
From: Marc Dequènes (Duck) <duck@redhat.com>
To: oVirt Infra <infra@ovirt.org>
Subject: admin user list

Quack,

So I'm setting up admin users for infra-ansible and the associated machines to give you root access. I need some help to understand how this list is defined.

In Puppet I could find 23 users (not counting the devel and system accounts). If I log onto backup I can only find 18 of them deployed. So for example account 'dfediuck' is not created while I can't find any difference with other properly created ones. It does not seem there are Puppet groups defined either.

On the contrary if I log into resources I can find extra users like 'rafaelmartins' and they are nowhere to be found in Puppet. So I guess they were added manually. This makes removing users no longer in the project very difficult, so I think we should audit user accounts.

Could someone give a hand please?

\_o<

From: Ewoud Kohl van Wijngaarden <ewoud+ovirt@kohlvanwijngaarden.nl>

On Thu, Jun 22, 2017 at 12:17:34PM +0900, Marc Dequènes (Duck) wrote:
> Quack,
>
> So I'm setting up admin users for infra-ansible and the associated machines to give you root access. I need some help to understand how this list is defined.
>
> In Puppet I could find 23 users (not counting the devel and system accounts). If I log onto backup I can only find 18 of them deployed. So for example account 'dfediuck' is not created while I can't find any difference with other properly created ones. It does not seem there are Puppet groups defined either.

As I recall it there's a puppet class for every user. Then in Foreman these classes can be added to a host. Mostly they will have the ensure set to present, but absent can work too if you want to remove them.

> On the contrary if I log into resources I can find extra users like 'rafaelmartins' and they are nowhere to be found in Puppet. So I guess they were added manually. This makes removing users no longer in the project very difficult, so I think we should audit user accounts.

Auditing makes sense. Given my lack of involvement I think my accounts could be cleaned up as well.

On Thu, Jun 22, 2017 at 9:30 AM, Ewoud Kohl van Wijngaarden <ewoud+ovirt@kohlvanwijngaarden.nl> wrote:

> On Thu, Jun 22, 2017 at 12:17:34PM +0900, Marc Dequènes (Duck) wrote:
>> Quack,
>>
>> So I'm setting up admin users for infra-ansible and the associated machines to give you root access. I need some help to understand how this list is defined.
>>
>> In Puppet I could find 23 users (not counting the devel and system accounts). If I log onto backup I can only find 18 of them deployed. So for example account 'dfediuck' is not created while I can't find any difference with other properly created ones. It does not seem there are Puppet groups defined either.
>
> As I recall it there's a puppet class for every user. Then in Foreman these classes can be added to a host. Mostly they will have the ensure set to present, but absent can work too if you want to remove them.
>
>> On the contrary if I log into resources I can find extra users like 'rafaelmartins' and they are nowhere to be found in Puppet. So I guess they were added manually. This makes removing users no longer in the project very difficult, so I think we should audit user accounts.
>
> Auditing makes sense. Given my lack of involvement I think my accounts could be cleaned up as well.

+1 on cleanup of unused accounts, I can help with what we can remove.
--
Eyal Edri
ASSOCIATE MANAGER
RHV DevOps
EMEA VIRTUALIZATION R&D
Red Hat EMEA <https://www.redhat.com/>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)

From: Marc Dequènes (Duck) <duck@redhat.com>
To: infra@ovirt.org
Subject: Re: admin user list

Quack,

On 06/22/2017 03:30 PM, Ewoud Kohl van Wijngaarden wrote:

> As I recall it there's a puppet class for every user. Then in Foreman these classes can be added to a host. Mostly they will have the ensure set to present, but absent can work too if you want to remove them.

Yes, I saw the classes but did not see any association with the hosts. I honestly did not expect to have this relation in Foreman. I never used Foreman, any idea in which config file it would be?

\_o<

From: Ewoud Kohl van Wijngaarden <ewoud+ovirt@kohlvanwijngaarden.nl>

On Thu, Jun 22, 2017 at 04:12:49PM +0900, Marc Dequènes (Duck) wrote:
> Quack,
>
> On 06/22/2017 03:30 PM, Ewoud Kohl van Wijngaarden wrote:
>
>> As I recall it there's a puppet class for every user. Then in Foreman these classes can be added to a host. Mostly they will have the ensure set to present, but absent can work too if you want to remove them.
>
> Yes, I saw the classes but did not see any association with the hosts. I honestly did not expect to have this relation in Foreman. I never used Foreman, any idea in which config file it would be?

It could be inside the foreman database, but maybe this was moved to hiera. Currently I'm on very spotty wifi so not really in the position to look this up. I'd check the hiera repository first (should be in gerrit) and if it's not there then check Foreman. Not sure if you can easily use the API or just go from host to host manually.

On 22 June 2017 at 06:17, Marc Dequènes (Duck) <duck@redhat.com> wrote:

> On the contrary if I log into resources I can find extra users like 'rafaelmartins' and they are nowhere to be found in Puppet. So I guess they were added manually. This makes removing users no longer in the project very difficult, so I think we should audit user accounts.

'resources' includes users from the 'integration' team, not just the 'infra' team. All users should be in Puppet however. If that is not the case, I guess this is because of the way Puppet works, where removing code that configures things does not remove the configured things. It's highly likely we had a class for Rafael (he was a member of the 'integration' team) and it was removed when he left.

--
Barak Korren
RHV DevOps team, RHCE, RHCi
Red Hat EMEA
redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
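
Added example, not part of the thread and not the oVirt project's code: one way to run the account audit discussed above for a single host, classifying drift between the users declared in configuration management and the login accounts in a passwd(5) file. The declared mapping, the sample passwd text, all user names and the UID threshold are constructed assumptions; exporting the declared list from Puppet, hiera or Foreman is not shown.

```python
"""Compare accounts declared in configuration management with accounts on a host."""

# Constructed sample: user -> ensure value, as it might be exported from
# Puppet/hiera/Foreman (the export step is an assumption, not shown here).
DECLARED = {"alice": "present", "bob": "present", "carol": "absent"}

# Constructed passwd(5) content for one host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
svc_backup:x:1004:1004::/home/svc_backup:/sbin/nologin
broken-line-without-fields
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def login_accounts(passwd_text, uid_min=1000):
    """Names of non-system accounts that have a login shell."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank, comment and malformed lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= uid_min and shell not in NOLOGIN_SHELLS:
            names.add(name)
    return names


def audit(declared, passwd_text, uid_min=1000):
    """Classify drift between the declared users and one host."""
    deployed = login_accounts(passwd_text, uid_min)
    wanted = {u for u, ensure in declared.items() if ensure == "present"}
    unwanted = {u for u, ensure in declared.items() if ensure == "absent"}
    return {
        "missing": sorted(wanted - deployed),           # declared, never created
        "unmanaged": sorted(deployed - set(declared)),  # on host, not in code
        "still_present": sorted(unwanted & deployed),   # ensure=absent not applied
    }


if __name__ == "__main__":
    for kind, users in audit(DECLARED, PASSWD_SAMPLE).items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

The "unmanaged" bucket is the case described in the last message: an account whose class was deleted from the code rather than switched to absent stays on the host. On distributions where regular UIDs start at 500, pass uid_min=500.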
participants (4)
- Barak Korren
- Ewoud Kohl van Wijngaarden
- Eyal Edri
- Marc Dequènes (Duck)