Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity

reorganize bob access

Browse Source
This commit is contained in:
buchel_k
2023-05-11 08:33:26 +02:00
parent bd588901ec
commit 4432799d53
3 changed files with 16 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
infrastructure-guide/infrastructure_administration.md
View File

@@ -1,5 +1,19 @@
# Infrastructure Administration
## How to Grant a Access to bob/sysdb
bob is making http calls to the sysdb app. Authorization (https://git.psi.ch/linux-infra/sysdb#authentication-and-authorization) is done via krb5 tokens. Operations outside of environments (creating/changing the owner of/deleting environments) needs to be done by a sysdb admin, ie someone who is a member of the group sysdb-admins. Group membership of the authenticated users is evaluated on the OS level on sysdb.psi.ch. So group memberships can be set both locally or in the AD. This makes it a bit confusing, but both are used.
For the envs (bob env list), only adding and listing are implemented in bob, any other operation, like deletion or modification can only be performed in the sysdb sqlite database itself.
Each env can only have one user and one group assigned to it.
To grant access to different environments data-xxx repositories normal Git access control is used.
Nothing overrides the access control of the git server.
## linux.psi.ch
linux.psi.ch is hosted from this git repo as git pages. There is a proxy entry for the domain name linux.psi.ch on the F5 reverse proxy, that is managed by the network team, to reach the git pages by https://linux.psi.ch
@@ -38,3 +52,4 @@ This email list is administered by Outlook in the following way (if you have man
- Click on Add and add a new email address
![outlook_04.png](outlook_04.png)

14
infrastructure-guide/newbob.md
View File

@@ -1,14 +0,0 @@
# How to grand a person access to bob/sysdb
bob is making http calls to the sysdb app. Authorization (https://git.psi.ch/linux-infra/sysdb#authentication-and-authorization) is done via krb5 tokens. Operations outside of environments (creating/changing the owner of/deleting environments) needs to be done by a sysdb admin, ie someone who is a member of the group sysdb-admins. Group membership of the authenticated users is evaluated on the OS level on sysdb.psi.ch. So group memberships can be set both locally or in the AD. This makes it a bit confusing, but both are used.
The sysdb-admins specifically is a local group, see /etc/group
For the envs (bob env list), only adding and listing are implemented in bob, any other operation, like deletion or modification can only be performed in the sysdb sqlite database itself.
Each env can only have one user and one group assigned to it.
To grant access to different environments data-xxx repositories normal Git access control is used.
Nothing overrides the access control of the git server.

2
infrastructure-guide/sysdb_server.md
View File

@@ -1,4 +1,4 @@
# Sysdb Server
# Sysdb Server
https://git.psi.ch/linux-infra/sysdb/ is pulled into /var/www/sysdb/app/ (no automation, just by hand)