[Labs-l] Per-project service users and groups
Ryan Lane
rlane at wikimedia.org
Sat Mar 16 21:34:07 UTC 2013
In support of the ongoing tools project work, we're proposing a new feature
in Labs: per-project service users and groups. Feedback is welcome. Here's
how it'll work:
We're going to start by formalizing our uid and gid ranges. I'll leave the
range specifics out for brevity. We'll be assigning a range of uids that
can overlap between projects for the service users and groups.
Next, we're going to add an interface for managing users and groups within
a project. projectadmins will be able to create new users, which will
automatically create groups with the same names as the user names. The
users and groups will automatically be prefixed with local-, so as to avoid
clashing with global users and groups (we've already disabled the creation
of local-.* global users). So, mwbot would be: user: local-mwbot, group:
local-mwbot. projectadmins will optionally select an initial member of the
group.
When the user and group are created, a sudo rule will automatically be
added to the project's sudo policy as well. This rule will allow anyone in
the service group to sudo to the service user without authentication.
From a technical point of view, we're going to extend our abstraction of
project trees in LDAP. Note, here's a shortened version of our DIT:

dc=wikimedia,dc=org
    our base
ou=people,dc=wikimedia,dc=org
    global user accounts
ou=groups,dc=wikimedia,dc=org
    global groups
ou=projects,dc=wikimedia,dc=org
    openstack projects
cn=<project>,ou=projects,dc=wikimedia,dc=org
    a specific openstack project
ou=sudoers,cn=<project>,ou=projects,dc=wikimedia,dc=org
    a sudo policy in a project
cn=default,ou=sudoers,cn=<project>,ou=projects,dc=wikimedia,dc=org
    a rule in a sudo policy
cn=projectadmin,cn=<project>,ou=projects,dc=wikimedia,dc=org
    a projectadmin role in a project
We'll be adding two OUs; each will hold a set of objects:

ou=people,<project>,ou=projects,dc=wikimedia,dc=org
    a set of service users in a project
uid=local-<user>,ou=people,<project>,ou=projects,dc=wikimedia,dc=org
    a service user in a project
ou=groups,<project>,ou=projects,dc=wikimedia,dc=org
    a set of service groups in a project
cn=local-<group>,ou=groups,<project>,ou=projects,dc=wikimedia,dc=org
    a service group in a project
We'll pull these in using nslcd.conf. It has support for multiple base
entries per record type.
The service users will not be accessible via ssh, only via sudo. This will
be our recommended use for shared applications, and will likely be our
default for tools and bots.
- Ryan
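The create-service-user action described in the post, rendered as LDIF. This is an added example, not Labs code: the DN layout follows the DIT above, while the object classes, attribute names, the home directory layout, the uid/gid range and the sudo rule name (cn=local-<user>) are assumptions.

```python
import re

BASE = "dc=wikimedia,dc=org"
# Placeholder: the post omits the real per-project service uid/gid range.
SERVICE_ID_RANGE = range(50000, 60000)
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,30}")


def service_user_ldif(project, name, uid, member=None):
    """Return LDIF for the local-<name> user, its group and its sudo rule."""
    # Reject names that would collide with the local- prefix or carry shell
    # metacharacters into sudo / nslcd lookups.
    if not NAME_RE.fullmatch(name) or name.startswith("local-"):
        raise ValueError(f"invalid service user name: {name!r}")
    if uid not in SERVICE_ID_RANGE:
        raise ValueError(f"uid {uid} outside the service range")
    local = f"local-{name}"
    proj = f"cn={project},ou=projects,{BASE}"
    user = [
        f"dn: uid={local},ou=people,{proj}",
        "objectClass: posixAccount", "objectClass: account",
        f"uid: {local}", f"cn: {local}",
        f"uidNumber: {uid}", f"gidNumber: {uid}",
        f"homeDirectory: /data/project/{name}",  # assumed home layout
        "loginShell: /bin/bash",
        # No userPassword or ssh key attribute: reachable only through sudo.
    ]
    group = [
        f"dn: cn={local},ou=groups,{proj}",
        "objectClass: posixGroup",
        f"cn: {local}", f"gidNumber: {uid}",
    ]
    if member:  # optional initial member chosen by the projectadmin
        group.append(f"memberUid: {member}")
    sudo = [
        f"dn: cn={local},ou=sudoers,{proj}",  # assumed rule name
        "objectClass: sudoRole",
        f"cn: {local}",
        f"sudoUser: %{local}",        # anyone in the service group ...
        f"sudoRunAsUser: {local}",    # ... may become the service user
        "sudoHost: ALL", "sudoCommand: ALL",
        "sudoOption: !authenticate",  # without re-entering a password
    ]
    return "\n\n".join("\n".join(e) for e in (user, group, sudo)) + "\n"
```

The three entries are exactly what nslcd (with `base passwd` / `base group` pointing at the project OUs) and sudo's LDAP backend would read back.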