Page MenuHomePhabricator
Create Task
Maniphest T121721

ssh as system users not allowed in labs
Closed, ResolvedPublic
Actions

Description

scap3 uses puppetized system users and keyholder to do deployments. The local posix user and the ssh keys are all managed by puppet.

However, labs has special pam settings that keep ANY users not in the labs project from sshing. deployment-prep gets around this by adding exceptions for individual system users that need to be able to deploy.

This is not ideal, because it complicates the process of setting up new deployment targets and users in any labs project. It would be nice if systemusers with properly configured keys were allowed to ssh, even if they aren't in the labs project group.

Details

SubjectRepoBranchLines +/-
Remove beta::deployaccess as it's no longer needed.operations/puppetproduction+0 -12
scap access.conf entries for labs deploymentsoperations/puppetproduction+2 -2
Add beta-specific access.conf exceptions in scap::targetoperations/puppetproduction+15 -6
Customize query in gerrit

Revisions and Commits

rOPUP Wikimedia Puppet
rOPUP078eb285b2ac Add beta-specific access.conf exceptions in scap::target

Related Objects

Event Timeline

Ottomata created this task.Dec 16 2015, 11:05 PM
Ottomata raised the priority of this task from to Needs Triage.
Ottomata updated the task description. (Show Details)
Ottomata added a project: Cloud-Services.
Ottomata added subscribers: Ottomata, bd808, thcipriani and 2 others.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 16 2015, 11:05 PM
mmodell triaged this task as Medium priority.May 3 2016, 7:56 PM
mmodell added a project: Scap.
mmodell subscribed.

I'm going to figure out how to manage this from scap::target

mmodell claimed this task.May 3 2016, 7:56 PM
gerritbot subscribed.May 3 2016, 8:31 PM

Change 286754 had a related patch set uploaded (by 20after4):
Add beta-specific access.conf exceptions in scap::target

https://gerrit.wikimedia.org/r/286754

gerritbot added a project: Patch-For-Review.May 3 2016, 8:31 PM
gerritbot added a comment.May 3 2016, 10:25 PM

Change 286754 merged by Rush:
Add beta-specific access.conf exceptions in scap::target

https://gerrit.wikimedia.org/r/286754

mmodell added a commit: rOPUP078eb285b2ac: Add beta-specific access.conf exceptions in scap::target.May 3 2016, 10:30 PM
chasemp added a comment.May 3 2016, 11:24 PM

Close?

mmodell added a comment.May 3 2016, 11:27 PM

seems to be working. deployment-tin crashed and burned right around the same time as this patch merged but it seems to be unrelated.

mmodell closed this task as Resolved.May 3 2016, 11:27 PM

Thanks @chasemp

gerritbot added a comment.May 4 2016, 2:32 PM

Change 286852 had a related patch set uploaded (by Rush):
scap access.conf entries for labs deployments

https://gerrit.wikimedia.org/r/286852

gerritbot added a comment.May 4 2016, 9:35 PM

Change 286852 merged by Rush:
scap access.conf entries for labs deployments

https://gerrit.wikimedia.org/r/286852

chasemp mentioned this in rOPUP1651e4317862: scap access.conf entries for labs deployments.Jun 17 2016, 6:10 PM
gerritbot added a comment.Oct 3 2016, 9:11 PM

Change 313903 had a related patch set uploaded (by Andrew Bogott):
Remove beta::deployaccess as it's no longer needed.

https://gerrit.wikimedia.org/r/313903

gerritbot added a comment.Oct 3 2016, 9:42 PM

Change 313903 merged by Andrew Bogott:
Remove beta::deployaccess as it's no longer needed.

https://gerrit.wikimedia.org/r/313903

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL