mozilla-platform-ops / ronin_puppet

RelOps Masterless Puppet
Mozilla Public License 2.0

Change cltbld account provisioning #693

Closed rcurranmoz closed 2 months ago

rcurranmoz commented 3 months ago

Historically we've been setting the password for the cltbld account using salt/iterations/hashing. The end result was a secure password but also one that was unknown to us in plaintext.

In an effort to shift to Generic Worker multiuser, we will need to hard code the credentials for cltbld in /opt/worker/current-task-user.json and /opt/worker/next-task-user.json.

This PR sets a plaintext password stored in Vault.

@aerickson I don't think this will break anything on your end, but can you check line 67 and just ensure there will be no conflict. I changed cltbld_user.password in Vault, but only in roles/gecko_t_osx_1015_r8_staging/vault_secrets::cltbld_user

Thanks

aerickson commented 3 months ago

LGTM. There are some test failures:

users
  User "cltbld"
    is expected to exist (FAILED - 1)
    is expected to belong to group "_developer" (FAILED - 2)
    is expected to belong to group "com.apple.access_screensharing" (FAILED - 3)
    is expected to belong to group "com.apple.access_ssh" (FAILED - 4)

Not sure why that wouldn't exist... is there an error earlier?
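The serverspec failures above boil down to four expectations: the cltbld account exists and is in `_developer`, `com.apple.access_screensharing` and `com.apple.access_ssh`. The following is an added example (not code from ronin_puppet or generic-worker) that reproduces those checks over `dscl` output, and adds the one check a practitioner would want once the password is on disk in plaintext: the task-user file must not be group- or world-readable. The `dscl` output and the task-user JSON are constructed samples; the `"name"`/`"password"` key layout of the task-user file is an assumption, not something this PR confirms.

```python
"""Checks for the cltbld provisioning expectations discussed in this PR.

Added example, not code from ronin_puppet or generic-worker. It works on
constructed `dscl` output and a constructed task-user JSON file so it runs
offline; on a real macOS host you would feed it the real command output.
"""
import json
import re
import stat

# Group memberships the serverspec tests expect for the cltbld account.
EXPECTED_GROUPS = (
    "_developer",
    "com.apple.access_screensharing",
    "com.apple.access_ssh",
)


def parse_dscl_list(output: str) -> set:
    """Parse `dscl . -list /Users` output: one record name per line."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def parse_group_membership(output: str) -> set:
    """Parse `dscl . -read /Groups/<g> GroupMembership` output.

    dscl prints `GroupMembership: a b c` (or nothing when the group has
    no members), so the value is split on whitespace.
    """
    members = set()
    for line in output.splitlines():
        m = re.match(r"^GroupMembership:\s*(.*)$", line.strip())
        if m:
            members.update(m.group(1).split())
    return members


def check_account(user: str, users_output: str, group_outputs: dict) -> list:
    """Return the failing expectations, mirroring the serverspec cases."""
    failures = []
    if user not in parse_dscl_list(users_output):
        failures.append(f'User "{user}" is expected to exist')
    for group in EXPECTED_GROUPS:
        members = parse_group_membership(group_outputs.get(group, ""))
        if user not in members:
            failures.append(f'User "{user}" is expected to belong to group "{group}"')
    return failures


def check_task_user_file(contents: str, mode: int, user: str) -> list:
    """Sanity-check a generic-worker task-user JSON file.

    Assumption (not confirmed by the PR): the file is a JSON object with
    "name" and "password" keys. Because the password is plaintext, the
    file must be readable only by its owner.
    """
    failures = []
    try:
        data = json.loads(contents)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if data.get("name") != user:
        failures.append(f"name is {data.get('name')!r}, expected {user!r}")
    if not data.get("password"):
        failures.append("password is empty")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        failures.append(f"mode {oct(mode)} is group/world accessible; expected 0600")
    return failures


# Constructed sample output modelled on the failing run in the PR: the
# account has not been created, so it is absent from the user list and
# from every group.
SAMPLE_USERS_BROKEN = "_spotlight\nnobody\nroot\n"
SAMPLE_GROUPS_BROKEN = {
    "_developer": "GroupMembership: root\n",
    "com.apple.access_screensharing": "",
    "com.apple.access_ssh": "GroupMembership: root\n",
}
# Constructed output for a correctly provisioned host.
SAMPLE_USERS_OK = "_spotlight\ncltbld\nnobody\nroot\n"
SAMPLE_GROUPS_OK = {g: "GroupMembership: root cltbld\n" for g in EXPECTED_GROUPS}
# Constructed file contents; the password is a placeholder, not a real secret.
SAMPLE_TASK_USER = '{"name": "cltbld", "password": "constructed-not-a-real-secret"}'


def run_checks(users_output, group_outputs, task_user_json, task_user_mode, user="cltbld"):
    """Combine the account and file checks into one failure list."""
    return check_account(user, users_output, group_outputs) + \
        check_task_user_file(task_user_json, task_user_mode, user)


if __name__ == "__main__":
    for label, users, groups in (("broken", SAMPLE_USERS_BROKEN, SAMPLE_GROUPS_BROKEN),
                                 ("ok", SAMPLE_USERS_OK, SAMPLE_GROUPS_OK)):
        for f in run_checks(users, groups, SAMPLE_TASK_USER, 0o600) or ["all checks passed"]:
            print(f"{label}: {f}")
```

On a real host the inputs would come from `dscl . -list /Users`, `dscl . -read /Groups/<group> GroupMembership` and `os.stat("/opt/worker/current-task-user.json").st_mode & 0o777`; the broken sample reproduces the four failures in the comment above exactly because the user is missing from every record, which is consistent with the account never having been created rather than with a membership problem.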

rcurranmoz commented 3 months ago

We went from using the user provisioner in puppet to exec. Could that be why?