On 7 May 2012 08:08, Michael Hudson-Doyle <[email protected]> wrote: > Hi all, > > Suppose there is a LAVA user, and to avoid taxing my imagination let's > call him Alexandros. He wants to have some jobs submitted automatically > from ci.linaro.org to lava that deposit results in a bundle stream that > only members of linaro can see, which all seems reasonable enough. > > Currently though, the story for tokens around this is a bit horrible. > To be able to submit to the a /private/team/linaro/... bundle, you have > to submit the job as a member of the linaro group in v.l.o. > > I can think of a few ways of doing this, but I don't really like any of > them: > > 1) jenkins on ci.linaro.org could use one of alf's tokens, but that > seems a little tied to him (what if he leaves linaro, etc)
We have a process for leavers. If we choose this option, we should add an action to disable/remove those accounts. > 2) Another way is to create a user that does not correspond to a user on > LP (gfx-daily-job-submitter or somethign) and add it to the linaro > group on v.l.o. This feels a bit better, but it's not very 'self > service' -- the only way to create such a user is via the admin panel > afaik. > > 3) A third way is to create a fake user on LP and add it to the ~linaro > team there. This also seems a bit horrible. > > There is a fourth way that is actually happening but doesn't help -- > create a user on LP and do _not_ add it ~linaro: > https://launchpad.net/~ciadmin [1]. This option isn't 'self service' either. A CI admin should add the credential on Jenkins and a v.l.o admin should create the user. > I don't really have a suggestion for what would be better here. It > feels a bit like the model we have for access and handling tokens is > perhaps a bit too simple currently. What do you guys think? I don't have better to propose but the issue to resolve isn't for Validation only imo. It should involve Infrastructure to get a really safe [2] self service system and a better story for the end user. > Cheers, > mwh > > [1] this is why ci.linaro.org lost the job-submitting permission -- I > didn't realize ciadmin on v.l.o corresponded to a user on LP! [2] avoid leaking lava user/token _______________________________________________ linaro-validation mailing list [email protected] http://lists.linaro.org/mailman/listinfo/linaro-validation
