[tor-bugs] #27145 [Internal Services/Tor Sysadmin Team]: help.tpo accounts is not clear enough

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 14 22:59:08 UTC 2018


#27145: help.tpo accounts is not clear enough
-------------------------------------------------+---------------------
 Reporter:  juga                                 |          Owner:  tpa
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------
Changes (by irl):

 * owner:  (none) => tpa
 * component:  - Select a component => Internal Services/Tor Sysadmin Team


Comment:

 I am not a sysadmin team person, so some of this may be incorrect, but
 here's my understanding:

 Replying to [ticket:27145 juga]:
 > Quoting https://help.torproject.org/tsa/doc/accounts/:
 >
 > > Most of the time when people want access to a specific host, what they
 > > really want is getting added to a particular group
 >
 > does "people" need to know how ldap works or how the different
 > services/machines are configured to know which "group" they want to be
 > added to?
 > i suspect no

 If you already have an ldap account you can probably log in to the machine
 and run `ls -la /srv/thing` and it will tell you what group owns a
 service.

 Many things are documented on the
 [[https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure|Infrastructure]]
 wiki page.

 For most services you would probably have been working with existing
 people in the group and they would know what group access to ask for.

 > > If you want to get added to some unix group, you will have to find an
 > > existing member of that group.
 >
 > awesome explanation, what if a new group is needed?

 This should probably still be a ticket for the sysadmin component, but the
 group creation would normally be a side effect of the deployment of a new
 service, which again would be a ticket for the sysadmin component.

 > > They should then request on trac –
 >
 > ok, the person in the group, not the person that "want" the "access".

 Yes. The request must be from an existing member of the group.

 > > ideally in a PGP signed message (as above in the new account creation
 > > section) – that you be added to their group.
 >
 > it seems this means that the *OpenPGP*-signed message should be in the
 > trac ticket, but gives confusion to whether it should be an email, and
 > whether it should be PGP-signed.

 `gpg --clearsign` will produce a signed message that can be pasted into a
 trac ticket, and allow for the person processing the ticket to validate
 the signature.

 > And i could not find the component where to include this ticket.

 I have filed it in the sysadmin component, which is where ldap related
 things go.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27145#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
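
The clearsign-and-validate step described in the comment above, as an added example that is not part of the original message or of the sysadmin team's tooling. The key, address, request text and function names are constructed, and comparing the signer against a fingerprint the processor already holds is an assumption about how validation would be done.

```shell
#!/usr/bin/env bash
# Added example: constructed key, address and request text; throwaway keyring only.

# Generate a passphrase-less test key in $GNUPGHOME (a stand-in for the existing
# group member's key) and print its primary fingerprint.
make_member_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Group Member <member@example.org>' \
      default default never >/dev/null 2>&1 || return 1
  gpg --batch --with-colons --list-keys member@example.org |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Group member's side: clearsign the request text ($1) for pasting into the ticket.
sign_request() {
  printf '%s\n' "$1" | gpg --batch --quiet --clearsign
}

# Processor's side: $1 = file holding the pasted message, $2 = fingerprint the
# processor already holds for the group member. Prints the text gpg verified
# and succeeds only when a valid signature was made by that exact key.
verify_request() {
  local body status signer rc
  rc=1
  body=$(mktemp)
  status=$(gpg --batch --yes --status-fd 1 --output "$body" --decrypt "$1" 2>/dev/null) || true
  # VALIDSIG is emitted only for a cryptographically good signature; its last
  # field is the primary key fingerprint.
  signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
  if [ -n "$signer" ] && [ "$signer" = "$2" ]; then
    cat "$body"   # act on this text, not on what is displayed in the ticket
    rc=0
  fi
  rm -f "$body"
  return "$rc"
}

# Run the whole exchange in a temporary keyring: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  fpr=$(make_member_key)
  sign_request 'Please add user newperson to group examplegroup.' > "$GNUPGHOME/ticket.asc"
  verify_request "$GNUPGHOME/ticket.asc" "$fpr" && echo "accepted: signed by $fpr"
  gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"
fi
```

A "Good signature" line alone only shows that some key signed the text; the fingerprint comparison is what ties the request to an existing member of the group.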

