On Tue, Aug 31, 2010 at 7:56 PM, Brian LaMere <brian@xxxxxxxxxxxxxxxxxxxx> wrote:
Regardless how MirrorManager is made to work, the content itself will need to come from S3; I think that's in agreement, right?

When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it is best to have an S3 account per region for large sites; I agreed, and have already experienced why this is the case. I can go over the reasons more extensively if the group would like, but they can be summed with a single word: "security." I'll give two short examples, both based on what could happen between Matt and me working on getting MirrorManager in AWS.

While working on the code to get MirrorManager to have an S3 back-end, say I accidentally send the keypair in an email, or worse - in an email to a list. Immediately failing over to the second keypair (accounts can only have two keypairs, and only one should be used at a time except for when you're changing the keys; the second allows for seamless switches to a new keypair, as you leave both active until the process is complete, then deactivate the old one). Having the keys be per-region minimizes the impact of this problem; there was a temporary exposure, but it wasn't a /global/ exposure, which means we can safely treat the contents of all the other regions as clean/untainted still, and either sync from one region to another to make sure nothing happened during the exposure, or at the very worst only have one repo to rebuild.

As another example, to help Matt with getting S3 as a backend for MirrorManager, I would have my productivity greatly increased by having access to the keypair. Is the only thing on the official fedora account the S3-backed repositories? I wouldn't think so. However, that keypair allows access to *everything* at AWS. There is nothing sacred from that keypair; I can use it to put a pubkey in the authorized_keys file of root on all the ec2 instances then do things on the servers as root on the servers - as an example. That keypair is godmode for *all* of the AWS services.

Making distinct per-region accounts that are used just to do S3 buckets protects you from this. Matt could give me a normal login account on an ec2 server so I could help test things, and I could use a keypair to work on S3 as a backend, without worrying that doing so meant I needed access to the god-mode keys. A key per role, per need, more or less. Ben started our convo by trying to sell me on multi-account setups, but didn't need to; I already work on a team that needs to insulate itself from mistakes, and from workers who may not be here next week (and who should therefore not have godmode keys). There are a number of other reasons for it, if I need to go on ;)

Does that all make sense?

Brian LaMere
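As an added illustration of the two points in the message above (not code from the original post or from the MirrorManager project), the following Python models the two-slot key rotation and compares the blast radius of a leaked key under one shared account versus per-region accounts; the account names, region names and key ids are constructed for the example.

```python
# Added example: two-slot access-key rotation and blast radius of a leaked key.
# Account/region/key names below are constructed, not real Fedora or AWS values.
from dataclasses import dataclass, field

MAX_KEYS = 2  # the message states an account holds at most two keypairs


@dataclass
class Account:
    name: str
    regions: set                               # regions whose S3 buckets this account's keys reach
    keys: dict = field(default_factory=dict)   # key_id -> active flag

    def create_key(self, key_id):
        # a third key is refused: one rotation must finish before the next starts
        if len(self.keys) >= MAX_KEYS:
            raise RuntimeError(f"{self.name}: already holds {MAX_KEYS} keys")
        self.keys[key_id] = True

    def deactivate_key(self, key_id):
        self.keys[key_id] = False

    def delete_key(self, key_id):
        if self.keys[key_id]:
            raise RuntimeError(f"{key_id}: deactivate before deleting")
        del self.keys[key_id]

    def active_keys(self):
        return {k for k, on in self.keys.items() if on}


def rotate(account, old_id, new_id):
    """Seamless switch: the new key goes live while the old one still works,
    clients are moved over, then the old key is deactivated and deleted."""
    account.create_key(new_id)
    overlap = account.active_keys()      # both keys active during the switch
    account.deactivate_key(old_id)
    account.delete_key(old_id)
    return overlap


def exposed_regions(accounts, leaked_key_id):
    """Regions whose content must be treated as tainted after leaked_key_id was exposed."""
    return set().union(*(a.regions for a in accounts if leaked_key_id in a.active_keys()))


REGIONS = ("us-east-1", "us-west-1", "eu-west-1")

def shared_account_layout():
    # one "godmode" account: a single key reaches every region
    return [Account("mirror-all", set(REGIONS), {"key-global": True})]

def per_region_layout():
    # one account per region, each with its own key
    return [Account(f"mirror-{r}", {r}, {f"key-{r}": True}) for r in REGIONS]
```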
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud