Closed (gabeng closed this 8 years ago)
Ben, we're definitely agreed that the current blanket permissions approach is terrible. Unfortunately we don't have a full set of all actions bcbio and elasticluster do to readily fix this. Is there any way to trace this for a run or does it require a manual audit?
We haven't drilled into this more as the active area of development in bcbio is in moving away from this infrastructure by using either a simpler setup that lets people manage this themselves:
https://github.com/chapmanb/bcbio-nextgen/tree/master/scripts/ansible
and using Common Workflow Language so bcbio can leverage more actively developed infrastructure that will have finer grained control over permissions:
http://bcbio-nextgen.readthedocs.io/en/latest/contents/cwl.html
Sorry to not have a ready to go answer but hope this helps.
Hi Brad,
thanks for the quick response.
bcbio-nextgen-vm and move to a local installation of bcbio on a single AWS instance. We do not have the need for a cluster anyway.
Regarding the principle of least privilege it would be better to define an IAM access policy that comprises just the access rights bcbio needs. Larger organizations will never allow such a user to be created. What are the specific actions that bcbio needs to perform? I would be happy to help draft a policy that fits the purpose (and try it myself). Kind regards, Ben
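One way to answer the question of tracing the actions for a run, as an added example that is not part of this thread or of bcbio: a small Python script that reads CloudTrail-style records for the IAM user a run was executed under and turns the observed service/action pairs into a draft policy. The event list is constructed and the user name `bcbio-run` is an assumption; CloudTrail `eventName` values are not always identical to IAM action names, so the draft still has to be reviewed against the IAM action reference before use.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not from a real bcbio run): the
# eventSource/eventName pairs are illustrative only, not an audited list
# of what bcbio or elasticluster actually require.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"userName": "bcbio-run"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "bcbio-run"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"userName": "bcbio-run"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"userName": "bcbio-run"}},
    # Activity by another principal must not leak into the run's policy.
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"userName": "someone-else"}},
]

def service_prefix(event_source):
    """Map an eventSource such as 'ec2.amazonaws.com' to the IAM prefix 'ec2'."""
    return event_source.split(".")[0]

def actions_used(events, user_name):
    """Return {service: [sorted action names]} that the given IAM user
    actually exercised, according to the supplied CloudTrail records.
    Assumes records for an IAM user carry userIdentity.userName; records
    for assumed roles are shaped differently and are skipped here."""
    used = defaultdict(set)
    for ev in events:
        if ev.get("userIdentity", {}).get("userName") != user_name:
            continue
        used[service_prefix(ev["eventSource"])].add(ev["eventName"])
    return {svc: sorted(names) for svc, names in used.items()}

def draft_policy(events, user_name):
    """Build a draft least-privilege policy document from observed actions.
    Resource is deliberately left as '*': narrowing it to the specific
    buckets and instance ARNs is a manual step after the action list is
    reviewed, because CloudTrail does not record the matching IAM resource."""
    statements = []
    for svc, names in sorted(actions_used(events, user_name).items()):
        statements.append({
            "Sid": f"Observed{svc.capitalize()}",
            "Effect": "Allow",
            "Action": [f"{svc}:{n}" for n in names],
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(draft_policy(SAMPLE_EVENTS, "bcbio-run"), indent=2))
```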