
launchpad-dev team mailing list archive

Re: making it easier to determine if an instance has what it needs to work


On Thursday 15 September 2011 10:09:09 Jonathan Lange wrote:
> On Thu, Sep 15, 2011 at 5:01 AM, Robert Collins
> <robertc@xxxxxxxxxxxxxxxxx> wrote:
> ...
> 
> > Bug 760079 talks about a app server specific checker, but thinking
> > about this more perhaps we should bake into all our services and
> > scripts a 'dependency checker'.
> > 
> > E.g.
> > oops-prune --check-environment
> > would:
> >  - check it has the needed DB access
> >  - and $any $other $needed firewall holes
> > in a non-destructive way.
> 
> ...
> 
> > What do you think?
> 
> Seems a fairly sensible idea. I'd be worried a little bit about skew
> between what an app thinks it needs to run and what it actually needs.
> Perhaps it's best phrased as a dry-run start up, rather than a deps
> check?

Agree, both with the idea and these concerns.

One of the biggest skews we have that *consistently* hurts us is setting up DB
users with the right permissions on tables.  This is largely because the
security.cfg is not action-based, but user-based.  That is - we should be
composing DB users' permissions out of a set of actions/roles (I think there's
one example of this in the file but it's an exception), not setting up each
user discretely.

However, I want to re-examine the requirement to set up explicit permissions 
on each user at all.  Why do we need this?  What is it helping to protect?  Is 
any of this worth the hassle and rollout problems?

This permissioning is also sometimes extremely hard to catch in testing. Quite 
often a particular set of permissions are only required in a tiny corner case 
that is not always relevant to the test intentions.

We already know that having separate users is useful to identify rogue 
connections etc, but I fail to understand why they need permissions.  This is 
particularly interesting given that we only do this with scripts - the webapp 
has carte blanche.

I would like to do away with the discrete permissions and make all the users
inherit from "main".  This would also bring the benefits of quicker tests
since they don't need to commit and switch db users.

I'd love to hear opinions on this.
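Putting the two ideas from this thread side by side, as an added example that is not code from the thread or from Launchpad: DB user grants composed out of named roles (rather than per user), plus a non-destructive `--check-environment` style comparison of what a script declares it needs against what its user is actually granted. The section layout, role and table names are constructed assumptions, not the real security.cfg format.

```python
import configparser
from collections import defaultdict

# Constructed sample in an assumed role-based layout (not Launchpad's real
# security.cfg): roles declare per-table privileges, users only list roles.
SAMPLE_CFG = """
[role:read_oops]
public.oops = SELECT
[role:prune_oops]
public.oops = SELECT, DELETE
public.oops_prune_log = SELECT, INSERT
[user:oops_prune]
roles = prune_oops
[user:oops_report]
roles = read_oops
"""


def load_security_cfg(text):
    """Parse roles and users; return ({role: {table: set(privs)}}, {user: [roles]})."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    roles, users = {}, {}
    for section in cp.sections():
        kind, _, name = section.partition(":")
        if kind == "role":
            roles[name] = {table: {p.strip().upper() for p in value.split(",")}
                           for table, value in cp.items(section)}
        elif kind == "user":
            users[name] = [r.strip() for r in cp.get(section, "roles").split(",")]
    return roles, users


def effective_grants(roles, users, user):
    """Compose a user's privileges as the union of its roles' grants."""
    grants = defaultdict(set)
    for role in users[user]:
        for table, privs in roles[role].items():
            grants[table] |= privs
    return dict(grants)


def check_environment(granted, required):
    """Dry-run check: return {table: missing privileges} for what a script
    declares it needs.  Pure comparison; nothing is executed against the DB,
    so it is safe to run on a production instance before the real start-up."""
    missing = {}
    for table, privs in required.items():
        lacking = set(privs) - granted.get(table, set())
        if lacking:
            missing[table] = lacking
    return missing
```

An empty result means the user has everything the script declared; the skew Jonathan worries about shows up as a non-empty mapping long before the corner-case code path runs.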

