This task aims to add a system user called analytics-privatedata to the analytics-privatedata-users POSIX group. This user will be useful once Kerberos is enabled, since researchers, analysts, etc. will need a way to run authenticated recurring jobs (like crons) without having to kinit manually every 24h.
This is an interim compromise to avoid impacting users with Kerberos too much; it may eventually be deprecated in favor of something better and more granular.
The idea is the following:
- a user authenticates with kinit (and password) when logging in to a stat/notebook host
- a user in analytics-privatedata-users will also be able to sudo as analytics-privatedata to kinit with a keytab (which doesn't require a password) stored on some stat/notebook hosts, but only in some use cases (like executing a cron for 3 days to test something, etc.)
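
A sketch of the wrapper a recurring job could go through under this scheme, as an added example that is not code from this task or the project. The keytab path, the principal, the wrapper name and the permission policy it enforces are all assumptions; the page does not specify them.

```shell
#!/bin/sh
# Added example, not the project's own code. Meant to be invoked as:
#   sudo -u analytics-privatedata ./with-ticket.sh <job> [args...]
# KEYTAB and PRINCIPAL are placeholders; the page does not give real values.
KEYTAB="${KEYTAB:-/path/to/analytics-privatedata.keytab}"
PRINCIPAL="${PRINCIPAL:-analytics-privatedata@EXAMPLE.REALM}"

# A keytab is a password-equivalent credential: accept it only if it is a
# regular file (not a symlink) with no group-write bit and no access at
# all for "other". This policy is an assumption of the example.
keytab_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c1-10)   # e.g. "-r--r-----"
    case "$mode" in
        -????-?---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Get a ticket from the keytab (no password prompt), then run the job.
run_with_ticket() {
    if ! keytab_is_safe "$KEYTAB"; then
        echo "refusing to use $KEYTAB: missing or permissions too open" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    klist -s || return 1   # exits non-zero if no valid ticket is cached
    "$@"
}

# Only act when called with a job to run; defining the functions is harmless.
if [ "$#" -gt 0 ]; then
    run_with_ticket "$@"
fi
```

Because anyone who can read the keytab can authenticate as analytics-privatedata without a password, the permission check runs before every kinit rather than once at deployment.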