Executive Summary

TODO

Background

The followup action items from the GitHub incident post-mortem included reviewing Infra access controls, and retiring and/or restricting access of inactive infra members.

Principles

As a general principles:

• Infra members should have the access necessary to do perform their role
• Roles should be well-defined
• Access required by roles should be well-defined
• No access beyond what's required by roles

TODO

• What constitutes inactive?
• Disambiguate: working well enough that no interventions or changes are needed vs outstanding changes needed and overdue
• Import this via the service catalog!

Roles

Core

These are underlying things that apply to large numbers of systems/users

Core: @system

• Responsibility for @system packages and non-service packages in all infra hosts
• Repos: puppet, cfengine, infra-overlay

Core: LDAP

• Repos: puppet, cfengine
• Root access to all LDAP servers & clients
• Local users on all systems to fix broken LDAP clients
• Infra bits in LDAP users

Core: DNS

• Repos: puppet, cfengine, dns
• Root: DNS servers

Core: Kernel

• Repos: puppet, infra-overlay
• Can we make this usable without puppet rights, and fully de-privilege the kernel patching/building?
• Root: kernel testing hosts?

Services

These are clear services that Infra runs, either for internal consumption and/or developer consumption and/or public consumption

Service: VCS

• Covers: gitolite, CVS, SVN**
• Repos: puppet, cfengine, various hooks
• Root: access on Git primary & replicas

Service: cgit.g.o

• Distinct from VCS, covers the public-facing cgit web service & related webserver
• Repos: puppet, cfengine
• Root: access

Service: ganeti

• Managing Ganeti health/provisioning VMs.
• Repos: puppet, cfengine
• Root: Ganeti nodes
• What about root on the VMs?

Service: packages.g.o

• Repos: puppet, site/packages

Service: bugs.g.o

Service: forums.g.o

Service: wiki.g.o

Service: planet.g.o