[CentOS-devel] Central Auth: Group naming and Process Proposal

Wed Aug 5 20:01:38 UTC 2015
Brian Stinson <brian at bstinson.com>

Hi All,

We're working on testing instances of FAS for storing our user/group
membership information used by the CBS. I'd like to talk about group
naming and the permissions model to get some input. The goal is to get
these discussions going so we can set up our test environment to mirror
what we'll roll out in production. Consider this a proposal, and please
send comments my way (on-list please!).

Groups will use the convention 'sig-<shortname>', for example: people in
the Cloud SIG will be members of the FAS group 'sig-cloud'. This
convention will allow push access in dist-git to any branch that starts
with sig-cloud (sig-cloud7, sig-cloud7-openstack,
sig-cloud7-openstack-juno) and grant build permissions under the SIG tags
in Koji[0]. 

FAS has 3 types of membership in a group: Admin, Sponsor, and User. All 3
levels will be granted commit/build permissions, while only Admins and
Sponsors can modify members of the group. 

To match our permissions model[1], I propose:
- We populate the 'Accounts' (Global Admin) group with the members of the
  CentOS Board. 
- The Board member responsible for each SIG will create the appropriate 
  SIG group in FAS
- The Board member will add him/herself as an admin of the group
- The Board member will sponsor the SIG Chair as a sponsor for the group
- From then on, the SIG Chair and Board member can sponsor others into the
  group as users (and optionally add more sponsors to the group)

Anyone have thoughts? Once we reach consensus, I'll get this written up
for the SIG wiki page. 

Cheers!
Brian 

[0]: http://wiki.centos.org/BrianStinson/GitBranchesandKojiTags
[1]: http://wiki.centos.org/SpecialInterestGroup