On 1/18/20 7:12 PM, Christian Boltz wrote:
On Friday, 17 January 2020, 22:18:26 CET, Lars Vogdt wrote:
Michael Ströder wrote:
I've tried to log in to nue-ns1.infra.opensuse.org to have a look at the current setup but am probably not allowed to do so.
You could. But I have to admit that I did not really do much to make this easy for you: I only got the machine known by the saltmaster and made sure that the machine accepted the saltmaster for deployments. The rest is on you... ;-).
It would be nice to at least run highstate after setting up a new VM. This does some basic setup, for example the ssh and sssd config that allows ssh logins for FreeIPA users, [..] [..] Note that this base setup does not include sudo permissions. If someone submits a MR to our salt repo that adds sudo permissions to a role (the existing ns_slave role uses powerdns and probably doesn't fit, maybe a new role?), I'll happily review that ;-)
=> Just add your ssh-key via Salt.
No, please don't ;-) (unless you have very good reasons [1]) [..] Our usual workflow is to set up a group in FreeIPA (in this case probably "dns-admins"), and then set up a sudo rule for this group in salt (in pillar/role/*).
However, I wonder if it makes sense to keep this level of indirection, or if we should switch to listing individual users in salt.
This all sounds really odd to me. :-/ Why not just use a decent user management for all of that and maintain access control data just in the database? :-] Ah, it's already there: https://aedir1.infra.opensuse.org/ Everybody interested in testing this, just drop me an e-mail with your person name and e-mail address you want to use for registration. Ciao, Michael.