Re: Fedora @ Google Cloud

On Tue, Jun 24, 2014 at 7:37 AM, Renich Bon Ciric
<renich@xxxxxxxxxxxxxxxx> wrote:
> On Tue, Jun 24, 2014 at 8:33 AM, Filipe Brandenburger <filbranden@xxxxxxxxxx> wrote:
>> On Tue, Jun 24, 2014 at 6:27 AM, Renich Bon Ciric <renich@xxxxxxxxxxxxxxxx> wrote:
>>> The reason they enable sudo and lock root is to keep better auditing
>>> options. But, hey, it's not like you're gonna create 20 keys in a
>>> single server for 20 admins to go in and do stuff.
>>
>> Huh, it kind of is... If you create a project and add many users to
>> it, all of them will get accounts created by google-compute-daemon, so
>> in effect every user of the project will be able to login to every
>> compute instance. I currently work on a project with 5 users and all
>> of us can log in to all instances. If someone else comes along to the
>> project, we just add them and they get access to all instances
>> automatically.
>
> My only problem with that is that it will create passwordless sudo for
> all of them. I don't think you want 20 admins in a 20 user server. My
> point is that, usually, one is admin and he delegates (through sudo,
> perms and groups, ACL, SELinux, etc).

Yes, but currently there's no good way (that I know of) to specify
which users are admins and which users are not... That's not just a
problem with the Fedora image but with GCE in general. A possible way
to handle that would be to introduce a metadata key such as
"admin-users" with a list of users that should get sudo and then only
add those to sudoers. The problem, then, is that *all* users can go to
the GCE console and modify the metadata to add themselves to
"admin-users" so that defeats the purpose...

Unfortunately, right now I don't think there's a good way around it...
All users registered for a project in GCE are effectively root, so if
you want to keep that list short you should only keep a handful of
users registered *in GCE*.

Once your instances are up, you can of course activate some different
form of user management for additional users, for instance you can
hook it to a FreeIPA which contains a user database of your "mortal"
users and then you can manage the box as you'd usually do.

Does that make sense?

Cheers,
Filipe
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
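As an added illustration of the "admin-users" metadata scheme Filipe sketches above (this is example code, not part of the thread or of google-compute-daemon), the following Python renders a sudoers.d drop-in only for users named in that key and intersects the list with the users the project actually provisioned. The metadata dictionary, the comma-separated format of the value and the function names are assumptions. It does not, and cannot, remove the weakness Filipe points out: whoever can edit project metadata can still add themselves to the list.

```python
import re

# Constructed sample: a metadata map as an instance-side agent might see it.
# "admin-users" is the key name proposed in the thread; the value format is assumed.
SAMPLE_METADATA = {"admin-users": "filipe, renich ,bad;user, alice, filipe"}

# Conservative Linux username pattern; anything else must not reach a sudoers file,
# because a stray ':' or newline there could change the meaning of the rule.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_admin_users(metadata, key="admin-users"):
    """Split the comma-separated value and keep only well-formed, unique usernames."""
    raw = metadata.get(key, "")
    admins = []
    for name in raw.split(","):
        name = name.strip()
        if not name or not USERNAME_RE.match(name):
            continue  # skip blanks and anything that could smuggle extra syntax
        if name not in admins:
            admins.append(name)
    return admins


def render_sudoers(admins, passwordless=False):
    """Render a sudoers.d drop-in; users not listed get no entry at all."""
    tag = "NOPASSWD: " if passwordless else ""
    lines = ["# Generated from project metadata; change the metadata, not this file."]
    for user in admins:
        lines.append(f"{user} ALL=(ALL) {tag}ALL")
    return "\n".join(lines) + "\n"


def sudoers_for_project(project_users, metadata):
    """Return (drop-in text, users who stay unprivileged) for a project.

    Only names that are both in the metadata list and among the provisioned
    project users are granted sudo, so a typo in the metadata grants nothing.
    """
    admins = [u for u in parse_admin_users(metadata) if u in project_users]
    non_admins = sorted(set(project_users) - set(admins))
    return render_sudoers(admins), non_admins


if __name__ == "__main__":
    text, mortals = sudoers_for_project(["filipe", "renich", "alice", "bob"], SAMPLE_METADATA)
    print(text)
    print("unprivileged:", mortals)
```

Before installing the rendered text into /etc/sudoers.d/, run it through `visudo -c -f <file>` so a malformed drop-in never locks everyone out of sudo.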