Comments (11)
is the second statement actually true? ocfroot should have /root, but not all of ocfroot needs /admin right? i thought /admin is only for ldap/kerberos admin.
from utils.
there is no case where a person should be in ocfroot and not have a /admin principal
from utils.
oh, interesting. are we giving all root staff super powers in kerberos and ldap now?
from utils.
yes. it doesn't make sense to provide root but not ldap admin; you'll constantly be blocked on silly things like changing puppet environments, adding new hosts or puppet classes, etc.
additionally, there's no technical justification since both privileges easily escalate into the other
from utils.
> yes. it doesn't make sense to provide root but not ldap admin; you'll constantly be blocked on silly things like changing puppet environments, adding new hosts or puppet classes, etc.
ah, all the newness of ldap for all the things.
> additionally, there's no technical justification since both privileges easily escalate into the other
good point
though, it would make sense for an ocfstaff member to have /root just to change passwords, right? (i.e. staff member is not in ocfroot group, but only ocfstaff) (yes, i know we basically don't need that anymore since you can change it on the website now.)
from utils.
yeah, lots of staff have a /root principal but not root (ocfroot aka sudo)
it's definitely confusingly named. to make it worse, the /root principal is used to authenticate (but not authorize) sudo access, except on staff VMs and desktops
from utils.
good to know that /root (and /admin) are still as confusing as 3+ years ago.
from utils.
IMHO we should eventually rename /root to /staff and ocfroot to ocfadmin.
from utils.
> IMHO we should eventually rename /root to /staff and ocfroot to ocfadmin.
didn't we decide to do that like 6 years ago, but never did it?
from utils.
I wonder if renaming /root to /staff will end up confusing new staff as to what privileges they have when they get added to the ocfstaff LDAP group, but would still need to ask for a /staff principal to do any root-requiring work
from utils.
Closed by ocf/puppet#835
from utils.