Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: add a powers.md to document who has access #811

Merged
merged 2 commits into from
Aug 10, 2017
Merged

doc: add a powers.md to document who has access #811

merged 2 commits into from
Aug 10, 2017

Conversation

gibfahn
Copy link
Member

@gibfahn gibfahn commented Jul 24, 2017
edited
Loading

Initial stab at covering who has access to what.

Outstanding questions:

  • @bnoordhuis has read access to nodejs/secrets, as he's an org owner I assume this is no longer necessary? EDIT: Yep, historical, removed him.
  • is release-* the same group as infra-*? I think it is, but looking at the commit history I'm not sure. EDIT: It's not
  • what about website access? Is there any special access that people have that we should document?

Follow-on proposal: we could create sub-teams of @nodejs/build to list the groups of people who have access to things (which saves having lists of names in this document). I think it's just nodejs/infra-admins (which have access to release-* and infra-*) but I'm not sure.

Refs: #798 (comment)

@gibfahn gibfahn force-pushed the doc-access branch 7 times, most recently from 7cc5206 to 45f3712 Compare July 24, 2017 05:12
@rvagg
Copy link
Member

rvagg commented Jul 24, 2017

might be a bit picking and this is just a suggestion, but maybe "powers" isn't the best name here, "access" or similar might be a bit more .. gentle?

also, who do those links to the team members work for? what level of access does someone need to be able to see who is in jenkins-admins for example and do we care for example if non-collaborators can't see that?

@mcollina
Copy link
Member

👍 on access.

Also, is there a crash course on the infra or some documents I can read. According to this doc, I have access to the infrastructure secrets and keys. However, there is little guidance in the CTC onboarding process on those.

Moreover, is there a process to revoke access? In other terms, how do we rotate keys?

@piccoloaiutante
Copy link
Member

I like access or even infra-access.md.

@rvagg it seems to me that in order to seejenkins-admins you need to be at least a member of the org. I think that having jenkins-admins not seen by non-collaborators isn't a big issue, as if a new comer needs to contact someone in the team can always ask in issues or irc.

@mcollina I got onboarded by @jbergstroem and @joaocgreis. Maybe would be a good idea to arrange one with you.

@gibfahn
Copy link
Member Author

gibfahn commented Jul 24, 2017
edited
Loading

also, who do those links to the team members work for? what level of access does someone need to be able to see who is in jenkins-admins for example and do we care for example if non-collaborators can't see that?

@rvagg They only work for org members. It would be great if they were public, but that's a Github thing, so there's not much we can do. The only question is whether it's better to have them or not. I'd say it's better to have them. I can add a sentence explaining that if it'd be helpful.

EDIT: I added an explanatory sentence and emailed Github to ask if it could be made public, I think that's about all that can be done.


Also, is there a crash course on the infra or some documents I can read.

@mcollina This is my first attempt at having build WG documentation. I figured we needed to work out what we actually have before we talk about how to do stuff.

EDIT: I should clarify that there is a tonne of really good technical documentation in ansible/, which @jbergstroem added. However to understand how to use that you already have to know quite a lot of stuff.

According to this doc, I have access to the infrastructure secrets and keys. However, there is little guidance in the CTC onboarding process on those.

You have access to the secrets repo, but not to the gpg encrypted secrets within. Access is documented in that repo, which I think is the best place for it. If it's inadequate then we should add to that repo's docs. I'll add a sentence saying that.

FWIW I don't think it's particularly intentional that org owners have access, it's just how Github works. You won't actually be able to decrypt any of the files inside it.

@mcollina
Copy link
Member

mcollina commented Jul 24, 2017
edited
Loading

EDIT: I understand now. It needs to be reworded and explained. Having access to the secrets repo means nothing, but given it is under "Machine Access" heading it seems to refer to machine access, not to the secrets repo.

@gibfahn
Copy link
Member Author

gibfahn commented Jul 24, 2017

For a list of machines, see the [inventory.yml][]. Access is controlled through the [secrets repo][], which [@nodejs/build][] (and [org owners][]) have access to.

You have access to the repo, just not to the individually encrypted secrets within. I've tried to clarify, does it make more sense? If not please suggest some text (I don't want to get too verbose here).

@mcollina
Copy link
Member

How about

Access to the secrets repo does not imply access to the machines themselves.

@gibfahn
Copy link
Member Author

gibfahn commented Jul 24, 2017

I changed powers.md to access.md. I quite liked powers, reminded me of superpowers (which is apt, as with other superpowers, it usually means you have to fix stuff at inconvenient hours etc.) But access is fine too (just bland).

@gibfahn
Copy link
Member Author

gibfahn commented Jul 24, 2017

@mcollina okay I pretty much added that, PTAL.

jbergstroem

This comment was marked as off-topic.

Sign in to view

mhdawson

This comment was marked as off-topic.

Sign in to view

@mhdawson
Copy link
Member

mhdawson commented Aug 2, 2017

In terms of employer, I don't think we want to add that as its not necessarily tied to why/who has access. Having is discover-able through the github profile is good though.

@gibfahn
Copy link
Member Author

gibfahn commented Aug 4, 2017

Generally LGTM. Thought: do we want to add employer or is that perhaps better expressed through a GitHub profile? A few of us have "keys to the kingdom" of sorts.

I agree with @mhdawson that adding the employer gives the wrong impression, people don't have access because of their employer. At the same time I think we should definitely be open about who we work for. Making sure everyone has it clearly documented in their Github profile would be good.

Github allows you to fill in the company field in https://github.com/settings/profile, maybe we should encourage everyone to fill it in.

image

image

gibfahn

This comment was marked as off-topic.

Sign in to view

@gibfahn
Copy link
Member Author

gibfahn commented Aug 9, 2017
edited
Loading

@rvagg I'd like to land this, any objections?

Answers to the questions in my initial comment would be great too!

@gibfahn gibfahn requested review from Starefossen and phillipj August 9, 2017 21:36
gibfahn

This comment was marked as off-topic.

Sign in to view

@gibfahn gibfahn mentioned this pull request Aug 9, 2017
Closed
@jbergstroem
Copy link
Member

No objections to landing as-is. Let me try and answer other outstanding questions.

@gibfahn said:
@bnoordhuis has read access to nodejs/secrets, as he's an org owner I assume this is no longer necessary?

I would agree. He was historically very active in part of the creation of io.js and the general structure of all repos. I would guess this is the remnant of that.

@gibfahn said:
what about website access? Is there any special access that people have that we should document?

Guessing you're referring to updating the website. This is handled through the website group in this repo: https://github.com/nodejs/nodejs.org as well as work that is done and landed through the build team for building those assets.

@gibfahn gibfahn force-pushed the doc-access branch 3 times, most recently from df9f404 to de2b956 Compare August 10, 2017 07:56
gibfahn added 2 commits August 10, 2017 08:58
@gibfahn
doc: rename jenkins job configuration doc
efb11cc 
PR-URL: nodejs#811
Refs: nodejs#798 (comment)
Reviewed-By: Johan Bergström <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
@gibfahn
doc: add a powers.md to document who has access
ef1f863 
Initial stab at covering who has access to what.

PR-URL: nodejs#811
Refs: nodejs#798 (comment)
Reviewed-By: Johan Bergström <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
@gibfahn gibfahn merged commit ef1f863 into nodejs:master Aug 10, 2017
@gibfahn
Copy link
Member Author

gibfahn commented Aug 10, 2017

Landed in efb11cc ef1f863

@gibfahn gibfahn deleted the doc-access branch August 10, 2017 07:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jbergstroem jbergstroem jbergstroem approved these changes

@mhdawson mhdawson mhdawson approved these changes

@rvagg rvagg Awaiting requested review from rvagg

@Starefossen Starefossen Awaiting requested review from Starefossen

@phillipj phillipj Awaiting requested review from phillipj

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@gibfahn @rvagg @mcollina @piccoloaiutante @mhdawson @jbergstroem @phillipj