#27145 closed defect (wontfix)

help.tpo accounts is not clear enough

Reported by: juga
Owned by: tpa
Priority: Medium
Component: Internal Services/Tor Sysadmin Team
Severity: Normal

Description

Quoting https://help.torproject.org/tsa/doc/accounts/:

Most of the time when people want access to a specific host, what they really want is getting added to a particular group

do "people" need to know how ldap works or how the different services/machines are configured to know which "group" they want to be added to?
I suspect no

If you want to get added to some unix group, you will have to find an existing member of that group.

awesome explanation, what if a new group is needed?

They should then request on trac –

ok, the person in the group, not the person that "want" the "access".

ideally in a PGP signed message (as above in the new account creation section) – that you be added to their group.

it seems this means that the *OpenPGP*-signed message should be in the trac ticket, but it is confusing whether it should be an email, and whether it should be PGP-signed.

And I could not find the component where to include this ticket.

Attachments (3)

Change History (7)

comment:1 in reply to: description Changed 14 months ago by irl

Component: - Select a component → Internal Services/Tor Sysadmin Team
Owner: set to tpa

I am not a sysadmin team person, so some of this may be incorrect, but here's my understanding:

Replying to juga:

Quoting https://help.torproject.org/tsa/doc/accounts/:

Most of the time when people want access to a specific host, what they really want is getting added to a particular group

do "people" need to know how ldap works or how the different services/machines are configured to know which "group" they want to be added to?
I suspect no

If you already have an ldap account you can probably log in to the machine and run ls -la /srv/thing and it will tell you what group owns a service.

Many things are documented on the Infrastructure wiki page.

For most services you would probably have been working with existing people in the group and they would know what group access to ask for.

If you want to get added to some unix group, you will have to find an existing member of that group.

awesome explanation, what if a new group is needed?

This should probably still be a ticket for the sysadmin component, but the group creation would normally be a side effect of the deployment of a new service, which again would be a ticket for the sysadmin component.

They should then request on trac –

ok, the person in the group, not the person that "want" the "access".

Yes. The request must be from an existing member of the group.

ideally in a PGP signed message (as above in the new account creation section) – that you be added to their group.

it seems this means that the *OpenPGP*-signed message should be in the trac ticket, but it is confusing whether it should be an email, and whether it should be PGP-signed.

gpg --clearsign will produce a signed message that can be pasted into a trac ticket, and allow for the person processing the ticket to validate the signature.

And I could not find the component where to include this ticket.

I have filed it in the sysadmin component, which is where ldap related things go.
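The flow irl describes, as an added example (not from the ticket, the TPA docs or Tor's tooling): an existing member clearsigns the request text with gpg, and the person processing the ticket verifies it and checks that the signing key's fingerprint is the one on file for that member, since a valid signature from an unknown key says nothing about group membership. The identity, request text and "fingerprint on file" are constructed, and a throwaway GNUPGHOME keeps everything off the real keyring.

```shell
#!/bin/sh
# Added example: clearsign a group request and verify it the way a ticket
# processor would, pinning the signer to a known member fingerprint.
set -eu

# Verify a clearsigned file; succeed only if the signature is valid AND the
# primary-key fingerprint (last field of the VALIDSIG status line) matches
# the fingerprint on file for an existing group member.
verify_request() {
    sig_file="$1"; expected_fpr="$2"
    signer=$(gpg --batch --status-fd 1 --verify "$sig_file" 2>/dev/null \
             | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }')
    [ -n "$signer" ] || { echo "rejected: no valid signature"; return 1; }
    [ "$signer" = "$expected_fpr" ] \
        || { echo "rejected: valid signature but unknown key $signer"; return 1; }
    echo "accepted: signed by member key $signer"
}

# Member side + processor side, end to end, in a temporary keyring.
demo() {
    command -v gpg >/dev/null || { echo "gpg not installed"; return 1; }
    tmp=$(mktemp -d); chmod 700 "$tmp"; export GNUPGHOME="$tmp"
    uid='Existing Member <member@example.invalid>'   # constructed identity
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never 2>/dev/null
    # The fingerprint a sysadmin would have on file (here: read from our own keyring).
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    printf 'Please add juga to group torwww.\n' > "$tmp/request.txt"   # constructed request
    gpg --batch --pinentry-mode loopback --passphrase '' --clearsign \
        --output "$tmp/request.asc" "$tmp/request.txt"
    ok=1
    # 1) untouched request from the known member: must be accepted
    if verify_request "$tmp/request.asc" "$fpr"; then ok=0; fi
    # 2) same request, text altered after signing: must be rejected
    sed 's/torwww/tpa/' "$tmp/request.asc" > "$tmp/tampered.asc"
    if verify_request "$tmp/tampered.asc" "$fpr"; then ok=1; fi
    # 3) valid signature but not the fingerprint on file: must be rejected
    if verify_request "$tmp/request.asc" "0000000000000000000000000000000000000000"; then ok=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return $ok
}
```

Pasting the contents of request.asc into the ticket is enough; `gpg --verify` only needs the clearsigned block, not a separate detached signature.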

comment:2 Changed 14 months ago by weasel

Resolution: worksforme
Status: new → closed

It seems irl answered all your questions.

If you have proposed changes to the text of the wiki, by all means propose :)

comment:3 in reply to: 2 Changed 14 months ago by juga

Resolution: worksforme
Status: closed → reopened

Replying to weasel:

It seems irl answered all your questions.

Not really, maybe because I didn't even make them.

If you have proposed changes to the text of the wiki, by all means propose :)

Reopening this ticket with the patches i propose.

Replying to irl:

I am not a sysadmin team person, so some of this may be incorrect, but here's my understanding:

Replying to juga:

Quoting https://help.torproject.org/tsa/doc/accounts/:

Most of the time when people want access to a specific host, what they really want is getting added to a particular group

do "people" need to know how ldap works or how the different services/machines are configured to know which "group" they want to be added to?
I suspect no

If you already have an ldap account you can probably log in to the machine and run ls -la /srv/thing and it will tell you what group owns a service.

Before writing this ticket, I logged into perdulce as weasel said on IRC and ran getent group. There was not any group called "dist". Weasel said it was probably torwww, but he had to check to know which group's access corresponds to "dist".

Log in to which machine, do you mean? dist.tpo is a different machine from perdulce. In perdulce, ls -ls /srv does not give any interesting information.

As nickm proposed in https://trac.torproject.org/projects/tor/ticket/26849#comment:2, we should have write permissions only in a directory called sbws in dist.tpo, not to the root of dist.tpo.

So, questions:

  1. does a new group need to be created to have permissions in dist.tpo only in the directory sbws?
  2. which is the group that corresponds to dist.tpo, torwww?

Many things are documented on the Infrastructure wiki page.

All the information i can get about dist.tpo in that page is:

dist.torproject.org (web) helix packages N/A N/A

I think that page should be updated. Not sure there's already a ticket.

For most services you would probably have been working with existing people in the group and they would know what group access to ask for.

The group I'm mostly working with is pastly and teor, who are not in the group torwww. Other people in network-team and weasel are included in that group. It seems I have to ask one by one.

[...]

I think the rest of my comments can be understood by the patches.

Thanks.

Changed 14 months ago by juga

comment:4 Changed 12 months ago by juga

Resolution: wontfix
Status: reopened → closed

AFAIU, there's no solution to this ticket without restructuring permissions/responsibilities.
So closing again for now.
