[Linaro-validation] token management for automatically submitted jobs
michael.hudson at linaro.org
Wed May 9 00:03:19 UTC 2012
On Tue, 8 May 2012 10:48:06 +0200, Alexander Sack <asac at linaro.org> wrote:
> On Tue, May 8, 2012 at 3:21 AM, Michael Hudson-Doyle
> <michael.hudson at linaro.org> wrote:
> > On Mon, 7 May 2012 12:26:00 +0200, Alexander Sack <asac at linaro.org> wrote:
> >> On Mon, May 7, 2012 at 12:19 PM, Loïc Minier <loic.minier at linaro.org> wrote:
> >> > On Mon, May 07, 2012, Michael Hudson wrote:
> >> >> 2) Another way is to create a user that does not correspond to a user on
> >> >> LP (gfx-daily-job-submitter or somethign) and add it to the linaro
> >> >> group on v.l.o. This feels a bit better, but it's not very 'self
> >> >> service' -- the only way to create such a user is via the admin panel
> >> >> afaik.
> >> >
> >> > This seems fine to me; creating a machine-to-machine account/setup
> >> > seems like a one-off action which doesn't need to involve LP.
> >> > We could share a single set of LAVA credentials for all jobs coming
> >> > from ci.linaro.org.
> >> >
> >> > If this isn't automated enough, we could have a way to create new LAVA
> >> > credentials for anyone in a specific Launchpad team?
> >> >
> >> Yes, machine to machine is the way to go...
> >> But, I don't think we need specific users like gfx-... we just need
> >> _one_ user shared by all @linaro.org protected jobs. This should be
> >> configured on the backend side for all @linaro.org transparently so
> >> the user (alf) does not need to bother about it...
> >> That should be simple to setup and shouldn't require lot's of
> >> maintenance nor any further sophistication.
> > I think that makes sense. The necessity of the infrastructure team
> > sharing the password of this user still doesn't seem like a great thing,
> > but maybe that's OK for now.
> > (In the medium term, maybe we should be able to associate tokens with
> > groups, and any member of the group can manage tokens associated with
> > the group?)
> Why does the infrastructure team need to share the password? I
> anticipate them to setup the job for alf and ensure that the proper
> password is seeded on the build host that submits the tests.
They would need to log on to v.l.o as the "_one_ user shared by all
@linaro.org protected jobs" to generate/manage the tokens used.
More information about the linaro-validation