[Linaro-validation] token management for automatically submitted jobs

Alexander Sack asac at linaro.org
Tue May 8 08:48:06 UTC 2012 

On Tue, May 8, 2012 at 3:21 AM, Michael Hudson-Doyle
<michael.hudson at linaro.org> wrote:
> On Mon, 7 May 2012 12:26:00 +0200, Alexander Sack <asac at linaro.org> wrote:
>> On Mon, May 7, 2012 at 12:19 PM, Loïc Minier <loic.minier at linaro.org> wrote:
>> > On Mon, May 07, 2012, Michael Hudson wrote:
>> >> 2) Another way is to create a user that does not correspond to a user on
>> >>    LP (gfx-daily-job-submitter or somethign) and add it to the linaro
>> >>    group on v.l.o.  This feels a bit better, but it's not very 'self
>> >>    service' -- the only way to create such a user is via the admin panel
>> >>    afaik.
>> >
>> >  This seems fine to me; creating a machine-to-machine account/setup
>> >  seems like a one-off action which doesn't need to involve LP.
>> >   We could share a single set of LAVA credentials for all jobs coming
>> >  from ci.linaro.org.
>> >
>> >  If this isn't automated enough, we could have a way to create new LAVA
>> >  credentials for anyone in a specific Launchpad team?
>> >
>> Yes, machine to machine is the way to go...
>>
>> But, I don't think we need specific users like gfx-... we just need
>> _one_ user shared by all @linaro.org protected jobs. This should be
>> configured on the backend side for all @linaro.org transparently so
>> the user (alf) does not need to bother about it...
>>
>> That should be simple to setup and shouldn't require lot's of
>> maintenance nor any further sophistication.
>
> I think that makes sense.  The necessity of the infrastructure team
> sharing the password of this user still doesn't seem like a great thing,
> but maybe that's OK for now.
>
> (In the medium term, maybe we should be able to associate tokens with
> groups, and any member of the group can manage tokens associated with
> the group?)

Why does the infrastructure team need to share the password? I
anticipate them to setup the job for alf and ensure that the proper
password is seeded on the build host that submits the tests.


-- 
Alexander Sack
Technical Director, Linaro Platform Teams
http://www.linaro.org | Open source software for ARM SoCs
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog

More information about the linaro-validation mailing list