#6031 use sysadmin-qa for maintaining waiverdb
Closed: Fixed 6 years ago Opened 6 years ago by mjia.

As $subject, please. @dcallagh, does this sound right to you?


Specifically, I think what we want here is for a new group outside sysadmin-main to be granted permission to run waiverdb playbooks using rbac-playbook.

We were thinking of re-using the sysadmin-qa group and getting @mjia sponsored into that group... but before we go co-opting the Fedora QA team's FAS group we will run it by them to see if they are okay with that. :-)

I have started a thread:
https://lists.fedoraproject.org/archives/list/qa-devel@lists.fedoraproject.org/thread/Z64ZJP3SRJSGUKRWQW3OH2PCMVXX6CCL/

So, one thing to note up front here: We have a process for adding new applications, called "Request For Resources". The process is outlined in: https://fedoraproject.org/wiki/Request_For_Resources

As part of that we usually make a new sysadmin-whatever group for the new app and it's maintainers.

I'm not against just re-using sysadmin-qa here if thats desired by the existing sysadmin-qa folks of course.

@ralph are you sponsoring this effort? Shall we make a RFR ticket and such?
@tflink what do you think about just using sysadmin-qa for this?

I don't have any strong feelings about it since I suspect this will become more related to the other qa stuff that we're doing. I assume that the plan is to use this in Fedora if it's being deployed there? Who's going to be maintaining this longer term?

After glancing through the code, I'm not sure it'll play nice in infra, though. It appears to only support krb for auth and I was under the impression that wouldn't work for most (if not all) non-koji apps.

For some background on what this thing is for, see https://fedoraproject.org/wiki/Infrastructure/Factory2/Focus/WaiverDB

@kevin, @dcallagh, with respect to the request for resources -- at the moment, this is just for maintaining the dev waiverdb node in the fedora infra cloud: See #6009.

@ralph are you sponsoring this effort? Shall we make a RFR ticket and such?

Yes, I will. I think @mjia and @dcallagh were going to hold off on RFR for staging/prod until their package gets through package review so they can mess with it on the dev node. Then again, maybe there's no reason to wait. Guys, when you're ready, can you file it and cc me?

The thing about the sysadmin-? group here is that @mjia can't currently run the playbook against the dev node without having some entry in rbac-playbook for him.

With respect to @tflink's comments: yeah, this is part of a longer process of getting waiverdb in place for use in Fedora. My team can be on the maintenance hook for it, but we'd appreciate sharing that responsibility with fedora qa.

As to auth, the openidc auth should've been added here: https://pagure.io/waiverdb/pull-request/20 The krb auth is there only for an internal RH deployment.

Makes sense.

Lets just use sysadmin-qa for now for the dev instance and if we decide to change it later we always can. Forward to victory! :revolving_hearts:

@ralph since we've decided to use sysadmin-qa for the dev instance, what is the next step for me to have the permission of running the playbook?

Sorry, you asked like a week ago @mjia and I never got back to this.

I just added sysadmin-qa to have perms to run hosts/waiverdb-dev.fedorainfracloud.org.yml with rbac playbook.

I see you're already in the sysadmin-qa group.

Next step would be to try it and see if it works.

Thanks @ralph, I'll give it go.

I've successfully run the playbook with rbac-playbook and deployed the dev instance of WaiverDB.

http://waiverdb-dev.fedorainfracloud.org/api/v1.0/waivers/

So I think we can mark this issue as resolved.

ok, great!

:honey_pot:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Login to comment on this ticket.

Metadata