Currently, people who need access to stat* or other boxes need to be added manually to the particular target group and also to the bastiononly group, and a lot of times people trip up on the latter. Why is this manual addition required? Shouldn't giving access to any other group automatically imply access to bastion? If not, why not?
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T142815 Enhance account handling (meta bug)
Resolved | | AlexMonk-WMF | T114161 Do not require people to be explicitly added to the bastiononly group
Event Timeline
Change 227327 had a related patch set uploaded (by Alex Monk):
Add all groups to general bastions, mostly empty bastiononly group
The main challenge with this is ensuring that while (almost?) all groups imply bastion access, only ops gets their sudo rules applied on bastions. Most users shouldn't have root access on bastions just because their group is intended to give them full sudo access on other machines.
Change 244471 had a related patch set uploaded (by Alex Monk):
admin: allow all active users to be applied
Change 227327 abandoned by Alex Monk:
Add all groups to general bastions, mostly empty bastiononly group
Reason:
in favour of I8f984e51
Change 301149 had a related patch set uploaded (by Alex Monk):
Replace manually-maintained bastiononly group with the new 'all-users'
Change 301149 merged by Dzahn:
Replace manually-maintained bastiononly group with the new 'all-users'
Merged that one after it had a couple of +1s, checked on bastions. It really just created the "dkg" user as expected. No other change. And now there is no more "bastiononly" group.
I think that resolves the ticket.
Change 244471 abandoned by Rush:
admin: allow all active users to be applied
Reason:
hooray, already done
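The constraint raised earlier in the timeline (every group implies a bastion login, but only ops gets its sudo rules applied there) can be sketched as follows. This is an added example, not code from the patches referenced in this task: the `Group` model, the function names, and all group and user names other than `ops` are hypothetical, and the sample data is constructed.

```python
# Added illustration with a hypothetical data model; not the project's admin module.
from dataclasses import dataclass, field

@dataclass
class Group:
    members: set
    sudo_rules: list = field(default_factory=list)

def all_users(groups, absent=()):
    """Derive the implicit 'all-users' set: every member of any group, minus removed accounts."""
    users = set()
    for g in groups.values():
        users |= g.members
    return users - set(absent)

def bastion_policy(groups, absent=(), sudo_allowed=("ops",)):
    """Return (accounts, sudoers) for a bastion host.

    accounts: anyone in any group gets a login.
    sudoers:  rules only from groups in sudo_allowed. Passing None applies
              every group's rules, which is the mistake the ticket warns about.
    """
    accounts = all_users(groups, absent)
    names = groups if sudo_allowed is None else sudo_allowed
    sudoers = {}
    for name in names:
        g = groups.get(name)
        if g is None or not g.sudo_rules:
            continue
        for user in sorted(g.members & accounts):
            sudoers.setdefault(user, []).extend(g.sudo_rules)
    return accounts, sudoers

def audit_unexpected_sudo(sudoers, groups, sudo_allowed=("ops",)):
    """List users who hold sudo on the bastion without being in an allowed group."""
    allowed = set()
    for name in sudo_allowed:
        if name in groups:
            allowed |= groups[name].members
    return sorted(set(sudoers) - allowed)

# Constructed sample data (group and user names are made up, except 'ops').
ROOT = "ALL = (ALL) NOPASSWD: ALL"
GROUPS = {
    "ops": Group({"alice"}, [ROOT]),
    "statistics-admins": Group({"bob", "carol"}, [ROOT]),
    "statistics-users": Group({"dave", "erin"}),
}
ABSENT = {"erin"}  # deactivated account: no login anywhere
```

Running `audit_unexpected_sudo` against the output of the permissive variant (`sudo_allowed=None`) shows which accounts would have gained root on the bastion purely through a group meant for other machines.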