Closed
Bug 734140
Opened 12 years ago
Closed 12 years ago
Need an LDAP account for automation
Categories
(Infrastructure & Operations :: Infrastructure: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mdas, Assigned: jabba)
Attachments
(1 file, 1 obsolete file)
417 bytes, text/plain
As described in Bug 733836, I'm setting up some automation to mirror a git repository to an hg repo in hg.mozilla.org. I want this automation to have its own LDAP account, and to grant it commit access to only certain hg.mozilla.org/projects. Automated mirroring is something that our team is going to be involved with more, so being able to grant commit access to a select few repositories in hg.mozilla.org would be the right way to go about it in the event that any of these automation machines get compromised.
Updated•12 years ago
Assignee: desktop-support → aignacio
Updated•12 years ago
Assignee: aignacio → mozillamarcia.knous
Component: Server Operations: Account Requests → Repository Account Requests
QA Contact: tfairfield → repo-acct-req
Comment 1•12 years ago
Malini: I imagine you want something similar to Bug 531141?
Reporter
Comment 2•12 years ago
Maybe, if the calbld user has restricted access to only certain repos (under hg.mozilla.org/projects for us specifically). I didn't find the bug very clear.
Comment 3•12 years ago
This is a server-ops task. I'm guessing that this kind of restricted HG account is going to be troublesome to implement, given the current levels setup. Which exact repositories do you want this account to have access to?
Assignee: mozillamarcia.knous → server-ops-devservices
Component: Repository Account Requests → Server Operations: Developer Services
QA Contact: repo-acct-req → shyam
Reporter
Comment 4•12 years ago
(In reply to Gavin Sharp (use gavin@gavinsharp.com for email) from comment #3)
> This is a server-ops task. I'm guessing that this kind of restricted HG
> account is going to be troublesome to implement, given the current levels
> setup.
>
> Which exact repositories do you want this account to have access to?

The repository in question is yet to be created (Bug 733836), but this is going to be an automation LDAP account, so as more projects on the ateam's side need repository automation, more repositories will be added. At the moment, I'll just need access to the repository created in Bug 733836.
Reporter
Comment 5•12 years ago
We will be running our automation from an internal machine, so we won't need to restrict its commit access to particular repositories. We now only need this account to have level 2 commit access. Any idea when we can get this LDAP account created?
Comment 6•12 years ago
LDAP stuff is handled by the infra team, reassigning.
Assignee: server-ops-devservices → server-ops-infra
Component: Server Operations: Developer Services → Server Operations: Infrastructure
QA Contact: shyam → jdow
Assignee
Updated•12 years ago
Assignee: server-ops-infra → jdow
Assignee
Comment 7•12 years ago
I'll need:
The name of the account
a public ssh key for the account
an ack from gavin to grant scm_level_2 privileges
Reporter
Comment 8•12 years ago
Hey there, "automation" should be a good name for the account. If that's taken, then "ateamauto" should be fine.
Reporter
Updated•12 years ago
Summary: Need a restricted LDAP account for automation → Need an LDAP account for automation
Reporter
Comment 9•12 years ago
The previous public key was for an older automation machine. Updating the attachment for the new machine.
Attachment #615938 -
Attachment is obsolete: true
Assignee
Comment 10•12 years ago
Ok, account is created, pubkey associated. The account is uid=ateamauto,ou=logins,dc=mozilla and has the "mail" attribute of "ateamauto@mozilla.com", which is a dummy mail address, but that is the username needed for hg, so the machine's ~/.ssh/config will need these lines in it:

Host hg.mozilla.org
    User ateamauto@mozilla.com

It's all set to go, but I'm waiting for the ack for addition to the scm_level_1 and scm_level_2 groups.
Comment 11•12 years ago
Go ahead and enable scm_level_1/scm_level_2.
Assignee
Comment 12•12 years ago
Done! You should be good to go here.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•11 years ago
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations