Last modified: 2012-04-14 23:29:36 UTC
It's problematic that project names are also group names, since a project could be named "admin" or "staff", which would give users higher permissions on other projects accidentally. We should have projects, and project groups that are named after projects, but prefixed. The groups should be virtual, and should get their membership from the project. Here's an LDAP example for creating a virtual group for a project based on the project's membership: dn: cn=project-ganglia,ou=instance-groups,dc=wikimedia,dc=org objectClass: groupOfNames objectClass: posixGroup objectClass: ds-virtual-static-group objectClass: top ds-target-group-dn: cn=ganglia,ou=groups,dc=wikimedia,dc=org gidNumber: 1064 cn: project-ganglia Instances will need to be reconfigured to use ou=instance-groups as a base, rather than ou=groups, also we'll need to modify puppet to configure access.conf and a few other things to use the prefixed group name, rather than the project name.
Should also add a maintenance script that can be used to combine and/or split groups, in case someone sets things up one way and wants to set them up the opposite way later (like us).
