Opened 10 years ago

Closed 10 years ago

#49 closed (fixed)

Josh shouldn't be in xoadmins

Reported by: jbs@bbn.com Owned by: jonmills@renci.org
Priority: major Milestone:
Component: AM Version: SPIRAL4
Keywords: Cc:
Dependencies:

Description

Josh was temporarily added to the 'xoadmins' group, but he should really be in 'bbnadmins'. Put him back into that group, and fix the permissions on the FOAM and FV password files on both bbn-hn and rci-hn:

sudo chgrp bbnadmins /etc/flowvisor/fvpasswd /opt/foam/etc/foampasswd

Change History (7)

comment:1 Changed 10 years ago by jbs@bbn.com

I talked to Jon about this briefly today, and it's somewhat complicated, because the current model only really has "RENCI admins" and "BBN admins", and assumes that RENCI admins are full can-do-anything admins on the RENCI rack, while BBN admins are full can-do-anything admins on the BBN rack. What we really want here is that I (and Chaos and Tim) should be can-do-anything admins on the BBN rack, and have enough privs to admin *only* FOAM and FV on the RENCI rack.

That shouldn't necessarily need any sudo privs at all -- it should be enough for us to be in a group that can read the fvpasswd and foampasswd files. (It might be handy if we could restart FOAM too, but I think that isn't essential.) So one solution would be to make those files on the RENCI rack have gid 'bbnadmins', at least while GPO folks are running FOAM on the RENCI rack; but there might be a better solution, like a 'foamadmins' group. (But I suspect not, because I think we'll want the Clemson local admins to be able to run FOAM at Clemson, but not FOAM at RENCI or BBN -- I don't think there's a single ExoGENI-wide group of FOAM admins.)

comment:2 Changed 10 years ago by jbs@bbn.com

Jonathan put me back into bbnadmins, and I've chgrp-ed /opt/foam/etc/foampasswd back to bbnadmins on bbn-hn, but can't do likewise on rci-hn. Jonathan, can you do that at some point?

comment:3 Changed 10 years ago by jonmills@renci.org

Should be good to go now, Josh.

comment:4 Changed 10 years ago by jbs@bbn.com

/opt/foam/etc/foampasswd now looks good, but /opt/flowvisor/etc/flowvisor/fvpasswd on rci-hn is still group 'xoadmins'. In theory, one can be a FOAM admin without also having to be a FV admin, but it's probably easier to debug problems if we can do both. Can you make FV be group 'bbnadmins' too?

comment:5 Changed 10 years ago by jbs@bbn.com

Can you make FV be group 'bbnadmins' too?

By "FV", I meant "/opt/flowvisor/etc/flowvisor/fvpasswd on rci-hn", in case that wasn't obvious.

comment:6 Changed 10 years ago by vjo@duke.edu

Owner: changed from somebody to jonmills@renci.org

comment:7 Changed 10 years ago by jbs@bbn.com

Resolution: fixed
Status: newclosed

Victor reports that Jonathan added bbnadmins to the extended file ACL on /opt/flowvisor/etc/flowvisor/fvpasswd, and I confirmed that I can now read the file and run fvctl. That's it for this one!

Note: See TracTickets for help on using tickets.