Discussions around having a Ganeti RAPI R/W User
Closed, Resolved (Public)


This ticket is for discussing the implications of deploying a Ganeti write-capable user. There may be some issues with having this in the wild even if it's in Spicerack, which is already semi-cordoned, but it gives anyone with sudo ability in spicerack the ability to manipulate Ganeti things, which may present an issue.


Event Timeline

crusnov created this task. (Mar 19 2019, 8:12 PM)
crusnov moved this task from Backlog to In Progress on the User-crusnov board. (Mar 21 2019, 9:44 PM)

I'd start with the RO user and see where we're going with the spicerack Ganeti module, and when we start feeling blocked by this, re-evaluate.
Having all RO operations done via the API and just the RW via ssh might also be an option as a final solution if we have concerns for the security of the RW API user.

My 2 cents.

Incidentally this is the strategy we're pursuing anyway. For the time being write operations will take the form of remote execution in the cookbook while the ganeti module will provide information to said cookbooks.

crusnov closed this task as Resolved. (Mar 28 2019, 4:36 PM)