For the context of this ticket, we have 3 kinds of accounts:
- CloudVPS accounts (those managed by keystone). Stored in LDAP
- Toolforge user accounts (today, same as CloudVPS accounts)
- Toolforge tool accounts (managed by toolsadmin, a kind of LDAP group). Stored in LDAP.
There is some level of multi-tenancy within the multi-tenancy (Toolforge tool accounts being CloudVPS accounts prefixed by tool.xxxx).
This design has some benefits and also some drawbacks.
Some examples of benefits:
- integrated Developer Account experience
- NFS file permissions
Some examples of weirdness produced by the account situation:
- T113979: [toolforge] Allow direct ssh access to tools
- T277756: tools-puppetmaster-02 allows any toolforge user to log in and view secrets
Did we ever consider breaking this into completely separate account realms? Would that break the Wikimedia Developer Account notion?
Perhaps this problem will go away as soon as we reach a point in Toolforge at which we don't need login servers (i.e., bastions).