Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Fri, Jun 29, 2018 at 08:38:06PM -0400, Jimmy Kaplowitz wrote:
> Last step before I proceed with registering within G Suite is to do a
> bit more research on how to differentiate between the two domains in
> Google Cloud IAM, even if they share a G Suite account. Currently making
> inquiries with people who would know.

I think I've realized how I can test this before we've committed too
extensively to the path I'm proposing. I've followed up on the thread
with DSA, making the one technical request I need to verify the domain
with Google, and asking their input on some policy questions like who
should create @debian.org Google accounts under what criteria while the
process remains manual in the short term.

Stay tuned - though it turns out you're already CCed on the thread with
DSA, so you have the full context already.

- Jimmy Kaplowitz
ji...@debian.org

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
Hi Bastian,

On Fri, Jun 29, 2018 at 04:08:44PM -0400, Jimmy Kaplowitz wrote:
> On Fri, Jun 29, 2018 at 12:47:12PM +0200, Bastian Blank wrote:
> > On Fri, Jun 29, 2018 at 01:26:39AM -0400, Jimmy Kaplowitz wrote:
> > > There are other constraints: You can't create your own organization
> > > without a G Suite account, which can't be free without SPI's 501(c)(3)
> > > nonprofit status or some foreign equivalent.
> >
> > There is the Cloud Identity product, which creates an organization as
> > well. And the last time I looked at it, this worked pretty well.
>
> I'm glad they seem to have added this option - DSA and I were already
> planning to use Cloud Identity, but last time I checked, standalone
> Cloud Identity without G Suite couldn't create a GCP organization. This
> is now possible.
>
> Anyway, Debian doesn't need or want most of the proprietary G Suite
> services, so starting debian.org with Cloud Identity (through SPI's G
> Suite or otherwise) makes sense.

I just had an odd conversation with G Suite support, to make sure I
wasn't going to set things up in an irreversible way that we'd regret
later. And indeed, from looking at the G Suite admin console, the truth
seems to be as bizarre as they said:

With SPI's G Suite for Nonprofits account, we can add debian.org as a
secondary domain with the G Suite feature set, and then disable the
individual G Suite services to make it roughly the same as Cloud
Identity. We can also set up a G Suite organizational unit to make this
easy for all new accounts.

However our free account type doesn't actually let us make the more
limited Cloud Identity type of account that lacks official G Suite
license. My guess is that they didn't think to set that up because Cloud
Identity is actually a subset of G Suite, so the only reason to want
less would be ideologies like Debian's. :) We can still achieve a
similar result through the option to disable features, as I noted.

Aside from the paid editions of G Suite, they did say that Cloud
Identity's free edition is only available through Google Cloud Platform
with a billing account enabled. How were you planning to handle billing
for that, if done separately from SPI?

If Google wants to provide a gratis billing account, this could work,
but otherwise we shouldn't be using personal credit cards for this. If
we're at least sometimes paying, we should stick with the G Suite option
that both Debian and SPI can control and keep track of, with any
non-sponsored usage paid by SPI from the funds held for Debian. Projects
which are partially or fully sponsored by Google could have promotional
coupons applied to normal billing accounts, or special gratis billing
accounts could be provided for us to link with those projects.

Last step before I proceed with registering within G Suite is to do a
bit more research on how to differentiate between the two domains in
Google Cloud IAM, even if they share a G Suite account. Currently making
inquiries with people who would know.

- Jimmy Kaplowitz
ji...@debian.org

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Fri, Jun 29, 2018 at 12:47:12PM +0200, Bastian Blank wrote:
> On Fri, Jun 29, 2018 at 01:26:39AM -0400, Jimmy Kaplowitz wrote:
> > There are other constraints: You can't create your own organization
> > without a G Suite account, which can't be free without SPI's 501(c)(3)
> > nonprofit status or some foreign equivalent.
>
> There is the Cloud Identity product, which creates an organization as
> well. And the last time I looked at it, this worked pretty well.

I'm glad they seem to have added this option - DSA and I were already
planning to use Cloud Identity, but last time I checked, standalone
Cloud Identity without G Suite couldn't create a GCP organization. This
is now possible.

Anyway, Debian doesn't need or want most of the proprietary G Suite
services, so starting debian.org with Cloud Identity (through SPI's G
Suite or otherwise) makes sense.

> > Shall I take your reply as a request to follow up with DSA on getting
> > the debian.org domain registered with SPI's G Suite and a GCP
> > organization created? I've been waiting on such a reply for the last two
> > weeks after you said you dropped the project that motivated the work,
> > but it's still easy to do if desired.
>
> These are two different projects. I have more or less dropped the mirror
> project. This would be a new one directly for Salsa. And this time we
> may want to do it right and not opt-in for the easy solution of a GCP
> project within google.com.

Interesting. Can you say more about why the mirror project got dropped
and how Google is now planning to handle Debian mirror access for GCP?

As for Salsa: having an official Debian/SPI arrangement gives Google
some additional ways to do this sponsorship. They could give a coupon
which we could apply to a billing account that is used by the Salsa
project, or they could directly cover the costs of such a billing
account through making it directly paid by the appropriate internal
Google cost center. Note that a single billing account can be used by
multiple GCP projects, so you can still separate on useful boundaries
like development vs production instances of Salsa.

Since SPI is a 501(c)(3) public charity, they might be able to treat
this coupon or the Google-paid billing account as a charitable donation,
which in turn might make them more willing to say yes or to offer a
larger sponsorship.

Whatever GCP projects get used for Salsa, they can be put inside
Debian's GCP organization, which would give DSA visibility but wouldn't
have to block direct access for the people doing the work.

> However I don't even know if using anything of that would work. DSA has
> chosen to ignore me. Either they have no time, which means they need
> to shed responsibilities and should not be tasked with more stuff. Or
> they explicitly ignore me, which means that I am reluctant to use it,
> if it means everything takes ages to accomplish.

When Chris Lamb forwarded your email to me mid-February, I emailed DSA
very soon after that (maybe the next day?) proposing options. The time
between then and early May was DSA deciding how they wanted to react. It
was a novel request with an organization considered controversial within
Debian and where most of DSA had been unfamiliar with the context. By
Debian standards, taking under 3 months to decide to proceed is fast! :-)

Their email to me in early May was at a time when I was juggling lots of
housing and career things as a new immigrant, hence the ~1 month of
delay I did add. But I signed a lease last week and now mostly know how
I plan to proceed with my career! I will get things unblocked quite
quickly, with only a little bit of DSA involvement needed.

> So yes, please follow up to get the domain registered. But please make
> sure the responsibility does not solely lie with DSA.

SPI currently has 3-4 G Suite administrators, of whom I'm only one and
of whom only one overlaps with DSA. Involving SPI actually reduces the
technical bottleneck here, surprisingly. :)

That said, there's still the question of what role different Debian
teams, including DSA, ought to have. I view this differently for policy
and implementation.

Policy: As Debian's systems administrators, DSA needs to have visibility
into and oversight of Debian's GCP activities. Debian's policies like
DMUP still need to apply, and any decision by DAM to admit or expel
someone should be able to affect their access to Debian's GCP resources.
Guest access should be treated similarly to how it is on other Debian
resources.

Implementation: There's no need for DSA or DAM to be the only ones who
can twiddle the GCP bits in Google's systems, unless they want that.
They didn't insist on that for Alioth, and DebConf had separate systems
for a long time. Right now I think we can probably work out some agreed
parameters within which cloud team members manually grant access, until
it subsequently gets automated via something like SAML SSO to Debian
LDAP. Merely having it in the Debian GCP

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On 2018-06-29 12:47:12, Bastian Blank wrote:
> On Fri, Jun 29, 2018 at 01:26:39AM -0400, Jimmy Kaplowitz wrote:
> > There are other constraints: You can't create your own organization
> > without a G Suite account, which can't be free without SPI's 501(c)(3)
> > nonprofit status or some foreign equivalent.
>
> There is the Cloud Identity product, which creates an organization as
> well. And the last time I looked at it, this worked pretty well.

As far as I know CloudID is a commercial product and is billed 4pcm per
user[1] in which case sponsoring and SP involvement will be required.
But pricing information in this regard is a bit mixed as I think that I
also saw somewhere info that it's free.

Anyway having CloudId for debian.org and linking it over SAML to our
LDAP would make sense IMO.

1. https://cloud.google.com/identity/

--
|_|0|_|              |
|_|_|0| "Panta rei"  |
|0|0|0| kuLa         |
gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1 A4DF C732 4688 38BC F121 6869 30DD 58C3 38B3

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Fri, Jun 29, 2018 at 01:26:39AM -0400, Jimmy Kaplowitz wrote:
> There are other constraints: You can't create your own organization
> without a G Suite account, which can't be free without SPI's 501(c)(3)
> nonprofit status or some foreign equivalent.

There is the Cloud Identity product, which creates an organization as
well. And the last time I looked at it, this worked pretty well.

> Shall I take your reply as a request to follow up with DSA on getting
> the debian.org domain registered with SPI's G Suite and a GCP
> organization created? I've been waiting on such a reply for the last two
> weeks after you said you dropped the project that motivated the work,
> but it's still easy to do if desired.

These are two different projects. I have more or less dropped the mirror
project. This would be a new one directly for Salsa. And this time we
may want to do it right and not opt-in for the easy solution of a GCP
project within google.com.

However I don't even know if using anything of that would work. DSA has
chosen to ignore me. Either they have no time, which means they need
to shed responsibilities and should not be tasked with more stuff. Or
they explicitly ignore me, which means that I am reluctant to use it,
if it means everything takes ages to accomplish.

So yes, please follow up to get the domain registered. But please make
sure the responsibility does not solely lie with DSA.

Regards,
Bastian

--
The sooner our happiness together begins, the longer it will last.
    -- Miramanee, "The Paradise Syndrome", stardate 4842.6

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Wed, Jun 27, 2018 at 09:06:22PM +0200, Bastian Blank wrote:
> On Wed, Jun 13, 2018 at 07:01:17PM -0400, Jimmy Kaplowitz wrote:
> > Is there still useful demand such that this is worth pushing forward? If
> > so, I'll still proceed as above. Otherwise I'll hold off on wasting
> > DSA's time until a use case arises, such that it wouldn't be a waste for
> > them.
>
> I think we'll just create our own organization if the time comes that we
> need one and there are no other constraints.
>
> We currently try to get Google to sponsor stuff for Salsa. If we can do
> that without getting SPI involved, then we'll just do that on our own.
> It's not nice, but works.

There are other constraints: You can't create your own organization
without a G Suite account, which can't be free without SPI's 501(c)(3)
nonprofit status or some foreign equivalent.

Out of the nearly 5 months since your original email requesting help,
roughly 80% of the delay has been from non-SPI people. The substantive
work is done by the same human beings from DSA + Debian cloud team +
other interested Debian teams, who would still be involved whatever the
umbrella sponsor is. There's no reason to avoid SPI here.

And indeed, we should avoid a situation where DSA has to wrangle many
disconnected GCP projects to keep track of what Debian is officially
doing in Google's cloud. That's exactly what the point of GCP
organizations is.

If the people doing the work want me to proceed with the part that SPI
needs to do, I'll do that and it's faster than any possible other
alternative. After that, there will be roughly zero ongoing SPI
bottleneck since DSA will have the access they need to do what they want
to do.

Shall I take your reply as a request to follow up with DSA on getting
the debian.org domain registered with SPI's G Suite and a GCP
organization created? I've been waiting on such a reply for the last two
weeks after you said you dropped the project that motivated the work,
but it's still easy to do if desired.

- Jimmy Kaplowitz
ji...@debian.org

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Wed, Jun 13, 2018 at 07:01:17PM -0400, Jimmy Kaplowitz wrote:
> Is there still useful demand such that this is worth pushing forward? If
> so, I'll still proceed as above. Otherwise I'll hold off on wasting
> DSA's time until a use case arises, such that it wouldn't be a waste for
> them.

I think we'll just create our own organization if the time comes that we
need one and there are no other constraints.

We currently try to get Google to sponsor stuff for Salsa. If we can do
that without getting SPI involved, then we'll just do that on our own.
It's not nice, but works.

Bastian

--
Star Trek Lives!

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Thu, Jun 07, 2018 at 11:10:17PM +0200, Bastian Blank wrote:
> On Thu, Jun 07, 2018 at 09:53:02PM +0100, Marcin Kulisz wrote:
> > On 2018-05-17 22:02:28, Bastian Blank wrote:
> > > On Thu, May 17, 2018 at 07:48:28PM +0100, Marcin Kulisz wrote:
> > > > Thx Jimmy for this update, I wasn't sure if anything is happening
> > > > around this
> > > > and now it looks like it is, that's great.
> > > > Who is coordinating this?
> > > It is coordinated between SPI and DSA as part of the SPI G Suite
> > > subscription.
> > Thx Waldi, do you know if there are transcripts for meetings related to the
> > subject?
>
> Nope, there were just mails. Jimmy would know.
>
> But given that I dropped the project that was in need for it, I don't
> care any more.

Just mails indeed. I did get a response from DSA unblocking things last
month, since which I've been the bottleneck but was actually planning to
proceed with the first technical steps this month. Settling into a new
country takes more time and energy than I'd ever have thought...

Is there still useful demand such that this is worth pushing forward? If
so, I'll still proceed as above. Otherwise I'll hold off on wasting
DSA's time until a use case arises, such that it wouldn't be a waste for
them.

- Jimmy Kaplowitz
ji...@debian.org

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Thu, Jun 07, 2018 at 09:53:02PM +0100, Marcin Kulisz wrote:
> On 2018-05-17 22:02:28, Bastian Blank wrote:
> > On Thu, May 17, 2018 at 07:48:28PM +0100, Marcin Kulisz wrote:
> > > Thx Jimmy for this update, I wasn't sure if anything is happening around
> > > this
> > > and now it looks like it is, that's great.
> > > Who is coordinating this?
> > It is coordinated between SPI and DSA as part of the SPI G Suite
> > subscription.
> Thx Waldi, do you know if there are transcripts for meetings related to the
> subject?

Nope, there were just mails. Jimmy would know.

But given that I dropped the project that was in need for it, I don't
care any more.

Bastian

--
Warp 7 -- It's a law we can live with.

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On 2018-05-17 22:02:28, Bastian Blank wrote:
> On Thu, May 17, 2018 at 07:48:28PM +0100, Marcin Kulisz wrote:
> > Thx Jimmy for this update, I wasn't sure if anything is happening around
> > this
> > and now it looks like it is, that's great.
> > Who is coordinating this?
>
> It is coordinated between SPI and DSA as part of the SPI G Suite
> subscription.

Thx Waldi, do you know if there are transcripts for meetings related to
the subject?

--
|_|0|_|              |
|_|_|0| "Panta rei"  |
|0|0|0| kuLa         |
gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1 A4DF C732 4688 38BC F121 6869 30DD 58C3 38B3

Re: debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On Thu, May 17, 2018 at 07:48:28PM +0100, Marcin Kulisz wrote:
> Thx Jimmy for this update, I wasn't sure if anything is happening around this
> and now it looks like it is, that's great.
> Who is coordinating this?

It is coordinated between SPI and DSA as part of the SPI G Suite
subscription.

Bastian

--
A little suffering is good for the soul.
    -- Kirk, "The Corbomite Maneuver", stardate 1514.0

debian.org organisation on GCP [was: Re: Vagrant box CI/CD]
On 2018-05-15 01:43:12, Jimmy Kaplowitz wrote:

snip

> Work is underway such that, some time later this year or next, Debian
> itself will be able to provision Google accounts for our GCP work
> through the Google Cloud Identity system and to take ownership of its
> GCP projects as an organization. SPI is assisting DSA and the cloud team
> with this due to its eligibility for G Suite for Nonprofits, which in
> turn allows Debian to use Cloud Identity with debian.org. DSA will start
> out with a manual process but may automate it later.
>
> To be clear: none of this requires Debian to migrate its primary
> accounts system to Google and no such migration is planned. Current
> thinking is that we won't be enabling the broader G Suite feature set for
> debian.org Google accounts either, since that's proprietary SaaS. Cloud
> Identity is just identity-as-a-service.
>
> Cloud Identity can tie in nicely to whatever permissions management and
> auditing is desired for the various Debian-linked GCP projects and
> resources. It would also help with billing of paid GCP usage and/or
> tracking of sponsored GCP credit.

Thx Jimmy for this update, I wasn't sure if anything is happening around
this and now it looks like it is, that's great.
Who is coordinating this?

--
|_|0|_|              |
|_|_|0| "Panta rei"  |
|0|0|0| kuLa         |
gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1 A4DF C732 4688 38BC F121 6869 30DD 58C3 38B3