Hi,
I'm not sure who is the correct person to direct this question at, so I'll open it up to the group. In my previous job I worked daily with AWS and have a decent grasp of the workings of some parts of it (I don't think anyone knows all of AWS).
I think I could be of assistance in implementing best practices and also in carrying out general day-to-day work. I have seen these 2 tickets specifically on the fedora infrastructure issue tracker which I may be of assistance with.
https://pagure.io/fedora-infrastructure/issue/8667
https://pagure.io/fedora-infrastructure/issue/8407
These involve IAM which I understand carries a bit of a security issue, but I could work with someone who has access, or even with read-only access, and I could offer some potential fixes. Let me know if I can help.
Regards, Mark
On Tue, Apr 28, 2020 at 03:55:52PM +0100, Mark O'Brien wrote:
Hi,
I'm not sure who is the correct person to direct this question at, so I'll open it up to the group. In my previous job I worked daily with AWS and have a decent grasp of the workings of some parts of it (I don't think anyone knows all of AWS).
Hey Mark. I guess that would be me (on the Fedora side) and Fabian (on the CentOS side).
I think I could be of assistance in implementing best practices and also in carrying out general day-to-day work. I have seen these 2 tickets specifically on the fedora infrastructure issue tracker which I may be of assistance with.
https://pagure.io/fedora-infrastructure/issue/8667
https://pagure.io/fedora-infrastructure/issue/8407
Excellent! I'd love some help in this area. :)
I know time zones are not too good between us, but perhaps we could schedule a time early my morning and later your afternoon/evening to get together on irc and go over things and try and solve some of those tickets?
These involve IAM which I understand carries a bit of a security issue, but I could work with someone who has access, or even with read-only access, and I could offer some potential fixes. Let me know if I can help.
Absolutely, and thanks for the offer.
Our setup is a little atypical, but I can explain it to you and we can work out some access to at least test things or the like.
We also have:
https://pagure.io/fedora-infrastructure/issue/8436
which I keep never getting around to, and perhaps you could script the needed steps for me there.
Let me know when a good morning might be and we can try and get together. IRC would be best for me, then we could also add in anyone else who was interested.
kevin
On Tue, Apr 28, 2020 at 9:27 PM Kevin Fenzi kevin@scrye.com wrote:
On Tue, Apr 28, 2020 at 03:55:52PM +0100, Mark O'Brien wrote:
Hi,
I'm not sure who is the correct person to direct this question at, so I'll open it up to the group. In my previous job I worked daily with AWS and have a decent grasp of the workings of some parts of it (I don't think anyone knows all of AWS).
Hey Mark. I guess that would be me (on the Fedora side) and Fabian (on the CentOS side).
Thanks, good to know who to reach out to.
I think I could be of assistance in implementing best practices and also in carrying out general day-to-day work. I have seen these 2 tickets specifically on the fedora infrastructure issue tracker which I may be of assistance with.
https://pagure.io/fedora-infrastructure/issue/8667
https://pagure.io/fedora-infrastructure/issue/8407
Excellent! I'd love some help in this area. :)
I know time zones are not too good between us, but perhaps we could schedule a time early my morning and later your afternoon/evening to get together on irc and go over things and try and solve some of those tickets?
These involve IAM which I understand carries a bit of a security issue, but I could work with someone who has access, or even with read-only access, and I could offer some potential fixes. Let me know if I can help.
Absolutely, and thanks for the offer.
Our setup is a little atypical, but I can explain it to you and we can work out some access to at least test things or the like.
I think a lot of places use an atypical setup from what I read. A possible way to give limited access going forward would be to federate access to a redhat account of some sort (gmail/fedora); that way you could set a generic limited access policy for new users.
We also have:
https://pagure.io/fedora-infrastructure/issue/8436
which I keep never getting around to, and perhaps you could script the needed steps for me there.
I have left a comment on the ticket about potentially using a daily lambda function to take care of this. I will put together a bash script which can make use of the aws cli for the initial clean up.
Let me know when a good morning might be and we can try and get together. IRC would be best for me, then we could also add in anyone else who was interested.
I can do today or tomorrow at 16:30 IST / 08:30 PDT or 21:00 IST / 13:00 PDT, whichever would suit you best. I am off Friday so if neither of these times suits you we could try next week. We can use whichever IRC channel you think appropriate.
Mark
On Wed, Apr 29, 2020 at 02:02:08PM +0100, Mark O'Brien wrote:
On Tue, Apr 28, 2020 at 9:27 PM Kevin Fenzi kevin@scrye.com wrote:
I think a lot of places use an atypical setup from what I read.
Heh. Yeah.
The big thing about ours is that we have just one account for all our community activities, which amazon picks up the tab for. :)
So, that's great on one hand, but on the other we have a bunch of different groups that all want to use it and we don't want them to step on each other or cause problems for one another.
A possible way to give limited access going forward would be to federate access to a redhat account of some sort (gmail/fedora); that way you could set a generic limited access policy for new users.
We already do.
All access to the account is via our ipsilon instance using SAML2. ipsilon in turn gets information from fas (fedora account system). When you log in via SAML2, your group information is passed along, and if you are in specific groups you are logged in with that group's role.
So, we have a master role (all access), a copr role (for the copr team), a fedora-ci role (for fedora-ci), etc. Some teams need programmatic access also, so for them we create users that have the same IAM policy as the roles and use a token.
The IAM policies are set up so roles have limited access to most things, and then full access to things that are tagged with their group. When they spin up new resources, they tag them as belonging to their group, and then they can do whatever they need to with them and other roles can't.
It's not great, but it does work.
We also have:
https://pagure.io/fedora-infrastructure/issue/8436
which I keep never getting around to, and perhaps you could script the needed steps for me there.
I have left a comment on the ticket about potentially using a daily lambda function to take care of this. I will put together a bash script which can make use of the aws cli for the initial clean up.
So, most of these are really old. I don't know who made them or why they are there, so I think if we could just mark them all unavailable or something, wait a few weeks to make sure no one comes asking about them, then delete them, that would likely do.
We do upload Fedora images... but that process is controlled by an application called fedimg and it has its own cleanup scripts to clean up things. I can dig up more details... but we are hoping to replace this with a new app from the coreos folks. If you are interested in driving that forward that would be great! https://pagure.io/fedora-infrastructure/issue/7702 is the old ticket on this.
Let me know when a good morning might be and we can try and get together. IRC would be best for me, then we could also add in anyone else who was interested.
I can do today or tomorrow at 16:30 IST / 08:30 PDT or 21:00 IST / 13:00 PDT, whichever would suit you best.
Today is no good. ;) Tomorrow the infra meeting is at 8-9PDT. I'm free at 13pdt tomorrow tho, so that works fine, or between 9-11pdt.
I am off Friday so if neither of these times suits you we could try next week. We can use whichever IRC channel you think appropriate.
How about #fedora-admin...
kevin
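Kevin's description of the per-group roles (read access to most things, full access to resources carrying the group's tag, tagging at creation time) is what AWS documents as tag-based access control. The script below is an added example written for this thread, not the account's real policies; the tag key "group", the group name and the SAML provider ARN are assumptions.

```shell
#!/bin/sh
# Added illustration of the per-group role pattern described in the thread: a
# role may read broadly, fully manage EC2 resources tagged with its own group,
# and must tag whatever it creates. The tag key "group", the group name and the
# SAML provider ARN are assumptions, not the Fedora account's real policies.
set -eu

# Print the permissions policy for one group (e.g. "copr") as JSON.
group_policy() {  # $1 = group name
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "ReadAll", "Effect": "Allow",
      "Action": "ec2:Describe*", "Resource": "*" },
    { "Sid": "ManageOwn", "Effect": "Allow",
      "Action": "ec2:*", "Resource": "*",
      "Condition": { "StringEquals": { "aws:ResourceTag/group": "$1" } } },
    { "Sid": "CreateOnlyWithGroupTag", "Effect": "Allow",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateTags"],
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": { "StringEquals": { "aws:RequestTag/group": "$1" } } },
    { "Sid": "RunInstancesSharedInputs", "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                   "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*",
                   "arn:aws:ec2:*:*:network-interface/*"] },
    { "Sid": "NeverRewriteGroupTag", "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "group" },
                     "Null": { "ec2:CreateAction": "true" } } }
  ]
}
EOF
}

# Trust policy: only the SAML identity provider (ipsilon) may assume the role.
saml_trust() {  # $1 = provider ARN, e.g. arn:aws:iam::123456789012:saml-provider/ipsilon
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"%s"},"Action":"sts:AssumeRoleWithSAML","Condition":{"StringEquals":{"SAML:aud":"https://signin.aws.amazon.com/saml"}}}]}' "$1"
}

# Create the group's role and attach the policy inline (needs aws cli + creds).
create_group_role() {  # $1 = group name (used as role name); $2 = SAML provider ARN
  aws iam create-role --role-name "$1" --assume-role-policy-document "$(saml_trust "$2")"
  aws iam put-role-policy --role-name "$1" --policy-name "$1-tagged-access" \
    --policy-document "$(group_policy "$1")"
}
```

The Deny statement closes the gap that "full access to own tagged things" would otherwise leave: a role could re-tag its resource with another group's name or strip the tag, so changing the group key is only allowed as part of creating a resource.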
On Wed, Apr 29, 2020 at 5:41 PM Kevin Fenzi kevin@scrye.com wrote:
On Wed, Apr 29, 2020 at 02:02:08PM +0100, Mark O'Brien wrote:
On Tue, Apr 28, 2020 at 9:27 PM Kevin Fenzi kevin@scrye.com wrote:
I think a lot of places use an atypical setup from what I read.
Heh. Yeah.
The big thing about ours is that we have just one account for all our community activities, which amazon picks up the tab for. :)
So, that's great on one hand, but on the other we have a bunch of different groups that all want to use it and we don't want them to step on each other or cause problems for one another.
A possible way to give limited access going forward would be to federate access to a redhat account of some sort (gmail/fedora); that way you could set a generic limited access policy for new users.
We already do.
All access to the account is via our ipsilon instance using SAML2. ipsilon in turn gets information from fas (fedora account system). When you log in via SAML2, your group information is passed along, and if you are in specific groups you are logged in with that group's role.
So, we have a master role (all access), a copr role (for the copr team), a fedora-ci role (for fedora-ci), etc. Some teams need programmatic access also, so for them we create users that have the same IAM policy as the roles and use a token.
The IAM policies are set up so roles have limited access to most things, and then full access to things that are tagged with their group. When they spin up new resources, they tag them as belonging to their group, and then they can do whatever they need to with them and other roles can't.
It's not great, but it does work.
We also have:
https://pagure.io/fedora-infrastructure/issue/8436
which I keep never getting around to, and perhaps you could script the needed steps for me there.
I have left a comment on the ticket about potentially using a daily lambda function to take care of this. I will put together a bash script which can make use of the aws cli for the initial clean up.
So, most of these are really old. I don't know who made them or why they are there, so I think if we could just mark them all unavailable or something, wait a few weeks to make sure no one comes asking about them, then delete them, that would likely do.
We do upload Fedora images... but that process is controlled by an application called fedimg and it has its own cleanup scripts to clean up things. I can dig up more details... but we are hoping to replace this with a new app from the coreos folks. If you are interested in driving that forward that would be great! https://pagure.io/fedora-infrastructure/issue/7702 is the old ticket on this.
Let me know when a good morning might be and we can try and get together. IRC would be best for me, then we could also add in anyone else who was interested.
I can do today or tomorrow at 16:30 IST / 08:30 PDT or 21:00 IST / 13:00 PDT, whichever would suit you best.
Today is no good. ;) Tomorrow the infra meeting is at 8-9PDT. I'm free at 13pdt tomorrow tho, so that works fine, or between 9-11pdt.
I am off Friday so if neither of these times suits you we could try next week. We can use whichever IRC channel you think appropriate.
How about #fedora-admin...
OK, I'll ping you at about 13pdt on #fedora-admin and if you are free we can try to go through some of this. I appreciate you are busy so no worries if you need to put me off.
Mark
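The cleanup plan quoted above for issue 8436 (mark the old images unavailable, wait a few weeks, then delete them), written out as an added aws cli shell script; it is not the script Mark said he would write, it assumes the stale resources are AMIs owned by the account, and the tag key and cutoff dates are made up for the example.

```shell
#!/bin/sh
# Added example for the old-image cleanup discussed in the thread (issue 8436):
# mark stale AMIs unavailable and tag them, then after a grace period
# deregister those still tagged. Assumes the stale resources are AMIs owned by
# this account; the tag key and the cutoff dates are made up for the example.
set -eu
TAG=pending-deletion

# Keep the ids of images whose CreationDate (2nd field, ISO-8601, so plain
# string order is date order) is before the cutoff. Input lines look like
# "<ImageId> <CreationDate> <Name>", as printed by list_images.
select_stale() {  # $1 = cutoff date YYYY-MM-DD; image list on stdin
  awk -v cutoff="$1" '$2 < cutoff { print $1 }'
}

list_images() {
  aws ec2 describe-images --owners self \
    --query 'Images[].[ImageId,CreationDate,Name]' --output text
}

# Phase 1: drop the public launch permission and record the date, so the image
# is unavailable to others but can still be restored if someone asks for it.
mark_unavailable() {  # $1 = creation-date cutoff; $2 = today's date
  list_images | select_stale "$1" | while read -r ami; do
    aws ec2 modify-image-attribute --image-id "$ami" \
      --launch-permission 'Remove=[{Group=all}]'
    aws ec2 create-tags --resources "$ami" --tags "Key=$TAG,Value=$2"
  done
}

# Phase 2: deregister images tagged before the grace cutoff and delete their
# backing snapshots, which would otherwise keep costing storage.
delete_expired() {  # $1 = grace cutoff date, e.g. three weeks ago
  aws ec2 describe-images --owners self --filters "Name=tag-key,Values=$TAG" \
    --query "Images[].[ImageId, Tags[?Key=='$TAG'].Value | [0], join(',', BlockDeviceMappings[].Ebs.SnapshotId)]" \
    --output text |
  awk -v cutoff="$1" '$2 < cutoff { print $1, $3 }' |
  while read -r ami snaps; do
    aws ec2 deregister-image --image-id "$ami"
    for snap in $(printf '%s' "$snaps" | tr ',' ' '); do
      case "$snap" in snap-*) aws ec2 delete-snapshot --snapshot-id "$snap" ;; esac
    done
  done
}

case "${1:-}" in
  mark)   mark_unavailable "${2:?creation-date cutoff required}" "$(date -u +%F)" ;;
  delete) delete_expired "${2:?grace cutoff date required}" ;;
esac
```

Run it as "sh cleanup.sh mark 2019-01-01" for the first pass and, after the waiting period, "sh cleanup.sh delete <date three weeks ago>"; the dates are passed in explicitly so the script does not depend on GNU date.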
On Thu, Apr 30, 2020 at 02:24:51PM +0100, Mark O'Brien wrote:
OK, I'll ping you at about 13pdt on #fedora-admin and if you are free we can try to go through some of this.
ok. It's shaping up to be a busy day, but we can see.
I appreciate you are busy so no worries if you need to put me off.
ok. Ping me then and I'll try and be free. If not, then next week.
kevin
infrastructure@lists.fedoraproject.org