cti-tac.lists.linuxfoundation.org archive mirror
 help / color / mirror / Atom feed
* Re: General keyring process questions.
  2024-02-29 14:55 General keyring process questions Carlos O'Donell
@ 2024-02-29 14:50 ` Konstantin Ryabitsev
  0 siblings, 0 replies; 2+ messages in thread
From: Konstantin Ryabitsev @ 2024-02-29 14:50 UTC (permalink / raw)
  To: Carlos O'Donell; +Cc: cti-tac

On Thu, Feb 29, 2024 at 09:55:45AM -0500, Carlos O'Donell wrote:
> - Does adding a key to allowed-signers give access to also update
>   allowed-signers itself?

No, it just adds the key to the keyring. The actual permissions to that
repository are granted by LF IT upon request and the trusted introducer
verification process.

>   - I assume the answer is that only trusted indtroducers can update
>     the keyring, and that the keyring is only an intermediary keyring
>     because it doesn't look like a normal gitolite admin repo.

Correct.

> - What is the syntax of allowed-signers?

https://man.openbsd.org/ssh-keygen.1#ALLOWED_SIGNERS

>   - What does 'namespace="git"' mean?

It means that this key is allowed to sign git commits.

> - Are new account requests sent to it-coreprojects-helpdesk@linuxfoundation.org?

For the moment -- I expect we will set up helpdesk@coretoolchain.dev in the
near future.

> - What are the implications of selecting a username?

Minimal.

>   - I assume the answer is that the username is not visible anywhere, but
>     is the username used during the ssh connection to the gitolite server
>     and as such is the name used in the gitolite admin repo with the keys?

The username only shows up in the backend logs and helps us figure out who
connected and what operations they performed.

> - How do we authorize group membership?

Helpdesk request.

>   - How do we know what groups to request in the email to LF IT?

To be established.

>   - Group membership is a gitolite repo policy detail and some groups may
>     have distinct project policy e.g. web repo vs. code repo.
> 
>     How do we enforce that policy?
> 
>     For example, a gitolite project will usually have an admin repo with
>     configuration and keys, and the code repos. In the current setup it
>     LF IT is the maintainer of the admin repo, and the community maintains
>     the keyring and content repos. If we have several content repos, how
>     do we authorize only access to one of them? Is that encoded in the
>     allowed-signers in some way?

No, this is discussed in a helpdesk request and acked by designated group
managers on the project side. We can establish the exact procedure at a later
time.

HTH.

-K

^ permalink raw reply	[flat|nested] 2+ messages in thread
* General keyring process questions.
@ 2024-02-29 14:55 Carlos O'Donell
  2024-02-29 14:50 ` Konstantin Ryabitsev
  0 siblings, 1 reply; 2+ messages in thread
From: Carlos O'Donell @ 2024-02-29 14:55 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: cti-tac

Konstantin,

I'm dog-fooding the trusted introducer process with one of the CTI TAC
members as a way to work out the kinks for the general developer
workflow of adding and removing people.

Questions:

- Does adding a key to allowed-signers give access to also update
  allowed-signers itself?

  - The answer I epxect is "No" because I want a distinction between
    community "admin" and community "developer" (which write access
    to the repository).

  - I assume the answer is that only trusted indtroducers can update
    the keyring, and that the keyring is only an intermediary keyring
    because it doesn't look like a normal gitolite admin repo.
    
- What is the syntax of allowed-signers?

  - What does 'namespace="git"' mean?

- Are new account requests sent to it-coreprojects-helpdesk@linuxfoundation.org?

- What are the implications of selecting a username?

  - I assume the answer is that the username is not visible anywhere, but
    is the username used during the ssh connection to the gitolite server
    and as such is the name used in the gitolite admin repo with the keys?

- How do we authorize group membership?

  - How do we know what groups to request in the email to LF IT?

  - Group membership is a gitolite repo policy detail and some groups may
    have distinct project policy e.g. web repo vs. code repo.

    How do we enforce that policy?

    For example, a gitolite project will usually have an admin repo with
    configuration and keys, and the code repos. In the current setup it
    LF IT is the maintainer of the admin repo, and the community maintains
    the keyring and content repos. If we have several content repos, how
    do we authorize only access to one of them? Is that encoded in the
    allowed-signers in some way?

-- 
Cheers,
Carlos.


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-02-29 15:12 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-29 14:55 General keyring process questions Carlos O'Donell
2024-02-29 14:50 ` Konstantin Ryabitsev

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).