User:John/Shell

From Orain Meta
Jump to navigation Jump to search

Shell access to the Orain cluster (emphasis on just shell here), may be granted to users when decided by the person responsible for managing access that both a) more hands are needed to help maintain a service or b) shell for the particular user would be advantageous to Orain directly or indirectly. As shell access is not given out on any regular basis (if at all), there is no set procedure apart from contacting the person responsible for managing access to the cluster. For the purpose of this page (and to reflect current working state) this person is John.

For those who have shell - John is wanting to cut down on broad access currently given (such as full root access for those who does not require it) and the general working practice of those with access. Below are a set of principles lovingly collected from places such as Debian and Ubuntu working policies with the Orain spin attached to them.

Responsibilities

  1. The users marked as 'roots' on all machines (a list in ansible is available here) are wholly responsible for ensuring all of the servers and services used on the servers are security patched and running as expected. Discretion lies with them to do anything necessary even against these guidelines if the end result is security and integrity of the system.
  2. Do not use any of the servers for third party uses which are contributing directly to Orain. As all of the servers are paid for through donations - everything should be going back to feeding into the end game. Third party use of the servers can be approved by a root although only under exceptional circumstances.
  3. Some servers may grant access to private data. If this is the case for you - do not share the data with anyone outside of who has access to the data. This means, sharing some private data with a root or a user with the same access as you is acceptable if the method of communication is private and secure. Access to private data is taken very seriously by Orain - currently we do not employ any sort of legal agreements with users with access to the data but that does not mean we are not able to handle basic things such as revoking access for an undetermined about of time and deferring the matter to someone with legal knowledge of the matter.
  4. Just don't do anything stupid.