On Wed, Apr 29, 2020 at 02:02:08PM +0100, Mark O'Brien wrote:
> On Tue, Apr 28, 2020 at 9:27 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> I think a lot of places use an atypical set up from what I read.

Heh. Yeah. The big thing about ours is that we have just one account for all our community activities, which amazon picks up the tab for. :)

So, that's great on one hand, but on the other we have a bunch of different groups that all want to use it and we don't want them to step on each other or cause problems for one another.

> A possible way to give limited access going forward would be to federate
> access to a redhat account of some sort (gmail/fedora) that way you could
> set a generic limited access policy for new users.

We already do. All access to the account is via our ipsilon instance using SAML2. ipsilon in turn gets information from fas (fedora account system). When you login via SAML2, your group information is passed along and if you are in specific groups you are logged in with that group's role.

So, we have a master role (all access), a copr role (for the copr team), a fedora-ci role (for fedora-ci, etc). Some teams need programmatic access also, so for them we create users that have the same IAM policy as the roles and use a token.

The IAM policies are set up so roles have limited access to most things, and then full access to things that are tagged with their group. When they spin up new resources, they tag them as belonging to their group and then they can do whatever they need to with them and other roles can't.

It's not great, but it does work.

> > We also have:
> >
> > https://pagure.io/fedora-infrastructure/issue/8436
> >
> > which I keep never getting around to, and perhaps you could script the
> > needed steps for me there.
> >
>
> I have left a comment on the ticket about potentially using a daily lambda
> function to take care of this.
> I will put together a bash script which can make use of the aws cli for the
> initial clean up.

So, most of these are really old. I don't know who made them or why they are there, so I think if we could just mark them all unavailable or something, wait a few weeks to make sure no one comes asking about them, then delete them, that would likely do.

We do upload Fedora images... but that process is controlled by an application called fedimg and it has its own cleanup scripts to cleanup things. I can dig up more details... but we are hoping to replace this with a new app from the coreos folks. If you are interested in driving that forward that would be great!

https://pagure.io/fedora-infrastructure/issue/7702 is the old ticket on this.

> >
> > Let me know when a good morning might be and we can try and get
> > together. IRC would be best for me, then we could also add in anyone
> > else who was interested.
> >
>
> I can do Today or tomorrow at 16:30 IST/ 08:30PDT or 21:00 IST/13:00 PDT
> whichever would suit you best.

Today is no good. ;) Tomorrow the infra meeting is at 8-9PDT. I'm free at 13pdt tomorrow tho, so that works fine, or between 9-11pdt.

> I am off Friday so if neither of these times suit you we could try next
> week.
> We can use whichever IRC channel you think appropriate

How about #fedora-admin...

kevin
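The tag-scoped IAM setup Kevin describes (limited access to most things, full access only to resources tagged with the role's group), as an added example that is not from this thread and not Fedora Infrastructure's actual policy: it builds one team's policy document and checks sample requests against it offline. The tag key `FedoraGroup`, the team name and the mini evaluator are assumptions constructed for illustration.

```python
"""Per-team, tag-scoped IAM policy plus a tiny offline evaluator (added
example, not Fedora Infrastructure's own policy; the tag key FedoraGroup
and the evaluator are assumptions/constructed for illustration)."""
import json
from fnmatch import fnmatchcase

TAG_KEY = "FedoraGroup"  # assumed tag key; the thread does not name it


def team_policy(group: str) -> dict:
    """Policy for one team's role (and the token user that mirrors it)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Limited access to everything: read-only describe calls.
            {"Sid": "DescribeAll", "Effect": "Allow",
             "Action": ["ec2:Describe*"], "Resource": "*"},
            # Full EC2 access, but only on resources tagged with this group.
            {"Sid": "ManageOwnTagged", "Effect": "Allow",
             "Action": ["ec2:*"], "Resource": "*",
             "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": group}}},
        ],
    }


def policy_json(group: str) -> str:
    """Rendered document, e.g. for `aws iam put-role-policy --policy-document`."""
    return json.dumps(team_policy(group), indent=2)


def is_allowed(policy: dict, action: str, resource_tags: dict) -> bool:
    """Minimal IAM-style check: explicit Deny wins, otherwise any matching Allow.
    Only the StringEquals/aws:ResourceTag conditions used above are understood."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue  # statement does not cover this action
        prefix = "aws:ResourceTag/"
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not all(resource_tags.get(k[len(prefix):]) == v
                   for k, v in cond.items() if k.startswith(prefix)):
            continue  # tag condition not met: statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

With the copr policy, `ec2:TerminateInstances` on a resource tagged `FedoraGroup=fedora-ci` is refused while the same call on a `FedoraGroup=copr` resource is allowed, which is the per-group isolation the message describes.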
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx