[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Tiered admins with cfengine / dual control
From: |
Martin, Jason H |
Subject: |
RE: Tiered admins with cfengine / dual control |
Date: |
Thu, 13 Oct 2005 08:06:15 -0700 |
Could you provide some more details about your update script?
-Jason Martin
> -----Original Message-----
> From:
> help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org
> [mailto:help-cfengine-bounces+jason.h.martin=cingular.com@gnu.
> org] On Behalf Of Adams, Russell L.
> Sent: Thursday, October 13, 2005 8:04 AM
> To: help-cfengine@gnu.org
> Subject: Re: Tiered admins with cfengine / dual control
>
>
> I sign my configs with gnupg, and my update script checks for
> a valid sig before installing new config files.
>
> You could do the same things but require a dual signing.
>
> Russell
>
> On Thu, Oct 13, 2005 at 07:58:28AM -0700, Martin, Jason H wrote:
> > Along the same lines, has anyone implemented a system such
> that there
> > is no one person capable of pushing out changes? I'm
> talking about a
> > system analogous to the nuclear missile keys that require 2
> people to
> > agree to launch.
> >
> > The scenario here is how would the college protect itself
> from Jason
> > Edgecombe, as a top-level SA, deciding to bring down the entire
> > university infrastruture.
> >
> > CFE doesn't support this directly, but perhaps it could be
> managed via
> > a module. I'm thinking it'd have to be based on two
> different master
> > servers agreeing on a configuration, with discrepencies
> causing CFE to
> > fail into a internal-maintenance-only mode. Assuming that
> each master
> > server has a mutually exclusive set of root users, it'd have to be
> > something that none of them could subvert on their own.
> >
> > Thank you,
> > -Jason Martin
> >
> > > -----Original Message-----
> > > From:
> > > help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org
> > > [mailto:help-cfengine-bounces+jason.h.martin=cingular.com@gnu.
> > > org] On Behalf Of Mark Burgess
> > > Sent: Thursday, October 13, 2005 7:34 AM
> > > To: Jason Edgecombe
> > > Cc: help-cfengine@gnu.org
> > > Subject: Re: Tiered admins with cfengine
> > >
> > >
> > > On Thu, 2005-10-13 at 09:56 -0400, Jason Edgecombe wrote:
> > > > Hi everyone,
> > > >
> > > > I work at a university, and we are currently using
> cfengine in our
> > > > college to manage some linux and Mac machines. In our
> > > college, there are
> > > > two admins including myself who are trusted and have total
> > > control of
> > > > the cfengine config.
> > > >
> > > > Using cfengine has been proposed as being adopted by the entire
> > > > University for Mac administration. My concern is how do we
> > > inherit the
> > > > campus config and only let people in our college modify the
> > > config that
> > > > affects our machines.
> > > >
> > > > For example, I am in the College of Arts & Sciences and
> I can only
> > > > change the cfengine configs for machines in my college. The
> > > college of
> > > > Architecture would only have access to their machines,
> but we both
> > > > inheirt the changes pushed out by central IT.
> > > > I simply want to limit the effects of accidental
> changes made by
> > > > different admins. It's not just newbieness that I'm worried
> > > about. I
> > > > don't have a full understanding of what my changes might do
> > > to another
> > > > college's computers.
> > > >
> > > > Basically, how can we partition the cfengine set up between
> > > > admins,
> > > > but
> > > > still inherit a config from central it? Do we have to
> use different
> > > > cfengine servers for this?
> > > >
> > > > Thanks,
> > > > Jason
> > >
> > > Hi Jason - you don't have to use different cfengine servers
> > > for this, but you could, The way to inherit things is to use
> > > overridable "includes". One way to organize the permissions
> > > is to use CVS or subversion and put the different files in
> > > different projects so that one needs permission to edit them.
> > >
> > > Mark
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Help-cfengine mailing list
> > > Help-cfengine@gnu.org
> > > http://lists.gnu.org/mailman/listinfo/help-> cfengine
> > >
> >
> >
> > _______________________________________________
> > Help-cfengine mailing list
> > Help-cfengine@gnu.org
> > http://lists.gnu.org/mailman/listinfo/help-cfengine
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-> cfengine
>
- RE: Tiered admins with cfengine / dual control, Martin, Jason H, 2005/10/13
- Re: Tiered admins with cfengine / dual control, Adams, Russell L., 2005/10/13
- RE: Tiered admins with cfengine / dual control,
Martin, Jason H <=
- Re: Tiered admins with cfengine / dual control, Adams, Russell L., 2005/10/13
- RE: Tiered admins with cfengine / dual control, Martin, Jason H, 2005/10/13