Change Request: Allow fi-apprentice to log into app*

Kevin Fenzi kevin at scrye.com
Fri Aug 24 15:31:36 UTC 2012


On Fri, 24 Aug 2012 17:25:34 +0200
Pierre-Yves Chibon <pingou at pingoured.fr> wrote:

> On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> > One of our apprentices was looking into how we use the faswho
> > adapter and was going to look at how it's configured in raffle on the
> > app servers.  When he wasn't able to we discovered that
> > fi-apprentice isn't allowed to login to the app servers.  Discussed
> > with nirik and we think that this is a simple oversight rather than
> > a matter of policy.
> [...]
> > Since this applies to appRhel, the nodes that it will affect are:
> > 
> > app0[1-68]
> > app0[12].stg
> > bapp02
> > value0[34]
> > value01.stg
> 
> How far are the stg machines from the production ones? I'm asking
> thinking that this change, if it sounds fine, gives access to quite a
> number of nodes to apprentices. Just giving apprentices access to stg
> machines might be sufficient, no?

Perhaps. We already grant them access to most machines however. 

I think the default should be to allow, and only restrict where there's
a need to restrict. 

Note also that this is read-only access. There's no sudo or the like
granted. This is just to allow them to login and look at processes and
files that are world readable so they can figure out how things work.

If our staging was more... expansive... I think we could look at
restricting to that, but there are a number of things we simply don't
have in staging or that are set up differently/oddly.

kevin