On Wed, Apr 29, 2020 at 5:41 PM Kevin Fenzi <[email protected]> wrote:
> On Wed, Apr 29, 2020 at 02:02:08PM +0100, Mark O'Brien wrote:
> > On Tue, Apr 28, 2020 at 9:27 PM Kevin Fenzi <[email protected]> wrote:
> >
> > I think a lot of places use an atypical set up from what I read.
>
> Heh. Yeah.
>
> The big thing about ours is that we have just one account for all our
> community activities, which amazon picks up the tab for. :)
>
> So, that's great on one hand, but on the other we have a bunch of
> different groups that all want to use it and we don't want them to step
> on each other or cause problems for one another.
>
> > A possible way to give limited access going forward would be to federate
> > access to a redhat account of some sort (gmail/fedora) that way you could
> > set a generic limited access policy for new users.
>
> We already do.
>
> All access to the account is via our ipsilon instance using SAML2.
> ipsilon in turn gets information from fas (fedora account system).
> When you login via SAML2, your group information is passed along and if
> you are in specific groups you are logged in with that group's role.
>
> So, we have a master role (all access), a copr role (for the copr team),
> a fedora-ci role (for fedora-ci, etc). Some teams need programmatic
> access also, so for them we create users that have the same IAM policy
> as the roles and use a token.
>
> The IAM policies are set up so roles have limited access to most things,
> and then full access to things that are tagged with their group. When
> they spin up new resources, they tag them as belonging to their group
> and then they can do whatever they need to with them and other roles
> can't.
>
> It's not great, but it does work.
>
> > > We also have:
> > >
> > > https://pagure.io/fedora-infrastructure/issue/8436
> > >
> > > which I keep never getting around to, and perhaps you could script the
> > > needed steps for me there.
> >
> > I have left a comment on the ticket about potentially using a daily lambda
> > function to take care of this.
> > I will put together a bash script which can make use of the aws cli for the
> > initial clean up.
>
> So, most of these are really old. I don't know who made them or why they
> are there, so I think if we could just mark them all unavailable or
> something, wait a few weeks to make sure no one comes asking about them,
> then delete them, that would likely do.
>
> We do upload Fedora images... but that process is controlled by an
> application called fedimg and it has its own cleanup scripts to cleanup
> things. I can dig up more details... but we are hoping to replace this
> with a new app from the coreos folks. If you are interested in driving
> that forward that would be great!
> https://pagure.io/fedora-infrastructure/issue/7702
> is the old ticket on this.
>
> > > Let me know when a good morning might be and we can try and get
> > > together. IRC would be best for me, then we could also add in anyone
> > > else who was interested.
> >
> > I can do Today or tomorrow at 16:30 IST/ 08:30PDT or 21:00 IST/13:00 PDT
> > whichever would suit you best.
>
> Today is no good. ;) Tomorrow the infra meeting is at 8-9PDT.
> I'm free at 13pdt tomorrow tho, so that works fine, or between 9-11pdt.
>
> > I am off Friday so if neither of these times suit you we could try next
> > week.
> > We can use whichever IRC channel you think appropriate
>
> How about #fedora-admin...
>
Ok I'll ping you at about 13pdt on #fedora-admin and if you are free we can try to go through some of this. I appreciate you are busy so no worries if you need to put me off.

Mark
_______________________________________________
infrastructure mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
