On Tue, Apr 10, 2012 at 12:36 AM, Petr Bena <[email protected]> wrote:
> No one responded on wiki:
>

I didn't know it existed for a while. heh. It's better to enter bugs in bugzilla, using the Wikimedia Labs product.

> Can you create a new group "System operator" and revoke root access
> from all users who aren't members of this group? The group should be
> edited only by members of the sysadmin group, and it should appear just as
> other groups (Net admin) etc. petrb 12:08, 3 April 2012 (UTC)
>
> I discussed on irc with mutante and we decided it would be best if we
> renamed the current sysadmin to project admin and created a sysadmin as the
> group of people who have root. Just as netadmin is the group which controls the
> firewall. petrb 12:45, 3 April 2012 (UTC)
>
> Just to summarize it:
>
> Project admin - can manage instances, and groups
> System admin - has root on instances
> Net admin - can manage firewall
> Members - can access instances but have no root
>
> I think this scheme makes it much easier. petrb 12:47, 3 April 2012 (UTC)
>

This isn't terribly easy to do, as the sysadmin, netadmin, etc. are roles, and not groups. The instances have no clue who is in a role, and as such, sudo can't limit access based on them. Also, puppet doesn't know who the members of the roles are either, so we have to come up with another way.

I think I've come up with a somewhat reasonable approach using sudo-ldap:

https://bugzilla.wikimedia.org/show_bug.cgi?id=35850

- Ryan

_______________________________________________
Labs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/labs-l
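As an added illustration of the sudo-ldap approach Ryan refers to (this is not configuration from the thread, the bug, or Wikimedia Labs), here is what the directory side of the "only the sysadmin group has root" scheme looks like; the base DN `ou=SUDOers,dc=example,dc=org` and the POSIX group name `sysadmin` are assumptions:

```ldif
# Added example, not from the thread. Assumes the sudoers container is
# ou=SUDOers,dc=example,dc=org (pointed to by sudoers_base in
# /etc/sudo-ldap.conf on each instance) and that the "has root" role is
# represented by a POSIX group named "sysadmin" in the same directory.

# Container that every instance's sudo-ldap searches at each sudo invocation,
# so a membership change in the directory takes effect without a puppet run.
dn: ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# Global options, the LDAP equivalent of a Defaults line in /etc/sudoers.
dn: cn=defaults,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values
sudoOption: env_reset

# The only rule granting root: members of the sysadmin group, on every host.
# Project members who are not in this group match no sudoRole and are denied.
# A per-project host list in sudoHost (instead of ALL) would scope it further.
dn: cn=sysadmin,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: sysadmin
description: System admin role - root on instances
sudoUser: %sysadmin
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: ALL
```

The `%sysadmin` form in `sudoUser` is the standard sudoers group syntax, resolved on the instance through NSS, so the group itself must also be visible to the instances (for example via nss-ldap) for the rule to match.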
