I'm glad many of these issues are resolved or on their way to getting resolved, but I worry that we're missing the bigger usability and security issue posed by having so many permission bits:
Not everyone with a Gerrit account has a Labs account; not everyone with a Labs account has shell access; not everyone with shell access has access to bastion; not everyone with access to bastion has access to Labs instances; not everyone with access to Labs instances is a sysadmin; not every sysadmin is a netadmin, and not every netadmin gets to have a public IP. Some of the distinctions above have been identified as bugs and fixed, but I wonder if the distinctions could not be collapsed even further, so that new Labs users do not experience the process of getting set up with a comfortable development instance as a series of "gotchas". There are oodles of usability studies online that have reproduced what appears to be a universal truth: that hurdles and quirks in a site's on-boarding experience will frustrate users and drive them away.

-- Ori Livneh

On Saturday, December 29, 2012 at 4:54 PM, Ryan Lane wrote:

> On Sat, Dec 29, 2012 at 4:37 PM, Fran McCrory <[email protected]> wrote:
> > On Sat, Dec 29, 2012 at 5:13 PM, Ryan Lane <[email protected]> wrote:
> > > You were added before <https://gerrit.wikimedia.org/r/#/c/25700/> was
> > > implemented. Now when a user is given shell they are automatically added to
> > > the bastion. We should likely run a maintenance script to add everyone in
> > > the shell group to the bastion project (added bug 43508), so that other
> > > users in your situation don't run into this problem.
> >
> > How recently was this patch deployed? The patch was approved on
> > October 2; my shell account was created only a week ago (December 23).
>
> Ah, I thought you meant the DC hackathon during Wikimania.
>
> I remember looking at your account when you were saying you didn't have
> bastion access. I remember that your account was properly in the project.
>
> Of course, without having a working authorized_keys file, you wouldn't have
> access to the project's instances via ssh. That issue was due to the ssh-key
> bot being broken.
>
> - Ryan
> _______________________________________________
> Labs-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/labs-l
