Loading policy/tpa-rfc-7-root.md +17 −6 Original line number Diff line number Diff line Loading @@ -126,20 +126,31 @@ three methods for ending the membership: # Examples * dgoulet should have root access on the Schleuder server (which should probably be moved out of `eugeni` beforehand, because we probably do not want to grant dgoulet root access on the main mail server) * ahf should have root access on the GitLab server, which would have helped diagnosing the [problem following the 13.5 upgrade](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40074) * the `onionperf` services were setup outside of TPA because they required custom `iptables` rules, which wasn't allowed before but would be allowed under this policy: TPA would deploy the requested rule or, if they were dynamic, allow write access to the configuration somehow Counter examples: # Counter examples * service admins MUST NOT be granted root access on all servers * dgoulet should have root access on the Schleuder server but cannot have it right now because Schleuder is on a server that also hosts the main email and mailing lists services * service admins do not need root access to the monitoring server to have their services monitored: they can ask TPA to setup a scrape or we can configure a server which would allow collaboration on the monitoring configuration ([issue 40089][]) [issue 40089]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40089 # Deadline No deadline set yet. This proposal will be adopted on December 7th 2020, unless there are objections. # Status Loading Loading
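Review bot: the dgoulet/Schleuder case appears under both `# Examples` and `# Counter examples`, so the policy reads as granting and refusing the same access. Suggest keeping it in one list and stating the precondition once: root on the Schleuder server only after Schleuder is moved out of `eugeni`, since root there would also cover the main email and mailing list services. Separately, in the `onionperf` bullet, "allow write access to the configuration somehow" leaves the mechanism and scope of that write access undefined. For dynamic `iptables` rules the text should say which configuration the service admin may write to, or link the ticket that will decide it, the way the monitoring bullet links issue 40089.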