Regardless of how MirrorManager is made to work, the content itself will need
to come from S3; I think that's in agreement, right?

When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it is
best to have an S3 account per region for large sites; I agreed, and have
already experienced why this is the case. I can go over the reasons more
extensively if the group would like, but they can be summed up with a single
word: "security." I'll give two short examples, both based on what could
happen between Matt and me working on getting MirrorManager in AWS.

While working on the code to get MirrorManager to have an S3 back-end, say I
accidentally send the keypair in an email, or worse, in an email to a list.
I would immediately fail over to the second keypair (accounts can only have
two keypairs, and only one should be used at a time except for when you're
changing the keys; the second allows for seamless switches to a new keypair,
as you leave both active until the process is complete, then deactivate the
old one). Having the keys be per-region minimizes the impact of this
problem; there was a temporary exposure, but it wasn't a /global/ exposure,
which means we can safely treat the contents of all the other regions as
clean/untainted still, and either sync from one region to another to make
sure nothing happened during the exposure, or at the very worst only have
one repo to rebuild.

As another example, to help Matt with getting S3 as a backend for
MirrorManager, I would have my productivity greatly increased by having
access to the keypair. Is the only thing on the official Fedora account the
S3-backed repositories? I wouldn't think so. However, that keypair allows
access to *everything* at AWS. There is nothing sacred from that keypair; I
can use it to put a pubkey in the authorized_keys file of root on all the
EC2 instances and then do things as root on the servers, as an example.
That keypair is godmode for *all* of the AWS services. Making distinct
per-region accounts that are used just to do S3 buckets protects you from
this. Matt could give me a normal login account on an EC2 server so I could
help test things, and I could use a keypair to work on S3 as a backend,
without worrying that doing so meant I needed access to the god-mode keys.

A key per role, per need, more or less. Ben started our convo by trying to
sell me on multi-account setups, but didn't need to; I already work on a
team that needs to insulate itself from mistakes, and from workers who may
not be here next week (and who should therefore not have godmode keys).
There are a number of other reasons for it, if I need to go on ;)

Does that all make sense?

Brian LaMere