Add quiddity as toolsadmin in Striker
Closed, Resolved, Public

Description

I would like to add/improve the .json info for various toolforge tools in Striker.
Please add me as a temporary toolsadmin, so that I can edit this info.
For anything I change, I will let the maintainers know what I've done, and remind them to edit/improve it further themselves.

For the future (better solution) we have T179510: Create a new basic ContentAdmin role in Striker.

Event Timeline

This right in Striker is tied to maintainership of the admin tool. In addition to advanced rights in Striker, this membership also grants sudo on Toolforge servers. I personally trust @Quiddity's judgement and expect that he would not abuse this user right. I will bring this up for discussion with the cloud-services-team for approval or denial.

Do the two rights need to be tied together? Could we have a pseudo-tool called "striker-admins" or something?

> Do the two rights need to be tied together? Could we have a pseudo-tool called "striker-admins" or something?

Yes, this is definitely an option that we could look into. The current Striker codebase awkwardly hard codes `return user.ldap_dn in Tool.objects.get(cn='tools.admin').members`, so we would need a code change rather than just a configuration change to make this happen. Implementing T179510: Create a new basic ContentAdmin role in Striker would also be reasonable.

The non-obvious elevated privileges that come from tools.admin maintainership are something that @chasemp has brought up before as an anti-pattern. It might be better to create a group hierarchy in our LDAP directory that is explicitly tied to Striker rather than making more "magic" tools just to get easier group membership management.
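The coupling discussed in the two comments above, as an added sketch that is not Striker's code and not written by anyone in this thread: a check fixed to one group in code next to a role-to-group mapping that can grant a narrower role separately. The in-memory directory, the `striker.contentadmin` group, the `ROLE_GROUPS` setting and all function names are hypothetical; only `tools.admin` comes from the task.

```python
# Added illustration. Everything except the tools.admin group name is assumed.

ALICE = "uid=alice,ou=people,dc=example,dc=org"   # constructed sample DN
CAROL = "uid=carol,ou=people,dc=example,dc=org"   # constructed sample DN

# Constructed in-memory stand-in for the LDAP directory: group cn -> member DNs.
DIRECTORY = {
    "tools.admin": {ALICE},
    "striker.contentadmin": {CAROL},  # hypothetical group tied only to Striker
}

# Hypothetical setting: each application role names the groups that confer it.
ROLE_GROUPS = {
    "superuser": ["tools.admin"],
    "content_admin": ["tools.admin", "striker.contentadmin"],
}


def members(cn, directory=DIRECTORY):
    """Return the member DNs of a group; a missing group has no members."""
    return directory.get(cn, set())


def is_admin_hardcoded(ldap_dn):
    """Shape of the check quoted in the thread: one group, fixed in code."""
    return ldap_dn in members("tools.admin")


def has_role(ldap_dn, role, role_groups=ROLE_GROUPS):
    """Configurable check; unknown roles and unmapped groups deny (fail closed)."""
    return any(ldap_dn in members(cn) for cn in role_groups.get(role, []))


def grantable_without_admin(role, role_groups=ROLE_GROUPS):
    """True if the role can be granted without adding the user to tools.admin."""
    return any(cn != "tools.admin" for cn in role_groups.get(role, []))


if __name__ == "__main__":
    for dn in (ALICE, CAROL):
        print(dn, is_admin_hardcoded(dn),
              has_role(dn, "content_admin"), has_role(dn, "superuser"))
```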

I poked around a bit more and I think that I was wrong about maintainership in the 'admin' tool actually granting sudo rights. This seems to properly be a separate sudo policy managed in Horizon just like it would be for any other Cloud VPS project.

Mentioned in SAL (#wikimedia-cloud) [2017-11-28T22:05:12Z] <bd808> Added Quiddity as a maintainer (T179511)