Last modified: 2013-04-10 01:35:56 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T47119, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 45119 - Add per-project service/role user accounts and groups
Status: RESOLVED FIXED
Product: Wikimedia Labs
Classification: Unclassified
Component: Infrastructure
Version: unspecified
Hardware: All All
Importance: Highest enhancement
Target Milestone: ---
Assigned To: Ryan Lane

Reported: 2013-02-18 14:18 UTC by Marc A. Pelletier
Modified: 2013-04-10 01:35 UTC (History)

Description Marc A. Pelletier 2013-02-18 14:18:30 UTC
Individual projects may need individual UID and GID assigned to be available project-wide; a general method to manage those needs to be put in place.

Use case:  the Tools labs project(s) will need per-tool uid and gid to own the tool files, and to manage access control.

Implementation:
- reserve a prefix for usernames and group names ('local-' has been suggested) and a UID and GID range (20000-29999)?
- Add those users into the Labs LDAP under a per-project OU (OU=theproject,OU=Projects)?
- Add the per-project base DN to the nslcd config

Also needed:
- management tool (labsconsole, allow project admins to add/remove)
Comment 1 Marc A. Pelletier 2013-02-18 14:21:00 UTC
As an additional comment: initial information discussion raises the fact that authentication is not a necessary feature as no end-user is intended to authenticate as any of those service accounts -- they are intended only for suid/sgid and role usage, with sudo as the authorization mechanism.
Comment 2 Marc A. Pelletier 2013-02-19 13:56:57 UTC
Bumping importance up; this is a blocker for migration of tools to the labs and those who have already started working on it may end up having to redo part of their work (/way/ bad PR) if we change it later rather than sooner.

(Not yet familiar with the relative importance level.  If 'highest' means "OMG the machine room is on fire!" as opposed to just "We really, really need this" then lower accordingly) :-)
Comment 3 Marc A. Pelletier 2013-04-10 01:35:56 UTC
Deployed to wikitech.
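
The scheme proposed in the description and Comment 1 (reserved 'local-' prefix, UID/GID range 20000-29999, per-project OU, no authentication as service accounts) can be audited mechanically. The following is an added example, not code from this bug report or from Wikimedia's tooling; the `dc=example,dc=org` suffix, the entry layout and treating a `userPassword` attribute as a violation are assumptions made for illustration.

```python
# Added example: audit directory entries against the scheme proposed in this bug.
PREFIX = "local-"                       # reserved name prefix (from the bug)
RESERVED = range(20000, 30000)          # reserved UID/GID range 20000-29999
BASE = "ou=projects,dc=example,dc=org"  # placeholder suffix, not the real Labs DN


def norm_dn(dn):
    # Naive normalisation; assumes no escaped commas inside RDN values.
    return ",".join(p.strip().lower() for p in dn.split(","))


def audit(entries):
    """Return a list of (dn, problem) pairs for entries that break the scheme."""
    problems, seen = [], {}
    for e in entries:
        dn = norm_dn(e["dn"])
        parts = dn.split(",", 2)        # [rdn, "ou=<project>", rest]
        service = len(parts) == 3 and parts[1].startswith("ou=") and parts[2] == BASE
        named = e["uid"].startswith(PREFIX)
        if service:
            if not named:
                problems.append((dn, "missing reserved prefix"))
            for attr in ("uidNumber", "gidNumber"):
                if e[attr] not in RESERVED:
                    problems.append((dn, attr + " outside reserved range"))
            if "userPassword" in e:     # Comment 1: nobody logs in as these accounts
                problems.append((dn, "service account has a password"))
        else:
            if named:
                problems.append((dn, "reserved prefix outside a project OU"))
            if e["uidNumber"] in RESERVED:
                problems.append((dn, "reserved uidNumber outside a project OU"))
        if e["uidNumber"] in seen:
            problems.append((dn, "uidNumber collides with " + seen[e["uidNumber"]]))
        seen.setdefault(e["uidNumber"], dn)
    return problems


# Constructed sample entries (not real Labs data).
SAMPLE = [
    {"dn": "uid=local-mytool,ou=tools,ou=projects,dc=example,dc=org",
     "uid": "local-mytool", "uidNumber": 20001, "gidNumber": 20001},
    {"dn": "uid=local-other,ou=tools,ou=projects,dc=example,dc=org",
     "uid": "local-other", "uidNumber": 20001, "gidNumber": 30000,
     "userPassword": "{SSHA}constructed"},
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "uid": "alice", "uidNumber": 20500, "gidNumber": 500},
]

if __name__ == "__main__":
    for dn, problem in audit(SAMPLE):
        print(dn + ": " + problem)
```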
