On Tue, May 24, 2011 at 2:09 AM, Jeroen Vermeulen <j...@canonical.com> wrote:
> Hi,
>
> This is something I run into from time to time: some component of Launchpad
> needs to do things in Launchpad that previously only humans and teams could
> do.  The component needs to be an owner of something, or enter a comment in
> a conversation, or commit to a bzr branch etc.
>
> What we've done so far is create accounts for these components more or less
> ad hoc.  Sometimes this is helpful because the persona will be specific to
> the component it represents — e.g. launchpad-pqm — but mainly it's a pain.
>
> Should we have a single celebrity user identity for "Launchpad itself" that
> we can reach for in these situations?

No. We have a similar situation in DB connections where we make new users for each service and so on - and it's extremely useful. The security side is sometimes a wash, particularly where many things run from the same box, but the reporting is definitely a major win.

I think that we have two categories of actors:
 - internal actors
 - actors of clients of Launchpad

For the former we *might* want a single service account. *might*. I've yet to see a convincing argument for its utility. What we usually want IME is impersonation: The ability for a service to act 'on behalf of user Fred' when journalling actions etc. For instance software centre agent wants the ability to subscribe PPA consumers to private PPAs, and it would be neat if the audit log for that said 'SCA on behalf of Fred (PPA owner that got paid) subscribed Bart to PPA Fred/product'.

For the latter, we *definitely* want separate service accounts. What we need is the ability to have such an account (sketching):
 - be tightly associated with either a person/team (so it's owned) or project
 - not have an email address (we never need to contact it and sending it mail is a waste)
 - be able to be granted access analogously to other Persons
 - probably don't want impersonation, or want tight rules over who it can impersonate.

Now, if a user of Launchpad (like Canonical) were to choose to have a single service account and reuse it for all their stuff - that's fine and outside our worry-sphere ;)

-Rob

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-dev
Post to     : launchpad-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~launchpad-dev
More help   : https://help.launchpad.net/ListHelp
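
The service-account sketch and the "on behalf of" audit wording from the reply above, modelled as an added example that is not part of the thread and not Launchpad code. The class and function names, the `subscribe` permission string and the owner name are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ServiceAccount:
    name: str                                  # note: no email address field
    owner: str                                 # owning person, team or project
    may_impersonate: frozenset = frozenset()   # explicit allow-list of users

@dataclass
class Journal:
    grants: set = field(default_factory=set)   # (principal, permission, target)
    entries: list = field(default_factory=list)

    def grant(self, principal, permission, target):
        self.grants.add((principal, permission, target))

    def act(self, service, permission, target, on_behalf_of=None):
        """Authorize one action and journal it, whether allowed or denied."""
        if on_behalf_of is not None and on_behalf_of not in service.may_impersonate:
            result = "denied: impersonation not allowed"
        else:
            # Acting as itself the service needs its own grant, like a Person;
            # when impersonating it is limited to what that user may do.
            principal = on_behalf_of or service.name
            held = (principal, permission, target) in self.grants
            result = "allowed" if held else "denied: no grant"
        self.entries.append({"service": service.name, "on_behalf_of": on_behalf_of,
                             "permission": permission, "target": target,
                             "result": result})
        return result == "allowed"

def render(entry):
    """Format an entry in the 'X on behalf of Y' style used in the thread."""
    who = entry["service"]
    if entry["on_behalf_of"]:
        who += f" on behalf of {entry['on_behalf_of']}"
    return f"{who}: {entry['permission']} {entry['target']} [{entry['result']}]"

def demo():
    # Constructed sample data; the owner name is hypothetical.
    journal = Journal()
    journal.grant("Fred", "subscribe", "PPA Fred/product")
    sca = ServiceAccount("SCA", owner="example-team",
                         may_impersonate=frozenset({"Fred"}))
    journal.act(sca, "subscribe", "PPA Fred/product", on_behalf_of="Fred")
    journal.act(sca, "subscribe", "PPA Fred/product", on_behalf_of="Bart")
    journal.act(sca, "subscribe", "PPA Fred/product")
    return [render(e) for e in journal.entries]
```

Denied attempts are journalled alongside allowed ones, so the per-service reporting the reply values also shows when a service tried to act for a user outside its allow-list.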