
Add per-project service/role user accounts and groups
Closed, Resolved; Public

Description

Individual projects may need individual UID and GID assigned to be available project-wide; a general method to manage those needs to be put in place.

Use case: the Tools labs project(s) will need per-tool uid and gid to own the tool files, and to manage access control.

Implementation:

  • reserve a prefix for usernames and group names ('local-' has been suggested) and a UID and GID range (20000-29999)?
  • Add those users into the Labs LDAP under a per-project OU (OU=theproject,OU=Projects)?
  • Add the per-project base DN to the nslcd config

Also needed:

  • management tool (labsconsole, allow project admins to add/remove)

Version: unspecified
Severity: enhancement

Details

Reference
bz45119

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 22 2014, 1:36 AM
bzimport added a project: Cloud-VPS.
bzimport set Reference to bz45119.

As an additional comment: initial information discussion raises the fact that authentication is not a necessary feature as no end-user is intended to authenticate as any of those service accounts -- they are intended only for suid/sgid and role usage, with sudo as the authorization mechanism.

Bumping importance up; this is a blocker for migration of tools to the labs and those who have already started working on it may end up having to redo part of their work (/way/ bad PR) if we change it later rather than sooner.

(Not yet familiar with the relative importance level. If 'highest' means "OMG the machine room is on fire!" as opposed to just "We really, really need this" then lower accordingly) :-)
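The scheme proposed in the task, sketched as an added example that is not part of the original task or any Labs tooling: it builds the LDIF for one per-tool role account and group using the suggested 'local-' prefix and 20000-29999 range, rejects names that could alter the DN, and sets no password since nobody authenticates as these accounts. The base DN, home directory layout, name pattern and function names are assumptions.

```python
import re

# Prefix and range are the values suggested in the task.
PREFIX = "local-"
ID_RANGE = range(20000, 30000)            # 20000-29999 inclusive
BASE_DN = "dc=example,dc=org"             # placeholder base DN (assumption)
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,31}")  # assumed naming policy


def allocate_id(used):
    """Return the lowest free number in the reserved range."""
    for n in ID_RANGE:
        if n not in used:
            return n
    raise RuntimeError("reserved UID/GID range exhausted")


def service_account_ldif(project, tool, used_ids):
    """Build LDIF for one role account plus its same-numbered group."""
    # Strict names keep ',' '=' and newlines out of the DN and LDIF.
    for label, value in (("project", project), ("tool", tool)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid {label} name: {value!r}")
    name = PREFIX + tool
    num = allocate_id(used_ids)
    ou = f"ou={project},ou=Projects,{BASE_DN}"
    # No password attribute and a nologin shell: the account exists only
    # for file ownership and sudo/suid/sgid role usage.
    lines = [
        f"dn: uid={name},{ou}",
        "objectClass: account",
        "objectClass: posixAccount",
        f"uid: {name}",
        f"cn: {name}",
        f"uidNumber: {num}",
        f"gidNumber: {num}",
        f"homeDirectory: /srv/{project}/{tool}",   # hypothetical layout
        "loginShell: /usr/sbin/nologin",
        "",
        f"dn: cn={name},{ou}",
        "objectClass: posixGroup",
        f"cn: {name}",
        f"gidNumber: {num}",
        "",
    ]
    return "\n".join(lines), num


if __name__ == "__main__":
    print(service_account_ldif("tools", "mytool", {20000, 20001})[0])
```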