On Fri, 2012-08-24 at 09:31 -0600, Kevin Fenzi wrote:
> On Fri, 24 Aug 2012 17:25:34 +0200
> Pierre-Yves Chibon <pingou@xxxxxxxxxxxx> wrote:
>
> > On Fri, 2012-08-24 at 07:37 -0700, Toshio Kuratomi wrote:
> > > One of our apprentices was looking into how we use the faswho
> > > adapter was going to look at how it's configured in raffle on the
> > > app servers. When he wasn't able to we discovered that
> > > fi-apprentice isn't allowed to login to the app servers. Discussed
> > > with nirik and we think that this is a simple oversight rather than
> > > a matter of policy.
> > [...]
> > > Since this applies to appRhel, the nodes that it will affect are:
> > >
> > > app0[1-68]
> > > app0[12].stg
> > > bapp02
> > > value0[34]
> > > value01.stg
> >
> > How far are the stg machine from the production one ? I'm asking
> > thinking that this change, if it sounds fine, gives access to quite a
> > number of nodes to apprentices. Just giving apprentices access to stg
> > machines might be sufficient no ?
>
> Perhaps. We already grant them access to most machines however.
>
> I think the default should be to allow, and only restrict where there's
> a need to restrict.
>
> note also that this is read-only access. There's no sudo or the like
> granted. This is just to allow them to login and look at processes and
> files that are world readable so they can figure out how things work.
>
> If our staging was more... expansive... I think we could look at
> restricting to that, but there's a number of things we simply don't
> have in staging or is setup differently/oddly.

Fair enough then :)

Pierre