[SAC] Projects Administration Question

Mon Jun 21 00:47:58 EDT 2010

Hi,

We've decided to (at least attempt) to go with a single piece of 
shared infrastructure for project hosting at the moment on our new
VM setup.

Access to this VM should be relatively open, compared to other VMs.
However, this raises the question of admin access.

What I would like to do is to have each project use a setup that 
minimizes the need for actual 'admin' access. 

What I've done so far:

 * Created a globally writable /osgeo/, as a home for projects.
 * Created an openlayers user and group.
 * Added members of the OpenLayers LDAP group to the openlayers
   group
 * Made it so that all users of the OpenLayers group can
   sudo without a password to the OpenLayers user. (This would
   be good for things like running backups, setting up a crontab,
   etc.)
 * Then, add one member from each project to the admin group 
   (which has full sudo access).

I worry somewhat about giving full sudo access to all users who 
have access to the machine; most projects probably don't need it,
and having one contact per project means it will be more likely
that we can find the person responsible for a particular aspect
of the project.

Most likely, this isn't going to be a big deal for most projects;
most of the existing projects only have one main sysadmin. However,
for OpenLayers (for example) there are at least 4-5 people who
have expressed interest in participating in sysadminy stuff as we
grow our website presence. Under this setup, things like apache
config + restarts would go through me (Or, if the project admin is
not available, could be requested through SAC), but other OL members 
could write scripts, modify cronjobs, check status of the server, 
svn up files/change web site, etc.

Is this something that people think is practical for most projects
currently looking to use the projects VM, or is this just overkill?

I mostly just want to limit people stepping on each other's toes...

Regards,
-- 
Christopher Schmidt
Nokia