[Labs-l] RFC: Webtools setup

Tim Landscheidt tim at tim-landscheidt.de
Fri Feb 15 02:30:07 UTC 2013


Ryan Lane <rlane32 at gmail.com> wrote:

>> > I'm not sure about what you mean. The tools uids should not collide
>> > with the LDAP users, and we should have a central store of them. We
>> > talked about this in IRC some time ago, with no clear results. Although
>> > I think it would be safe to start tool uids with e.g. 50000.

>> The problem I see is that user TOOL on instance A creates a
>> file on /data/project, and on instance B it must appear that
>> this file belongs to user TOOL on that machine.  So either
>> glusterfs must somehow handle this with some magic, or we
>> have to synchronize users and groups project-wide so that
>> user TOOL has uid 50000 on all instances.  The latter should
>> be possible by changing the puppet module to check that
>> "user TOOL exists with uid 50000", but if glusterfs had some
>> automatic mapping that would be even greater.

> Well, it's just NSS handling the mapping. The filesystem is just a normal
> posix filesystem and knows about uids and gids, not the mappings. If the
> users/groups are created as system accounts on the instances then it would
> need to occur on all of the instances. LDAP accounts are automatically
> accessible between all projects, but I'm not sure if we want to create LDAP
> accounts for this.

I think LDAP accounts would open up lots of new security
questions.  The users only need to exist on the instances of
the Webtools project, and so local accounts should be
enough.

> Note that project groups are 50000+ right now. Maybe we should have some
> ranges defined somewhere in puppet?

(Locally) usable not only by Webtools I suppose?  Sure.  How
many uids are used now and in what range?  Assuming we need
one uid/one gid per tool, a range of 1000 should be sufficient
for quite some time.

Tim
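
Added example, not part of the original message or of the Labs puppet code: a check for the failure mode discussed above, where local accounts drift between instances and a file on the shared /data/project filesystem appears to belong to a different tool. The instance names, tool names and passwd excerpts are constructed, and the 50000-50999 range is an assumption taken from the figures floated in the thread.

```python
from collections import defaultdict

# Assumption: tool uids start at 50000 with a width of 1000 (figures from the thread).
TOOL_UIDS = range(50000, 51000)

# Constructed passwd(5) excerpts, one per instance; all names are hypothetical.
SAMPLE = {
    "instance-a": "tool1:x:50000:50000::/data/project/tool1:/bin/bash\n"
                  "tool2:x:50001:50001::/data/project/tool2:/bin/bash\n",
    "instance-b": "tool1:x:50000:50000::/data/project/tool1:/bin/bash\n"
                  "tool2:x:50002:50002::/data/project/tool2:/bin/bash\n"
                  "tool3:x:50001:50001::/data/project/tool3:/bin/bash\n",
}

def parse_passwd(text):
    """Return {name: uid} for passwd(5) lines, skipping blanks, comments and bad rows."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit(instances, uid_range=TOOL_UIDS):
    """Report uid drift for accounts inside uid_range across all instances."""
    by_name = defaultdict(dict)  # name -> {instance: uid}
    by_uid = defaultdict(set)    # uid  -> {names using it on any instance}
    for inst, text in instances.items():
        for name, uid in parse_passwd(text).items():
            if uid in uid_range:
                by_name[name][inst] = uid
                by_uid[uid].add(name)
    # Same name, different uid: the tool loses access to its own files elsewhere.
    mismatched = {n: m for n, m in by_name.items() if len(set(m.values())) > 1}
    # Same uid, different names: one tool's files appear owned by another tool.
    shared = {u: sorted(ns) for u, ns in by_uid.items() if len(ns) > 1}
    # Account absent on some instance: files show up there with a bare numeric owner.
    missing = {n: sorted(set(instances) - set(m))
               for n, m in by_name.items() if set(instances) - set(m)}
    return mismatched, shared, missing

if __name__ == "__main__":
    for label, result in zip(("mismatched", "shared", "missing"), audit(SAMPLE)):
        print(label, result)
```

In the constructed data, a file written by tool2 on instance-a carries uid 50001, which instance-b resolves to tool3.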



