On Mon, May 7, 2012 at 8:20 AM, Fathi Boudra <[email protected]> wrote:
> On 7 May 2012 08:08, Michael Hudson-Doyle <[email protected]> wrote:
>> Hi all,
>>
>> Suppose there is a LAVA user, and to avoid taxing my imagination let's
>> call him Alexandros. He wants to have some jobs submitted automatically
>> from ci.linaro.org to lava that deposit results in a bundle stream that
>> only members of linaro can see, which all seems reasonable enough.
>>
>> Currently though, the story for tokens around this is a bit horrible.
>> To be able to submit to a /private/team/linaro/... bundle, you have
>> to submit the job as a member of the linaro group in v.l.o.
>>
>> I can think of a few ways of doing this, but I don't really like any of
>> them:
>>
>> 1) jenkins on ci.linaro.org could use one of alf's tokens, but that
>>    seems a little tied to him (what if he leaves linaro, etc)
>
> We have a process for leavers. If we choose this option, we should add
> an action to disable/remove those accounts.
>
>> 2) Another way is to create a user that does not correspond to a user on
>>    LP (gfx-daily-job-submitter or something) and add it to the linaro
>>    group on v.l.o. This feels a bit better, but it's not very 'self
>>    service' -- the only way to create such a user is via the admin panel
>>    afaik.
>>
>> 3) A third way is to create a fake user on LP and add it to the ~linaro
>>    team there. This also seems a bit horrible.
>>
>> There is a fourth way that is actually happening but doesn't help --
>> create a user on LP and do _not_ add it to ~linaro:
>> https://launchpad.net/~ciadmin.
>
> This option isn't 'self service' either. A CI admin should add the
> credential on Jenkins and a v.l.o admin should create the user.
>
>> I don't really have a suggestion for what would be better here. It
>> feels a bit like the model we have for access and handling tokens is
>> perhaps a bit too simple currently. What do you guys think?
>
> I don't have better to propose but the issue to resolve isn't for
> Validation only imo. It should involve Infrastructure to get a really
> safe self service system and a better story for the end user.
>

I anticipated that setting up jobs (recurring and one off jobs) would
be done as a service by the infrastructure team. They could ensure
that the users etc. are all ok etc.

I believe option 2 should be fine. We would need just one special user
that is shared by all jobs that submit to @linaro.org protected
bundlestreams.

Is that a problem?

--
Alexander Sack
Technical Director, Linaro Platform Teams
http://www.linaro.org | Open source software for ARM SoCs
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog
