[FOLIO-2612] Have a backup admin account on the hosted environments Created: 21/May/20  Updated: 02/Sep/20

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Story Priority: TBD
Reporter: Marc Johnson Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: hosted-environments
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: FOLIO DevOps

 Description   

In order to compensate for situations where the diku_admin account becomes unusable
without requiring dedicated DevOps support (because capacity and availability are very limited)
we could create a second admin account with less well-known credentials
that could be used to perform recovery actions e.g. unlock the account, fix the record etc

Context

Recently (in the last week), there have been two outages for the folio-snapshot environment

Future Possible Actions

I think this is a useful fallback measure, however it does not mitigate the primary concern, which is that (pretty much) everyone who uses the hosted environments uses the diku_admin account. I think it could be worth considering generating other accounts for folks of these environments, and reserving this account for administration (or as a fallback).

Interested Parties

I'm including Cate Boerema Owen Stephens Ann-Marie Breaux Zak Burke Dima Tkachenko in this issue as they were involved in the previous issues



 Comments   
Comment by Marc Johnson [ 21/May/20 ]

Cate Boerema Jakub Skoczen John Malconian Ian Hardy Wayne Schneider David Crossley

What do you think to this idea?

If you like it, what is needed for it to get prioritised?

Comment by Cate Boerema (Inactive) [ 21/May/20 ]

This sounds like a great, low-cost solution that would save devops time later. Would the creation of this user need to be done by the devops folks on Core Platform?

Comment by Marc Johnson [ 21/May/20 ]

Cate Boerema

Would the creation of this user need to be done by the devops folks on Core Platform?

Yes, it would need to be done by the DevOps folks

Comment by Ian Hardy [ 21/May/20 ]

I like the idea. One approach might be to modify to the ansible create-tenant-admin and tenant-admin-permissions role to take an array of users instead of one. The quick hack would probably be to just run those roles again w/different data in the build. These roles are used in both single server and k8s builds.

Comment by Jakub Skoczen [ 22/Jun/20 ]

Returning back to the backlog since Mark won't be able to address it.

Comment by Marc Johnson [ 15/Jul/20 ]

Jakub Skoczen Ian Hardy John Malconian

When might there be DevOps capacity to make this change?

Generated at Thu Feb 08 23:21:57 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.