On 24/10/17 15:56, Karanbir Singh wrote:
On 24/10/17 09:45, Fabian Arrotin wrote:
Here are some notes taken from the CERN pre-dojo meeting from last week :
<paste> Allow SIGs to have separate accounts for build bots - separate user accounts from "bot" accounts for security reasons - [proposal] have an email alias (not list) per sig for the bots, like sig-<bla>@centos.org pointing to the SIG's chair - [proposal] SIG chair must request or approve email alias requests/ ACO account creation sent to CentOS Board chairman </paste>
So, (as also discussed yesterday in the CBS meeting - https://www.centos.org/minutes/2017/October/centos-devel.2017-10-23-14.01.lo...)
The proposal would be to create a @centosproject.org (or @centos.org) email alias, that would go to SIG chair, and that would be used to create an account on https://accounts.centos.org While we can manually generate x509 cert with longer validity period, we discussed the fact that using centos-cert just takes 2 seconds every 6 months, so SIG members who were present didn't find it a real issue. (email notifications go to SIG chair - and/or other members ? - in advance so easy to follow)
That's probably the workflow people use already anyway, while Brian confirmed that longer-term a proper credentials store would be on the roadmap, but soon.
I'd like to see a better write up of the use cases for these bot's
As the requests came from SIGs, I'll let them explain their needs, but here are some points:
- SIG Cloud instance has already a "cloudinstance" bot that you approved for the Vagrant images - SIG Cloud / RDO people asked for such bot instead of using Haikel's "cert and key" in their existing workflow - SIG Storage (for Ceph) asked for the same thing : https://bugs.centos.org/view.php?id=13884