Last modified: 2013-04-10 01:35:56 UTC
Individual projects may need individual UID and GID assigned to be available project-wide; a general method to manage those needs to be put in place.
Use case: the Tools labs project(s) will need per-tool uid and gid to own the tool files, and to manage access control.
Implementation:
- reserve a prefix for usernames and group names ('local-' has been suggested) and a UID and GID range (20000-29999)?
- Add those users into the Labs LDAP under a per-project OU (OU=theproject,OU=Projects)?
- Add the per-project base DN to the nslcd config
Also needed:
- management tool (labsconsole, allow project admins to add/remove)
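An added example, not part of the original report or of any Labs tooling: one way to audit passwd-format entries (as returned by `getent passwd`) against the reservation proposed above, so that a management tool or a periodic check can catch prefix, range and collision mistakes. The sample entries, their paths and the function name `audit` are constructed for illustration; the same check applies to group entries and the GID range.

```python
# Added example: audit passwd-format entries against the proposed reservation.
PREFIX = "local-"                # prefix suggested in the report
UID_RANGE = range(20000, 30000)  # proposed range 20000-29999, inclusive

# Constructed sample in `getent passwd` format; not real Labs data.
SAMPLE = """\
alice:x:1501:500:Alice:/home/alice:/bin/bash
local-webtool:x:20001:20001:webtool:/data/project/webtool:/bin/false
local-statsbot:x:1502:1502:statsbot:/data/project/statsbot:/bin/false
bob:x:20002:500:Bob:/home/bob:/bin/bash
local-dupe:x:20001:20003:dupe:/data/project/dupe:/bin/false
"""

def audit(passwd_text):
    """Return sorted (name, problem) pairs for entries that break the reservation."""
    findings = []
    seen = {}  # uid -> first account name seen with that uid
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            findings.append((fields[0], "malformed entry"))
            continue
        name, uid = fields[0], int(fields[2])
        reserved_name = name.startswith(PREFIX)
        reserved_uid = uid in UID_RANGE
        # A service account must live inside the reserved range...
        if reserved_name and not reserved_uid:
            findings.append((name, "reserved prefix with uid %d outside range" % uid))
        # ...and nothing else may occupy that range.
        if reserved_uid and not reserved_name:
            findings.append((name, "uid %d in reserved range without prefix" % uid))
        # Two names sharing a uid share file ownership, which defeats per-tool access control.
        if uid in seen:
            findings.append((name, "uid %d already used by %s" % (uid, seen[uid])))
        else:
            seen[uid] = name
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print("%s: %s" % (name, problem))
```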
As an additional comment: initial information discussion raises the fact that authentication is not a necessary feature as no end-user is intended to authenticate as any of those service accounts -- they are intended only for suid/sgid and role usage, with sudo as the authorization mechanism.
Bumping importance up; this is a blocker for migration of tools to the labs and those who have already started working on it may end up having to redo part of their work (/way/ bad PR) if we change it later rather than sooner. (Not yet familiar with the relative importance level. If 'highest' means "OMG the machine room is on fire!" as opposed to just "We really, really need this" then lower accordingly) :-)
Deployed to wikitech.