[Labs-l] Per-project service users and groups

Marc A. Pelletier marc at uberbox.org
Tue Mar 19 20:19:27 UTC 2013


On 03/19/2013 04:09 PM, Andrew Bogott wrote:
>     I'm starting to write the php code to create/delete groups and
> add/remove members, and I think I don't have all the info I need here.
> Can you run down an example or two?  Specifically, I'm not clear how a
> given user is given membership in a specific group.

Any current member of the group can add a project user to the group, and
the user who created the group gets automatically added.

Removing is an interesting question.  I would say that anyone can remove
oneself, and project admins can remove anyone; but that nobody can
remove the last user.  The service user itself is always a member of the
group and can never be removed (and should probably not even be
displayed in the interface).

Deleting a service group/user should be restricted to project admins.

I'm not sure if we want to restrict service group/user *creation*.  If
we do, it has to be project admins.

>     Also:  If there's going to be a 1:1 relationship between service
> users and service groups, do we really need to keep track of service
> users in ldap at all?  That is:  if there's a 'local-superbot' group,
> then we can take for granted that there will be a 'local-superbot' user,
> right?

We can take it for granted, but the user nevertheless has to be there in
LDAP for getent() to find.

Incidentally, the service user's primary group should be configurable in
some manner, or at the very least fixed to a global-group that is
distinct from humans'.

-- Marc
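
The membership rules described in this message, written out as an added example (not code from the thread or from the Labs project). The class and method names are hypothetical, and it assumes that "the last user" means the last human member and that the service user is kept out of the stored member list.

```php
<?php
// Added illustration: class and method names are hypothetical.
// Assumption: $members holds human members only; the service user is an
// implicit, permanent member and "last user" means the last human member.
class ServiceGroupPolicy {
    private $serviceUser, $projectUsers, $projectAdmins;
    private $members = array();
    public function __construct( $name, $creator, array $projectUsers, array $projectAdmins ) {
        $this->serviceUser = $name;        // 1:1 with the group, e.g. 'local-superbot'
        $this->projectUsers = $projectUsers;
        $this->projectAdmins = $projectAdmins;
        $this->members[$creator] = true;   // the creator is added automatically
    }

    public function isMember( $user ) {
        return isset( $this->members[$user] );
    }

    private function isAdmin( $user ) {
        return in_array( $user, $this->projectAdmins, true );
    }

    // Any current member may add a user who belongs to the project.
    public function add( $actor, $target ) {
        if ( !$this->isMember( $actor ) || !in_array( $target, $this->projectUsers, true ) ) {
            return false;
        }
        $this->members[$target] = true;
        return true;
    }

    // Self-removal, or removal by a project admin; the service user and the
    // last remaining member can never be removed.
    public function remove( $actor, $target ) {
        if ( $target === $this->serviceUser || !$this->isMember( $target ) ) {
            return false;
        }
        if ( ( $actor !== $target && !$this->isAdmin( $actor ) ) || count( $this->members ) === 1 ) {
            return false;
        }
        unset( $this->members[$target] );
        return true;
    }

    // Deleting the service group/user is restricted to project admins.
    public function canDelete( $actor ) {
        return $this->isAdmin( $actor );
    }
}
```

With a single human member, `remove()` returns false even when the actor is a project admin, and a request naming the service user is refused regardless of who asks.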



