Help cleanup openscapes access list #3240
Note that an existing GitHub org with a team can also be used instead :)
Hi @yuvipanda - this looks great. We know our list of users to remove, let me know how best to get this to you all. I think we'd want to use teams set up in the NASA-Openscapes Github org (unless there is some limit b/c we're talking about ~300 people who will likely maintain access)
@erinmr I think you should just add the people you wanna keep to specific teams in the What do you wanna do with the home directories of people who will no longer have access?
What's the cost of keeping home directories for folks we remove in terms of size and $ range?
@yuvipanda - I am not seeing options for bulk addition to Github teams. We are looking at adding about 300+ to a team. I can do this manually, but don't want to. They also will need to accept the invitation to the team which is another step that I'm not sure we want to add. Let me know what you think.
@erinmr I can probably look into a script that could do bulk addition. Unfortunately if we want to use GitHub teams / organizations, they have to accept the invite - I don't think there's a way around that.
@erinmr so this is the cost of home directories: The more data we get rid of here, the cheaper it will be (fairly proportionately). If you want, I can try to get a 'size of each user's homedir' to you and that can be used to proportionately do the math
Hi @yuvipanda - I had no idea we were paying $500 a month for storage! I think we want to reduce that significantly and not be a place that people are storing anything.
@erinmr I've emailed you a csv with user directory size info.
Hi @yuvipanda - I have added column L called Github team to the sheet "All users matched...." https://docs.google.com/spreadsheets/d/10Qg8YtUegXs9bepJzvK4UN54bX8BLXTrhxsjb2uV_6k/edit?resourcekey#gid=1672531370 For anyone we don't keep on a team, let's hold on deleting their home drives for a few days to make sure I haven't messed up, but I'd like to delete directories of those that we move off.
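Added example, not part of the thread and not 2i2c's or Openscapes' own tooling: one way to run the access review discussed above, combining a per-user home directory size export with a team column to list who keeps access, who is removed, and the proportional storage saving. The column names, usernames, team names and sizes are constructed assumptions; the $500 monthly figure is the one quoted in the thread.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not the real sheet's.
SAMPLE_CSV = """username,homedir_bytes,github_team
Alice,4000000000,longterm-team
bob,12000000000,
carol,1000000000,workshop-team
dave,3000000000,
alice,0,
"""


def review_access(csv_text, monthly_storage_cost):
    """Split users into keep/remove by team assignment and estimate savings."""
    keep, remove = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # GitHub logins are case-insensitive, so normalise before comparing.
        user = row["username"].strip().lower()
        size = int(row["homedir_bytes"] or 0)
        team = (row["github_team"] or "").strip()
        bucket = keep if team else remove
        bucket[user] = bucket.get(user, 0) + size
    # Fail safe: a user with a team on any row keeps access and their data.
    for user in keep:
        keep[user] += remove.pop(user, 0)
    freed = sum(remove.values())
    total = freed + sum(keep.values())
    share = freed / total if total else 0.0
    return {
        "keep": sorted(keep),
        # Largest home directories first, so the review starts with the big ones.
        "remove": sorted(remove, key=remove.get, reverse=True),
        "freed_bytes": freed,
        # Assumes cost scales with stored bytes ("fairly proportionately").
        "estimated_monthly_saving": round(monthly_storage_cost * share, 2),
    }


if __name__ == "__main__":
    report = review_access(SAMPLE_CSV, monthly_storage_cost=500)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Holding the `remove` list for a few days before deleting anything, as requested above, gives time to catch a username that was left off a team by mistake.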
@erinmr makes sense. Just ping again whenever you'd like directory deletion to happen. Have you sent out invites to github org / team for them as well? I want to understand if this is just some username homedirectory cleanup, or we're also moving to using github org / team for authentication.
We are ready to move to GitHub org team authentication too. I was thinking
we could create teams with the names in column L and do the batch invite,
if that works?
Thanks!
@erinmr that works! If you do end up using https://www.npmjs.com/package/gh-manage-invites for doing these invites, let me know how it goes :)
I am going to try!
Hi @yuvipanda - when I try to install nodejs the download times out and fails. Seems like this might be a known issue. I tried on two browsers too - chrome and firefox.
@erinmr ah, you can also install it with conda (
Hi Yuvi - I used the Kyber package to bulk add users to teams. Now we have: We are ready to switch to team access.
I also created the remove team -> https://github.com/orgs/NASA-Openscapes/teams/remove2i2caccess-team
Hi @yuvipanda - I left off a chunk of new workshop participants, so they have their own team -> https://github.com/orgs/NASA-Openscapes/teams/ecostress-emitworkshop-2i2c I think moving forward we will create teams for workshops in bulk and give and take away access that way, if that works? Same with Champions cohorts. Long-term folks have been added.
- Switching to using orgs & teams for authentication
- Don't allow hand-entered usernames access anymore

Ref 2i2c-org#3240
This also fixes an issue in 2i2c-org#3357, where config that should've been in staging.values.yaml was instead in common.values.yaml. I cancelled the run even though I only caught it after I hit merge, so no harm done. Ref 2i2c-org#3240
@erinmr https://github.com/openscapes/kyber looks super awesome! \o/
Yep, that makes sense. I think easiest would be for you to create a PR here adding them, and someone from our team can merge that. Sounds good?
@erinmr let's schedule cleanup maybe first week of december? What do we do with the home directories of people who will be removed?
Hi @yuvipanda - Let's delete it. Could we also shoot for week of Nov 27 or week of Dec 18. I'd prefer sooner than later, but will be traveling the first two weeks of Dec and won't have as much time to do admin work for the hub. Thanks!
@yuvipanda - We are struggling a bit with workshop real-time needs and Github Teams invitations. Can we talk about how to navigate this?
@erinmr yeah. Is the primary issue that folks don't know that they need to 'accept' an invite before they can login?
Hi Yuvi - The challenge is the workshop workflow. We often don't know the github names in advance so being able to quickly paste into 2i2c admin interface and get on with the workshop is best for that situation. In the workshop we need to go as fast as possible. We can move those folks over to a Github team after the workshop if they want to continue to work and continually remove the folks from 2i2c direct add after the workshop is over.
@erinmr hmm, so a different workflow would be to allow either people in the admin interface or people in the github team? I'm not sure that is possible but can investigate. When is your next workshop?
Choice of either admin interface would be great. Our next workshops are on Sunday, Dec 10 and there will be ~4 concurrent.
After debriefing with the openscapes folks on how this went, we have come to the conclusion that the best possible solution is to set up the authenticator in such a way that folks with pending invites can also log in.
This cleanup has been accomplished, and we have an issue to discuss this during the hackday next week #3614
@erinmr reached out about helping clean up the openscapes user access list. It's currently 800+ folks manually managed, and a bit unwieldy.
Openscapes was set up before our understanding of how to easily manage GitHub authentication solidified, and I think this is a good time to move 'em forward.
Tasks
This isn't disruptive because usernames will still be the same (as we're switching to github directly rather than github via cilogon). It allows easier long term maintenance of access control (via GitHub org), as well as allowing us to show different profiles to subsets of users based on GitHub team membership. For temporary workshops and stuff, we can also grant access for the duration of the workshop to a different GH team, that can then be revoked when they no longer need access.
The question to be determined is what happens to the home directories of all the users who will no longer have access? The openscapes folks must make a choice here before we can proceed with this. The options are: