Sysadmin report on the modernization of our infrastructure
Jan Kundrát
jkt at kde.org
Thu Jan 22 02:03:49 GMT 2015
On Wednesday, 21 January 2015 23:57:07 CEST, Ben Cooksley wrote:
> Using either
> http://www.guywarner.com/2014/06/part-2-integrating-phabricator-and.html
> or http://www.dctrwatson.com/2013/01/jenkins-and-phabricator/ or a
> variation thereof.
That is quite some custom code that one has to maintain, though.
> Commit emails could either be sent by our existing hooks, or we could
> migrate to Herald and customise its template to fit what we need if
> necessary.
> People would filter them / subscribe to them through Herald.
How would they subscribe via Herald if it was done via the existing hooks?
> Doesn't seem too high, although I don't see how that would be made web
> accessible - which might be the hard and costly part maintenance wise.
> (You have to deal with security issues too as you are in a separate
> web application, so you need to authenticate the developer first).
Well, Apache's mod_authnz_ldap and a "Require group developers" stanza
makes this really easy. Just look up $user from an appropriate env var
provided by the web server. Where is the problem?
> Our existing solution is triggered on change events in LDAP and causes
> all SSH keys to be re-read and a new ~/.ssh/authorized_keys file to be
> written out. You can't rely on OpenLDAP stating the addition/removals
> properly when using the syncrepl interface, at least in my experience.
> In this way we avoid dependence on the Identity web application.
A quick & dirty approach:
`ssh bot@gerrit gerrit set-account $user --delete-ssh-key ALL`
`ssh bot@gerrit gerrit set-account $user --add-ssh-key - < authorized_keys`
A better and race-free code would have to invoke `comm` in addition to
that, and only add/remove keys which have to be removed or added. That's
left as an exercise for the reader, it's easy enough. Or, to avoid relying
on a local state altogether, just issue a REST call for SSH key retrieval
and base a decision on that. It's gonna be like 10 lines of custom code.
Cheers,
Jan
--
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/
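The comm-based variant sketched in the mail above, written out as an added example (it is not code from the thread, from KDE sysadmin or from Gerrit). It computes the difference between the authorized_keys file written from LDAP and the keys Gerrit currently holds, applies only that difference, and takes the account name from REMOTE_USER as set by mod_authnz_ldap. The service account bot@gerrit, the `gerrit set-account ... -` stdin convention, the local file standing in for the REST key listing, and the DRY_RUN switch are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. It implements the "better and
# race-free" variant the mail describes: compare the authorized_keys file
# written out from LDAP with the keys Gerrit currently holds for the
# account, and only add/remove the difference, using comm(1).
#
# Assumptions (hypothetical, not taken from the thread):
#   - Gerrit is reached as the service account bot@gerrit over SSH, and
#     set-account accepts a key on stdin ("-"), which avoids quoting a key
#     that contains spaces on a remote command line.
#   - The "current keys" file is produced by the caller (e.g. from the REST
#     endpoint /a/accounts/<user>/sshkeys); fetching it is out of scope, so
#     the example reads a local file.
#   - With DRY_RUN=1 (the default here) nothing is executed; the commands
#     are only echoed.
export LC_ALL=C           # sort(1) and comm(1) must agree on collation
: "${GERRIT_SSH:=ssh bot@gerrit gerrit}"
: "${DRY_RUN:=1}"

# The account name comes from REMOTE_USER, which the web server sets only
# after mod_authnz_ldap has authenticated (and, via Require, authorised)
# the caller. Reject anything that is not a plain account name so it can
# never reach a command line unvalidated.
authenticated_user() {
    u=${REMOTE_USER:-}
    case $u in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$u"
}

# Normalise a key file for comparison: drop blank and comment lines, skip
# authorized_keys options such as "no-pty", keep only "<type> <base64>"
# (the trailing comment may legitimately differ between the two sources),
# sorted and de-duplicated as comm(1) requires.
normalize_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+)$/) {
                   print $i " " $(i+1); break } }' "$1" | sort -u
}

# Emit the minimal change set: "add <key>" for keys in the desired file
# but not in Gerrit, "del <key>" for keys Gerrit has that LDAP no longer
# lists. Keys present in both are left alone, so there is no remove-all /
# re-add window in which a developer briefly has no keys at all.
plan_key_sync() {
    want=$(mktemp) && have=$(mktemp) || return 1
    normalize_keys "$1" > "$want"
    normalize_keys "$2" > "$have"
    comm -23 "$want" "$have" | sed 's/^/add /'
    comm -13 "$want" "$have" | sed 's/^/del /'
    rm -f "$want" "$have"
}

# Run (or, in dry-run mode, echo) one Gerrit SSH command; stdin is passed on.
run_gerrit() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s %s <<< %s\n' "$GERRIT_SSH" "$*" "$(cat)"
    else
        $GERRIT_SSH "$@"
    fi
}

# Apply a plan (read from stdin) to one account, feeding each key on stdin
# rather than interpolating it into the remote command line.
apply_plan() {
    user=$1
    while read -r op key; do
        case $op in
            add) printf '%s\n' "$key" | run_gerrit set-account "$user" --add-ssh-key - ;;
            del) printf '%s\n' "$key" | run_gerrit set-account "$user" --delete-ssh-key - ;;
            *)   echo "unknown plan entry: $op" >&2; return 1 ;;
        esac
    done
}

# Whole flow, e.g. from a CGI wrapper behind mod_authnz_ldap:
#   user=$(authenticated_user) || exit 1
#   plan_key_sync "/home/$user/.ssh/authorized_keys" "$current_keys" | apply_plan "$user"
```

The validation in authenticated_user is the part worth keeping even if the rest is replaced by a REST call: whatever the web server hands over in REMOTE_USER ends up as an argument to set-account, so it must be constrained to an account-name alphabet before it is used.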