
Discussions around having a Ganeti RAPI R/W User
Closed, Resolved (Public)

Description

This ticket is for discussing the implications of deploying a Ganeti write-capable user. There may be some issues with having this in the wild, even if it's in Spicerack, which is already semi-cordoned, but it gives anyone with sudo ability in Spicerack the ability to manipulate Ganeti things, which may present an issue.

Discuss!

Event Timeline

I'd start with the RO user and see where we're going with the Spicerack Ganeti module, and when we start feeling blocked by this, re-evaluate.
Having all RO operations done via the API and just the RW via ssh might also be an option as a final solution if we have concerns for the security of the RW API user.

My 2 cents.

Incidentally, this is the strategy we're pursuing anyway. For the time being, write operations will take the form of remote execution in the cookbook, while the Ganeti module will provide information to said cookbooks.