having the keys be per-region minimizes the impact of this problem; there was a temporary exposure, but it wasn't a /global/ exposure, which means we can safely treat the contents of all the other regions as clean/untainted still, and either sync from one region to another to make sure nothing happened during the exposure, or at the very worst only have one repo to rebuild.</div>
<div><br></div><div>As another example, to help Matt with getting S3 as a backend for MirrorManager, I would have my productivity greatly increased by having access to the keypair. Is the only thing on the official fedora account the S3-backed repositories? I wouldn't think so. However, that keypair allows access to *everything* at AWS. There is nothing sacred from that keypair; I can use it to put a pubkey in the authorized_keys file of root on all the ec2 instances then do things on the servers as root on the servers - as an example. That keypair is godmode for *all* of the AWS services. Making distinct per-region accounts that are used just to do S3 buckets protects you from this. Matt could give me a normal login account on an ec2 server so I could help test things, and I could use a keypair to work on S3 as a backend, without worrying that doing so meant I needed access to the god-mode keys.</div>
<div><br></div><div>A key per role, per need, more or less. Ben started our convo by trying to sell me on multi-account setups, but didn't need to; I already work on a team that needs to insulate itself from mistakes, and from workers who may not be here next week (and who should therefore not have godmode keys). There are a number of other reasons for it, if I need to go on ;)</div>
<meta http-equiv="content-type" content="text/html; charset=utf-8"><div><br></div><div>Does that all make sense? </div><div><br></div><div>Brian LaMere</div>