[Labs-l] Create a new group

Ryan Lane rlane32 at gmail.com
Tue Apr 10 08:07:59 UTC 2012


On Tue, Apr 10, 2012 at 12:36 AM, Petr Bena <benapetr at gmail.com> wrote:
> No one responded on wiki:
>

I didn't know it existed for a while. heh. It's better to enter bugs
in bugzilla, using the Wikimedia Labs product.

> Can you create a new group "System operator" and revoke root access
> from all users who aren't members of this group? The group should be
> edited only by members of sysadmin group, it should appear just as
> other groups (Net admin) etc. petrb 12:08, 3 April 2012 (UTC)
>
>    I discussed on irc with mutante and we decided it would be best if we
> renamed the current sysadmin to project admin and created sysadmin as the
> group of people who have root, just as netadmin is the group which controls
> the firewall. petrb 12:45, 3 April 2012 (UTC)
>
> Just to summarize it:
>
> Project admin - can manage instances, and groups
> System admin - has root on instances
> Net admin - can manage firewall
> Members - can access instances but have no root
>
> I think this scheme makes it much easier petrb 12:47, 3 April 2012 (UTC)
>

This isn't terribly easy to do, as the sysadmin, netadmin, etc. are
roles, and not groups. The instances have no clue who is in a role,
and as such, sudo can't limit access based on them. Also, puppet
doesn't know who the members of the roles are either, so we have to
come up with another way. I think I've come up with a somewhat
reasonable approach using sudo-ldap:

https://bugzilla.wikimedia.org/show_bug.cgi?id=35850

- Ryan
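As an added illustration of what a sudo-ldap based approach looks like (this is example configuration written for this archive page, not Ryan's bug attachment or anything from the Labs puppet repository): a single sudoRole entry grants unrestricted sudo only to members of a POSIX group, and every other account on the instance keeps its shell access without root. The base DN, the group name "sysadmin" and the LDAP URI are assumed placeholders.

```ldif
# Example sudo-ldap entry (constructed for illustration; DN and names are
# assumptions). Only members of the POSIX group "sysadmin" match this role,
# so users outside the group get shell access but no sudo.
dn: cn=sysadmin-root,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: sysadmin-root
# "%name" in sudoUser refers to a UNIX group, resolved through NSS on the host
sudoUser: %sysadmin
# Apply on every instance that reads this sudoers base
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
# Keep the "first sudo use" lecture and password prompt behaviour explicit
sudoOption: authenticate

# A deny-by-default companion entry is unnecessary: sudo-ldap grants nothing
# unless some sudoRole matches, so an account that is not in "sysadmin" and
# matches no other role simply gets "is not allowed to run sudo".
```

On the instance side the only pieces needed are `sudoers_base ou=SUDOers,dc=example,dc=org` plus the `uri` in /etc/sudo-ldap.conf (or ldap.conf, depending on distribution), and `sudoers: files ldap` in /etc/nsswitch.conf so the local /etc/sudoers is consulted first. Verification is `sudo -l` as a member and as a non-member: the first should list `(ALL) ALL`, the second should report that the user may not run sudo. Because group membership is resolved by NSS, the approach also answers the problem Ryan describes: neither sudo nor puppet needs to know about wiki roles, only about a group the instance can already see.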


