Difference between revisions of "SystemAdministration/GroupPermissions"

From SoylentNews
Line 10: Line 10:
  
 
Here's our breakdown of permissions that can access what. Please note this refers to physical access permissions, *not* roles in teams. We try and practice least amount of access necessary in an attempt to keep things relatively secure. You can be in multiple groups
 
Here's our breakdown of permissions that can access what. Please note this refers to physical access permissions, *not* roles in teams. We try and practice least amount of access necessary in an attempt to keep things relatively secure. You can be in multiple groups
 +
 +
If you feel, you should have access to a machine you don't currently have, discuss the matter with your team leader, they can then request access the matter with a member of the Sysops team. The decision however, falls entirely in the hands of the Sysops group.
  
 
== List of Groups ==
 
== List of Groups ==
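
Review bot: The added paragraph's first sentence is garbled at "they can then request access the matter with a member of the Sysops team", which reads like two phrasings merged, and "If you feel, you should" carries a stray comma. Suggest "discuss the matter with your team leader, who can then raise the request with a member of the Sysops team." In the second sentence, "The decision however, falls" needs a comma on both sides of "however". Since this paragraph defines the only path for getting more access, it would also help to say where such a request is made so the Sysops decision can be traced later.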

Revision as of 18:26, 29 March 2014

Access to machines is controlled by the POSIX groups you belong to in LDAP. This page is a quick reference for what each group's permissions allow.

Checking Permissions

From any node, you can run 'id' on a user to see which groups, and therefore which permissions, you or anyone else has:

mcasadevall@soylent-db:~$ id mcasadevall
uid=2500(mcasadevall) gid=2500(firefighters) groups=2501(sysops),2500(firefighters),2502(db)

Here's our breakdown of which permissions can access what. Please note this refers to physical access permissions, *not* roles in teams. We try to practice the least amount of access necessary in an attempt to keep things relatively secure. You can be in multiple groups.

If you feel you should have access to a machine you don't currently have, discuss the matter with your team leader, who can then raise the request with a member of the Sysops team. The decision, however, falls entirely in the hands of the Sysops group.

List of Groups

{| class="wikitable"
! Group Name !! Is !! What Can Access
|-
| firefighters || all staff || firefighters can access the shell box, used to springboard to other nodes
|-
| db || database administrators || db users can access production databases, and sudo to the db user. They can *not* sudo to root
|-
| dev_team || slashcode developers || can access dev nodes, can sudo to root on dev nodes
|-
| ircops || IRC administrators || access to IRC hosting nodes, can sudo to root on irc boxes
|-
| prod_access || people trusted to push out on production || can access all production nodes as well as edge nodes, can sudo to the slash account. No root privileges
|-
| svcadmin || admins of misc svcs box || shell access to all services nodes (outdated?), can sudo to root on svc nodes.
|-
| sysops || users with global root || sysops can sudo to root on all nodes, as well as access any node that we run. Users in this group also have access to the Linode master panel
|}
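
As an added example (not part of the original wiki page or any SoylentNews tooling), this Python sketch parses a line of `id` output like the one under Checking Permissions and reports the sudo scope that the group table implies, including the case where `id` prints a bare gid because the name lookup failed. The scope strings are summaries of the table; the second sample line, its user, its gids and the `wheel` group are constructed.

```python
import re

# Sudo scope per group, summarised from the "List of Groups" table on this page.
SUDO_SCOPE = {
    "firefighters": None,
    "db": "db user, not root",
    "dev_team": "root on dev nodes",
    "ircops": "root on irc boxes",
    "prod_access": "slash account, not root",
    "svcadmin": "root on svc nodes",
    "sysops": "root on all nodes",
}

# Assumes user and group names contain no spaces, commas or parentheses.
LINE_RE = re.compile(
    r"uid=\d+\((?P<user>[^)]+)\) gid=(?P<gid>\S+)(?: groups=(?P<groups>\S+))?"
)
ENTRY_RE = re.compile(r"(\d+)(?:\(([^)]+)\))?")

# Sample line from this page, plus a constructed one (made-up user, gids and
# "wheel" group) with a gid that the directory could not resolve to a name.
PAGE_SAMPLE = "uid=2500(mcasadevall) gid=2500(firefighters) groups=2501(sysops),2500(firefighters),2502(db)"
CONSTRUCTED = "uid=2600(example) gid=2500(firefighters) groups=2500(firefighters),2503(dev_team),2599,2510(wheel)"


def review_id_output(line):
    """Summarise one line of `id` output against the group table."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"not id output: {line!r}")
    names, unresolved = set(), set()
    # The primary gid grants access too, so handle it like the other groups.
    for entry in [m["gid"]] + (m["groups"] or "").split(","):
        parsed = ENTRY_RE.fullmatch(entry) if entry else None
        if entry and parsed is None:
            raise ValueError(f"malformed group entry: {entry!r}")
        if parsed and parsed[2]:
            names.add(parsed[2])
        elif parsed:
            unresolved.add(int(parsed[1]))  # bare number: name lookup failed
    scopes = {g: SUDO_SCOPE[g] for g in names if SUDO_SCOPE.get(g)}
    return {
        "user": m["user"],
        "root": sorted(s for s in scopes.values() if s.startswith("root")),
        "other_sudo": sorted(s for s in scopes.values() if not s.startswith("root")),
        "undocumented": sorted(names - set(SUDO_SCOPE)),
        "unresolved_gids": sorted(unresolved),
    }
```

Groups reported under `undocumented` or `unresolved_gids` are the ones to follow up on, since the table on this page says nothing about what they grant.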