Opened 12 years ago

Closed 12 years ago

#49 closed (fixed)

Josh shouldn't be in xoadmins

Reported by: jbs@bbn.com
Owned by: jonmills@renci.org
Priority: major
Milestone:
Component: AM
Version: SPIRAL4
Keywords:
Cc:
Dependencies:

Description

Josh was temporarily added to the 'xoadmins' group, but he should really be in 'bbnadmins'. Put him back into that group, and fix the permissions on the FOAM and FV password files on both bbn-hn and rci-hn:

sudo chgrp bbnadmins /etc/flowvisor/fvpasswd /opt/foam/etc/foampasswd

Change History (7)

comment:1 Changed 12 years ago by jbs@bbn.com

I talked to Jon about this briefly today, and it's somewhat complicated, because the current model only really has "RENCI admins" and "BBN admins", and assumes that RENCI admins are full can-do-anything admins on the RENCI rack, while BBN admins are full can-do-anything admins on the BBN rack. What we really want here is that I (and Chaos and Tim) should be can-do-anything admins on the BBN rack, and have enough privs to admin *only* FOAM and FV on the RENCI rack.

That shouldn't necessarily need any sudo privs at all -- it should be enough for us to be in a group that can read the fvpasswd and foampasswd files. (It might be handy if we could restart FOAM too, but I think that isn't essential.) So one solution would be to make those files on the RENCI rack have gid 'bbnadmins', at least while GPO folks are running FOAM on the RENCI rack; but there might be a better solution, like a 'foamadmins' group. (But I suspect not, because I think we'll want the Clemson local admins to be able to run FOAM at Clemson, but not FOAM at RENCI or BBN -- I don't think there's a single ExoGENI-wide group of FOAM admins.)

comment:2 Changed 12 years ago by jbs@bbn.com

Jonathan put me back into bbnadmins, and I've chgrp-ed /opt/foam/etc/foampasswd back to bbnadmins on bbn-hn, but can't do likewise on rci-hn. Jonathan, can you do that at some point?

comment:3 Changed 12 years ago by jonmills@renci.org

Should be good to go now, Josh.

comment:4 Changed 12 years ago by jbs@bbn.com

/opt/foam/etc/foampasswd now looks good, but /opt/flowvisor/etc/flowvisor/fvpasswd on rci-hn is still group 'xoadmins'. In theory, one can be a FOAM admin without also having to be a FV admin, but it's probably easier to debug problems if we can do both. Can you make FV be group 'bbnadmins' too?

comment:5 Changed 12 years ago by jbs@bbn.com

Can you make FV be group 'bbnadmins' too?

By "FV", I meant "/opt/flowvisor/etc/flowvisor/fvpasswd on rci-hn", in case that wasn't obvious.

comment:6 Changed 12 years ago by vjo@duke.edu

Owner: changed from somebody to jonmills@renci.org

comment:7 Changed 12 years ago by jbs@bbn.com

Resolution: fixed
Status: changed from new to closed

Victor reports that Jonathan added bbnadmins to the extended file ACL on /opt/flowvisor/etc/flowvisor/fvpasswd, and I confirmed that I can now read the file and run fvctl. That's it for this one!
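
The end state reported in comment:7 (file group still 'xoadmins', 'bbnadmins' granted through an extended ACL) can be verified from `getfacl` output without sudo. The following is an added example, not part of the ticket; the function names and the owner and permission bits in the sample ACL text are constructed assumptions.

```shell
#!/bin/sh
# Added example. Reads `getfacl` output on stdin and reports whether GROUP has
# effective read access, via the owning group or a named-group ACL entry.
group_can_read() {   # usage: getfacl FILE | group_can_read GROUP
    awk -v want="$1" '
        /^# group: /    { owning = $3 }
        /^group::/      { split($0, f, ":"); own_perm = f[3] }
        /^group:[^:]+:/ { split($0, f, ":"); named[f[2]] = f[3] }
        /^mask::/       { split($0, f, ":"); mask = f[3]; has_mask = 1 }
        END {
            ok = 0
            if ((want in named) && substr(named[want], 1, 1) == "r") ok = 1
            if (want == owning && substr(own_perm, 1, 1) == "r") ok = 1
            # A mask entry caps the rights of every group-class entry.
            if (has_mask && substr(mask, 1, 1) != "r") ok = 0
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: what getfacl might print for the rci-hn file after the
# fix. Owner and mode bits are assumptions; the group names are from the ticket.
acl_after_fix() {
cat <<'EOF'
# file: opt/flowvisor/etc/flowvisor/fvpasswd
# owner: root
# group: xoadmins
user::rw-
group::r--
group:bbnadmins:r--
mask::r--
other::---
EOF
}

# Same ACL with the mask cleared: the bbnadmins entry is present but ineffective.
acl_masked() { acl_after_fix | sed 's/^mask::r--$/mask::---/'; }

for g in xoadmins bbnadmins foamadmins; do
    if acl_after_fix | group_can_read "$g"; then
        echo "$g: read access"
    else
        echo "$g: no read access"
    fi
done
```

On a real host the input would come from `getfacl` run against the password file; a later `chmod` that narrows the group bits also narrows the ACL mask, which is the case `acl_masked` models.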
