On Tue, Jun 24, 2014 at 7:37 AM, Renich Bon Ciric
<[email protected]> wrote:
> On Tue, Jun 24, 2014 at 8:33 AM, Filipe Brandenburger <[email protected]> 
> wrote:
>> On Tue, Jun 24, 2014 at 6:27 AM, Renich Bon Ciric <[email protected]> 
>> wrote:
>>> The reason they enable sudo and lock root is to keep better auditing
>>> options. But, hey, it's not like you're gonna create 20 keys in a
>>> single server for 20 admins to go in and do stuff.
>>
>> Huh, it kind of is... If you create a project and add many users to
>> it, all of them will get accounts created by google-compute-daemon, so
>> in effect every user of the project will be able to login to every
>> compute instance. I currently work on a project with 5 users and all
>> of us can log in to all instances. If someone else comes along to the
>> project, we just add them and they get access to all instances
>> automatically.
>
> My only problem with that is that it will create passwordless sudo for
> all of them. I don't think you want 20 admins in a 20 user server. My
> point is that, usually, one is admin and he delegates (through sudo,
> perms and groups, ACL, SELinux, etc).

Yes, but currently there's no good way (that I know of) to specify
which users are admins and which users are not... That's not just a
problem with the Fedora image but with GCE in general. A possible way
to handle that would be to introduce a metadata key such as
"admin-users" with a list of users that should get sudo and then only
add those to sudoers. The problem, then, is that *all* users can go to
the GCE console and modify the metadata to add themselves to
"admin-users" so that defeats the purpose...

Unfortunately, right now I don't think there's a good way around it...
All users registered for a project in GCE are effectively root, so if
you want to keep that list short you should only keep a handful of
users registered *in GCE*.

Once your instances are up, you can of course activate some different
form of user management for additional users, for instance you can
hook it to a FreeIPA which contains a user database of your "mortal"
users and then you can manage the box as you'd usually do.

Does that make sense?

Cheers,
Filipe
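The scheme Filipe sketches above (an "admin-users" metadata key, with sudoers entries generated only for the users it names) can be shown as a small provisioning helper. This is an added example, not code from the thread, from google-compute-daemon or from the Fedora image; the project user list, the metadata value and the sudoers.d path are all constructed for the example, and the metadata is passed in as a string rather than fetched from the metadata server.

```python
import re

# Constructed sample inputs: the users google-compute-daemon would create
# accounts for, and the value of a hypothetical "admin-users" metadata key.
SAMPLE_PROJECT_USERS = ["alice", "bob", "carol", "dave"]
SAMPLE_ADMIN_USERS_METADATA = "alice,carol"

# Only plain POSIX-style usernames are accepted when building sudoers lines,
# so a malformed or hostile metadata value cannot add extra sudoers syntax.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

SUDOERS_PATH = "/etc/sudoers.d/admin-users"  # hypothetical drop-in location


def parse_admin_users(metadata_value):
    """Split a comma-separated 'admin-users' value into a set of validated usernames.
    Entries that are not well-formed usernames are dropped, not passed through."""
    names = set()
    for raw in metadata_value.split(","):
        name = raw.strip()
        if name and USERNAME_RE.match(name):
            names.add(name)
    return names


def partition_users(project_users, admin_users):
    """Return (admins, mortals): project users who get sudo, and those who only get a login.
    A name in admin_users that is not a project user gets nothing."""
    admins = sorted(u for u in project_users if u in admin_users)
    mortals = sorted(u for u in project_users if u not in admin_users)
    return admins, mortals


def render_sudoers(admins):
    """Render a sudoers.d drop-in granting passwordless sudo to the admin users only."""
    lines = ["# Generated from the 'admin-users' metadata key; do not edit by hand."]
    for user in admins:
        lines.append(f"{user} ALL=(ALL) NOPASSWD: ALL")
    return "\n".join(lines) + "\n"


def plan_access(project_users, admin_users_metadata):
    """Decide who gets sudo, who gets a plain account, and what the drop-in should contain."""
    admins, mortals = partition_users(project_users, parse_admin_users(admin_users_metadata))
    return {"admins": admins, "mortals": mortals, "sudoers": render_sudoers(admins)}


if __name__ == "__main__":
    plan = plan_access(SAMPLE_PROJECT_USERS, SAMPLE_ADMIN_USERS_METADATA)
    print("sudo:", plan["admins"])
    print("login only:", plan["mortals"])
    print(f"would write to {SUDOERS_PATH}:\n{plan['sudoers']}")
```

The helper only narrows who lands in sudoers; it does nothing about the caveat in the message above, that every project user can edit the metadata and add themselves to "admin-users". It therefore buys you the "one admin, the rest mortals" layout only to the extent the metadata itself is trusted, which is why keeping the GCE project membership short remains the real control.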
_______________________________________________
cloud mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct