On 7 May 2012 08:08, Michael Hudson-Doyle michael.hudson@linaro.org wrote:
Hi all,
Suppose there is a LAVA user, and to avoid taxing my imagination let's call him Alexandros. He wants to have some jobs submitted automatically from ci.linaro.org to lava that deposit results in a bundle stream that only members of linaro can see, which all seems reasonable enough.
Currently though, the story for tokens around this is a bit horrible. To be able to submit to a /private/team/linaro/... bundle, you have to submit the job as a member of the linaro group in v.l.o.
I can think of a few ways of doing this, but I don't really like any of them:
- jenkins on ci.linaro.org could use one of alf's tokens, but that seems a little tied to him (what if he leaves linaro, etc)
We have a process for leavers. If we choose this option, we should add an action to disable/remove those accounts.
- Another way is to create a user that does not correspond to a user on LP (gfx-daily-job-submitter or something) and add it to the linaro group on v.l.o. This feels a bit better, but it's not very 'self service' -- the only way to create such a user is via the admin panel afaik.
- A third way is to create a fake user on LP and add it to the ~linaro team there. This also seems a bit horrible.
There is a fourth way that is actually happening but doesn't help -- create a user on LP and do _not_ add it to ~linaro: https://launchpad.net/~ciadmin [1].
This option isn't 'self service' either. A CI admin should add the credential on Jenkins and a v.l.o admin should create the user.
I don't really have a suggestion for what would be better here. It feels a bit like the model we have for access and handling tokens is perhaps a bit too simple currently. What do you guys think?
I don't have anything better to propose, but the issue to resolve isn't for Validation only imo. It should involve Infrastructure to get a really safe [2] self service system and a better story for the end user.
Cheers, mwh
[1] this is why ci.linaro.org lost the job-submitting permission -- I didn't realize ciadmin on v.l.o corresponded to a user on LP!
[2] avoid leaking lava user/token