* Re: General keyring process questions.
2024-02-29 14:55 General keyring process questions Carlos O'Donell
@ 2024-02-29 14:50 ` Konstantin Ryabitsev
0 siblings, 0 replies; 2+ messages in thread
From: Konstantin Ryabitsev @ 2024-02-29 14:50 UTC (permalink / raw)
To: Carlos O'Donell; +Cc: cti-tac
On Thu, Feb 29, 2024 at 09:55:45AM -0500, Carlos O'Donell wrote:
> - Does adding a key to allowed-signers give access to also update
> allowed-signers itself?
No, it just adds the key to the keyring. The actual permissions to that
repository are granted by LF IT upon request and the trusted introducer
verification process.
> - I assume the answer is that only trusted indtroducers can update
> the keyring, and that the keyring is only an intermediary keyring
> because it doesn't look like a normal gitolite admin repo.
Correct.
> - What is the syntax of allowed-signers?
https://man.openbsd.org/ssh-keygen.1#ALLOWED_SIGNERS
> - What does 'namespace="git"' mean?
It means that this key is allowed to sign git commits.
> - Are new account requests sent to it-coreprojects-helpdesk@linuxfoundation.org?
For the moment -- I expect we will set up helpdesk@coretoolchain.dev in the
near future.
> - What are the implications of selecting a username?
Minimal.
> - I assume the answer is that the username is not visible anywhere, but
> is the username used during the ssh connection to the gitolite server
> and as such is the name used in the gitolite admin repo with the keys?
The username only shows up in the backend logs and helps us figure out who
connected and what operations they performed.
> - How do we authorize group membership?
Helpdesk request.
> - How do we know what groups to request in the email to LF IT?
To be established.
> - Group membership is a gitolite repo policy detail and some groups may
> have distinct project policy e.g. web repo vs. code repo.
>
> How do we enforce that policy?
>
> For example, a gitolite project will usually have an admin repo with
> configuration and keys, and the code repos. In the current setup it
> LF IT is the maintainer of the admin repo, and the community maintains
> the keyring and content repos. If we have several content repos, how
> do we authorize only access to one of them? Is that encoded in the
> allowed-signers in some way?
No, this is discussed in a helpdesk request and acked by designated group
managers on the project side. We can establish the exact procedure at a later
time.
HTH.
-K
^ permalink raw reply [flat|nested] 2+ messages in thread
* General keyring process questions.
@ 2024-02-29 14:55 Carlos O'Donell
2024-02-29 14:50 ` Konstantin Ryabitsev
0 siblings, 1 reply; 2+ messages in thread
From: Carlos O'Donell @ 2024-02-29 14:55 UTC (permalink / raw)
To: Konstantin Ryabitsev; +Cc: cti-tac
Konstantin,
I'm dog-fooding the trusted introducer process with one of the CTI TAC
members as a way to work out the kinks for the general developer
workflow of adding and removing people.
Questions:
- Does adding a key to allowed-signers give access to also update
allowed-signers itself?
- The answer I epxect is "No" because I want a distinction between
community "admin" and community "developer" (which write access
to the repository).
- I assume the answer is that only trusted indtroducers can update
the keyring, and that the keyring is only an intermediary keyring
because it doesn't look like a normal gitolite admin repo.
- What is the syntax of allowed-signers?
- What does 'namespace="git"' mean?
- Are new account requests sent to it-coreprojects-helpdesk@linuxfoundation.org?
- What are the implications of selecting a username?
- I assume the answer is that the username is not visible anywhere, but
is the username used during the ssh connection to the gitolite server
and as such is the name used in the gitolite admin repo with the keys?
- How do we authorize group membership?
- How do we know what groups to request in the email to LF IT?
- Group membership is a gitolite repo policy detail and some groups may
have distinct project policy e.g. web repo vs. code repo.
How do we enforce that policy?
For example, a gitolite project will usually have an admin repo with
configuration and keys, and the code repos. In the current setup it
LF IT is the maintainer of the admin repo, and the community maintains
the keyring and content repos. If we have several content repos, how
do we authorize only access to one of them? Is that encoded in the
allowed-signers in some way?
--
Cheers,
Carlos.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-02-29 15:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-29 14:55 General keyring process questions Carlos O'Donell
2024-02-29 14:50 ` Konstantin Ryabitsev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).