#30510: Share access to the Snowflake broker domain front CDN configuration
-------------------------------------+-----------------------------------
Reporter: dcf | Owner: (none)
Type: task | Status: needs_information
Priority: Medium | Milestone:
Component: Circumvention/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------+-----------------------------------
Changes (by dcf):
* status: new => needs_information
Old description:
> Currently dcf is the only one who can manage the CDN configuration used
> for domain fronting. If a change needs to be made, he's the only one who
> can do it. If he's not available for an extended time, the only
> workaround would be to set up a new CDN configuration and push out a new
> release that uses it.
>
> To reduce the risk, more people should have access to the CDN
> configuration. So either:
> 1. dcf figures out how to delegate admin access on Azure to other
> Microsoft accounts, or
> 2. we move the CDN configuration or set up a new one that allows shared
> access.
New description:
Currently dcf is the only one who can manage the CDN configuration used
for domain fronting the broker. (snowflake-broker.azureedge.net→snowflake-
broker.bamsoftware.com.) If a change needs to be made, he's the only one
who can do it. If he's not available for an extended time, the only
workaround would be to set up a new CDN configuration and push out a new
release that uses it.
To reduce the risk, more people should have access to the CDN
configuration. So either:
1. dcf figures out how to delegate admin access on Azure to other
Microsoft accounts, or
2. we move the CDN configuration or set up a new one that allows shared
access.
--
Comment:
I started looking into this. It is not easy to come to grips with all the
Azure documentation, but I think what I have to do is:
1. [https://docs.microsoft.com/en-us/azure/active-directory/fundamentals
/add-users-azure-active-directory Add a new user to Azure Active
Directory]
2. [https://docs.microsoft.com/en-us/azure/role-based-access-control
/role-assignments-portal Give the new user a role assignment]
I think the invited user can be any email address; it doesn't necessarily
have to be a Microsoft account.
What I need at this point: email addresses from Snowflake maintainers that
they want to use to manage the Azure CDN configuration. You can send it to
me in private signed email.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30510#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
