-
jdt
I'm thinking that I need to reorganize my accounts all under a single primary account as sub-users and use RBAC from there. I haven't explored that much in the past, but it seems like the way to go.
-
bahamat
Well, it depends.
-
bahamat
If you're using a public cloud, that's probably what you want so that you can consolidate billing.
-
bahamat
But if it's a private cloud, then there's less of an advantage to it.
-
jdt
Yeah, that's not relevant for this use-case. I just want to be sure that all users can see all VMs from the Triton CLI.
-
bahamat
I think the main advantage with using RBAC in a private cloud would be to create a fabric network in the top level account that can be used by more than one sub-account.
-
bahamat
Yeah, that would be another reason for it.
-
bahamat
Another way to go about it is to use --act-as
-
jdt
Oh, I'll check that out.
-
jdt
Nice.
-
bahamat
We could even update the triton cli so that act-as is a top level property that's always used in a specific profile.
-
jdt
That'll work for now - thanks for the tip.
-
bahamat
That way you basically have one account that holds all the vms, and everyone else has their own discrete logins.
-
jdt
I'm getting my team to start using Triton and realized I'd never used it in a multi-user sort of way outside of JPC. :)
-
jdt
Folks couldn't see other people's VMs and that surprised me (it shouldn't have).
-
bahamat
With MNX I basically make an account per app.
-
bahamat
Or other logical boundary.
-
jdt
That makes sense.
-
bahamat
So we've got a dev account that holds all of the build instances and stores the build artifacts in manta.
-
bahamat
That also has other things that are core to the dev process. Like our github webhooks are processed in that account.
-
bahamat
Then there's one for smartos, which has all of the non-triton related smartos things (web site, wiki/docs, etc)
-
bahamat
There's a "software" one that has the image servers (i.e., images.smartos.org, updates.tritondatacenter.com) and some tools for managing/publishing images
-
bahamat
One for metrics which has all of the prometheus/grafana infra.
-
bahamat
One for portal
-
bahamat
That way I context switch based on the app I'm managing.
-
bahamat
And I manage all of those from my own personal account using --act-as
-
jdt
Nice. That's a clean way to do it.
-
bahamat
My account is an operator, but you can do the same thing without operator access.
-
bahamat
In the account that owns the resources, make an rbac group named "administrator" and add other account names to it.
-
bahamat
Then those other accounts will be allowed to use the "owning" account with the same permissions as the owning account.
-
bahamat
If you want/need fine-grained permission control, that's when you really want to switch over to sub accounts.
-
jdt
Okay, great. Thanks.