I completely forgot to bring this up at the meeting yesterday. Are there any thoughts on this? Do the powers-that-be understand the argument for having multiple accounts?
Brian

On Tue, Aug 31, 2010 at 7:56 PM, Brian LaMere <[email protected]> wrote:

> Regardless how MirrorManager is made to work, the content itself will need to come from S3; I think that's in agreement, right?
>
> When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it is best to have an S3 account per region for large sites; I agreed, and have already experienced why this is the case. I can go over the reasons more extensively if the group would like, but they can be summed up with a single word: "security." I'll give two short examples, both based on what could happen between Matt and me working on getting MirrorManager in AWS.
>
> While working on the code to get MirrorManager to have an S3 back-end, say I accidentally send the keypair in an email, or worse - in an email to a list. Immediately failing over to the second keypair (accounts can only have two keypairs, and only one should be used at a time except for when you're changing the keys; the second allows for seamless switches to a new keypair, as you leave both active until the process is complete, then deactivate the old one). Having the keys be per-region minimizes the impact of this problem; there was a temporary exposure, but it wasn't a /global/ exposure, which means we can safely treat the contents of all the other regions as clean/untainted still, and either sync from one region to another to make sure nothing happened during the exposure, or at the very worst only have one repo to rebuild.
>
> As another example, to help Matt with getting S3 as a backend for MirrorManager, I would have my productivity greatly increased by having access to the keypair. Is the only thing on the official fedora account the S3-backed repositories? I wouldn't think so. However, that keypair allows access to *everything* at AWS. There is nothing sacred from that keypair; I can use it to put a pubkey in the authorized_keys file of root on all the ec2 instances then do things on the servers as root on the servers - as an example. That keypair is godmode for *all* of the AWS services. Making distinct per-region accounts that are used just to do S3 buckets protects you from this. Matt could give me a normal login account on an ec2 server so I could help test things, and I could use a keypair to work on S3 as a backend, without worrying that doing so meant I needed access to the god-mode keys.
>
> A key per role, per need, more or less. Ben started our convo by trying to sell me on multi-account setups, but didn't need to; I already work on a team that needs to insulate itself from mistakes, and from workers who may not be here next week (and who should therefore not have godmode keys). There are a number of other reasons for it, if I need to go on ;)
>
> Does that all make sense?
>
> Brian LaMere
_______________________________________________
cloud mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/cloud
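The quoted mail describes the rotation procedure that a leaked key forces: create the second key, switch the consumer over while both stay active, confirm the new one works, then deactivate the old one (and delete it once nothing depends on it). Below is an added example of that procedure, not code from this thread, from MirrorManager or from Fedora infrastructure. It is written against the method names of boto3's IAM client (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`), which is the present-day equivalent of the two-key-per-account limit the mail refers to (an assumption on my part; the mail predates IAM). `FakeIAM` is a constructed in-memory stand-in for that client so the example runs offline, and the user name `mm-s3-us-east` is made up.

```python
"""Seamless access-key rotation with a two-key limit, as an added example.

Written against boto3's IAM client method names so the rotation function could
be handed a real `boto3.client("iam")`; FakeIAM below is a constructed
stand-in that enforces the same two-keys-per-user limit offline.
"""
from datetime import datetime, timezone
import itertools

MAX_KEYS_PER_USER = 2  # AWS limit: at most two access keys per IAM user


class FakeIAM:
    """Constructed in-memory stand-in for the subset of the IAM client used here."""

    def __init__(self):
        self._keys = {}  # user name -> list of key metadata dicts
        self._ids = itertools.count(1)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= MAX_KEYS_PER_USER:
            # Mirrors the LimitExceeded error a real client raises for a third key.
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser: 2")
        key = {"UserName": UserName,
               "AccessKeyId": f"AKIAFAKE{next(self._ids):012d}",  # constructed id
               "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        keys.append(key)
        return {"AccessKey": {**key, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self._keys.get(UserName, []):
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        keys = self._keys.get(UserName, [])
        self._keys[UserName] = [k for k in keys if k["AccessKeyId"] != AccessKeyId]
        return {}


def rotate_access_key(iam, user, switch_consumer, verify):
    """Rotate `user`'s key the way the mail describes.

    Both keys stay active until `verify()` confirms the consumer works with the
    new one; only then is the old key set Inactive. Returns (new_id, old_ids).
    """
    current = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(current) >= MAX_KEYS_PER_USER:
        # No free slot. An Inactive leftover from an earlier rotation can be
        # deleted; if both slots are live, a previous rotation was never finished.
        leftovers = [k for k in current if k["Status"] == "Inactive"]
        if not leftovers:
            raise RuntimeError("both key slots are active; finish the previous rotation first")
        for k in leftovers:
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
        current = [k for k in current if k["Status"] == "Active"]

    old_ids = [k["AccessKeyId"] for k in current]
    new = iam.create_access_key(UserName=user)["AccessKey"]
    # Point the consumer (e.g. the S3 sync job) at the new credentials.
    switch_consumer(new["AccessKeyId"], new["SecretAccessKey"])
    if not verify():
        # The old key is still active, so the caller can put its config back.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key did not verify; old key left active")
    for kid in old_ids:
        # Deactivate rather than delete: it can be re-enabled if something was missed.
        iam.update_access_key(UserName=user, AccessKeyId=kid, Status="Inactive")
    return new["AccessKeyId"], old_ids


def key_statuses(iam, user):
    """Helper for inspection: {AccessKeyId: Status} for the user."""
    return {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}


if __name__ == "__main__":
    iam, user = FakeIAM(), "mm-s3-us-east"  # constructed user
    iam.create_access_key(UserName=user)
    print(rotate_access_key(iam, user, lambda kid, secret: None, lambda: True))
    print(key_statuses(iam, user))
```

The `verify` callback is where a real deployment would do a read against the bucket with the new key before the old one is touched; swapping in `boto3.client("iam")` for `FakeIAM()` is the only change needed to run it for real, and the function refuses to proceed when both slots are already active rather than silently deleting a live key.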
