SAC Status

Norman,

Have you had a chance to chat with John and Howard on the current status
of the telascience systems? There is a board meeting tomorrow, and one
of the issues will undoubtedly be whether SAC is functioning effectively
and what can be done to support SAC.

Things I would really like to see us move ahead with include:
  o Developing some sort of policy about who we give administrative
    access to, which machines need to be "very secure" (i.e. LDAP master)
    vs. "less secure" (i.e. build tests accessible to some project
    developers).

  o Working out how we back things up.

  o Working out a rough priority list for services to roll out.

  o Putting out a call for volunteers for SAC, which implies having
    a sense of what skills we need, and how we would manage an influx
    of several volunteers.

  o Setting up wiki pages explaining how the SAC administered systems
    are set up and a roadmap for what services go on what systems.

I believe both Arnulf and I are keen to assist on technical and
administrative issues. We have also had offers of technical help from
others such as Josh Livni, and Daniel Morissette.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGF, http://osgeo.org

Frank

I am moving things slowly along... I could use some help on confirming the LDAP is working from Plone... but I think it's good everywhere else.
I am also trying to build another blade out with FC4 but my kickstart server is not leasing a DHCP address to the blade yet... Anyone that has
knowledge in this area will be welcome to hop in and help. This blade will be for the buildbot :)

John

Frank Warmerdam wrote:

Norman,

Have you had a chance to chat with John and Howard on the current status
of the telascience systems? There is a board meeting tomorrow, and one
of the issues will undoubtedly be whether SAC is functioning effectively
and what can be done to support SAC.

Things I would really like to see us move ahead with include:
o Developing some sort of policy about who we give administrative
   access to, which machines need to be "very secure" (i.e. LDAP master)
   vs. "less secure" (i.e. build tests accessible to some project
   developers).

o Working out how we back things up.

o Working out a rough priority list for services to roll out.

o Putting out a call for volunteers for SAC, which implies having
   a sense of what skills we need, and how we would manage an influx
   of several volunteers.

o Setting up wiki pages explaining how the SAC administered systems
   are set up and a roadmap for what services go on what systems.

I believe both Arnulf and I are keen to assist on technical and
administrative issues. We have also had offers of technical help from
others such as Josh Livni, and Daniel Morissette.

Best regards,

As far as I know, Plone/LDAP authentication seems to be working. The only big issue (which looks to be very challenging to fix without some funding for the guys who work on Zope LDAP stuff) is populating the LDAP with a new user when someone joins the website. That isn't automatic, and the only way to currently create users is to do so manually with the Directory tool. It's also possible that we could write a clever Python script to do this for us.

Additionally, I set up the one blade I was accessing to use the LDAP for shell authentication (also limited to users who are also in the "Shell" access group).

Short term things that I think need to be done include:
- For shell users (like buildbots, DB administrators, etc.), common home directories across the possible machines would be desirable. I do this with NFS and/or CIFS and it is sufficient if allowed within John's infrastructure.
- Hook up Apache to do LDAP authentication as well, so things like a Subversion repository or just a dumb folder of files can be authenticated in the same way as everything else.
- The LDAP needs to be doing SSL, or be firewalled to only talk to internal TelaScience machines.

Howard

At 2:24 PM -0700 6/22/06, John Graham wrote:

Frank

I am moving things slowly along... I could use some help on confirming the LDAP is working from Plone... but I think it's good everywhere else.
I am also trying to build another blade out with FC4 but my kickstart server is not leasing a DHCP address to the blade yet... Anyone that has
knowledge in this area will be welcome to hop in and help. This blade will be for the buildbot :)

John

Frank Warmerdam wrote:

Norman,

Have you had a chance to chat with John and Howard on the current status
of the telascience systems? There is a board meeting tomorrow, and one
of the issues will undoubtedly be whether SAC is functioning effectively
and what can be done to support SAC.

Things I would really like to see us move ahead with include:
o Developing some sort of policy about who we give administrative
   access to, which machines need to be "very secure" (i.e. LDAP master)
   vs. "less secure" (i.e. build tests accessible to some project
   developers).

o Working out how we back things up.

o Working out a rough priority list for services to roll out.

o Putting out a call for volunteers for SAC, which implies having
   a sense of what skills we need, and how we would manage an influx
   of several volunteers.

o Setting up wiki pages explaining how the SAC administered systems
   are set up and a roadmap for what services go on what systems.

I believe both Arnulf and I are keen to assist on technical and
administrative issues. We have also had offers of technical help from
others such as Josh Livni, and Daniel Morissette.

Best regards,
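Howard's message above says that new LDAP users are currently created by hand with the Directory tool, that a Python script could do it instead, and that shell access on the blade is limited to members of the "Shell" group. The following is an added example (not SAC's or Howard's code) of what such a script could produce: an LDIF record for the new account with an {SSHA} password hash, plus a second record adding the uid to the Shell group. The base DN dc=osgeo,dc=org, the ou=People / ou=Groups layout, a posixGroup named cn=Shell and the uidNumber/gidNumber values are assumptions, not facts from the thread.

```python
"""Generate LDIF for a new user plus optional membership of the "Shell" group.

Added example, not SAC's own tooling. Assumed (not stated in the thread):
the base DN dc=osgeo,dc=org, an ou=People / ou=Groups layout, a posixGroup
named cn=Shell, and the uidNumber/gidNumber values used below.
"""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "dc=osgeo,dc=org"            # assumption
PEOPLE_OU = "ou=People," + BASE_DN     # assumption
GROUPS_OU = "ou=Groups," + BASE_DN     # assumption

# A uid must be safe as a DN component, a Unix login name and a bare LDIF value.
UID_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def ssha_password(password, salt=None):
    """Return a {SSHA} userPassword value, base64(sha1(password + salt) + salt),
    the format slappasswd -h {SSHA} emits and slapd verifies simple binds against."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a password against a {SSHA} value (here only to self-test the hash)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """One LDIF attribute line. Values RFC 2849 calls unsafe (leading space,
    ':' or '<', trailing space, control or non-ASCII characters) are base64
    encoded with '::' so a crafted value cannot inject extra LDIF lines."""
    if value == "":
        raise ValueError(f"{attr}: empty value")
    unsafe = (value[0] in " :<" or value[-1] == " "
              or any(ord(ch) < 32 or ord(ch) > 126 for ch in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def new_user_ldif(uid, cn, sn, mail, uid_number, password, shell_access=False):
    """Build the LDIF that adds the account under ou=People and, when
    shell_access is set, a second record adding the uid to cn=Shell."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"refusing unsafe uid {uid!r}")
    lines = [
        f"dn: uid={uid},{PEOPLE_OU}",
        "changetype: add",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_line("uid", uid),
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("mail", mail),
        f"uidNumber: {int(uid_number)}",
        "gidNumber: 100",                                  # assumption: shared users gid
        f"homeDirectory: /home/{uid}",
        # Accounts outside the Shell group get no login shell at all, so the group
        # check in PAM is not the only thing standing between them and a prompt.
        "loginShell: /bin/bash" if shell_access else "loginShell: /sbin/nologin",
        ldif_line("userPassword", ssha_password(password)),
    ]
    if shell_access:
        lines += [
            "",
            f"dn: cn=Shell,{GROUPS_OU}",
            "changetype: modify",
            "add: memberUid",
            f"memberUid: {uid}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; the password would normally come from a prompt.
    print(new_user_ldif("jdoe", "Jane Doe", "Doe", "jdoe@example.org", 10001,
                        "constructed-password", shell_access=True))
```

The output is loaded with something like `ldapadd -x -ZZ -D "cn=admin,dc=osgeo,dc=org" -W -f new_user.ldif` (the admin DN is a placeholder); `-ZZ` makes ldapadd refuse to proceed unless StartTLS succeeds, which is the same concern raised later in this thread about binds going over the wire in the clear. The same cn=Shell group can also drive the Apache item in Howard's list, since mod_authnz_ldap's `Require ldap-group` can gate a Subversion repository or a plain folder on membership of that group.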

Howard Butler wrote:

As far as I know, Plone/LDAP authentication seems to be working. The only big issue (which looks to be very challenging to fix without some funding for the guys who work on Zope LDAP stuff) is populating the LDAP with a new user when someone joins the website. That isn't automatic, and the only way to currently create users is to do so manually with the Directory tool. It's also possible that we could write a clever Python script to do this for us.

Additionally, I set up the one blade I was accessing to use the LDAP for shell authentication (also limited to users who are also in the "Shell" access group).

Short term things that I think need to be done include:
- For shell users (like buildbots, DB administrators, etc.), common home directories across the possible machines would be desirable. I do this with NFS and/or CIFS and it is sufficient if allowed within John's infrastructure.
- Hook up Apache to do LDAP authentication as well, so things like a Subversion repository or just a dumb folder of files can be authenticated in the same way as everything else.
- The LDAP needs to be doing SSL, or be firewalled to only talk to internal TelaScience machines.

Howard,

Could you explain a bit more to me about why LDAP needs to be doing SSL
or firewalled to only talk to internal servers? I have added your items
to a SAC TODO list I have started at:

   http://wiki.osgeo.org/index.php/SAC_TODO_List

At 2:24 PM -0700 6/22/06, John Graham wrote:

Frank

I am moving things slowly along... I could use some help on confirming the LDAP is working from Plone... but I think it's good everywhere else.
I am also trying to build another blade out with FC4 but my kickstart server is not leasing a DHCP address to the blade yet... Anyone that has
knowledge in this area will be welcome to hop in and help. This blade will be for the buildbot :)

OK, this sounds good. Note, John, it was never my intention that you be
loaded with too much of the administrative work beyond what has to be
done on site.

I have tried logging into the Plone instance at http://osgeo.telascience.org/
and it does not seem to let me log in with my LDAP userid and password. It
does have an old userid/password that I created within Plone. Howard
mentioned in IRC that the Plone authentication module seems to be missing
from the Plone instance now.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGF, http://osgeo.org

Frank Warmerdam wrote:

Norman,

Have you had a chance to chat with John and Howard on the current status
of the telascience systems? There is a board meeting tomorrow, and one
of the issues will undoubtedly be whether SAC is functioning effectively
and what can be done to support SAC.

Norman,

OK, being the impatient person I am, I have lumbered ahead with a few
things I think need to be done.

I have added the following new documents off the SAC page:

  o TODO List: with a few things I think need to be done (and hobu's items).

    http://wiki.osgeo.org/index.php/SAC_TODO_List

  o Service Status: An attempt to list machines, and services that are setup
    currently, including IP #'s. Also some "outstanding issues". I would
    appreciate folks updating this as they build stuff out. I am a bit
    concerned about making this information publicly visible, but the
    alternative so far has been a lack of clarity on status within the group
    and outwards to legitimately interested parties. Perhaps we ought to set up
    a more secure way of handling status information that might mildly
    compromise security (at least the obscure kind).

    http://wiki.osgeo.org/index.php/SAC_Service_Status

  o Security Groups Policy: This is my first draft of what I think we might
    need for user groups in LDAP for various user roles. I have tried to
    keep it simple, rather than provide for very fine grained items. I'm
    assuming we can add complexity later. Input appreciated. I think we
    need to get some sort of groups policy in place fairly quickly. If I
    don't get feedback in a few days, I'll propose a motion to adopt this
    document to the SAC list.

    http://wiki.osgeo.org/index.php/SAC:Security_Groups_Policy

  o LDAP related procedures: I think we need to capture some of the
    magic knowledge about how to do stuff like add new users to LDAP
    or how to configure a system or service to use LDAP for authentication.
    I think it would mostly be Howard that needs to flesh some of this in
    so he doesn't get stuck having to do everything related to LDAP
    forever. I hope over time we will accumulate 'how to' procedural
    information for a variety of common system administration tasks.

    http://wiki.osgeo.org/index.php/SAC:Create_New_User
    http://wiki.osgeo.org/index.php/SAC:Setup_LDAP_Authentication

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGF, http://osgeo.org

At 12:21 AM -0400 6/23/06, Frank Warmerdam wrote:

Could you explain a bit more to me about why LDAP needs to be doing SSL
or firewalled to only talk to internal servers? I have added your items
to a SAC TODO list I have started at:

It's the same dichotomy as running a webserver with or without SSL. SSL encrypts otherwise clear text communication. This includes binding to the LDAP with a username/password. If the intention was ever to have systems from outside of TelaScience communicate with the LDAP (we'll want this for offsite replication/backup), it could be sniffed. Maybe the chance is low, but nonetheless we can make it harder :)

I have tried logging into the Plone instance at http://osgeo.telascience.org/
and it does not seem to let me log in with my LDAP userid and password. It
does have an old userid/password that I created within Plone. Howard
mentioned in IRC that the Plone authentication module seems to be missing
from the Plone instance now.

Yeah, checking the Plone instance at that site shows me that there isn't an LDAPUserFolder installed there. John, was it installed on another instance when I was testing/working on it?

Howard
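Howard's answer above is that a simple bind carries the username and password in clear text unless SSL wraps the session. The following added example (not code from the thread) encodes such an LDAPv3 BindRequest byte by byte, so the point can be checked on a constructed frame rather than a live capture; the DN uid=frank,ou=People,dc=osgeo,dc=org and the password are made-up values.

```python
"""Hand-encode an LDAPv3 simple BindRequest (RFC 4511, section 4.2) to show what
crosses the wire when a client binds without TLS. Added example, not code from
the thread; the DN and password are constructed sample values."""


def _ber_len(n):
    """BER length octets: one byte below 128, otherwise 0x80|count then the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """Tag, BER length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(value):
    """BER INTEGER for a non-negative value; (bits+8)//8 leaves room for a leading
    0x00 when the top bit is set so the number is not decoded as negative."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, body)


def encode_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = _tlv(
        0x60,                                    # [APPLICATION 0] constructed: BindRequest
        _integer(3)                              # version 3
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode("utf-8")),  # authentication: simple [0] OCTET STRING
    )
    return _tlv(0x30, _integer(message_id) + bind_request)   # outer SEQUENCE


def credentials_visible(frame, password):
    """True when the password's UTF-8 bytes appear verbatim in the frame, which is
    what any host on the path sees for a plain ldap:// session. Over ldaps:// or
    after StartTLS the identical frame travels inside TLS records instead."""
    return password.encode("utf-8") in frame


if __name__ == "__main__":
    frame = encode_simple_bind(1, "uid=frank,ou=People,dc=osgeo,dc=org", "correct-horse")
    print(frame.hex())
    print("password readable on the wire:", credentials_visible(frame, "correct-horse"))
```

For the sample values the frame is 62 bytes and ends with the 13 password bytes unchanged; an offsite replica binding over plain ldap:// across the Internet would send exactly that. Two checks complement the SSL-or-firewall choice Howard describes: on the client, `ldapsearch -ZZ ...` fails rather than silently falling back to cleartext when StartTLS cannot be negotiated, and on an OpenLDAP server the slapd.conf directive `security simple_bind=128` rejects simple binds that arrive without a security strength factor of at least 128, so a misconfigured client fails loudly instead of leaking its password.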

Howard Butler wrote:

At 12:21 AM -0400 6/23/06, Frank Warmerdam wrote:

Could you explain a bit more to me about why LDAP needs to be doing SSL
or firewalled to only talk to internal servers? I have added your items
to a SAC TODO list I have started at:

It's the same dichotomy as running a webserver with or without SSL. SSL encrypts otherwise clear text communication. This includes binding to the LDAP with a username/password. If the intention was ever to have systems from outside of TelaScience communicate with the LDAP (we'll want this for offsite replication/backup), it could be sniffed. Maybe the chance is low, but nonetheless we can make it harder :)

I have tried logging into the Plone instance at http://osgeo.telascience.org/
and it does not seem to let me log in with my LDAP userid and password. It
does have an old userid/password that I created within Plone. Howard
mentioned in IRC that the Plone authentication module seems to be missing
from the Plone instance now.

Yeah, checking the Plone instance at that site shows me that there isn't an LDAPUserFolder installed there. John, was it installed on another instance when I was testing/working on it?

Howard

FWIW - I could log in fine just now.

All

We can do SSL in hardware on this box: http://www.sun.com/products/networking/blades/ssl/

http://ldap.telascience.org:8080/osgeo/acl_users/manage_GRUFSources
Users source #1 is an LDAPUserFolder.

John

Howard Butler wrote:

At 12:21 AM -0400 6/23/06, Frank Warmerdam wrote:

Could you explain a bit more to me about why LDAP needs to be doing SSL
or firewalled to only talk to internal servers? I have added your items
to a SAC TODO list I have started at:

It's the same dichotomy as running a webserver with or without SSL. SSL encrypts otherwise clear text communication. This includes binding to the LDAP with a username/password. If the intention was ever to have systems from outside of TelaScience communicate with the LDAP (we'll want this for offsite replication/backup), it could be sniffed. Maybe the chance is low, but nonetheless we can make it harder :)

I have tried logging into the Plone instance at http://osgeo.telascience.org/
and it does not seem to let me log in with my LDAP userid and password. It
does have an old userid/password that I created within Plone. Howard
mentioned in IRC that the Plone authentication module seems to be missing
from the Plone instance now.

Yeah, checking the Plone instance at that site shows me that there isn't an LDAPUserFolder installed there. John, was it installed on another instance when I was testing/working on it?

Howard