[SAC] Projects Administration Question

Hi,

We've decided to (at least attempt) to go with a single piece of
shared infrastructure for project hosting at the moment on our new
VM setup.

Access to this VM should be relatively open, compared to other VMs.
However, this raises the question of admin access.

What I would like to do is to have each project use a setup that
minimizes the need for actual 'admin' access.

What I've done so far:

* Created a globally writable /osgeo/, as a home for projects.
* Created an openlayers user and group.
* Added members of the OpenLayers LDAP group to the openlayers
   group
* Made it so that all users of the OpenLayers group can
   sudo without a password to the OpenLayers user. (This would
   be good for things like running backups, setting up a crontab,
   etc.)
* Then, add one member from each project to the admin group
   (which has full sudo access).

I worry somewhat about giving full sudo access to all users who
have access to the machine; most projects probably don't need it,
and having one contact per project means it will be more likely
that we can find the person responsible for a particular aspect
of the project.

Most likely, this isn't going to be a big deal for most projects;
most of the existing projects only have one main sysadmin. However,
for OpenLayers (for example) there are at least 4-5 people who
have expressed interest in participating in sysadminy stuff as we
grow our website presence. Under this setup, things like Apache
config + restarts would go through me (or, if the project admin is
not available, could be requested through SAC), but other OL members
could write scripts, modify cronjobs, check status of the server,
svn up files/change web site, etc.

Is this something that people think is practical for most projects
currently looking to use the projects VM, or is this just overkill?

I mostly just want to limit people stepping on each other's toes...

Regards,
--
Christopher Schmidt
Nokia
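
The delegation described in the message above, written as a sudoers fragment. This is an added example, not the configuration actually deployed on the projects VM; the file name and the password requirement for the admin group are assumptions.

```sudoers
# /etc/sudoers.d/projects   (hypothetical file name)
# Check syntax before installing:  visudo -cf /etc/sudoers.d/projects

# One contact per project is in the admin group, which has full sudo.
# Assumption: admins still authenticate with their own password.
%admin       ALL=(ALL) ALL

# Weak alternative the message worries about: every project member gets root.
# %openlayers ALL=(ALL) ALL

# Scoped rule: members of the openlayers Unix group may run any command,
# but only as the openlayers user, and without a password.
# sudo applies the LAST matching entry, so this line comes after %admin;
# a person in both groups then keeps passwordless access to the project user.
%openlayers  ALL=(openlayers) NOPASSWD: ALL
```

A project member then works as the project account with `sudo -u openlayers crontab -e` or `sudo -u openlayers -i`, and `sudo -l` lists exactly what a given login has been granted.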

christopher.schmidt@nokia.com wrote:

> Hi,
>
> We've decided to (at least attempt) to go with a single piece of
> shared infrastructure for project hosting at the moment on our new
> VM setup.
>
> Access to this VM should be relatively open, compared to other VMs.
> However, this raises the question of admin access.
>
> What I would like to do is to have each project use a setup that
> minimizes the need for actual 'admin' access.
>
> What I've done so far:
>
> * Created a globally writable /osgeo/, as a home for projects.
> * Created an openlayers user and group.
> * Added members of the OpenLayers LDAP group to the openlayers
>    group
> * Made it so that all users of the OpenLayers group can
>    sudo without a password to the OpenLayers user. (This would
>    be good for things like running backups, setting up a crontab,
>    etc.)

Chris,

In the past I thought the best way to handle "groups" might be to have
a group for each project, and then anyone with sudo access could add
people to the /etc/group file manually. The problem I ran into is
that I don't know the best way to work with groups. For instance, it
seems that a userid has an active group on login and if they are in
several groups it may not be the one they want to work on. Also, it may
be difficult to keep the group and group permissions set on group files.

Anyways, I was never very successful on the blades with use of groups, but
it *seems* like it would be a better approach than having additional
"project" accounts, and groups that are administered via LDAP (I don't
want to have to create and manage too many ldap groups).

Perhaps someone more savvy than me will have ideas on how use of
groups could be made to work well?

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Programmer for Rent