On Fri, 24 Aug 2012 17:25:34 +0200
Pierre-Yves Chibon <pingou(a)pingoured.fr> wrote:
On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> One of our apprentices was looking into how we use use the faswho
> adapter was going to look at how it's configured in raffle on the
> app servers. When he wasn't able to we discovered that
> fi-apprentice isn't allowed to login to the app servers. Discussed
> with nirik and we think that this is a simple oversight rather than
> a matter of policy.
> Since this applies to appRhel, the nodes that it will affect are:
How far are the stg machine from the production one ? I'm asking
thinking that this change, if it sounds fine, gives access to quite a
number of nodes to apprentices. Just giving apprentices access to stg
machines might be sufficient no ?
Perhaps. We already grant them access to most machines however.
I think the default should be to allow, and only restrict where there's
a need to restrict.
note also that this is read-only access. There's no sudo or the like
granted. This is just to allow them to login and look at processes and
files that are world readable so they can figure out how things work.
If our staging was more... expansive... I think we could look at
restricting to that, but there's a number of things we simply don't
have in staging or is setup differently/oddly.