Re: AWS infrastructure

On Wed, Apr 29, 2020 at 02:02:08PM +0100, Mark O'Brien wrote:
> On Tue, Apr 28, 2020 at 9:27 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:

> I think a lot of places use an atypical set up from what I read.

Heh. Yeah. 

The big thing about ours is that we have just one account for all our
community activities, which amazon picks up the tab for. :)

So, that's great on one hand, but on the other we have a bunch of
different groups that all want to use it and we don't want them to step
on each other or cause problems for one another. 

> A possible way to give limited access going forward would be to federate
> access to a redhat account of some sort (gmail/fedora) that way you could
> set a generic limited access policy for new users.

We already do. 

All access to the account is via our ipsilon instance using SAML2. 
ipsilon in turn gets information from fas (fedora account system). 
When you login via SAML2, your group information is passed along and if
you are in specific groups you are logged in with that group's role.

So, we have a master role (all access), a copr role (for the copr team),
a fedora-ci role (for fedora-ci, etc). Some teams need programmatic
access also, so for them we create users that have the same IAM policy
as the roles and use a token. 

The IAM policies are set up so roles have limited access to most things,
and then full access to things that are tagged with their group. When
they spin up new resources, they tag them as belonging to their group
and then they can do whatever they need to with them and other roles
can't.

It's not great, but it does work. 

> > We also have:
> >
> > https://pagure.io/fedora-infrastructure/issue/8436
> >
> > which I keep never getting around to, and perhaps you could script the
> > needed steps for me there.
> >
> 
> I have left a comment on the ticket about potentially using a daily lambda
> function to take care of this.
> I will put together a bash script which can make use of the aws cli for the
> initial clean up.

So, most of these are really old. I don't know who made them or why they
are there, so I think if we could just mark them all unavailable or
something, wait a few weeks to make sure no one comes asking about them,
then delete them, that would likely do. 

We do upload Fedora images... but that process is controlled by an
application called fedimg and it has its own cleanup scripts to cleanup
things. I can dig up more details... but we are hoping to replace this
with a new app from the coreos folks. If you are interested in driving
that forward that would be great!
https://pagure.io/fedora-infrastructure/issue/7702
is the old ticket on this. 

> 
> 
> >
> > Let me know when a good morning might be and we can try and get
> > together. IRC would be best for me, then we could also add in anyone
> > else who was interested.
> >
> 
> I can do Today or tomorrow at 16:30 IST/ 08:30PDT or 21:00 IST/13:00 PDT
> whichever would suit you best.

Today is no good. ;) Tomorrow the infra meeting is at 8-9PDT. 
I'm free at 13pdt tomorrow tho, so that works fine, or between 9-11pdt. 

> I am off Friday so if neither of these times suit you we could try next
> week.
> We can use whichever IRC channel you think appropriate

How about #fedora-admin... 

kevin


_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
