Project:Infrastructure/Infra Role Based Access

Executive Summary

The follow-up action items from the GitHub incident post-mortem included reviewing Infra access controls, and retiring and/or restricting the access of inactive Infra members.


As general principles:

  • Infra members should have the access necessary to perform their role
  • Roles should be well-defined
  • Access required by roles should be well-defined
  • No access beyond what's required by roles


  • What constitutes inactive?
  • Disambiguate: working well enough that no interventions or changes are needed vs outstanding changes needed and overdue
  • Import this via the service catalog!



These are underlying components that apply to large numbers of systems and users.

Core: @system

  • Responsibility for @system packages and non-service packages in all infra hosts
  • Repos: puppet, cfengine, infra-overlay

Core: LDAP

  • Repos: puppet, cfengine
  • Root access to all LDAP servers & clients
  • Local users on all systems to fix broken LDAP clients
  • Infra bits in LDAP users

Core: DNS

  • Repos: puppet, cfengine, dns
  • Root: DNS servers

Core: Kernel

  • Repos: puppet, infra-overlay
  • Can we make this usable without puppet rights, and fully de-privilege the kernel patching/building?
  • Root: kernel testing hosts?


These are distinct services that Infra runs, for internal, developer, and/or public consumption.

Service: VCS

  • Covers: gitolite, CVS, SVN**
  • Repos: puppet, cfengine, various hooks
  • Root: access on Git primary & replicas

Service: cgit.g.o

  • Distinct from VCS, covers the public-facing cgit web service & related webserver
  • Repos: puppet, cfengine
  • Root: access

Service: ganeti

  • Managing Ganeti health/provisioning VMs.
  • Repos: puppet, cfengine
  • Root: Ganeti nodes
  • What about root on the VMs?

Service: packages.g.o

  • Repos: puppet, site/packages

Service: bugs.g.o

Service: forums.g.o

Service: wiki.g.o

Service: planet.g.o