Description
<Krenair> basically we want a server in deployment-prep to be able to edit designate zones in deployment-prep
<Krenair> which means we need a service user which has permissions to do so in openstack
<Krenair> but we can't just give it projectadmin rights and then distribute the credentials to servers, because non-projectadmin users can SSH into those servers and sudo etc.
<andrewbogott> Krenair: that's definitely a thing we can do. Can you make a phab task (or find the existing one) and assign it to me?
<andrewbogott> It'll be a few weeks though because I'm mostly at conferences and on holiday
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
designate: support a new 'designatemanager' role | operations/puppet | production | +1 -1
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Krenair | T182927 Get letsencrypt wildcard cert for *.beta.wmflabs.org domains
Resolved | | Andrew | T184245 Create some mechanism for instances in projects to modify the project Designate records
Resolved | | Andrew | T194998 Create custom deployment-prep role that allows editing of Designate records only
Event Timeline
I'm going to create a new role, 'designatemanager' and attach a patch here granting some DNS privs to that role. Then I think we should create a new user and give it 'observer' and 'designatemanager' on deployment-prep.
My only reservation here is that I'm unsure how to limit other inappropriate uses of the user account, e.g. in gerrit. I'm also not sure that I can easily add a user to keystone without it being a full-fledged developer account. I can ban or delete it from making wikitech edits, but it still seems a bit complicated to have a user with public creds out in the world. Thoughts?
Change 438057 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] designate: support a new 'designatemanager' role
I already made one called deployment-prep-dns-manager as a normal account, but I see your point about other services. These aren't exactly public credentials (though they're not under NDA requirements either). This isn't a full-blown novaobserver thing, but maybe we can use the same trick that was used there anyway.
I've issued deployment-prep-dns-manager the designateadmin role on deployment-prep.
I've changed deployment-prep-dns-manager's shell to /bin/false (and done the same for novaobserver while I'm at it.)
Let me know if this gets you what you need! Meanwhile, I'll see about closing wikitech and gerrit options for that user.
Change 438057 merged by Andrew Bogott:
[operations/puppet@production] designate: support a new 'designatemanager' role
andrew@labcontrol1001:~$ openstack role list
+----------------------------------+----------------+
| ID                               | Name           |
+----------------------------------+----------------+
| 1102f4ff63c3435793d0e4340bf4b04e | glanceadmin    |
| 2cd63d467f754404bf3746fe63ee0698 | admin          |
| 47a8370618ea42d49f7047774e75d262 | observer       |
| 4d8cad783d6342efa8414d7d36fbc034 | projectadmin   |
| 906f1588626d4d0993629ea3928b6fb4 | designateadmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_       |
| f473273fac7146b3bdbf22e5d4504f95 | user           |
+----------------------------------+----------------+
andrew@labcontrol1001:~$ openstack role assignment list | grep deployment-prep-dns-manager
| 47a8370618ea42d49f7047774e75d262 | deployment-prep-dns-manager | | deployment-prep | | False |
| 906f1588626d4d0993629ea3928b6fb4 | deployment-prep-dns-manager | | deployment-prep | | False |
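The check Andrew does by hand above (the service user holds only observer and designateadmin, on deployment-prep only, and never projectadmin) can be scripted so it can be re-run whenever role assignments change. This is an added example, not code from the task or from the operations/puppet repo; it assumes the JSON shape of `openstack role assignment list --names -f json` and uses constructed sample rows.

```python
"""Least-privilege audit of a Keystone service account's role assignments."""
import json

# Roles the task grants the DNS service user on deployment-prep.
EXPECTED_ROLES = {"observer", "designateadmin"}
# Roles that anyone with sudo on a beta host could abuse if the account held them.
FORBIDDEN_ROLES = {"admin", "projectadmin"}

# Constructed sample in the shape of `openstack role assignment list --names -f json`
# (assumption: names are rendered as "name@domain", as the --names flag does).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "observer", "User": "deployment-prep-dns-manager@Default", "Group": "",
     "Project": "deployment-prep@Default", "Domain": "", "Inherited": False},
    {"Role": "designateadmin", "User": "deployment-prep-dns-manager@Default", "Group": "",
     "Project": "deployment-prep@Default", "Domain": "", "Inherited": False},
    {"Role": "projectadmin", "User": "some-human-admin@Default", "Group": "",
     "Project": "deployment-prep@Default", "Domain": "", "Inherited": False},
])


def _name(value):
    """Strip the '@domain' suffix that --names output appends."""
    return value.split("@", 1)[0]


def audit_service_user(assignments, user, project,
                       expected=EXPECTED_ROLES, forbidden=FORBIDDEN_ROLES):
    """Return a list of findings; an empty list means the account is scoped as intended.

    `assignments` is either the JSON string from the CLI or the already-decoded list.
    """
    rows = json.loads(assignments) if isinstance(assignments, str) else assignments
    held = {}  # scope (project name) -> set of role names
    for row in rows:
        if _name(row["User"]) != user:
            continue
        scope = _name(row["Project"]) or _name(row["Domain"]) or "<system>"
        held.setdefault(scope, set()).add(row["Role"])

    findings = []
    for scope, roles in sorted(held.items()):
        if scope != project:
            findings.append(f"unexpected scope {scope}: {sorted(roles)}")
            continue
        if roles & forbidden:
            findings.append(f"forbidden role(s) on {scope}: {sorted(roles & forbidden)}")
        if roles - expected - forbidden:
            findings.append(f"extra role(s) on {scope}: {sorted(roles - expected - forbidden)}")
        if expected - roles:
            findings.append(f"missing role(s) on {scope}: {sorted(expected - roles)}")
    if project not in held:
        findings.append(f"no assignments on {project}")
    return findings
```

Pipe the real CLI output into `audit_service_user` and treat any non-empty result as a failed check.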